Re: [GNAP] Gathering Consent and Authorization

Fabien Imbault <> Fri, 09 April 2021 15:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EEB263A24F1 for <>; Fri, 9 Apr 2021 08:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cWWNx-l6otjg for <>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 53B3E3A1A07 for <>; Fri, 9 Apr 2021 08:33:29 -0700 (PDT)
Received: by with SMTP id w2so5021557ilj.12 for <>; Fri, 09 Apr 2021 08:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=bfN0QJTqO29aIQ+X1aKaTetAmGcPtu0cO7aunCae+6IvP9IfAU0Gtp8hEQV2PXFUpw wEK0hQQC1tQF1idCUEUVuPgGJvyiIunBwyWcgYHFIetF8Ktxk+U8OXfWELfyKVqIAIvF RyYt2P1bcC4gtVnjnP6+snie/jOZ0BGu4vlii1jUCxMujj0nSZIRwraC580sRYgRnHrZ KpsagCau5QCfX46QeQOsZzvlFazDbvnyaONOIaJjFHo7p0uKKZSBNJv8acL6L7OEKsN3 uAM1dWvp2Nf/T7/4ZYe/yYPmHrtqLYSYxIZFd0UY/FIMx0FJJqi6P3HPyV+JWfsnXfDi q6NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YW9T2WhvkomXNiBJc/4EwKAogQ5gI1MrVAAKUGGWZv8=; b=MSJGPF3ObuPyCYcLsv04RXrigCDv+D3D8X6eR3rP+jTmGGgu+026Zoal4GHvJ/5qkL UnAnI0luFnt3DI9mKWvIbqEqqyBTKqORKBCUYEL8L4kKRFqtIK+kRllH4Iz1/1ntohu5 zcOdChwzGk1BQ5pbj773dpd/+OZwymtosmqGtzRHn9zuYx/lfI/1qOo7Mnz3fIki8ZcN 8hcvkDsc4VaCozjrloAuU+CjrLiCwoDhe0LsF2NsZq+zqnVJMOmD/KP2MJI/VxrX4ok4 EO+Kmi0yBTodu8tit/bIzprwOVvreIrZPI4LbOjlyWsIFNhpK3UVTi+2wjBA639v5/2u 9Rcw==
X-Gm-Message-State: AOAM533XUcdPmByMRPn2SqF/qd76Jz4UfUoOAPNnpi2O7c30L7N+kSgw Qho0WtVanWO2BK+PQCa3V2d0hv0gGOCHxhDe2UA=
X-Google-Smtp-Source: ABdhPJwNHvQHPK5aB9myakklhZrtknQDqdFFp5SDUKow3eI2ULjV6WNqeVdXWZ0BTNz7ItwERsZPrBZANcHo+Idu/x4=
X-Received: by 2002:a05:6e02:4aa:: with SMTP id e10mr2274297ils.188.1617982407477; Fri, 09 Apr 2021 08:33:27 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Fabien Imbault <>
Date: Fri, 9 Apr 2021 17:33:16 +0200
Message-ID: <>
To: Denis <>
Cc: Justin Richer <>, GNAP Mailing List <>
Content-Type: multipart/alternative; boundary="000000000000a68d1a05bf8be2ef"
Archived-At: <>
Subject: Re: [GNAP] Gathering Consent and Authorization
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Apr 2021 15:33:34 -0000


Remember that for convenience, the PR generates an HTML draft, so you
should be able to read easily.

In particular section 4 is now called Determining Authorization and Consent.


On Fri, Apr 9, 2021 at 5:12 PM Denis <> wrote:

> Hi  Justin,
> "Gathering Consent"  is not solely related with a section that would be
> called “Interaction at the AS”.
> For authorizing a method on an object, the RS (or more precisely the RO
> controlling that object) is wishing to obtain some privileges
> (i.e. attributes types and /or rights ) inside an access token that may be
> issued by *one AS among several ASs*.
> The privileges a RS is wishing to obtain should be proportionate to the
> method that is being requested on the object. This means that
> in the first access to a RS, the client should advertise both the method
> and the object on which the method applies and then in its response,
> the RS should indicate which choices are possible and the reason(s) behind
> each choice ("User Notice").
> In general, it is possible to decompose the end-user choice into three
> consecutive choices:
> a) a first choice for selecting the AS,
> b) a second choice for selecting different privileges *types *(i.e.
> attributes types and /or rights types) for the selected AS,
> c) a third choice selecting different privileges *values *for the
> selected privileges types (i.e. attributes type values and /or rights types
> values)
> If a RS is only trusting one AS, the first choice becomes a YES or NO
> question. The second choice must be based on information provided by the RS,
> since only the RS is knowing the rational to request some set of
> privileges. In such a case , the dialogue with the end-user can be done
> either
> *directly at the RS* or *locally at the client* using information
> provided by the RS. The third choice must be done at the AS.
> If a RS is trusting more than one AS, the first and the second choices
> must be done before contacting an AS (see above), while the third choice
> must be done at the AS.
> Denis
> PS. I have not yet read through the new text.
> We’ve recently had a lot of good discussion about the nature and role of
> the AS within GNAP, and the editors stated that we would be working on new
> text to incorporate this discussion. With that in mind, I wanted to bring
> everyone’s attention to a PR that makes some big changes to the core spec,
> though mostly in the description of how components work and less with the
> normative syntax of the protocol itself.
> This rewrites the section that is currently “Interaction at the AS” to
> better describe the wider range of possibilities for the authorization
> process. Note that this PR hasn’t been tagged as “pending merge” by the
> editors yet, which means there’s not a review deadline in place yet, but
> since it’s such a big change we’d like to get it in somewhat soon. Please
> go read through the new text and help improve it!
> Thank you,
>  — Justin
> --
> TXAuth mailing list