Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
Dick Hardt <dick.hardt@gmail.com> Mon, 29 June 2020 02:32 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB66C3A00C9 for <txauth@ietfa.amsl.com>; Sun, 28 Jun 2020 19:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSCXpDLYPagd for <txauth@ietfa.amsl.com>; Sun, 28 Jun 2020 19:32:57 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FB4B3A00C4 for <txauth@ietf.org>; Sun, 28 Jun 2020 19:32:57 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id 9so16283736ljc.8 for <txauth@ietf.org>; Sun, 28 Jun 2020 19:32:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=odPHMvqmuX65ci95sUsG69TwIdfIYigtt1qV5wz9gzk=; b=UtUTcnsRbRgY2hkpCbFdyVGx/sbFD2buVIej/V4H6HUAOv8dqoBR2yOqceRNl8hRgO 91F10ZDHUEDXjjqtoiT6cvt/SdHbXSJq+nG3vKA6cA+XiZ63BQuiPXz2Hx5rBXZAdN5i DJ+QsBlpOqIXPa/sgLKjkTKWhsYX/qzhlVoJ/0+btmOCYYy1d0hjezhKJumQtHj562ZN TbLW/0m37evLSEgYqcGwIvcTk0mKQy3J+MQ/qCzpiObUIUQ6HBTgatxHltPwaSkkQHKK FEPKS7Q0ZU1Hy/C7Ry6gBxfjlwDLEfdUk8zOhbAxR8tLaA8DpXx6lJS98ggLfKTVaBLy zy+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=odPHMvqmuX65ci95sUsG69TwIdfIYigtt1qV5wz9gzk=; b=gAR6ann0epkndp5ibMwIUIATJ0YLDx/HBqwXzwTUWuyoYoyReS+ZMVIxJgUFz0qelr yul+dQH5GaUHn3pf/ooZ68OTo0kt74pVO62wSiAbo4bhl9Kp9dVMmpitzmiDRiBunwCT vld2GpXV8//+HhNyytTeesfvNRv3ABGoxvcariBUwHUG0ZgYaw11JPigemuJM7RvBw58 5wAPeO9xodFWS9deUAB0TS+KPIkgyelQPY2f3x3ilfWJDT/Mq3+l6YthdSIX1VAW18zW HtWbJ2ms/t+FK3IUAPF0WHCK7LEbgGNRbT96Lj2s8nDCn0/wJFRsUULTG9PR6XyCIbvw n/5Q==
X-Gm-Message-State: AOAM5324aHh2fqvt94aAthauRXXTADGKyPYjWfZJDF3sn8vNlb5jw8it n7dSK2uERuu5yz63qaD9WPtOBmzjQdVFD2D9WcI=
X-Google-Smtp-Source: ABdhPJwWiUrqkw6NjvIgMpCkAgQShec1GkC6VExGx5zqZNscetquM43JIkxkUJ5NSno8MdimQvTZ4NNgJDaxLu9Y/DI=
X-Received: by 2002:a2e:7f10:: with SMTP id a16mr7196862ljd.69.1593397974917; Sun, 28 Jun 2020 19:32:54 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu> <CAD9ie-ssrJSRgUjAzKRSV4Hzd30ge8Ovw4u14km1HidhQWAFMg@mail.gmail.com> <CAK2Cwb7LimwyWE6iGdq-zBGZXakSZyjExtUGO_ot1eVXTU=-+A@mail.gmail.com> <6A9D6B5D-EA90-4DB4-84A5-8C5AE9AF051B@mit.edu>
In-Reply-To: <6A9D6B5D-EA90-4DB4-84A5-8C5AE9AF051B@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 28 Jun 2020 19:32:18 -0700
Message-ID: <CAD9ie-ukKocP7o+J2=gg8Li5bRdLp0-=177S45htkTcxVn5a3w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Tom Jones <thomasclinganjones@gmail.com>, Denis <denis.ietf@free.fr>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000047e7a305a92fe0cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/tlnExvmoaTq_rXL8vPdMSwG200o>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 02:33:00 -0000
In case it was not clear from my email, I was not dismissing anybody's work as "theoretical". On Sun, Jun 28, 2020 at 10:50 AM Justin Richer <jricher@mit.edu> wrote: > I’m also worried about feature creep, but it’s something that the group > can guard against in very practical ways. It’s dangerous to dismiss someone > else’s work as “only theoretical”, especially because GNAP is going to draw > from a different sent of circumstances that are going to be outside the > experience of the core OAuth community, and that’s a really good thing. > > But I believe that we can apply a set of sensible criteria to things: > > - Is there an implementation (even a proof of concept)? Running code > makes bad assumptions come out in sharp relief, and we need to test these > assumptions constantly. But also keep in mind that running code can be > changed. > - Is there an existing, perhaps more convoluted, solution out there? > Pulling disparate systems under a common structure should be a way of > working here. But this only works if it can come “in common” and we aren’t > stretching the abstractions so much that they’re meaningless. > - Does it fit in the GNAP model along with other work? This might mean we > have to adjust the model, but such adjustments shouldn’t be at the expense > of all other use cases. Sometimes, things don’t fit, and that’s ok. > > Cohesiveness of the GNAP solution will come from applying