IETF Logo Mail Archive

Re: [GNAP] Authentication mechanisms discovery

Denis <denis.ietf@free.fr> Tue, 25 August 2020 17:38 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0F93A107F for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 10:38:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.456
X-Spam-Level:
X-Spam-Status: No, score=0.456 tagged_above=-999 required=5 tests=[FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jh-44hu4w-ud for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 10:38:12 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC0B23A107D for <txauth@ietf.org>; Tue, 25 Aug 2020 10:38:11 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d05 with ME id Kte82300G2bcEcA03te9Q0; Tue, 25 Aug 2020 19:38:09 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 25 Aug 2020 19:38:09 +0200
X-ME-IP: 90.79.51.120
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "txauth@ietf.org" <txauth@ietf.org>
References: <fdf69c9e-6950-b2d2-f889-dd4219fec6f1@free.fr> <CAD9ie-tRG5F=z_Py3RVFOjELPYcGxQPJxepzO_rFQg=XSG+Yaw@mail.gmail.com> <CAD9ie-t=qFWT=0vezac8dUV7e2TxfswNkr3Qz9TB4XnCmHjSzQ@mail.gmail.com> <320d584f-ce34-5230-66d5-d7dc6cdceb69@free.fr> <CAD9ie-vKYT7thYGehYAYMKMT0B8u9_Vyq-yCvKVnfbo2eZDNew@mail.gmail.com> <a5fd2f36-b9b1-0ff2-ebe8-a1c2bc9d46ed@free.fr> <CAD9ie-tR+Z8r5zFvWVfdoYBHd=wBFNufu_a1wFS1nUGGyQS-SQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <3e683ddf-1bc6-d8b2-2433-ae8fec18d2cb@free.fr>
Date: Tue, 25 Aug 2020 19:38:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-tR+Z8r5zFvWVfdoYBHd=wBFNufu_a1wFS1nUGGyQS-SQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DE088F9D0F19F60E8DC96A4C"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/psw4NlCS2BVZSCPv58geb1UhMys>
Subject: Re: [GNAP] Authentication mechanisms discovery
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2020 17:38:15 -0000

Hi Dick,

> I view unauthenticated OPTIONS calls to the GS returning what is 
> available when unauthenticated.

Yes, if the call is made on the root URL.

> Client authentication mechanisms MAY be returned, but are not required 
> to be returned by the GS.

... or by the RS. :-)

> Your concept of being RS centric is interesting, and sheds light on 
> the features you are requesting. There are many aspects of that to 
> standardize,
> and contrary to a GS centric view, I don't know of common patterns to 
> examine to see what has worked, and what has not worked. I do see how
> an RS centric model could work with the current GNAP protocol.

Really ? I believe that the /current /GNAP protocol would need to be 
modified.

> -- but I am strongly against GNAP *only* being RS centric. In my use 
> cases, I have no need for an RS.

You are pushing onan open door. I already wrote on the thread "Two 
comments on draft-richer-transactional-authz-06":

    There are two cases to consider, one of them is "AS centric" while
    the other one is "RS centric".
    (...)  These two use cases should be supported.

> wrt. user authentication, my response was
>
>     - there are a very wide set of choices on how the user can
>     authenticate.
>     I'm not saying GNAP should not support your model of the user
>     authenticating somewhere other than the GS, but I don't see that
>     as being in the core protocol.
>
> Your response does not seem related to user authentication.

As soon as there is a User choice which requires a User consent, I see a 
need to support an OPTIONS call.

Denis

PS. I will be away from my desk from tomorrow until the end of the week, 
so don't expect replies during that time window.

>
> /Dick
>
> On Tue, Aug 25, 2020 at 9:18 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Dick,
>
>>     I agree, the 401 response is not the ideal architecture, but it
>>     works for any URI or method.
>>     What if the OPTIONS method itself requires authentication? How
>>     does the RS return how to authenticate?
>>     Does the RS need to support the OPTIONS method on all API endpoints?
>
>     Please remember that there are two different reasons to use the
>     OPTIONS methods: "Authentication mechanisms discovery" and "API
>     discovery".
>     The "Authentication mechanisms discovery"  does not require
>     authentication : this is already stated in the draft.
>
>     The RS returns how to authenticate in the same way that the GS
>     does it, except that it may also indicate which ASs are
>     appropriate and which attributes
>     should be included into an access token.
>
>     Since the OPTIONS method is used to support the User consent, it
>     shall be supported on every API endpoint that requires a user consent.
>
>>     An OPTIONS method at the RS is not forbidden, but just like at
>>     the GS, OPTIONS is a general discovery mechanism, not just for
>>     authentication.
>
>     Not exactly. There would clearly be two flavours of it : one for
>     "Authentication mechanisms discovery" and another one "API discovery".
>
>>     As I have stated previously:
>>
>>     - a real time query only works if the results are standardized.
>>     There are few standardized APIs or standardized "scopes".
>
>     The suggestion is indeed to define return standardized parameters
>     for each of these two flavours.
>
>>     - there are a very wide set of choices on how the user can
>>     authenticate.
>>     I'm not saying GNAP should not support your model of the user
>>     authenticating somewhere other than the GS, but I don't see that
>>     as being in the core protocol.
>
>     Please look again at the major difference between "Authentication
>     mechanisms discovery" and "API discovery". This question is once
>     again
>     whether an "AS centric" method is supported or a "RS centric"
>     method is supported.
>
>     Denis
>
>
>     PS: Once again : "The missing point in
>     draft-hardt-xauth-protocol-13 is the lack of difference between an
>     authentication made by the client application
>     on its own behalf or on behalf of a User". Any comment ?
>
>
>>     ᐧ
>>
>>     On Tue, Aug 25, 2020 at 2:37 AM Denis <denis.ietf@free.fr
>>     <mailto:denis.ietf@free.fr>> wrote:
>>
>>         Hi Dick,
>>
>>         A few arguments:
>>
>>           * The 401 (Unauthorized) status code indicates that the
>>             request has not  been applied because it lacks valid
>>             authentication credentials for the target resource.
>>             Information about how to authenticate is NOT in the HTTP
>>             Authorization header. So it is not a discovery mechanism
>>             but, at best, a trial and error mechanism.
>>
>>           * As already said, reading the documentation is one way,
>>             but making a real time inquiry is another way which is
>>             better for clients acting on behalf of a User.
>>
>>           * If the OPTIONS method call can be used at the GS, it
>>             should not be forbidden to be used as well at the RS.
>>
>>         The missing point in draft-hardt-xauth-protocol-13 is the
>>         lack of difference between an authentication made by the
>>         client application on its own behalf or on behalf of a User.
>>
>>         Denis
>>
>>>         A comment about an OPTIONS call being the first call in the
>>>         protocol.
>>>
>>>         While that is possible, I expect most use of the discovery
>>>         will happen by tooling rather than client software. IE, when
>>>         developing against an GS, the developers tool chain will
>>>         check what the GS supports.
>>>
>>>         On Mon, Aug 24, 2020 at 9:05 AM Dick Hardt
>>>         <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>
>>>             Hi Denis
>>>
>>>             While it is an interesting idea to use the OPTIONS
>>>             method at the RS, the standard way to indicate
>>>             authentication mechanisms is with a 401 HTTP response per
>>>             https://tools.ietf.org/html/rfc7235#section-3.1
>>>
>>>             And then information about how to authenticate may be in
>>>             the HTTP Authorization header.
>>>
>>>             This allows an RS to respond to any request including an
>>>             OPTIONS method call.
>>>
>>>             /Dick
>>>
>>>
>>>             ᐧ
>>>
>>>             On Mon, Aug 24, 2020 at 1:16 AM Denis
>>>             <denis.ietf@free.fr <mailto:denis.ietf@free.fr>> wrote:
>>>
>>>                 Hi Dick*,
>>>                 *
>>>
>>>                 The following comments have been elaborated after an
>>>                 analysis of your draft: draft-hardt-xauth-protocol-13.
>>>
>>>                 *1 ) Authentication mechanisms discovery at the GS*
>>>
>>>                 Sections 3 and 3.7 from
>>>                 draft-hardt-xauth-protocol-13 are proposing to
>>>                 support an HTTP OPTIONS request which would be the
>>>                 first request
>>>                 when talking to a GS. The goal is to be able to
>>>                 query the authentication mechanisms supported by the
>>>                 GS. This would indeed be very useful.
>>>
>>>                 The HTTP OPTIONS request has been first defined in
>>>                 RFC 2616 and refined in RFC 7231 (see
>>>                 https://tools.ietf.org/html/rfc7231#section-4.3.7).
>>>
>>>                 RFC 7231 mentions:
>>>
>>>                       A standard format for such a representation is
>>>                 not defined by this specification, but might be
>>>                 defined by future extensions to HTTP.
>>>                       A client that generates an OPTIONS request
>>>                 containing a payload body MUST send a valid
>>>                 Content-Type header field describing
>>>                       the representation media type.Although this
>>>                 specification does not define any use for such a
>>>                 payload, future extensions to HTTP
>>>                       might use the OPTIONS body to make more
>>>                 detailed queries about the target resource.
>>>
>>>                 RFC 7231 also mentions:
>>>
>>>                       A server generating a successful response to
>>>                 OPTIONS SHOULD send an header fields that might
>>>                 indicate optional features
>>>                       implemented by the server and applicable to
>>>                 the target resource, including potential extensions
>>>                 not defined by this specification.
>>>
>>>                 However, two types of authentication are possible:
>>>                 user authentication and client authentication. If
>>>                 both are supported by the GS, it would be possible
>>>                 to address this concern either by returning two
>>>                 lists of authentication methods or even better by
>>>                 using two different Content-Type header fields
>>>                 describing
>>>                 the representation media type, since the client is
>>>                 knowing whether it is acting or not on behalf of a
>>>                 User.*
>>>                 *
>>>
>>>                 *2) Authentication mechanisms discovery at the RS*
>>>
>>>                 This HTTP OPTIONS request should also be supported
>>>                 by a RS. When a client first contacts a RS, it does
>>>                 not necessarily know the authentication
>>>                 methods that are /currently/ supported by the RS.
>>>                 This means that the same request as the one used for
>>>                 the GS should be available for a RS as well.
>>>
>>>                 Denis
>>>
>>>                 -- 
>>>                 TXAuth mailing list
>>>                 TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>>>                 https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>
>     -- 
>     TXAuth mailing list
>     TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/txauth
>
> ᐧ

v2.23.0 | Report a Bug | By Email