IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Tom Jones <thomasclinganjones@gmail.com> Sat, 27 June 2020 20:45 UTC

Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AAD83A0795 for <txauth@ietfa.amsl.com>; Sat, 27 Jun 2020 13:45:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ndc3ini-ZqHX for <txauth@ietfa.amsl.com>; Sat, 27 Jun 2020 13:45:15 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A902C3A0778 for <txauth@ietf.org>; Sat, 27 Jun 2020 13:45:15 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id 18so11899574otv.6 for <txauth@ietf.org>; Sat, 27 Jun 2020 13:45:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UcJQvoMr9muj3LyO9viNQSUrEs0M58hclN/TLYj1ZwI=; b=VXQQCePReMgR+vGoeK6skE/1+I7kdyDsrYU53DFaYwq4WdQFYQizIGUmMzh2UPEVDu sIele0uaLBnqWzZbddtCddR9hUruWt/w9Ef+CUoXwOA7F5MoONYSc1D+f4VJ93Ci58QU 5Eg1U8UJuj96JF13EO4ArwmLLWrAT0vjMH4Q7c+Ei2xye0jsongcb4w016sT5rFTPi6c 0NY9qoH+aqKwEiDocCG0e4+PkyOFccwE4/xFar35ZnXctITDt6naMeAmFKgFvtua3zUc gHM44jHN2NnzRcv4l3VoRwsrWtgYtoxTggzzXM6aIBQWQesvEw5crjc6K1rktrq+JwMe F/GQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UcJQvoMr9muj3LyO9viNQSUrEs0M58hclN/TLYj1ZwI=; b=DaH4rnV4VAllKsykXSQXE3TbqjK0N5g7JJaVJMYswR2TtLSAVkQCaocnJoYgRK4PMv QmP9YRIZj1ghxZhMpnWZOT3BajlGARQu6p5RCiMYU117NWymANr9+3dk+bEAWjmYx+By NoeKsE6uoyMcXwGAuRwTGim0961GL8QPD9pu5uEAzE1ZSxtA7kB+fneFQEQ/PEixEsQg wqC09knioiJZDSU1QiMHpacwhkslxNJzVdJuBtVPzBH5Aokrl/3BKkfZpwpFoTlb1Qc6 M6NuZSoDaM1pCGgjLJKWptKtWMalhZW2YJzgWXHtDvy7XE1xMjG4zsJtbb19srS2kvxE 7btQ==
X-Gm-Message-State: AOAM531RlL95Xma8N1dlByYYEyYCTt1Obv8aSstOczvPYRID+KAXXPLk 5uEH2J0CZ4aYKiLEV26JA+OiPFmvsKeZLnRIwH4=
X-Google-Smtp-Source: ABdhPJxtKVGVUL7YIOuSwOpOmFGoMF0m3kq4uWM9Z0pV/pu/p6LPlo+x4SKkvp2pZjwLGZYfTlw9PwQrTWJ7DO39W7I=
X-Received: by 2002:a05:6830:4cd:: with SMTP id s13mr1922690otd.358.1593290714936; Sat, 27 Jun 2020 13:45:14 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu> <CAD9ie-ssrJSRgUjAzKRSV4Hzd30ge8Ovw4u14km1HidhQWAFMg@mail.gmail.com>
In-Reply-To: <CAD9ie-ssrJSRgUjAzKRSV4Hzd30ge8Ovw4u14km1HidhQWAFMg@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Sat, 27 Jun 2020 13:45:03 -0700
Message-ID: <CAK2Cwb7LimwyWE6iGdq-zBGZXakSZyjExtUGO_ot1eVXTU=-+A@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, Denis <denis.ietf@free.fr>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000016790a05a916e76b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/uoLROsVR3QkKZWXmxNEE-66tBzI>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2020 20:45:18 -0000

