IETF Logo Mail Archive

Re: [Txauth] Additional implementation

Fabien Imbault <fabien.imbault@gmail.com> Sun, 05 July 2020 12:47 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 444083A005F for <txauth@ietfa.amsl.com>; Sun, 5 Jul 2020 05:47:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7Xw5uxpXQAZ for <txauth@ietfa.amsl.com>; Sun, 5 Jul 2020 05:47:44 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2A7C3A005B for <txauth@ietf.org>; Sun, 5 Jul 2020 05:47:44 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id a11so22479026ilk.0 for <txauth@ietf.org>; Sun, 05 Jul 2020 05:47:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HkrKTIS6H8SVzXVz0YOE1X8VnLV2HPqBg+l/HTgZT7s=; b=oVH0O7PFeaQZ2Sz5bWyVeWzvv+v6fnEVMbUB9y0+iPY9U5HeaUYacCyqK9nSeUDvpo EhyoTSo45U4OtySZNqY29RzljEPUd9r4SHiv5jmoB/9qv9Gz8CZ/7105pJUaOGER/Oq4 BNXptV3uGjf8R1Yf5esvdBN7+Uot1B/8dyl8ckFwYf5CFcp+HsflsiUkCFT1NTQs3GoV TBqTWha//WbPP4E7HGUafHpUOqDvAsCSMqItgDhkMpS+s9ObjZ6A79ZP0VrwakouFvdx EA0Ue6xfZcdqJ43BGVqWS/AQNCAO70uQhh0c4imYuBOCc/JaWgZpQYYf1HtWwN89vSah UXZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HkrKTIS6H8SVzXVz0YOE1X8VnLV2HPqBg+l/HTgZT7s=; b=oDkayVQVMDv8qXoxCNuyPsV8lRwVOpcf3qZfG610s+soZYa1T+nUhhv/6tkzdtCTVm J7QQFZtwqGeZjyQUAkGHpaVE5fGufFsoD1X0vb8rMyONIOOCiBz+sNcEcVAezmfioaX2 aE3i1oTbpVCcpEDNCGoIdTi5im+T9BImwjOoUcTor/Mc/LE0SxYiAvDFmQUkZkp4wA5m PnwL+58NEvzsksKAvUheyrPLmiQvv8EcWNei85vMgq7g3i3nnkPiUSsRK73m9fghpJbG y9eKhMyjIKPzbu0pFSPyFHo+KSQcGiL1FW62e+ePU1zo05w8RR4WnMRN9z3gQnfQgGSn j5zQ==
X-Gm-Message-State: AOAM533nJuVed8soKOi3IDrPIOG3Q7BnDFZd0qwYVtB8ugAOfdyA9GD9 jpBO31Mqws/dFVvX8TNSocO/Ajigb6dxMzl71C4=
X-Google-Smtp-Source: ABdhPJwhECdRvM6OVV00zgl1CYnUyzO3pwsoWa+s3/7PRD/C7Q7whoofo9ya1ygib/uru805ZW97WXdKTXPzlcLzUns=
X-Received: by 2002:a05:6e02:1313:: with SMTP id g19mr24230261ilr.123.1593953263969; Sun, 05 Jul 2020 05:47:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuRA1VfPs6bdrGgssBeBNe4wPySHjKcjiP6HexKMUff4DQ@mail.gmail.com> <CAD9ie-t7Lzt8S09YKPqwhc__7fKU6XpsyL1m8CGYUqfQwj8+ww@mail.gmail.com> <CAM8feuQK7HnKWd4TuusKy6z5q0K8V1+fO7xdqnLwOckThgtfNw@mail.gmail.com> <CAM8feuT5VO3w-PJWX-SWL0tdoCH4TfzfTnabD5kNLfZ=T8nAZw@mail.gmail.com> <CAD9ie-vUGGRcsv2mC6OD=p2P-jRLbpWo1dOfq3AVYc9gU1S8hA@mail.gmail.com> <CAM8feuRc_arjH-mKyXo+4k_PzRZ0Pq83fkNsN3_YM0mZ8VmmMg@mail.gmail.com> <CAD9ie-un7KEtreop+CYgkds5R89Xc26qCxt5Zd9zHRzY9UEH5Q@mail.gmail.com>
In-Reply-To: <CAD9ie-un7KEtreop+CYgkds5R89Xc26qCxt5Zd9zHRzY9UEH5Q@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sun, 05 Jul 2020 14:47:29 +0200
Message-ID: <CAM8feuQWU8sr1XrNaESbBiB4gcr1JMYk6edpNnhSt1dyJTmWmA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000166a6c05a9b12a6f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/oYVOsLAAsKicV-zvxxDyxj2YDsc>
Subject: Re: [Txauth] Additional implementation
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jul 2020 12:47:48 -0000

Hi,

You're spot on with you last comments, we should stay very clear on claims
vs tokens (and indeed they are defined in other working groups). I agree
with that.

What I'm suggesting is that json-ld may be used as a support for providing
context and extendibility capabilities, as it provides a conventional
manner of defining metadata to deliver on the polymorphic feature of the
core protocol.
Request/response (and continuation) endpoints may use this metadata to
adapt their behavior to the capabilities or intent of the other party
(client and AS). The most obvious example is for resources description
("dolphin-metadata" in the XYZ example), to provide semantic context around
common access patterns.

