Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
Fabien Imbault <fabien.imbault@gmail.com> Fri, 05 February 2021 11:19 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 421663A0C7C for <txauth@ietfa.amsl.com>; Fri, 5 Feb 2021 03:19:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNtnLsffEXNE for <txauth@ietfa.amsl.com>; Fri, 5 Feb 2021 03:19:43 -0800 (PST)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F37AB3A0C7A for <txauth@ietf.org>; Fri, 5 Feb 2021 03:19:42 -0800 (PST)
Received: by mail-io1-xd33.google.com with SMTP id s24so6652658iob.6 for <txauth@ietf.org>; Fri, 05 Feb 2021 03:19:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VKcpYe2izGNMR0C/bRtAhJDeNHMXbFtp+qOT/Xm2dz0=; b=rWbXTLZ2sLVexfv6hqCczgmrp/d2WzqBmIU6/bexPvp/DNz/glbkrK1l+9GaQgt+H+ sNmrJ/kUbJ9dq2oQdBCoFQNzYjesxNJiQsWsu+xM5HDXaJSgmiLnfBX9oTKsFqyqykdV OF7Bnd1KyHUOxH5zIPCPgOOKcipjZvX+PKv4Vlg+ild5zlMvy7qH8nQbaTCa+s4QpOx0 zMTbO1ip+wo9snlvZ7LQ7Z5tDdcLHbk5RDMXUuAioj9jpH/5Z8zA8pxlyakLelfffYpU P+9NN5byxz2w7R1iOYVZfbvJLILD9WSWjq/gZJRcfN58/Gw3nYAqo586KIRef8MFjB11 iqvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VKcpYe2izGNMR0C/bRtAhJDeNHMXbFtp+qOT/Xm2dz0=; b=BXDDn7BV7alcgldzmFvbnvwv7EfmzEy1pF8FXRTm3X9TtsWBTi/+zuZNy31y8a4ujs JDHLelezNkPsZ6/K+fyTeSAT/a3DeO+uk/5qjC8RTZ9H/R61O/eCJQAkZiLqlH66rDMg rLzQUwRgP8XnemB52zT1sjJdp7zghgKTXdH414YHat2x1Ine94di5sr5lnAf5xhttc/K mdHTWm4tFE9zq9KOQkWoNwByrg4pz9XPtWaC8fvOvs7pPY2AQQ7NGm01mZT/NwFbDJ3U V5p9YhYzFGVgnfzNeDdvhftbsoBV0wArNuu1iNTwC1VTpgT+ER9XyMPk2CJMYQ1LpTpK YQ+g==
X-Gm-Message-State: AOAM532bDhjHiH0y/wAWv7jaHk8W6t/DbThqZWHY5VpNILIL87sy+K1I MY6sZ/O7lVMoum4FqVKVu5XqNrRegAI2ogoeiuc=
X-Google-Smtp-Source: ABdhPJxiIiFnqE/jIk4kW9Sb64BdBxe8pMk+QGx3ggsqJ61vrwHACoZqHp7+UbEUZxnSD2ofc8yoJ4TohFxbTopN/3Q=
X-Received: by 2002:a6b:510d:: with SMTP id f13mr3386829iob.141.1612523982133; Fri, 05 Feb 2021 03:19:42 -0800 (PST)
MIME-Version: 1.0
References: <160433257633.23038.15047041472414640530@ietfa.amsl.com> <AB11DC08-C6ED-4045-A8F5-872AD263035D@mit.edu> <FR2P281MB01063C2EA739E892B549611D8D110@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com> <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <5b8ac79b-0c0e-18e9-9f80-b5d79e9ae59b@free.fr> <CAM8feuQ346w9EL=-qpJRmMOO_YUp_14gShxcro+pVxnfXTvkzw@mail.gmail.com> <5E214281-2974-4632-AB74-4E068B7EE66B@mit.edu> <CAK2Cwb5ACMxjiph796Lq1U3FZ6Tm_2TCmsKTJZn8Fgc0rzEgZQ@mail.gmail.com> <CAD9ie-vDS9-Cc=cVRc_SDg7z6KxMqySdcfv3ZPSjAzHorZP7UQ@mail.gmail.com> <CAK2Cwb66asqy1MCtW7KNHyW5=H23fWATBds2aKC3Xi88V34=Rw@mail.gmail.com> <CAD9ie-sGRFQMj81g4oWAS=CgHOe5ReDrAXeVzqvW9UL0W0P-Qw@mail.gmail.com> <FR2P281MB0106FEBFFB997265C8A9EF878DE10@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQiBij5Be2p3he0HwWfC+WaDRVQ6HqEKoq+FfqYJVGNXA@mail.gmail.com> <FR2P281MB0106245AD7828040C4BF0F7E8DE10@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQc8Thohftk_=ohNByTvZtxRukdQ3xCzMP3K7zdZBO6Lg@mail.gmail.com> <CAM8feuRU-MKuta6fejsLsYXRhpWwfKqZ6D8VaVvkFhbo+sH9pw@mail.gmail.com> <CAK2Cwb4MrJoRc-oohQdAag_rNdecC75xEG1W1JDOLp6me8-KCw@mail.gmail.com> <CAM8feuT6EsJ+jAQ59CKbgkQ9akBLY2aEkLR4Ng_SN8rS_JHHqA@mail.gmail.com> <28180624-08AA-4659-BB22-5D86034E6F51@mit.edu> <CAM8feuQyXv8FtQkZkKgLrJZ6s7J6QvbzXEz1tgctUQmKs9NYeQ@mail.gmail.com> <CAK2Cwb4CFaePZjqmF6xmvrKcPiDCkW3Sahchiy0MP33zTYZOpg@mail.gmail.com> <77D1AE7B-076F-4095-8FAA-7C35D74614BD@mit.edu> <CAK2Cwb6hRPke4gP4Uj_4yr1zxH5WUrJPX7339QnBt=_xcSJhWA@mail.gmail.com> <C3424D2A-73A1-4665-BEBB-AAE4563EF95A@mit.edu> <CAK2Cwb5JM0=xRv447Spvsg8stuzg_hwEQL5dwpoS0MnCknzePw@mail.gmail.com> <CAM8feuQWEgtRzS=9MLq9JpfoLTPcAGEL+TPwDspVqdV7ZxqBzg@mail.gmail.com> <CAK2Cwb55cGXnr6N9D_HuXPsFTU=+ECU_-xCMW-SPZ-aMDB0ksg@mail.gmail.com> <DBA97062-A49B-4DE4-9703-9363166F22ED@mit.edu> <CAK2Cwb67nceatJudcL4kB1BRe4xFX-uhomm7mZoviGqVmfisRw@mail.gmail.com>
