IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Dick Hardt <dick.hardt@gmail.com> Mon, 29 June 2020 02:32 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB66C3A00C9 for <txauth@ietfa.amsl.com>; Sun, 28 Jun 2020 19:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSCXpDLYPagd for <txauth@ietfa.amsl.com>; Sun, 28 Jun 2020 19:32:57 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FB4B3A00C4 for <txauth@ietf.org>; Sun, 28 Jun 2020 19:32:57 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id 9so16283736ljc.8 for <txauth@ietf.org>; Sun, 28 Jun 2020 19:32:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=odPHMvqmuX65ci95sUsG69TwIdfIYigtt1qV5wz9gzk=; b=UtUTcnsRbRgY2hkpCbFdyVGx/sbFD2buVIej/V4H6HUAOv8dqoBR2yOqceRNl8hRgO 91F10ZDHUEDXjjqtoiT6cvt/SdHbXSJq+nG3vKA6cA+XiZ63BQuiPXz2Hx5rBXZAdN5i DJ+QsBlpOqIXPa/sgLKjkTKWhsYX/qzhlVoJ/0+btmOCYYy1d0hjezhKJumQtHj562ZN TbLW/0m37evLSEgYqcGwIvcTk0mKQy3J+MQ/qCzpiObUIUQ6HBTgatxHltPwaSkkQHKK FEPKS7Q0ZU1Hy/C7Ry6gBxfjlwDLEfdUk8zOhbAxR8tLaA8DpXx6lJS98ggLfKTVaBLy zy+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=odPHMvqmuX65ci95sUsG69TwIdfIYigtt1qV5wz9gzk=; b=gAR6ann0epkndp5ibMwIUIATJ0YLDx/HBqwXzwTUWuyoYoyReS+ZMVIxJgUFz0qelr yul+dQH5GaUHn3pf/ooZ68OTo0kt74pVO62wSiAbo4bhl9Kp9dVMmpitzmiDRiBunwCT vld2GpXV8//+HhNyytTeesfvNRv3ABGoxvcariBUwHUG0ZgYaw11JPigemuJM7RvBw58 5wAPeO9xodFWS9deUAB0TS+KPIkgyelQPY2f3x3ilfWJDT/Mq3+l6YthdSIX1VAW18zW HtWbJ2ms/t+FK3IUAPF0WHCK7LEbgGNRbT96Lj2s8nDCn0/wJFRsUULTG9PR6XyCIbvw n/5Q==
X-Gm-Message-State: AOAM5324aHh2fqvt94aAthauRXXTADGKyPYjWfZJDF3sn8vNlb5jw8it n7dSK2uERuu5yz63qaD9WPtOBmzjQdVFD2D9WcI=
X-Google-Smtp-Source: ABdhPJwWiUrqkw6NjvIgMpCkAgQShec1GkC6VExGx5zqZNscetquM43JIkxkUJ5NSno8MdimQvTZ4NNgJDaxLu9Y/DI=
X-Received: by 2002:a2e:7f10:: with SMTP id a16mr7196862ljd.69.1593397974917; Sun, 28 Jun 2020 19:32:54 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu> <CAD9ie-ssrJSRgUjAzKRSV4Hzd30ge8Ovw4u14km1HidhQWAFMg@mail.gmail.com> <CAK2Cwb7LimwyWE6iGdq-zBGZXakSZyjExtUGO_ot1eVXTU=-+A@mail.gmail.com> <6A9D6B5D-EA90-4DB4-84A5-8C5AE9AF051B@mit.edu>
In-Reply-To: <6A9D6B5D-EA90-4DB4-84A5-8C5AE9AF051B@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 28 Jun 2020 19:32:18 -0700
Message-ID: <CAD9ie-ukKocP7o+J2=gg8Li5bRdLp0-=177S45htkTcxVn5a3w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Tom Jones <thomasclinganjones@gmail.com>, Denis <denis.ietf@free.fr>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000047e7a305a92fe0cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/tlnExvmoaTq_rXL8vPdMSwG200o>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 02:33:00 -0000

In case it was not clear from my email, I was not dismissing anybody's work
as "theoretical".