good engineering > and questioning assumptions about our existing and proposed solutions. It’s > important that we know the :why: of things and not just the :what:. The > last thing I think we want is a protocol that is actually a bunch of > completely different protocols with switched behavior. This is one of the > biggest complaints that I see about OAuth 2’s “framework” approach and I > think we have an opportunity to do much better here *if we get the model > right*. That’s going to take time and effort, but I believe it’s > possible, and I look forward to building that with everyone here. > > Right now, our best focus is going to be use cases — what do people want > to :do: with GNAP — and what those use cases say about our model and > assumptions going in to the solution space. There are a number of valuable > points in both Tom and Denis’s discussion below. Some of it fits, some of > it doesn’t. Some of it might be better for an extension. Some of it might > be counter to what we’re after. > > Discussing all of that is why we’re all in a standards working group and > not just building a commercial product. > > — Justin > > On Jun 27, 2020, at 4:45 PM, Tom Jones <thomasclinganjones@gmail.com> > wrote: > > +1 - Right on Justin. > Peace ..tom > > > On Sat, Jun 27, 2020 at 1:15 PM Dick Hardt <dick.hardt@gmail.com> wrote: > >> +1 to 'We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting >> factor here.' >> >> Conversely, I worry about scope creep if we are forced to complicate the >> protocol to cover use cases that are only theoretical. (I'm not implying >> that any of the use cases discussed in this thread are in that category). >> >> /Dick >> >> On Sat, Jun 27, 2020 at 12:56 PM Justin Richer <jricher@mit.edu> wrote: >> >>> Removing the IESG as this is really a more internal-to-the-group >>> discussion, as it comes down to the scope of use cases that we want to >>> address here in GNAP. >>> >>> While it is definitely important to understand how and why OAuth 2 does >>> things, we do need to keep use cases like Denis’s in mind. It’s not unheard >>> of today for a single OAuth 2 RS to accept tokens from multiple AS’s. In >>> fact, we’ve even got cases with things like the Solid project where the RS >>> will take a token from :any: AS so long as it can verify that it’s approved >>> by the resource owner. While the Solid platform has its own special >>> layering in place to allow this, our model should not assume a closely-tied >>> connection between an RS and any single AS. The question of :how: we solve >>> that is, of course, up to the WG to figure out over time. >>> >>> Taking that even further, I think the idea of an AS that’s personal to >>> the user, to promote privacy and control, is a very good one. In fact, this >>> is one of the main selling points of UMA2 and its federated authorization >>> mechanisms. With GNAP, we might be able to deliver on this promise even >>> more than UMA has been able to, and it’s my hope that we can have a >>> cohesive protocol that allows both user-to-self and user-to-another >>> delegation sharing without needing to use different mechanisms. >>> >>> Additionally, the RS-first method is also something from the UMA2 work >>> that we should be working on, as it touches on AS discovery, AS/RS >>> communication, and a few other aspects of the protocol design. It’s not a >>> trivial problem by any stretch, and there are huge privacy and security >>> implications, but there’s both need for it and some good prior art to pull >>> from. In fact, XYZ’s whole notion of a “transaction handle” is an >>> adaptation of UMA2’s “permission ticket”. In UMA, this ticket is first >>> issued to the RS by the AS, and the RS then hands it to the client, which >>> starts the negotiation for access. I envision something very similar >>> happening here with GNAP, where a client can get something to bootstrap the >>> process at the AS. The important thing, to me, is that we don’t have to >>> jump through a bunch of weird hoops