In-Reply-To: <CAK2Cwb67nceatJudcL4kB1BRe4xFX-uhomm7mZoviGqVmfisRw@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 05 Feb 2021 12:19:27 +0100
Message-ID: <CAM8feuQEsrj=x9uDi8emNfHEtNqEjeRY0OAQU6VGBay2pCF3YQ@mail.gmail.com>
To: Tom Jones <thomasclinganjones@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000259e6305ba94ffdd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/vrwcNzwTK8oppFLNb4qkw3pYIbE>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2021 11:19:47 -0000
Hi Tom, Thanks, your responses made it clearer for me what you expect from an AS deployed on a mobile. I think we're on the right path to meet the rest of your concerns. There are already a few items on these: - privacy preserving techniques have been discussed and are likely to be included (I think). It's been recognized as a core concern - not exactly sure the meaning you give to discovery here (it's already been used in the WG but with a different meaning I believe). The request or the continuation api provide entry points to pay attention to. Is that enough for your use case ? Do you need something else ? (like SSE?) Cheers Fabien Le jeu. 4 févr. 2021 à 22:10, Tom Jones <thomasclinganjones@gmail.com> a écrit : > discovery is the prime problem. What causes the wallet/AS to wake up and > pay attention. How does the RP know what to ask for without violating user > privacy rights? > > CHAPI would be ok i guess, but that requires cred man to be fixed. Not > sure if it fixes discovery or privacy even then. > > Be the change you want to see in the world ..tom > > > On Thu, Feb 4, 2021 at 12:45 PM Justin Richer <jricher@mit.edu> wrote: > >> Tom, what additional functionality do you see that a browser would need >> to support in order for GNAP to be adopted? For the elements of the core >> protocol today, nothing is needed to change within the browsers — >> everything is built on existing functions. GNAP uses browsers as a tool, >> and I would argue depends on them even less so than OAuth 2 does. >> Extensions could use browser functionality, like using CHAPI to pass >> interaction elements, but the core protocol functions on vanilla browsers >> today. >> >> — Justin >> >> On Feb 4, 2021, at 3:20 PM, Tom Jones <thomasclinganjones@gmail.com> >> wrote: >> >> i assumed that the wallet (aka AS) needed to be a native app, not a PWA >> (which can come from a traditional web server). >> There are folks, lke Kim C, who are working on a PWA, but i agree the >> blocks there seem to be large. >> THe blocks on a native app are simple, easy to describe, and easy to ask >> the browser guys to fix. Not sure if they care tho. >> I have trouble seeing a path to GNAP adoption for retail customers w/o >> some browser support. >> That's why i am mostly silent here. >> >> Be the change you want to see in the world ..tom >> >> >> On Thu, Feb 4, 2021 at 11:43 AM Fabien Imbault <fabien.imbault@gmail.com> >> wrote: >> >>> Fair enough. But loopback limits a lot what you can do... Just for debug >>> it's a pain. >>> But as soon as you try more, it's a bit crazy. Fun to test ipv6 (luckily >>> supported by my ISP) and ddns. But it feels really hacky. >>> Also deployment is a pain, compared to a traditional webserver. >>> >>> Le jeu. 4 févr. 2021 à 20:20, Tom Jones <thomasclinganjones@gmail.com> >>> a écrit : >>> >>>> doesn't work very well on windows uwp. works fine on smartphones >>>> Be the change you want to see in the world ..tom >>>> >>>> >>>> On Thu, Feb 4, 2021 at 11:18 AM Justin Richer <jricher@mit.edu> wrote: >>>> >>>>> OK, thanks — in that case, there are no changes at all to GNAP, which >>>>> is already HTTP driven. The harder parts tend to be where you can’t (or >>>>> don’t want to) use something like