Cheers,

Fabien

Le sam. 4 juil. 2020 à 03:33, Dick Hardt <dick.hardt@gmail.com> a écrit :

>
>
> On Fri, Jul 3, 2020 at 1:19 AM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Thanks Dick.
>>
>> Likewise, comments inserted (marked with "FI").
>>
>> On Thu, Jul 2, 2020 at 7:34 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Hi Fabien, sorry for the late reply
>>>
>>> Comments and questions inserted ...
>>>
>>> On Wed, Jun 17, 2020 at 3:47 AM Fabien Imbault <fabien.imbault@gmail.com>
>>> wrote:
>>> <snip>
>>>
>>>>
>>>> Beyond what I said on the redirect, we could probably benefit from a
>>>> more formal definition of the flows (a bit different between the 2
>>>> proposals), as proposed recently by Francis Pouatcha for instance
>>>> (interact/decoupled/embedded flows, TBD).
>>>>
>>>
>>> Which proposal was that?
>>>
>>
>> FI : I'll try to find it back.
>>
>>>
>>>
>>>>
>>>> What I'm missing in both proposals (personal opinion):
>>>>
>>>> - I know that JSON is the usual format, but it would be really useful
>>>> to complement the schemas with some JSON-LD descriptions as well. It would
>>>> ease extensions and interoperability (by avoiding conflicting schemas), and
>>>> could even provide a more generic way of representing verifiable
>>>> presentations (challenge/nonce associated to a domain for instance). While
>>>> most of this work on linked data has been done at W3C, it would add value
>>>> to the current proposal so I think we should consider it.
>>>>
>>>
>>> I'm not understanding how JSON-LD would fit in. Would you provide an
>>> example?
>>>
>>
>> FI : when it comes to extendibility, JSON-LD and JSON schemas could work
>> together to provide a more explicit information on the type of information
>> we're handling. You'll find a comparison at
>> https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs with
>> standard JWT. In practice, this comes handy as a basis for verified
>> credentials, would clarify the OIDC semantics and disambiguate the meaning
>> of specific tokens (see for instance the discussion at
>> https://www.rfc-editor.org/rfc/rfc8417.html#section-4 on "Preventing
>> Confusion between SETs and Other JWTs").
>> https://w3c.github.io/vc-imp-guide/#extending-jwts provides interesting
>> examples.
>>
>
> It appears that you are proposing the JSON-LD be used in claims? Am I
> correct? Or is there somewhere it would be used in the Grant Request JSON?
>
> My understanding of the charter is the GNAP is a transport for claims, and
> that those would be defined somewhere else. OpenID Connect and Verified
> Credentials are good examples. The query for a claims similarly would be
> defined somewhere else.
>
>
>>
>>
>>>
>>>>
>>>> - from an extensibility point of view, I'm not sure it's very useful to
>>>> list all possibilities. For instance, as of now, it wouldn't be possible to
>>>> use the protocol for constrained devices, so there's no real value in
>>>> saying that it could be extended with CoAP (then we need a separate
>>>> document, that references the current GNAP rfc). What's more useful to know
>>>> if the context of the current document, when you're implementing it, is
>>>> what behaviour can really be extended in a fairly straightforward
>>>> way, without changing anything in the core spec. For instance, what can I
>>>> do with other types of tokens than JWT? Neither proposal is very clear as
>>>> to how we would implement extensions in practice.
>>>>
>>>
>>> In XAuth I refer to CoAP not as an extension, but as an one example of
>>> other client authentication mechanisms. While it only applies to CoAP, I
>>> think it is useful to call out how we intend GNAP to be extended.
>>>
>>
>> FI : isn't the charter already covering this?
>>
>
> Yes, but most people that are not in the WG don't read the charter. :)
>
>
>>
>>> Just like OAuth 2.0, the access token is opaque to the client, and it is
>>> not specified, so I'm confused what you mean by "other types of tokens than
>>> JWT"?
>>>
>>> FI : I mean, for instance, linked data proofs, macaroons, and so on.
>>
>
> I see. When I read 'token', I think of access tokens. You are referring to
> what I would call a claims, which per above are defined somewhere else.
>
>
>>
>>>
>>>>
>>>> - from an implementation perspective, it would make sense to decompose
>>>> the flow between the Grant Server (GS) and the login/consent part (as done
>>>> for instance by ory.sh). This way you would separate the concerns: on one
>>>> side you have the HTTP flows (managed by the GS, which can be very
>>>> optimized from a backend perspective), but you can delegate/customize the
>>>> interaction UI to some agreed dedicated endpoint (typically a JS site).
>>>> Maybe that's just a detail which doesn't have its place in the spec, but
>>>> since it would change the flow, it might be important to consider, at least
>>>> as a possibility/extension.
>>>>
>>>
>>> Is the interaction UI not part of the GS though? I agree that an
>>> implementation can decompose those, but that sounds like an implementation
>>> choice of the GS, and not something that requires standardization. I agree
>>> that we want to anticipate the decomposition.* Is there a change in the
>>> flow that would make that easier?
>>>
>>
>> FI : I agree with you on the principle. We're currently testing that to
>> make sure the standard is supporting these kind of implementation choice.
>> In XYZ, it means changing the URI for the interaction, having an additional
>> nonce for the interact server (maybe we can remove that constraint later
>> on, because it changes details in the interaction), and the rest stays the
>> same.
>>
>
> I'd be interested in the details on how you are implementing it!
>
>
>>
>>> *One of the reasons I favor using URIs and methods for the different
>>> functionality of the GS API is that it is easy for a router to route a
>>> request to different components of the GS.
>>>
>>
>> FI : yes, and that's something interesting that we'll need to discuss
>> further.
>>
>
> :)
>
>
>>
>>> /Dick
>>>
>>>>

v2.23.0 | Report a Bug | By Email