IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Justin Richer <jricher@mit.edu> Mon, 14 December 2020 20:29 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9E8A3A1BD7 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 12:29:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.016
X-Spam-Level:
X-Spam-Status: No, score=0.016 tagged_above=-999 required=5 tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IjUiXUsMVkjY for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 12:29:11 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69FA3A1BD5 for <txauth@ietf.org>; Mon, 14 Dec 2020 12:29:10 -0800 (PST)
Received: from [192.168.1.19] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BEKT3xs005855 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Dec 2020 15:29:04 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <9CDE8448-B4CD-4DC5-842D-3C58C5A322ED@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_90954ED7-9635-4D20-A232-31A14968CD1F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Mon, 14 Dec 2020 15:29:03 -0500
In-Reply-To: <CAJot-L0WAn2EqYO=mCVoq4Qm5TPTO7FNjtohriOn8tZHsNCJHQ@mail.gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, Dick Hardt <dick.hardt@gmail.com>, Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Steve Moore <srmoore@gmail.com>
To: Warren Parad <wparad@rhosys.ch>
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAJot-L0WAn2EqYO=mCVoq4Qm5TPTO7FNjtohriOn8tZHsNCJHQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/t8cfnHapn_NP5KmD5WQG-hXmJlc>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 20:29:13 -0000

Warren,

(as editor):

Your proposal below is not dissimilar to what’s in the current spec text: the URI is required, and the access token is optional. If the access token is included, the client has to include it in its request. The feedback from the working group during the IETF109 meeting, and leading up to it, was nearly universally that this optionality was not helpful, especially to client developers. The editors’ PR being discussed here removes that optionality by making both fields required with only one method of presentation, and therefore a single code path for the client.

 — Justin

> On Dec 14, 2020, at 3:11 PM, Warren Parad <wparad@rhosys.ch> wrote:
> 
> Here's a terrible alternative:
> 
> It would seem to me that one compromise could be making the object extensible by authorization servers (and their corresponding SDK). In a similar way that JWTs are extensible, we could require explicitly the URI in the spec, and an optional object to be defined by the AS.
> 
> --------
> 
> One source of the problem could be that the language for taking the response object and converting it back into a request one is not well defined.
> Instead if we allowed an optional headers object to be returned:
> {
>     uri: "https://as/grant/{grantId} <https://as/grant/%7BgrantId%7D>",
>     headers: {
>         'Authorization': 'Bearer ${accessToken}
>     }
> }
> 
> Thereby explicitly telling the client what they need to return back. It avoids the problem of "what to name these things" and also ensures that the data is exactly what the server expects. Additionally it sidesteps the naming issue, where to include tokens, and whether to include them at all.
> 
> Otherwise it sucks to be in a situation where the benefits/detriments aren't clear to everyone, and potentially we can choose a path forward where both approaches could be used without requiring other clients to jump over arbritrary hurdles suchs as custom implementations.
> 
> 
> Warren Parad
> Founder, CTO
> Secure your user data and complete your authorization architecture. Implement Authress <https://bit.ly/37SSO1p>.
> 
> 
> On Mon, Dec 14, 2020 at 8:46 PM Aaron Parecki <aaron@parecki.com <mailto:aaron@parecki.com>> wrote:
> Thanks for the clear description. However saying "has no security concerns" is a bold claim. Can you clarify how you will ensure that there are no security concerns with this method?
> 
> My main worry with this is people will start to get "creative" with the values of the things in this URL. We've seen this over and over, everything from using plaintext data in JWT access tokens in OAuth (now the access token contents are visible to clients), to putting data in the OAuth "state" parameter (easy to exploit unless it's signed/encrypted), and I'm sure someone somewhere is putting things in the authorization code that they shouldn't.
> 
> Aaron
> 
> 
> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
> 
> I am proposing a URI that is straight forward, and has no security concerns.
> 
> For example, the URI could be:
> 
> <as uri>/grant/<unique grant id>
> 
> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f <https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f>
> 
> The routing code in the AS then is:
> 
> router.post <http://router.post/>(      '/', grant.create);
> router.get(        '/grant/:grant', grant.read);
> router.post <http://router.post/>(      '/grant/:grant', grant.update);
> router.delete(   '/grant/:grant', grant.delete);
> router.options( '/grant/:grant', grant.options);
> 
> Where there is a "grant" module to manage for working with grant requests.
> 
> /Dick
> 
> ps: your previous email, and this one, are making the discussion personal. Happy to discuss privately.
> 
> ᐧ
> -- 
> TXAuth mailing list
> TXAuth@ietf.org <mailto:TXAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
> -- 
> TXAuth mailing list
> TXAuth@ietf.org <mailto:TXAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>

v2.23.0 | Report a Bug | By Email