Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary

[Francis Pouatcha <fpo@adorsys.de>]

On Tue, Jul 21, 2020 at 1:59 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> FYI: I consider the release of claims to be an "authorization" as well.
>
Great. Then it is included.

>
> IE, the user authorizes the GS to release a DOB claim to a Client.
>
I guess you mean the "RO" authorizes the GS to release a DOB!

>
>
>
> On Tue, Jul 21, 2020 at 10:42 AM Francis Pouatcha <fpo@adorsys.de> wrote:
>
>>
>> On Tue, Jul 21, 2020 at 12:00 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Thanks for putting this together Francis. I like how you have put
>>> different aspects of a definition into separate points. It reinforces the
>>> multiple aspects.
>>>
>>> I don't see identity claims in your definitions. Was that intentional,
>>> or an oversight.
>>>
>> The extensive dictionary will surely include more terms.
>>
>> I limited the list to terms relevant to the abstract sequence for now.
>> Making an effort to keep the discussion focused on the abstract sequence.
>>
>> As we are talking authorization, identities are second class citizens,
>> focus shall be on Negotiating and Obtaining the AuthZ to access a Resource.
>>
>>>
>>> wrt. Registered Client / Dynamic Client - in my experience putting the
>>> definitions together helps a reader grasp all the various terms used.
>>>
>> Yes, this clarification belongs in the dictionary. Intentionally left it
>> out here to avoid diverging the discussion.
>>
>>>
>>> Curious why you include "party" in the definition. I would not have
>>> thought that had a definition unique to GNAP.
>>>
>> I derived this from your subsection "Parties". As all participants in the
>> abstract sequence are "parties", the word seems too heavy to be left
>> undefined. Also essential to know which words in the dictionary do not
>> refer to parties like Resource, Grant, AuthZ, ...
>>
>>>
>>>
>>> On Mon, Jul 20, 2020 at 6:01 PM Francis Pouatcha <fpo@adorsys.de> wrote:
>>>
>>>> Hello Dick,
>>>>
>>>> Here is (in a new thread) the promised attempt to define terms of
>>>> interest in the GNAP protocol.
>>>>
>>>> Party - represents a role in the GNAP protocol flow. A party can take
>>>> the form of a web service, an application installed on the user device and
>>>> acting autonomously or the form of a natural person (resp. of an autonomous
>>>> device) using an application to interact with other parties.
>>>>
>>>> Resource - a piece of data or web service
>>>>       - controlled by a Resource Owner (RO),
>>>>       - held and guarded by a Resource Server (RS) and
>>>>       - serviced by the RS to a Client, if the Client provides a valid
>>>> Authorization.
>>>>
>>>> Resource Owner (RO) - the party that
>>>>       - owns a Resource,
>>>>       - relies on the services the GS to manage access to that Resource
>>>> and
>>>>       - relies on the services of a RS to hold the Resource and guard
>>>> access to that Resource.
>>>>
>>>> Resource Server (RS) - the party that
>>>>       - holds a resource and guards access to that resource on behalf
>>>> of the RO,
>>>>       - services the Resource to the requesting Client, provided the
>>>> Client presents a valid Authorization.
>>>>       The RS is generally deployed as a web service.
>>>>
>>>> Grant Server (GS) - the party that manages access to a Resource on
>>>> behalf of the RO. For each Resource access request, the GS might request
>>>> the consent of the RO and produce a corresponding Authorization that is
>>>> given to the requesting Client.
>>>>
>>>> Consent - act of an RO approving the release of a Resource he owns to a
>>>> Client.
>>>>
>>>> Grant - material form of an RO Consent. In order not to interact with
>>>> the RO on each Resource access request, the GS might store the RO Consent
>>>> in the form of a Grant for reuse.
>>>>
>>>> Authorization - externalized form of a Grant as known to the GS and the
>>>> RS.
>>>>       - The GS converts a Grant into an Authorization for use in a
>>>> Resource access request.
>>>>       - The RS evaluates an Authorization to decide on whether or not
>>>> to release the Resource to the Client.
>>>>
>>>> Client - the party that provides the infrastructure used by a User to
>>>> access a Resource. The client infrastructure is designed to:
>>>>       - Receive the resource access request from the User,
>>>>       - Interact with the RS to discover authorization requirements,
>>>>       - Interact with the GS to obtain an Authorization to access the
>>>> Resource,
>>>>       - Interact with the RS to access the Resource on behalf of the
>>>> User.
>>>>
>>>> User - the party using the infrastructure of the Client to gain access
>>>> to a Resource.
>>>>
>>>> This dictionary is supposed to be the base for further discussions that
>>>> will allow us to provide each term with just enough description to reduce
>>>> ambiguities and misunderstandings in further exchanges. I intentionally
>>>> omitted the specification of the type and nature of each party (For example
>>>> Client / Registered Client / Dynamic Client). Such elaborations belong IMO
>>>> in proper subsections.
>>>>
>>>> Comments are welcome.
>>>>
>>>> Best regards.
>>>> --
>>>> Francis Pouatcha
>>>> Co-Founder and Technical Lead
>>>> adorsys GmbH & Co. KG
>>>> https://adorsys-platform.de/solutions/
>>>>
>>>
>>
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead
>> adorsys GmbH & Co. KG
>> https://adorsys-platform.de/solutions/
>>
>

-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/