that. >>>>> >>>>> — Justin >>>>> >>>>> On Feb 4, 2021, at 2:16 PM, Tom Jones <thomasclinganjones@gmail.com> >>>>> wrote: >>>>> >>>>> yes, loopback >>>>> >>>>> Be the change you want to see in the world ..tom >>>>> >>>>> >>>>> On Thu, Feb 4, 2021 at 11:01 AM Justin Richer <jricher@mit.edu> wrote: >>>>> >>>>>> Tom, can you expand on how exactly the back-channel communication >>>>>> works between on-device components? Do you use HTTP locally? >>>>>> >>>>>> Thanks, >>>>>> — Justin >>>>>> >>>>>> On Feb 4, 2021, at 1:03 PM, Tom Jones <thomasclinganjones@gmail.com> >>>>>> wrote: >>>>>> >>>>>> Justin's analysis of use of the front channel is misleading. >>>>>> It could equally be argued that what i have done is installed an AS >>>>>> on the phone and the communications with it & the PR is back channel. >>>>>> Basically the point is that the old OIDC paradigms are no longer >>>>>> valid. >>>>>> Be the change you want to see in the world ..tom >>>>>> >>>>>> >>>>>> On Thu, Feb 4, 2021 at 7:47 AM Fabien Imbault < >>>>>> fabien.imbault@gmail.com> wrote: >>>>>> >>>>>>> Yes, issue (#168) message based interaction / DIDComm is a tentative >>>>>>> alternative mecanism for the interaction part. Not sure how that would work >>>>>>> in details though, prototyping will probably help here. >>>>>>> Token delivery through continuation seems fine to me. The client >>>>>>> will probably have to wait for the next polling before it receives a token >>>>>>> issued as the result of an asynchronous interaction, but that's not a big >>>>>>> issue. >>>>>>> >>>>>>> But the AS on the phone seems like a harder nut to crack, at least >>>>>>> at first sight. I think that would be awesome, but it gives me headaches, >>>>>>> so I think I'll work on easier stuff right now ;-) >>>>>>> >>>>>>> Fabien >>>>>>> >>>>>>> On Thu, Feb 4, 2021 at 4:30 PM Justin Richer <jricher@mit.edu> >>>>>>> wrote: >>>>>>> >>>>>>>> One of the biggest drawbacks of the current app-centric approaches >>>>>>>> in OIDC (self-issued OP, or SIOP) is that they depend on using the front >>>>>>>> channel and browser redirects to pass everything, which is something that >>>>>>>> GNAP is deliberately getting away from by starting in the back channel. >>>>>>>> >>>>>>>> That said, once a request is kicked off in GNAP, the interaction >>>>>>>> and fulfillment can happen through any number of means. Part of the work >>>>>>>> that’s being done with the “interaction” section is going to help >>>>>>>> facilitate this, and I think that there are some other potential branches >>>>>>>> here. >>>>>>>> >>>>>>>> Token delivery is where things get extra weird though — we are >>>>>>>> explicitly not delivering tokens in the front channel in the core of GNAP, >>>>>>>> we’re using the response from the continuation API. One idea (that isn’t >>>>>>>> particularly well thought out and hasn’t been implemented at all) is to >>>>>>>> have an extension declare an alternative response from the “continue” >>>>>>>> section that’s defined today, which points to the GNPA continuation API. If >>>>>>>> an extension defines some alternative way to deliver tokens, that could >>>>>>>> live alongside a continuation API and the client could indicate support for >>>>>>>> it in its initial request. >>>>>>>> >>>>>>>> In any event, alternative interaction and delivery methods are >>>>>>>> important, and even if we aren’t going to support every last one of them >>>>>>>> directly, the protocol design should at least be aware of them. >>>>>>>> >>>>>>>> — Justin >>>>>>>> >>>>>>>> On Feb 4, 2021, at 8:35 AM, Fabien Imbault < >>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>> >>>>>>>> Hi Tom, >>>>>>>> >>>>>>>> Sure, any experience on that would be greatly appreciated, we're >>>>>>>> calling for help here (the point