On Sun, Jun 28, 2020 at 10:50 AM Justin Richer <jricher@mit.edu> wrote:

> I’m also worried about feature creep, but it’s something that the group
> can guard against in very practical ways. It’s dangerous to dismiss someone
> else’s work as “only theoretical”, especially because GNAP is going to draw
> from a different sent of circumstances that are going to be outside the
> experience of the core OAuth community, and that’s a really good thing.
>
> But I believe that we can apply a set of sensible criteria to things:
>
>  - Is there an implementation (even a proof of concept)? Running code
> makes bad assumptions come out in sharp relief, and we need to test these
> assumptions constantly. But also keep in mind that running code can be
> changed.
>  - Is there an existing, perhaps more convoluted, solution out there?
> Pulling disparate systems under a common structure should be a way of
> working here. But this only works if it can come “in common” and we aren’t
> stretching the abstractions so much that they’re meaningless.
>  - Does it fit in the GNAP model along with other work? This might mean we
> have to adjust the model, but such adjustments shouldn’t be at the expense
> of all other use cases. Sometimes, things don’t fit, and that’s ok.
>
> Cohesiveness of the GNAP solution will come from applying good engineering
> and questioning assumptions about our existing and proposed solutions. It’s
> important that we know the :why: of things and not just the :what:. The
> last thing I think we want is a protocol that is actually a bunch of
> completely different protocols with switched behavior. This is one of the
> biggest complaints that I see about OAuth 2’s “framework” approach and I
> think we have an opportunity to do much better here *if we get the model
> right*. That’s going to take time and effort, but I believe it’s
> possible, and I look forward to building that with everyone here.
>
> Right now, our best focus is going to be use cases — what do people want
> to :do: with GNAP — and what those use cases say about our model and
> assumptions going in to the solution space. There are a number of valuable
> points in both Tom and Denis’s discussion below. Some of it fits, some of
> it doesn’t. Some of it might be better for an extension. Some of it might
> be counter to what we’re after.
>
> Discussing all of that is why we’re all in a standards working group and
> not just building a commercial product.
>
>  — Justin
>
> On Jun 27, 2020, at 4:45 PM, Tom Jones <thomasclinganjones@gmail.com>
> wrote:
>
> +1 - Right on Justin.
> Peace ..tom
>
>
> On Sat, Jun 27, 2020 at 1:15 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> +1 to 'We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting
>> factor here.'
>>
>> Conversely, I worry about scope creep if we are forced to complicate the
>> protocol to cover use cases that are only theoretical. (I'm not implying
>> that any of the use cases discussed in this thread are in that category).
>>
>> /Dick
>>
>> On Sat, Jun 27, 2020 at 12:56 PM Justin Richer <jricher@mit.edu> wrote:
>>
>>> Removing the IESG as this is really a more internal-to-the-group
>>> discussion, as it comes down to the scope of use cases that we want to
>>> address here in GNAP.
>>>
>>> While it is definitely important to understand how and why OAuth 2 does
>>> things, we do need to keep use cases like Denis’s in mind. It’s not unheard
>>> of today for a single OAuth 2 RS to accept tokens from multiple AS’s. In
>>> fact, we’ve even got cases with things like the Solid project where the RS
>>> will take a token from :any: AS so long as it can verify that it’s approved
>>> by the resource owner. While the Solid platform has its own special
>>> layering in place to allow this, our model should not assume a closely-tied
>>> connection between an RS and any single AS. The question of :how: we solve
>>> that is, of course, up to the WG to figure out over time.
>>>
>>> Taking that even further, I think the idea of an AS that’s personal to
>>> the user, to promote privacy and control, is a very good one. In fact, this
>>> is one of the main selling points of UMA2 and its federated authorization
>>> mechanisms. With GNAP, we might be able to deliver on this promise even
>>> more than UMA has been able to, and it’s my hope that we can have a
>>> cohesive protocol that allows both user-to-self and user-to-another
>>> delegation sharing without needing to use different mechanisms.
