IETF Logo Mail Archive

[Txauth] updated draft-hardt-xauth-protocol (-11) and an implementation!

Dick Hardt <dick.hardt@gmail.com> Mon, 06 July 2020 18:14 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6080B3A0602 for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 11:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jo2FrD3aylhI for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 11:14:36 -0700 (PDT)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 913BF3A0795 for <txauth@ietf.org>; Mon, 6 Jul 2020 11:14:35 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id g2so23167496lfb.0 for <txauth@ietf.org>; Mon, 06 Jul 2020 11:14:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=UJ1G4yhvvOiEHj6NdNZ3sz47jPn7xrW5nYXpE+KS2d4=; b=a9xMMy6o6+5oZPMvY3M9cuDUD56qOsGQ4lI8ruRmfHWrTYuw+wWG+dXV2yBgvCdREe 5BUYMXsu7sjD7tgqssPjRxg/5zfMhNy68FspbMZV48Jvq5BbIqVzoJ+hgmxETO2ETwH2 OqGINzGSV8bjzw3FhDyR/San1mLlt2HDsJtnie1UKy/RNKIvxn5j7Ee9cgu5t9S6xlyt LmMVN1iiAVszhB+yRGpzZ87wq5IXT9VkRPays9mnD8Mj4UOpxGWyBPeKHCwvWuvmzE/Q Nd7ap2ZuVvkIOwF/kgqoP6yvJ/QwWXga1JAMTvKDyxE0D+h6ZQx55tboJyhixYpBtEBL d7gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UJ1G4yhvvOiEHj6NdNZ3sz47jPn7xrW5nYXpE+KS2d4=; b=EepWY4lQqUv7mqM/4p08ckRW5d7+goT00vUW5LBPC4lGu7wzSin9IESTDwq6R2hhNU FcVBCSYg4fREn36GP6yuW8vF5Y05a6X7LCWDL7AJvAiwyRXwd8Hbfe+ydkBIk08VvcKY gjSkqMefk3dqxOL0RmjPTN5/zMDwBGnk4GNnF2an18NxbOg0bGni6x1FG/dapkiT88ff EzSa7OLkbLI0+/poLeMOHiNYe5jh1T13KyjUQlP2Qy3o8wjhdFRGrCTMk0JBvaTRYNPD 6u+hRg+frGaqUw+5hVEVQ0tqUpUBoHJSGO8ZAgHNZxzzc23RqBcIHBVobhQHGhiWOrlI CyUQ==
X-Gm-Message-State: AOAM531cXwYLxd1nkwg81MN/y39M+djqgc5GOUj5hFAwByj+L2uQgdt5 2SMMbxliEvuTe0bJq9DvjP8I0Ca/6cW2xA7r4y4jeF/yReE=
X-Google-Smtp-Source: ABdhPJxx2fa0HpIgNE5XbdYbBDrFBiOU/ZsesCMDeQPLTAilL7sBsYCxUdTrH03y/PoFIQm9WxZalrUOKPtU3ZgYS6Q=
X-Received: by 2002:a19:c8a:: with SMTP id 132mr30770186lfm.23.1594059273042; Mon, 06 Jul 2020 11:14:33 -0700 (PDT)
MIME-Version: 1.0
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 06 Jul 2020 11:13:57 -0700
Message-ID: <CAD9ie-tBa9Hc6o-EK80LQ-XJYtx367=W5ma6rXWHHykLgL9tfQ@mail.gmail.com>
To: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b87db805a9c9d84c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/xjzpcx-Z1WfWVVK0mcUXQXnzjk0>
Subject: [Txauth] updated draft-hardt-xauth-protocol (-11) and an implementation!
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 18:14:39 -0000

I have updated the draft based on my implementation experience:

https://tools.ietf.org/html/draft-hardt-xauth-protocol-11

(note that the links at the top of the page are messed up -- I managed to
break the IETF tool)

I also updated the JOSE spec

https://tools.ietf.org/html/draft-hardt-gnap-jose-01

Here is the implementation in nodejs:

https://github.com/dickhardt/XAuth-poc

I implemented a CLI client that uses the indirect interaction mode, and a
web client that uses the redirect interaction mode.
The PoC supports no client authentication, and the proposed JOSE client
authentication mechanism.

The CLI client supports a QR code scan, or a -f flag can be set to fake out
the user -- handy for development.

All the protocol call and signing work is inline in the clients. I have not
made an attempt to create a module to support the protocol client side.

I wrote up some learnings here:

https://github.com/dickhardt/XAuth-poc/wiki/Lessons-Learned---draft-11---initial-version

Copy and pasted below:
Confirmations:

   - claims.[schema] works well to determine if claims schema is supported
   - authorization.type worked well to detect the authorization schema
   - separate DBs for client.id (registered clients) and client.handle
   (dynamic clients) keeps these similar, but different storage systems
   independent. Have to detect which type of client, but code was not onerous.
   - separate identifiers for dynamic and registered clients made it easy
   to have policy that let registered clients do things not available for
   dynamic clients (write access) and to require Grant Verification.
   - interaction modes made it easy to evaluate what would happen in
   interaction and decide what was allowed and not allowed
   - representing grants and authorizations as URIs and using methods for
   different APIs made routing to different modules simple. Adding a new API,
   Grant Verification was simple.
   - the top level objects made it easy to decompose validating and
   processing user, client, interaction, claims, and authorizations
   - warnings about ignored parameters looks useful, but coding it is
   brittle - JSON Schema may make it declarative
   - once a decoded JOSE token was available, it was simple to acquire the
   embedded JWK for a dynamic client
   - Grant and AZ ids in URI made it easy to return 404 early. Also made it
   easy to get client key.

<https://github.com/dickhardt/XAuth-poc/wiki/Lessons-Learned---draft-11---initial-version#lessons>
Lessons

   - Implementation stored registered and dynamic clients in two different
   databases. Code has to switch between the two. For simpler implementations
   store client.id and client.handle in same DB.
   - space separated scopes from OAuth 2.x is a coding thunk
   - OIDC claims having a null value is a thunk. Had to use hasOwnProperty
   instead of just testing value
   - claims.oidc.userinfo.mail is a long path to ask for a claim. Perhaps
   have oidc_userinfo and oidc_id_token?
   - separate top level objects for authorization and authorizations seems
   clumsy - perhaps detect plurality by detecting 'type' property? 'type'
   would be reserved for clients to not use. If no 'type', then each property
   is a separate authorization request. Or always have plural, but then an
   extra level for the common, single authorization use case.
   - having a '-' in a property name is messy in JS
   - parsing and peaking into JSON or decoding the JOSE object to find
   client info in Create Grant is required before authentication can happen.
   Took a while to figure out the right order to structure routing and
   middleware.
   - JSON Schema <https://json-schema.org/> looks like it may simplify
   input JSON validation. Also useful for validating responses in automated
   testing. IETF IDs have not been picked up in a WG so far.
   - My HTML skills suck
   - My ES6 knowledge is lacking

v2.23.0 | Report a Bug | By Email