being that I suspect what they're doing is >>>>>>>> not trivial). >>>>>>>> >>>>>>>> Fabien >>>>>>>> >>>>>>>> On Thu, Feb 4, 2021 at 2:21 PM Tom Jones < >>>>>>>> thomasclinganjones@gmail.com> wrote: >>>>>>>> >>>>>>>>> I've had such an app working for over a year. There are issues >>>>>>>>> which are being addressed by the browser Interaction team of oidc. >>>>>>>>> >>>>>>>>> thx ..Tom (mobile) >>>>>>>>> >>>>>>>>> On Thu, Feb 4, 2021, 3:12 AM Fabien Imbault < >>>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hi Francis, >>>>>>>>>> >>>>>>>>>> I've tried a few things with regards to using the AS on a phone, >>>>>>>>>> but it's really quite complex. >>>>>>>>>> >>>>>>>>>> Making that run on a phone comes with quite a bit of trouble. The >>>>>>>>>> most difficult part if that we'd need to use a secure element, but just >>>>>>>>>> installing and hosting a http server securely is not a standard setup at >>>>>>>>>> all. I suggest interested people step in to work on this, as we already >>>>>>>>>> have a lot of work for the (more usual) server case and already handle a >>>>>>>>>> privacy preserving scheme. >>>>>>>>>> >>>>>>>>>> Please let us know what you think. >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> Fabien >>>>>>>>>> >>>>>>>>>> On Tue, Nov 24, 2020 at 5:55 AM Fabien Imbault < >>>>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi Francis, >>>>>>>>>>> >>>>>>>>>>> I've thought a bit more to what you said. I think I'll give it a >>>>>>>>>>> try as a separate experiment (in code, not in theory). Not that I would >>>>>>>>>>> expect it to be included in GNAP, but I kind of like the idea :-) >>>>>>>>>>> >>>>>>>>>>> The direct impact for GNAP would be to think about multiple ASs. >>>>>>>>>>> >>>>>>>>>>> Will let you know. >>>>>>>>>>> >>>>>>>>>>> Fabien >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Le mer. 18 nov. 2020 à 13:06, Francis Pouatcha <fpo@adorsys.de> >>>>>>>>>>> a écrit : >>>>>>>>>>> >>>>>>>>>>>> It would be nice if the protocol was designed at many layers of >>>>>>>>>>>> abstraction. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> - The first layer shall design abstract protocol flows, >>>>>>>>>>>> without specification of the mode and mechanism of interaction. >>>>>>>>>>>> - The second layer can instantiate the first layer for >>>>>>>>>>>> dedicated interaction. Here we can talk http, we can define interactions >>>>>>>>>>>> that presume server based token generation, we can define interaction that >>>>>>>>>>>> run on user device based token generation. >>>>>>>>>>>> >>>>>>>>>>>> This is also the fundament of the structure I proposed for the >>>>>>>>>>>> spec ( >>>>>>>>>>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/30). >>>>>>>>>>>> >>>>>>>>>>>> /Francis >>>>>>>>>>>> >>>>>>>>>>>> ------------------------------ >>>>>>>>>>>> *From:* Fabien Imbault <fabien.imbault@gmail.com> >>>>>>>>>>>> *Sent:* Wednesday, November 18, 2020 6:35 AM >>>>>>>>>>>> *To:* Francis Pouatcha <fpo@adorsys.de> >>>>>>>>>>>> *Cc:* txauth@ietf.org <txauth@ietf.org>; Dick Hardt < >>>>>>>>>>>> dick.hardt@gmail.com>; Tom Jones <thomasclinganjones@gmail.com>; >>>>>>>>>>>> Denis <denis.ietf@free.fr>; Justin Richer <jricher@mit.edu> >>>>>>>>>>>> *Subject:* Re: [GNAP] Review of >>>>>>>>>>>> draft-ietf-gnap-core-protocol-00 >>>>>>>>>>>> >>>>>>>>>>>> Would make sense, but not so easy as we rely heavily on HTTP. >>>>>>>>>>>> Hence the discussion about deep links and so on. >>>>>>>>>>>> >>>>>>>>>>>> An alternative might be provided by wasm/wasi (running a local >>>>>>>>>>>> sandbox on your phone, for your own AS), but it's really early stage. This >>>>>>>>>>>> also poses another question that Denis has put forward, i.e. how do we >>>>>>>>>>>> handle the multiple AS scenario (likely to