[GNAP] GNAP RS-AS interaction questions

Erin Shepherd <erin.shepherd@e43.eu> Wed, 04 December 2024 18:50 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/trDmZ9XsW4nqRjiL2vgrQc0hkO8>

Hi,

I’ve been looking at implementing GNAP with some interest (on the whole I find it a very readable and straightforward specification!) but I’ve spotted a few areas of difficulty:

1. The GNAP-RS spec says, in the introspection response

  iss (string): REQUIRED. Grant endpoint URL of the AS that issued this token.

This seems a little limiting? Let’s say I have an existing OAuth IDP that I’m adding GNAP support to; it seems that the spec basically requires that a GNAP RS will see different sub+iss values from an OAuth RS?


2. The GNAP-RS spec lists five different token formats that an AS can declare support for but provides no information regarding the contents or validation of those tokens. It seems like the only way (within the written text of the specification) to validate a token would be to submit it to the introspection endpoint, which seems like it rather defeats the purpose of knowing the format.

I would have liked to see some guidance on

* How to locate the AS’ token signing keys for "jwt-signed" access tokens
* How to agree encryption keys for "jwt-encrypted" access tokens
* Required JWT claims & claim values
* Similar for the other formats (with which I have less experience)

i.e. something along the lines of RFC 9068 I guess (that could perhaps even have been referenced directly, with minor differences?)

3. As far as I can tell, there’s no way for the AS to return subject information to the RS beyond the fixed set of introspection response values?

I would have expected something similar to the Subject Information defined in GNAP s3.4 to be returned (or requestable)

4. It's unfortunate that the discovery URI was not defined to work by splicing /.well-known/gnap-as-rs into the start of the path segment in the same way as OAuth Authorisation Server Metadata is. Oh well, such is life, it would appear.

- Erin
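The RS-side checks that point 2 asks for, written out as an added example (not part of the message or of any GNAP draft): RFC 9068 validation of a "jwt-signed" access token, covering the `at+jwt` type, the required claims, issuer, audience and expiry. The HS256 shared key, the issuer URL and the RS identifier are constructed stand-ins so it runs offline; a real AS signs with an asymmetric key the RS must be able to locate, which is exactly the gap the message describes.

```python
import base64, hmac, hashlib, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# RFC 9068 section 2.2: claims a JWT access token MUST carry.
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")

def validate_at_jwt(token, key, expected_iss, rs_audience, now=None):
    """Return the claims if the token is acceptable for this RS, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    h_b64, p_b64, sig_b64 = parts
    # 1. Verify the signature before trusting anything in header or payload.
    #    HS256 with a shared key is a constructed stand-in for the AS's real key.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h_b64))
    # 2. typ MUST be "at+jwt" so an ID token cannot be replayed as an access token.
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        raise ValueError("unexpected typ or alg")
    claims = json.loads(_b64url_decode(p_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    # 3. Issuer must be exactly the AS this RS was configured to trust.
    if claims["iss"] != expected_iss:
        raise ValueError("untrusted issuer")
    # 4. aud is a string or a list; this RS must be named in it.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if rs_audience not in aud:
        raise ValueError("token not intended for this RS")
    # 5. Expiry check (no skew allowance, to keep the rule explicit).
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def mint_at_jwt(claims, key):
    """Test-only minting helper so the example runs offline (an AS would use its private key)."""
    header = _b64url_encode(json.dumps({"typ": "at+jwt", "alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```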