Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary

[Francis Pouatcha <fpo@adorsys.de>]

On Tue, Jul 21, 2020 at 12:00 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Thanks for putting this together Francis. I like how you have put
> different aspects of a definition into separate points. It reinforces the
> multiple aspects.
>
> I don't see identity claims in your definitions. Was that intentional, or
> an oversight.
>
The extensive dictionary will surely include more terms.

I limited the list to terms relevant to the abstract sequence for now.
Making an effort to keep the discussion focused on the abstract sequence.

As we are talking authorization, identities are second class citizens,
focus shall be on Negotiating and Obtaining the AuthZ to access a Resource.

>
> wrt. Registered Client / Dynamic Client - in my experience putting the
> definitions together helps a reader grasp all the various terms used.
>
Yes, this clarification belongs in the dictionary. Intentionally left it
out here to avoid diverging the discussion.

>
> Curious why you include "party" in the definition. I would not have
> thought that had a definition unique to GNAP.
>
I derived this from your subsection "Parties". As all participants in the
abstract sequence are "parties", the word seems too heavy to be left
undefined. Also essential to know which words in the dictionary do not
refer to parties like Resource, Grant, AuthZ, ...

>
>
> On Mon, Jul 20, 2020 at 6:01 PM Francis Pouatcha <fpo@adorsys.de> wrote:
>
>> Hello Dick,
>>
>> Here is (in a new thread) the promised attempt to define terms of
>> interest in the GNAP protocol.
>>
>> Party - represents a role in the GNAP protocol flow. A party can take the
>> form of a web service, an application installed on the user device and
>> acting autonomously or the form of a natural person (resp. of an autonomous
>> device) using an application to interact with other parties.
>>
>> Resource - a piece of data or web service
>>       - controlled by a Resource Owner (RO),
>>       - held and guarded by a Resource Server (RS) and
>>       - serviced by the RS to a Client, if the Client provides a valid
>> Authorization.
>>
>> Resource Owner (RO) - the party that
>>       - owns a Resource,
>>       - relies on the services the GS to manage access to that Resource
>> and
>>       - relies on the services of a RS to hold the Resource and guard
>> access to that Resource.
>>
>> Resource Server (RS) - the party that
>>       - holds a resource and guards access to that resource on behalf of
>> the RO,
>>       - services the Resource to the requesting Client, provided the
>> Client presents a valid Authorization.
>>       The RS is generally deployed as a web service.
>>
>> Grant Server (GS) - the party that manages access to a Resource on behalf
>> of the RO. For each Resource access request, the GS might request the
>> consent of the RO and produce a corresponding Authorization that is given
>> to the requesting Client.
>>
>> Consent - act of an RO approving the release of a Resource he owns to a
>> Client.
>>
>> Grant - material form of an RO Consent. In order not to interact with the
>> RO on each Resource access request, the GS might store the RO Consent in
>> the form of a Grant for reuse.
>>
>> Authorization - externalized form of a Grant as known to the GS and the
>> RS.
>>       - The GS converts a Grant into an Authorization for use in a
>> Resource access request.
>>       - The RS evaluates an Authorization to decide on whether or not to
>> release the Resource to the Client.
>>
>> Client - the party that provides the infrastructure used by a User to
>> access a Resource. The client infrastructure is designed to:
>>       - Receive the resource access request from the User,
>>       - Interact with the RS to discover authorization requirements,
>>       - Interact with the GS to obtain an Authorization to access the
>> Resource,
>>       - Interact with the RS to access the Resource on behalf of the User.
>>
>> User - the party using the infrastructure of the Client to gain access to
>> a Resource.
>>
>> This dictionary is supposed to be the base for further discussions that
>> will allow us to provide each term with just enough description to reduce
>> ambiguities and misunderstandings in further exchanges. I intentionally
>> omitted the specification of the type and nature of each party (For example
>> Client / Registered Client / Dynamic Client). Such elaborations belong IMO
>> in proper subsections.
>>
>> Comments are welcome.
>>
>> Best regards.
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead
>> adorsys GmbH & Co. KG
>> https://adorsys-platform.de/solutions/
>>
>

-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/