such that the AS-first and RS-first >>> cases look completely different, as they do in UMA2 and OAuth 2 >>> respectively today. We’ve got the chance to have a clean and cohesive >>> protocol here, let’s not miss that opportunity. >>> >>> So in sum, the trust model of OAuth 2 is not sufficient to cover >>> everything, and the model that Denis is proposing is something we should at >>> least look at as a use case. Where Denis and I seem to disagree is whether >>> this trust model should be the :only: one that we address with the >>> protocol. I strongly believe, as I believe much of this group does, that we >>> can’t discount or ignore (or make things overly difficult for) the tightly >>> bound AS/RS combos, or any type of static setup where the RS offloads its >>> trust fully to the AS. But it’s my belief that we should be able to do so >>> without needlessly throwing out all of the OAuth 2 use cases. >>> >>> We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting factor >>> here. We need to understand the what and wherefore of things that OAuth 2 >>> is bad at, otherwise we’re just going to re-invent OAuth 2 and inherit its >>> problems. >>> >>> — Justin >>> >>> On Jun 26, 2020, at 1:39 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >>> >>> Denis, thanks for sharing your thoughts, some clarifications on your >>> statements inserted: >>> >>> On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr> wrote: >>> <snip> >>> >>>> *New proposed charter* >>>> >>>> <snip> >>> >>>> >>>> Resource servers inform their clients about which access token formats >>>> are acceptable and depending upon the king of operation >>>> that is requested, which kind of attributes are needed and from which >>>> ASs that my be obtained. >>>> >>>> While at times this may be appropriate, at other times disclosing the >>> attributes the RS requires is not needed by the client. For example, an >>> enterprise client accessing a resource does not need to know which groups a >>> user belongs to, but the RS may require that to determine if the user >>> running the client has access... >>> >>>> >>>> A major difference with OAuth 2.0 is that there is no bilateral trust >>>> relationship between an authorization server and a resource server: >>>> for a given category of attributes, a resource server may trust one or >>>> more authorization servers. Another major difference with OAuth 2.0. >>>> is that the content of an attributes token is meant to be accessible to >>>> the client. >>>> >>>> This is not how OAuth 2.0 works. See slides 7 and 8 from my original >>> IETF presentation on what became OAuth 2.0 >>> >>> https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation >>> >>> The AS may not even know who the RS (or PR in the slides) is. >>> >>> <snip> >>> >>>> >>>> I got rid of the word "delegation": the client does not delegate >>>> anything to an authorization server. If it would, this would mean that the >>>> authorization server >>>> would be able to act as the client and could know everything that the >>>> client will do, which comes into contradiction with the user's privacy. >>>> >>> >>> The above is not true. >>> >>> The Resource Owner is delegating access control to the AS in >>> authorization use cases. >>> >>> The client is may be delegating user authentication to the AS in >>> identity claim use cases. >>> >>> The AS can act as the client in many OAuth deployments, as the access >>> token is a bearer token. That does not mean the AS knows what the client is >>> doing. >>> >>> /Dick >>> >>> ᐧ >>> -- >>> Txauth mailing list >>> Txauth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >>> >>> -- >>> Txauth mailing list >>> Txauth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >> -- >> Txauth mailing list >> Txauth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> > >
- [Txauth] WG Review: Grant Negotiation and Authori… The IESG
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Mike Varley
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer