IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Dick Hardt <dick.hardt@gmail.com> Fri, 26 June 2020 17:40 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC3D3A0BA8; Fri, 26 Jun 2020 10:40:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g82L9JwRjq_P; Fri, 26 Jun 2020 10:40:35 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 416543A0A40; Fri, 26 Jun 2020 10:40:35 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id b25so7593102ljp.6; Fri, 26 Jun 2020 10:40:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p9lmV2Tucg5GAGVmtgA/+7UiROpSNXK+2qmmYwD2CuI=; b=nW7tmXSSBeMzpy4klXT+0i+kGk9a4UNlKmve8tlOESeTbT6Qu2I+e3WSpf8WjUBuz1 GrAmHGz4j3wFEmbqS73O9BPjOh9hyKoP1hh10durNwrAFnnsKRQrcvnbLWoExr5e22kz PqA8qxoa6Ukr3R/oCOnqIuNAYBp62AM0imZseZyxMfbkyXRe1fDOJ0eXrh4oMdmGbiJB lEI4jbsqMwuJd2ZQtXg2ZjZlXwj/PWR+TTfTPMF2VLI1TfZJeuMyzP9+P9iNQ8R4GjEg 5zKFI5cQxrYXf1rHeKBkdHRGF+P9awjLGgFlA4t/r3r6c5wLyI7Fca3dmxbRTn2TfW4c vZUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p9lmV2Tucg5GAGVmtgA/+7UiROpSNXK+2qmmYwD2CuI=; b=oCgAtYYbX2WgspORWW7q5QVUGNzL4JI2MaXjbPDhDBh46nIpeLA/n8YAAXhQY4MCsW zYB4ePaVxuLgluk4Haw5qZ5vpgkbBnj2G2XauCfQ8ym0hlMPwn2BUB538bvMR8svsX0A UT81Xg/de/+getAfmFQwWlA5VNmJb2dK2VJEXaRcJekTQd3KUn9PR2+5zntln6EVdg6Y F3xlDE3fT1pjugVE/SPoOHlxopXt5Nns9V6brtYoMQsMNEHHkhBIMW5lsNqdhYXk0aOc HXl5QkRGP+YY+U9ARaAjnxY8sNStjEBTZLf8XY6Kt39sn4foIuMi4XvqjdLoe5Vetpwk ldJQ==
X-Gm-Message-State: AOAM533jH1ms5xfkfU8m/Yv1IAAudyzZ+r/x+Hvj6uBzBK9a0xf0X1nI 6a7ll43pHGcN3Z1KkETP72BGEYoWPls34iYa96A=
X-Google-Smtp-Source: ABdhPJwz7witqgDdpe8h3I0L9hCbuOkA6sOk7sPxeSglbjV4jQ1U3Q/HLdsF4cJs5V93JrnUIiB95SDlVZ7kFAqcQP0=
X-Received: by 2002:a2e:7f10:: with SMTP id a16mr2071743ljd.69.1593193233286; Fri, 26 Jun 2020 10:40:33 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr>
In-Reply-To: <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 26 Jun 2020 10:39:57 -0700
Message-ID: <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: iesg@ietf.org, txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ba898805a90034d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/pJ4YTELRF4nv7ydtF6GPTMNSU1I>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 17:40:37 -0000

Denis, thanks for sharing your thoughts, some clarifications on your
statements inserted:

On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr> wrote:
<snip>

> *New proposed charter*
>
> <snip>

>
> Resource servers inform their clients about which access token formats are
> acceptable and depending upon the king of operation
> that is requested, which kind of attributes are needed and from which ASs
> that my be obtained.
>
> While at times this may be appropriate, at other times disclosing the
attributes the RS requires is not needed by the client. For example, an
enterprise client accessing a resource does not need to know which groups a
user belongs to, but the RS may require that to determine if the user
running the client has access.

>
> A major difference with OAuth 2.0 is that there is no bilateral trust
> relationship between an authorization server and a resource server:
> for a given category of attributes, a resource server may trust one or
> more authorization servers. Another major difference with OAuth 2.0.
> is that the content of an attributes token is meant to be accessible to
> the client.
>
> This is not how OAuth 2.0 works. See slides 7 and 8 from my original IETF
presentation on what became OAuth 2.0

https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation

The AS may not even know who the RS (or PR in the slides) is.

<snip>

>
> I got rid of the word "delegation": the client does not delegate anything
> to an authorization server. If it would, this would mean that the
> authorization server
> would be able to act as the client and could know everything that the
> client will do, which comes into contradiction with the user's privacy.
>

The above is not true.

The Resource Owner is delegating access control to the AS in authorization
use cases.

The client is may be delegating user authentication to the AS in identity
claim use cases.

The AS can act as the client in many OAuth deployments, as the access token
is a bearer token. That does not mean the AS knows what the client is
doing.

/Dick

ᐧ

v2.23.0 | Report a Bug | By Email