+1 - Right on Justin.
Peace ..tom


On Sat, Jun 27, 2020 at 1:15 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> +1 to 'We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting
> factor here.'
>
> Conversely, I worry about scope creep if we are forced to complicate the
> protocol to cover use cases that are only theoretical. (I'm not implying
> that any of the use cases discussed in this thread are in that category).
>
> /Dick
>
> On Sat, Jun 27, 2020 at 12:56 PM Justin Richer <jricher@mit.edu> wrote:
>
>> Removing the IESG as this is really a more internal-to-the-group
>> discussion, as it comes down to the scope of use cases that we want to
>> address here in GNAP.
>>
>> While it is definitely important to understand how and why OAuth 2 does
>> things, we do need to keep use cases like Denis’s in mind. It’s not unheard
>> of today for a single OAuth 2 RS to accept tokens from multiple AS’s. In
>> fact, we’ve even got cases with things like the Solid project where the RS
>> will take a token from :any: AS so long as it can verify that it’s approved
>> by the resource owner. While the Solid platform has its own special
>> layering in place to allow this, our model should not assume a closely-tied
>> connection between an RS and any single AS. The question of :how: we solve
>> that is, of course, up to the WG to figure out over time.
>>
>> Taking that even further, I think the idea of an AS that’s personal to
>> the user, to promote privacy and control, is a very good one. In fact, this
>> is one of the main selling points of UMA2 and its federated authorization
>> mechanisms. With GNAP, we might be able to deliver on this promise even
>> more than UMA has been able to, and it’s my hope that we can have a
>> cohesive protocol that allows both user-to-self and user-to-another
>> delegation sharing without needing to use different mechanisms.
>>
>> Additionally, the RS-first method is also something from the UMA2 work
>> that we should be working on, as it touches on AS discovery, AS/RS
>> communication, and a few other aspects of the protocol design. It’s not a
>> trivial problem by any stretch, and there are huge privacy and security
>> implications, but there’s both need for it and some good prior art to pull
>> from. In fact, XYZ’s whole notion of a “transaction handle” is an
>> adaptation of UMA2’s “permission ticket”. In UMA, this ticket is first
>> issued to the RS by the AS, and the RS then hands it to the client, which
>> starts the negotiation for access. I envision something very similar
>> happening here with GNAP, where a client can get something to bootstrap the
>> process at the AS. The important thing, to me, is that we don’t have to
>> jump through a bunch of weird hoops such that the AS-first and RS-first
>> cases look completely different, as they do in UMA2 and OAuth 2
>> respectively today. We’ve got the chance to have a clean and cohesive
>> protocol here, let’s not miss that opportunity.
>>
>> So in sum, the trust model of OAuth 2 is not sufficient to cover
>> everything, and the model that Denis is proposing is something we should at
>> least look at as a use case. Where Denis and I seem to disagree is whether
>> this trust model should be the :only: one that we address with the
>> protocol. I strongly believe, as I believe much of this group does, that we
>> can’t discount or ignore (or make things overly difficult for) the tightly
>> bound AS/RS combos, or any type of static setup where the RS offloads its
>> trust fully to the AS. But it’s my belief that we should be able to do so
>> without needlessly throwing out all of the OAuth 2 use cases.
>>
>> We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting factor
>> here. We need to understand the what and wherefore of things that OAuth 2
>> is bad at, otherwise we’re just going to re-invent OAuth 2 and inherit its
>> problems.
>>
>>  — Justin
>>
>> On Jun 26, 2020, at 1:39 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Denis, thanks for sharing your thoughts, some clarifications on your
>> statements inserted:
>>
>> On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr> wrote:
>> <snip>
>>
>>> *New proposed charter*
>>>
>>> <snip>
>>
>>>
>>> Resource servers inform their clients about which access token formats
>>> are acceptable and depending upon the king of operation
>>> that is requested, which kind of attributes are needed and from which
>>> ASs that my be obtained.
>>>
>>> While at times this may be appropriate, at other times disclosing the
>> attributes the RS requires is not needed by the client. For example, an
>> enterprise client accessing a resource does not need to know which groups a
>> user belongs to, but the RS may require that to determine if the user
>> running the client has access...
>>
>>>
>>> A major difference with OAuth 2.0 is that there is no bilateral trust
>>> relationship between an authorization server and a resource server:
>>> for a given category of attributes, a resource server may trust one or
>>> more authorization servers. Another major difference with OAuth 2.0.
>>> is that the content of an attributes token is meant to be accessible to
>>> the client.
>>>
>>> This is not how OAuth 2.0 works. See slides 7 and 8 from my original
>> IETF presentation on what became OAuth 2.0
>>
>> https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation
>>
>> The AS may not even know who the RS (or PR in the slides) is.
>>
>> <snip>
>>
>>>
>>> I got rid of the word "delegation": the client does not delegate
>>> anything to an authorization server. If it would, this would mean that the
>>> authorization server
>>> would be able to act as the client and could know everything that the
>>> client will do, which comes into contradiction with the user's privacy.
>>>
>>
>> The above is not true.
>>
>> The Resource Owner is delegating access control to the AS in
>> authorization use cases.
>>
>> The client is may be delegating user authentication to the AS in identity
>> claim use cases.
>>
>> The AS can act as the client in many OAuth deployments, as the access
>> token is a bearer token. That does not mean the AS knows what the client is
>> doing.
>>
>> /Dick
>>
>> ᐧ
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>>
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email