Re: [GNAP] Authentication mechanisms discovery
Dick Hardt <dick.hardt@gmail.com> Mon, 24 August 2020 16:10 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E9E3A0F84 for <txauth@ietfa.amsl.com>; Mon, 24 Aug 2020 09:10:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMidkgIW8JGz for <txauth@ietfa.amsl.com>; Mon, 24 Aug 2020 09:10:31 -0700 (PDT)
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C6823A10AA for <txauth@ietf.org>; Mon, 24 Aug 2020 09:10:17 -0700 (PDT)
Received: by mail-lj1-x243.google.com with SMTP id m22so10305346ljj.5 for <txauth@ietf.org>; Mon, 24 Aug 2020 09:10:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g94+wMev1dRZ4RwFn5Re79ALIF36w3dzuimbmvmeMf0=; b=rr8LI08iJzLv8Md3QOObqcgNVL+/KqHcCZFmITpJsXQvyw5PbQz/3PWFIXYbU7YkAr NBfONAUfN0U+DTm8dxmdV7LthafOvIw5yhz17rz7tZjQjyQhaS86CKto43Po4c8mw/dj e7Dec+QGl1IQt+CeZ3Dv7OTVG2CwP+VwmdKX5sZU/SZN3sSHnlYWOBF+Vk8y8S+c9lvp jOHAfhwrdphJJRsh0Rnq57V7rIgSeoxyaFaCVkkSLn0Qk417a2L7+/n4czcmRsCshfe1 mso3WDcVPXlAw6gAY+XZol828BB19VkSQete9/XRSwpR+ksE5jxI0fEFm7GyBcNuV2Gu h+hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g94+wMev1dRZ4RwFn5Re79ALIF36w3dzuimbmvmeMf0=; b=D6n38//LrcjfND97ICbEMzMiAZWZIY3YYcqktUwU1Cx8afRAJ1iCzzLd7ZJEp5u6ot FzW5nwLU5iNfEurTTD32UKAu+UmvihMU/KJ7DX2pFNckHdQoTmmvqEi3v39mU4rc3vqT RC9qZLmFjaf4A7hjw16N31n9+6U3qTo5poWO2BqeYheEQKYEHdyM8PEpMvFY5+MdDak1 GMOxONxVms9rjJuMFGYFAQkN9CENowpzcxRCe+GIsGAlh1OvNfXZDdq7J8TIvKWTL/ep wFOCi59oZu9Xm+e+oqx/J6I+U7//FSHY7s4M3T/tVZc5qRxaWiZZOUkxQipZmmTbFl8m htUQ==
X-Gm-Message-State: AOAM532sICDGfc7vd/IlBJ+Dv255wiw6sonYuMPculNgk8JMiqJHysmw iseC+7AedCCAMWw+kS18vZM0DSmlBqRxtfIr4xw=
X-Google-Smtp-Source: ABdhPJyBLXGgOu02OcKmJDK36AHRhR64+/KbwcCQqbZNNukc1Y/ImR+A6QnOCmJuI+I0VrirWJCaa5GAeLHtJIRPka4=
X-Received: by 2002:a2e:2283:: with SMTP id i125mr2907759lji.142.1598285415599; Mon, 24 Aug 2020 09:10:15 -0700 (PDT)
MIME-Version: 1.0
References: <fdf69c9e-6950-b2d2-f889-dd4219fec6f1@free.fr> <CAD9ie-tRG5F=z_Py3RVFOjELPYcGxQPJxepzO_rFQg=XSG+Yaw@mail.gmail.com>
In-Reply-To: <CAD9ie-tRG5F=z_Py3RVFOjELPYcGxQPJxepzO_rFQg=XSG+Yaw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 24 Aug 2020 09:09:39 -0700
Message-ID: <CAD9ie-t=qFWT=0vezac8dUV7e2TxfswNkr3Qz9TB4XnCmHjSzQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000725f1f05ada1d235"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/wUDMLfbNCKu_CPuuF7BkG5yhktk>
Subject: Re: [GNAP] Authentication mechanisms discovery
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2020 16:10:33 -0000
A comment about an OPTIONS call being the first call in the protocol. While that is possible, I expect most use of the discovery will happen by tooling rather than client software. IE, when developing against an GS, the developers tool chain will check what the GS supports. On Mon, Aug 24, 2020 at 9:05 AM Dick Hardt <dick.hardt@gmail.com> wrote: > Hi Denis > > While it is an interesting idea to use the OPTIONS method at the RS, the > standard way to indicate authentication mechanisms is with a 401 HTTP > response per > https://tools.ietf.org/html/rfc7235#section-3.1 > > And then information about how to authenticate may be in the HTTP > Authorization header. > > This allows an RS to respond to any request including an OPTIONS method > call. > > /Dick > > > ᐧ > > On Mon, Aug 24, 2020 at 1:16 AM Denis <denis.ietf@free.fr> wrote: > >> Hi Dick >> *, * >> >> The following comments have been elaborated after an analysis of your >> draft: draft-hardt-xauth-protocol-13. >> >> *1 ) Authentication mechanisms discovery at the GS* >> >> Sections 3 and 3.7 from draft-hardt-xauth-protocol-13 are proposing to >> support an HTTP OPTIONS request which would be the first request >> when talking to a GS. The goal is to be able to query the authentication >> mechanisms supported by the GS. This would indeed be very useful. >> >> The HTTP OPTIONS request has been first defined in RFC 2616 and refined >> in RFC 7231 (see https://tools.ietf.org/html/rfc7231#section-4.3.7). >> >> RFC 7231 mentions: >> >> A standard format for such a representation is not defined by this >> specification, but might be defined by future extensions to HTTP. >> A client that generates an OPTIONS request containing a payload >> body MUST send a valid Content-Type header field describing >> the representation media type. Although this specification does >> not define any use for such a payload, future extensions to HTTP >> might use the OPTIONS body to make more detailed queries about the >> target resource. >> >> RFC 7231 also mentions: >> >> A server generating a successful response to OPTIONS SHOULD send an >> header fields that might indicate optional features >> implemented by the server and applicable to the target resource, >> including potential extensions not defined by this specification. >> >> However, two types of authentication are possible: user authentication >> and client authentication. If both are supported by the GS, it would be >> possible >> to address this concern either by returning two lists of authentication >> methods or even better by using two different Content-Type header fields >> describing >> the representation media type, since the client is knowing whether it is >> acting or not on behalf of a User. >> >> *2) Authentication mechanisms discovery at the RS* >> >> This HTTP OPTIONS request should also be supported by a RS. When a client >> first contacts a RS, it does not necessarily know the authentication >> methods that are *currently* supported by the RS. This means that the >> same request as the one used for the GS should be available for a RS as >> well. >> >> Denis >> >> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> >
- [GNAP] Authentication mechanisms discovery Denis
- Re: [GNAP] Authentication mechanisms discovery Dick Hardt
- Re: [GNAP] Authentication mechanisms discovery Dick Hardt
- Re: [GNAP] Authentication mechanisms discovery Justin Richer
- Re: [GNAP] Authentication mechanisms discovery Tom Jones
- Re: [GNAP] Authentication mechanisms discovery Denis
- Re: [GNAP] Authentication mechanisms discovery Denis
- Re: [GNAP] Authentication mechanisms discovery Dick Hardt
- Re: [GNAP] Authentication mechanisms discovery Denis
- Re: [GNAP] Authentication mechanisms discovery Dick Hardt
- Re: [GNAP] Authentication mechanisms discovery Denis
- Re: [GNAP] Authentication mechanisms discovery Benjamin Kaduk