occur then). >>>>>>>>>>>> >>>>>>>>>>>> Fabien >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Nov 18, 2020 at 12:16 PM Francis Pouatcha < >>>>>>>>>>>> fpo@adorsys.de> wrote: >>>>>>>>>>>> >>>>>>>>>>>> We are drifting away from the original problem space. >>>>>>>>>>>> >>>>>>>>>>>> - My original mention was about the "POST" request, that >>>>>>>>>>>> subsumes that the "AS" is a "Server". Designing a new protocol, we cannot >>>>>>>>>>>> afford this limitation. >>>>>>>>>>>> - I just mentioned SIOP to show a known and closed example? >>>>>>>>>>>> Let us not focus on the device local discovery scheme (like openid:) for >>>>>>>>>>>> now. >>>>>>>>>>>> - As capability of holding private keys on user device >>>>>>>>>>>> evolves, server-based issuing of token will be fading out giving way to >>>>>>>>>>>> device local generation of token. >>>>>>>>>>>> >>>>>>>>>>>> While designing GNAP, let us assume the AS-Role can be >>>>>>>>>>>> exercised on a user device and design the protocol to honor that. >>>>>>>>>>>> >>>>>>>>>>>> Best regards, >>>>>>>>>>>> /Francis >>>>>>>>>>>> ------------------------------ >>>>>>>>>>>> *From:* TXAuth <txauth-bounces@ietf.org> on behalf of Dick >>>>>>>>>>>> Hardt <dick.hardt@gmail.com> >>>>>>>>>>>> *Sent:* Tuesday, November 17, 2020 1:28 PM >>>>>>>>>>>> *To:* Tom Jones <thomasclinganjones@gmail.com> >>>>>>>>>>>> *Cc:* Fabien Imbault <fabien.imbault@gmail.com>; Denis < >>>>>>>>>>>> denis.ietf@free.fr>; GNAP Mailing List <txauth@ietf.org>; >>>>>>>>>>>> Justin Richer <jricher@mit.edu> >>>>>>>>>>>> *Subject:* Re: [GNAP] Review of >>>>>>>>>>>> draft-ietf-gnap-core-protocol-00 >>>>>>>>>>>> >>>>>>>>>>>> Got it. >>>>>>>>>>>> >>>>>>>>>>>> So web apps invoke a openid: deep link and hope there is an app >>>>>>>>>>>> to handle the openid: scheme? ... and that it is the user's wallet rather >>>>>>>>>>>> than some malware that has registered openid: on the mobile device? >>>>>>>>>>>> >>>>>>>>>>>> A native app can attempt to open a deep link associated with an >>>>>>>>>>>> app, and will fail if the app is not there. If the app is there, it will be >>>>>>>>>>>> opened, so this can't be used to silently test if an app is present, but it >>>>>>>>>>>> does allow a native app to provide an alternative experience if an app is >>>>>>>>>>>> not present. I don't think this works with custom schemes ... and I don't >>>>>>>>>>>> know how it could work from a web app on the phone with the current Safari >>>>>>>>>>>> APIs. >>>>>>>>>>>> >>>>>>>>>>>> Apple warns against using custom schemes [1] ... but perhaps >>>>>>>>>>>> they can be convinced to make openid: a managed scheme similar to mailto:, >>>>>>>>>>>> tel:, sms:, facetime: ? >>>>>>>>>>>> >>>>>>>>>>>> [1] >>>>>>>>>>>> https://developer.apple.com/documentation/xcode/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ᐧ >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Nov 17, 2020 at 10:06 AM Tom Jones < >>>>>>>>>>>> thomasclinganjones@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>> You are - that is not standard which is opeind:// >>>>>>>>>>>> This is the one step that still needs to be optimized for SIOP >>>>>>>>>>>> to have good UX. >>>>>>>>>>>> Peace ..tom >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Nov 17, 2020 at 9:59 AM Dick Hardt < >>>>>>>>>>>> dick.hardt@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hi Tom >>>>>>>>>>>> >>>>>>>>>>>> I watched your video (I watched at 2X speed) >>>>>>>>>>>> >>>>>>>>>>>> Looks like the employment website app that is using >>>>>>>>>>>> localhost:8765 to communicate with the wallet. Am I correct? >>>>>>>>>>>> >>>>>>>>>>>> /Dick >>>>>>>>>>>> ᐧ >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Nov 17, 2020 at 9:46 AM Tom Jones < >>>>>>>>>>>> thomasclinganjones@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Well, here's a demo. Note that in this case the AS is not >>>>>>>>>>>> online all of the time, so it is really implicit flow and the OIDC id-token >>>>>>>>>>>> comes from the siop device directly. >>>>>>>>>>>> (whether this is front-channel or back channel is no longer an >>>>>>>>>>>> interesting question.) >>>>>>>>>>>> Now if an always-on AS is required, that is possible, but >>>>>>>>>>>> probably beyond the scope of this effort and would require something like >>>>>>>>>>>> an agent-in-the-sky (with diamonds). >>>>>>>>>>>> here is the link to the 9 min video https://youtu.be >>>>>>>>>>>> /Tq4hw7X5SW0 >>>>>>>>>>>> <https://urldefense.us/v2/url?u=https-3A__youtu.be_Tq4hw7X5SW0&d=DwMFaQ&c=2plI3hXH8ww3j2g8pV19QHIf4SmK_I-Eol_p9P0CttE&r=D5lnfoa2MVZWELqVbbz71ooelbP7rVGCjGDSBNvUpYQ&m=ixsudGSr_dhG-SLiatb4Sz9FWslmywnYyZAOLgZxhl8&s=jdLLy0G1JTQCAOBZ6PeUgI0kiCtVJXrru0VToYWlNZ8&e=> >>>>>>>>>>>> Peace ..tom >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Nov 17, 2020 at 9:20 AM Justin Richer <jricher@mit.edu> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Ultimately, in most situations like these in the real world, >>>>>>>>>>>> the hurdle isn’t technical compatibility so much as it is trust >>>>>>>>>>>> compatibility. The RP (client) needs to have some incentive to trust the >>>>>>>>>>>> assertions and identity information that’s coming from the AS. The same is >>>>>>>>>>>> true for an RS trusting tokens from the AS. The hard question is less “how” >>>>>>>>>>>> to do that (which SSI answers), but more “why” to do that (which SSI >>>>>>>>>>>> doesn’t answer very well, because it’s a hard question). >>>>>>>>>>>> >>>>>>>>>>>> Still: it’s definitely a question about how to support this “AS >>>>>>>>>>>> on device” element. We’ve got the start of it more than OAuth2/OIDC have by >>>>>>>>>>>> allowing the bootstrap of the process from a starting call: the interaction >>>>>>>>>>>> and continuation URIs handed back by the AS don’t need to be the same URIs >>>>>>>>>>>> that the client starts with, so just like SIOP the process can start in >>>>>>>>>>>> HTTP and potentially move to other communication channels. A major >>>>>>>>>>>> difference is that we aren’t dependent on the assumption that the user will >>>>>>>>>>>> always be in a browser at some stage, and so the whole raft of >>>>>>>>>>>> front-channel messages that SIOP relies on doesn’t fly. That said, we’ve >>>>>>>>>>>> got an opportunity to more explicitly open up alternative communication >>>>>>>>>>>> channels here, and that’s something I’d like to see engineered, even if >>>>>>>>>>>> it’s an extension. I’d love to see a concrete proposal as to how that would >>>>>>>>>>>> work over specific protocols, starting with what we’ve got today. >>>>>>>>>>>> >>>>>>>>>>>> — Justin >>>>>>>>>>>> >>>>>>>>>>>> On Nov 17, 2020, at 12:03 PM, Fabien Imbault < >>>>>>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hi Denis, hi Francis, >>>>>>>>>>>> >>>>>>>>>>>> At some point integration with SSI (on the authentication side) >>>>>>>>>>>> will probably occur, including amongst other possibilities SIOP (since they >>>>>>>>>>>> work with OpenID a part of the work will probably be made easier). >>>>>>>>>>>> >>>>>>>>>>>> That being said, Denis is right. It's not an AS. Technically >>>>>>>>>>>> it's entirely possible to rely on a decentralized wallet (for instance on >>>>>>>>>>>> your phone) and a centralized AS. I know of a few studies on how to >>>>>>>>>>>> decentralize the AS itself (for instance >>>>>>>>>>>> https://tools.ietf.org/html/draft-hardjono-oauth-decentralized-02 >>>>>>>>>>>> ). >>>>>>>>>>>> Maybe it exists, but I'm still looking for real scenarios (or >>>>>>>>>>>> even architectures) where an AS is deployed directly on a phone, and under >>>>>>>>>>>> the sole authority of the RO, while being compatible with the rest of the >>>>>>>>>>>> world. >>>>>>>>>>>> >>>>>>>>>>>> Cheers, >>>>>>>>>>>> Fabien >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Nov 17, 2020 at 5:45 PM Denis <denis.ietf@free.fr> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello Francis, >>>>>>>>>>>> >>>>>>>>>>>> See two comments in line. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> B) Current Document >>>>>>>>>>>> >>>>>>>>>>>> Roles description shall not hold any assumption on the physical >>>>>>>>>>>> structure of the party fulfilling the roles. >>>>>>>>>>>> [FI] not sure what you mean >>>>>>>>>>>> >>>>>>>>>>>> [FP] for example, we assume the AS is a server! In most SSI >>>>>>>>>>>> based use cases, the AS will be running on the user device. See SIOP ( >>>>>>>>>>>> https://identity.foundation/did-siop/). >>>>>>>>>>>> >>>>>>>>>>>> I browsed through the two drafts, i.e. : >>>>>>>>>>>> >>>>>>>>>>>> - Decentralized Identifiers (DIDs) v1.0 Core architecture, >>>>>>>>>>>> data model, and representations W3C Working Draft 08 November 2020 >>>>>>>>>>>> - Self-Issued OpenID Connect Provider DID Profile v0.1. DIF >>>>>>>>>>>> Working Group Draft >>>>>>>>>>>> >>>>>>>>>>>> At no place within these two documents, it is possible to >>>>>>>>>>>> imagine that "the AS will be running on the user device". >>>>>>>>>>>> >>>>>>>>>>>> From section 3 of the DIF Working Group Draft: >>>>>>>>>>>> >>>>>>>>>>>> "Unlike the OIDC Authorization Code Flow as per >>>>>>>>>>>> [OIDC.Core], the SIOP will not return an access token to the RP". >>>>>>>>>>>> >>>>>>>>>>>> An Identity Wallet is not an AS. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Roles: >>>>>>>>>>>> -> grant endpoint of the AS: Why is this a post request? This >>>>>>>>>>>> eliminates the chance of having user device hosted AS (no server). >>>>>>>>>>>> [FI] what would you propose instead? >>>>>>>>>>>> Would also be interested to understand better the deployment >>>>>>>>>>>> model when there is no server. That's something that was discussed several >>>>>>>>>>>> times but I'm still missing the underlying architecture and use case. >>>>>>>>>>>> >>>>>>>>>>>> [FP] See above (SIOP). There will be a lot of identity wallets >>>>>>>>>>>> operated on end user device. >>>>>>>>>>>> >>>>>>>>>>>> See the above comment. Please, do not confuse an Identity >>>>>>>>>>>> Wallet with an Authentication Server (AS). >>>>>>>>>>>> >>>>>>>>>>>> Denis >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -> Resource Owner (RO) : Authorizes the request? Does it >>>>>>>>>>>> authorize the request or the access to a resource? >>>>>>>>>>>> [FI] yes, we should make the wording clearer >>>>>>>>>>>> >>>>>>>>>>>> Missing Section Interactions: >>>>>>>>>>>> --> This section shall introduce the notion of interaction >>>>>>>>>>>> before we start listing interaction types. >>>>>>>>>>>> [FI] yes >>>>>>>>>>>> >>>>>>>>>>>> Interaction Types: >>>>>>>>>>>> --> I prefer a classification with Redirect, Decoupled and >>>>>>>>>>>> Embedded is. In the draft, we have one redirect and 2 decouple interactions >>>>>>>>>>>> and nothing else. >>>>>>>>>>>> [FI] this should be handled as a specific discussion item. As a >>>>>>>>>>>> reminder, how would you define embedded? >>>>>>>>>>>> >>>>>>>>>>>> In practice there's at least these modes: >>>>>>>>>>>> - redirect and redirect back >>>>>>>>>>>> - redirect to different browser or device >>>>>>>>>>>> - user code >>>>>>>>>>>> - CIBA >>>>>>>>>>>> >>>>>>>>>>>> [FP] This classification is limited. >>>>>>>>>>>> >>>>>>>>>>>> - Redirect: same device, same or different user agents >>>>>>>>>>>> (browser, mobile app, desktop app, ...) >>>>>>>>>>>> - Decoupled: different devices >>>>>>>>>>>> - Embedded : RC carries RO authorization to AS >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Resource Access Request vs. Resource Request >>>>>>>>>>>> --> Both are mixed up. No clarification of the context of each >>>>>>>>>>>> section. >>>>>>>>>>>> [FI] could you clarify what you'd expect. Btw on this topic, >>>>>>>>>>>> there's a more general discussion on whether we should make a distinction >>>>>>>>>>>> or not. >>>>>>>>>>>> >>>>>>>>>>>> [FP]: Here: >>>>>>>>>>>> >>>>>>>>>>>> - Resource Access Request: Requesting Access to a resource. >>>>>>>>>>>> Response is an access token (or any type of grant) >>>>>>>>>>>> - Resource Request: Request the resource. Response is the >>>>>>>>>>>> resource (or a corresponding execution) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Token Content Negotiation >>>>>>>>>>>> --> Not expressed as such. This is central to GNAP and not >>>>>>>>>>>> represented enough in the document. >>>>>>>>>>>> [FI] right. This should be a specific discussion item. >>>>>>>>>>>> >>>>>>>>>>>> Requesting "User" Information >>>>>>>>>>>> we identify two types of users: RQ and RO. It will be better >>>>>>>>>>>> not to refer to a user in this draft, but either to a RQ or an RO. >>>>>>>>>>>> [FI] yes that would avoid potential misunderstandings. Although >>>>>>>>>>>> in the end, people will translate RQ into user or end-user most of the >>>>>>>>>>>> time. Cf in definition, currently we have Requesting Party >>>>>>>>>>>> (RQ, aka "user") >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Interaction Again >>>>>>>>>>>> -> For each interaction type, we will have to describe the >>>>>>>>>>>> protocol flow and the nature and behavior of involved Roles (Parties), >>>>>>>>>>>> Elements, Requests. >>>>>>>>>>>> [FI] yes >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> [FP] Will these and into tickets? >>>>>>>>>>>> >>>>>>>>>>>> Best regards. >>>>>>>>>>>> /Francis >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> TXAuth mailing list >>>>>>>>>>>> TXAuth@ietf.org >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> TXAuth mailing list >>>>>>>>>>>> TXAuth@ietf.org >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> TXAuth mailing list >>>>>>>>>>>> TXAuth@ietf.org >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> TXAuth mailing list >>>>>>>>>>>> TXAuth@ietf.org >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>> -- >>>>>> TXAuth mailing list >>>>>> TXAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>> >>>>>> >>>>>> >>>>> -- >>>> TXAuth mailing list >>>> TXAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/txauth >>>> >>> >>
- [GNAP] I-D Action: draft-ietf-gnap-core-protocol-… internet-drafts
- Re: [GNAP] I-D Action: draft-ietf-gnap-core-proto… Justin Richer
- [GNAP] Review of draft-ietf-gnap-core-protocol-00 Francis Pouatcha
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Francis Pouatcha
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Denis
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Dick Hardt
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Dick Hardt
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Dick Hardt
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Dick Hardt
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Francis Pouatcha
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Francis Pouatcha
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Adrian Gropper
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Francis Pouatcha
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Justin Richer
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Tom Jones
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Adrian Gropper
- Re: [GNAP] Review of draft-ietf-gnap-core-protoco… Fabien Imbault