>>>
>>> Additionally, the RS-first method is also something from the UMA2 work
>>> that we should be working on, as it touches on AS discovery, AS/RS
>>> communication, and a few other aspects of the protocol design. It’s not a
>>> trivial problem by any stretch, and there are huge privacy and security
>>> implications, but there’s both need for it and some good prior art to pull
>>> from. In fact, XYZ’s whole notion of a “transaction handle” is an
>>> adaptation of UMA2’s “permission ticket”. In UMA, this ticket is first
>>> issued to the RS by the AS, and the RS then hands it to the client, which
>>> starts the negotiation for access. I envision something very similar
>>> happening here with GNAP, where a client can get something to bootstrap the
>>> process at the AS. The important thing, to me, is that we don’t have to
>>> jump through a bunch of weird hoops such that the AS-first and RS-first
>>> cases look completely different, as they do in UMA2 and OAuth 2
>>> respectively today. We’ve got the chance to have a clean and cohesive
>>> protocol here, let’s not miss that opportunity.
>>>
>>> So in sum, the trust model of OAuth 2 is not sufficient to cover
>>> everything, and the model that Denis is proposing is something we should at
>>> least look at as a use case. Where Denis and I seem to disagree is whether
>>> this trust model should be the :only: one that we address with the
>>> protocol. I strongly believe, as I believe much of this group does, that we
>>> can’t discount or ignore (or make things overly difficult for) the tightly
>>> bound AS/RS combos, or any type of static setup where the RS offloads its
>>> trust fully to the AS. But it’s my belief that we should be able to do so
>>> without needlessly throwing out all of the OAuth 2 use cases.
>>>
>>> We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting factor
>>> here. We need to understand the what and wherefore of things that OAuth 2
>>> is bad at, otherwise we’re just going to re-invent OAuth 2 and inherit its
>>> problems.
>>>
>>>  — Justin
>>>
>>> On Jun 26, 2020, at 1:39 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> Denis, thanks for sharing your thoughts, some clarifications on your
>>> statements inserted:
>>>
>>> On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr> wrote:
>>> <snip>
>>>
>>>> *New proposed charter*
>>>>
>>>> <snip>
>>>
>>>>
>>>> Resource servers inform their clients about which access token formats
>>>> are acceptable and depending upon the king of operation
>>>> that is requested, which kind of attributes are needed and from which
>>>> ASs that my be obtained.
>>>>
>>>> While at times this may be appropriate, at other times disclosing the
>>> attributes the RS requires is not needed by the client. For example, an
>>> enterprise client accessing a resource does not need to know which groups a
>>> user belongs to, but the RS may require that to determine if the user
>>> running the client has access...
>>>
>>>>
>>>> A major difference with OAuth 2.0 is that there is no bilateral trust
>>>> relationship between an authorization server and a resource server:
>>>> for a given category of attributes, a resource server may trust one or
>>>> more authorization servers. Another major difference with OAuth 2.0.
>>>> is that the content of an attributes token is meant to be accessible to
>>>> the client.
>>>>
>>>> This is not how OAuth 2.0 works. See slides 7 and 8 from my original
>>> IETF presentation on what became OAuth 2.0
>>>
>>> https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation
>>>
>>> The AS may not even know who the RS (or PR in the slides) is.
>>>
>>> <snip>
>>>
>>>>
>>>> I got rid of the word "delegation": the client does not delegate
>>>> anything to an authorization server. If it would, this would mean that the
>>>> authorization server
>>>> would be able to act as the client and could know everything that the
>>>> client will do, which comes into contradiction with the user's privacy.
>>>>
>>>
>>> The above is not true.
>>>
>>> The Resource Owner is delegating access control to the AS in
>>> authorization use cases.
>>>
>>> The client is may be delegating user authentication to the AS in
>>> identity claim use cases.
>>>
>>> The AS can act as the client in many OAuth deployments, as the access
>>> token is a bearer token. That does not mean the AS knows what the client is
>>> doing.
>>>
>>> /Dick
>>>
>>> ᐧ
>>> --
>>> Txauth mailing list
>>> Txauth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>>
>>> --
>>> Txauth mailing list
>>> Txauth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>
>

v2.23.0 | Report a Bug | By Email