[Txauth] updated draft-hardt-xauth-protocol (-11) and an implementation!
Dick Hardt <dick.hardt@gmail.com> Mon, 06 July 2020 18:14 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6080B3A0602 for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 11:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jo2FrD3aylhI for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 11:14:36 -0700 (PDT)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 913BF3A0795 for <txauth@ietf.org>; Mon, 6 Jul 2020 11:14:35 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id g2so23167496lfb.0 for <txauth@ietf.org>; Mon, 06 Jul 2020 11:14:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=UJ1G4yhvvOiEHj6NdNZ3sz47jPn7xrW5nYXpE+KS2d4=; b=a9xMMy6o6+5oZPMvY3M9cuDUD56qOsGQ4lI8ruRmfHWrTYuw+wWG+dXV2yBgvCdREe 5BUYMXsu7sjD7tgqssPjRxg/5zfMhNy68FspbMZV48Jvq5BbIqVzoJ+hgmxETO2ETwH2 OqGINzGSV8bjzw3FhDyR/San1mLlt2HDsJtnie1UKy/RNKIvxn5j7Ee9cgu5t9S6xlyt LmMVN1iiAVszhB+yRGpzZ87wq5IXT9VkRPays9mnD8Mj4UOpxGWyBPeKHCwvWuvmzE/Q Nd7ap2ZuVvkIOwF/kgqoP6yvJ/QwWXga1JAMTvKDyxE0D+h6ZQx55tboJyhixYpBtEBL d7gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UJ1G4yhvvOiEHj6NdNZ3sz47jPn7xrW5nYXpE+KS2d4=; b=EepWY4lQqUv7mqM/4p08ckRW5d7+goT00vUW5LBPC4lGu7wzSin9IESTDwq6R2hhNU FcVBCSYg4fREn36GP6yuW8vF5Y05a6X7LCWDL7AJvAiwyRXwd8Hbfe+ydkBIk08VvcKY gjSkqMefk3dqxOL0RmjPTN5/zMDwBGnk4GNnF2an18NxbOg0bGni6x1FG/dapkiT88ff EzSa7OLkbLI0+/poLeMOHiNYe5jh1T13KyjUQlP2Qy3o8wjhdFRGrCTMk0JBvaTRYNPD 6u+hRg+frGaqUw+5hVEVQ0tqUpUBoHJSGO8ZAgHNZxzzc23RqBcIHBVobhQHGhiWOrlI CyUQ==
X-Gm-Message-State: AOAM531cXwYLxd1nkwg81MN/y39M+djqgc5GOUj5hFAwByj+L2uQgdt5 2SMMbxliEvuTe0bJq9DvjP8I0Ca/6cW2xA7r4y4jeF/yReE=
X-Google-Smtp-Source: ABdhPJxx2fa0HpIgNE5XbdYbBDrFBiOU/ZsesCMDeQPLTAilL7sBsYCxUdTrH03y/PoFIQm9WxZalrUOKPtU3ZgYS6Q=
X-Received: by 2002:a19:c8a:: with SMTP id 132mr30770186lfm.23.1594059273042; Mon, 06 Jul 2020 11:14:33 -0700 (PDT)
MIME-Version: 1.0
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 06 Jul 2020 11:13:57 -0700
Message-ID: <CAD9ie-tBa9Hc6o-EK80LQ-XJYtx367=W5ma6rXWHHykLgL9tfQ@mail.gmail.com>
To: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b87db805a9c9d84c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/xjzpcx-Z1WfWVVK0mcUXQXnzjk0>
Subject: [Txauth] updated draft-hardt-xauth-protocol (-11) and an implementation!
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 18:14:39 -0000
I have updated the draft based on my implementation experience: https://tools.ietf.org/html/draft-hardt-xauth-protocol-11 (note that the links at the top of the page are messed up -- I managed to break the IETF tool) I also updated the JOSE spec https://tools.ietf.org/html/draft-hardt-gnap-jose-01 Here is the implementation in nodejs: https://github.com/dickhardt/XAuth-poc I implemented a CLI client that uses the indirect interaction mode, and a web client that uses the redirect interaction mode. The PoC supports no client authentication, and the proposed JOSE client authentication mechanism. The CLI client supports a QR code scan, or a -f flag can be set to fake out the user -- handy for development. All the protocol call and signing work is inline in the clients. I have not made an attempt to create a module to support the protocol client side. I wrote up some learnings here: https://github.com/dickhardt/XAuth-poc/wiki/Lessons-Learned---draft-11---initial-version Copy and pasted below: Confirmations: - claims.[schema] works well to determine if claims schema is supported - authorization.type worked well to detect the authorization schema - separate DBs for client.id (registered clients) and client.handle (dynamic clients) keeps these similar, but different storage systems independent. Have to detect which type of client, but code was not onerous. - separate identifiers for dynamic and registered clients made it easy to have policy that let registered clients do things not available for dynamic clients (write access) and to require Grant Verification. - interaction modes made it easy to evaluate what would happen in interaction and decide what was allowed and not allowed - representing grants and authorizations as URIs and using methods for different APIs made routing to different modules simple. Adding a new API, Grant Verification was simple. - the top level objects made it easy to decompose validating and processing user, client, interaction, claims, and authorizations - warnings about ignored parameters looks useful, but coding it is brittle - JSON Schema may make it declarative - once a decoded JOSE token was available, it was simple to acquire the embedded JWK for a dynamic client - Grant and AZ ids in URI made it easy to return 404 early. Also made it easy to get client key. <https://github.com/dickhardt/XAuth-poc/wiki/Lessons-Learned---draft-11---initial-version#lessons> Lessons - Implementation stored registered and dynamic clients in two different databases. Code has to switch between the two. For simpler implementations store client.id and client.handle in same DB. - space separated scopes from OAuth 2.x is a coding thunk - OIDC claims having a null value is a thunk. Had to use hasOwnProperty instead of just testing value - claims.oidc.userinfo.mail is a long path to ask for a claim. Perhaps have oidc_userinfo and oidc_id_token? - separate top level objects for authorization and authorizations seems clumsy - perhaps detect plurality by detecting 'type' property? 'type' would be reserved for clients to not use. If no 'type', then each property is a separate authorization request. Or always have plural, but then an extra level for the common, single authorization use case. - having a '-' in a property name is messy in JS - parsing and peaking into JSON or decoding the JOSE object to find client info in Create Grant is required before authentication can happen. Took a while to figure out the right order to structure routing and middleware. - JSON Schema <https://json-schema.org/> looks like it may simplify input JSON validation. Also useful for validating responses in automated testing. IETF IDs have not been picked up in a WG so far. - My HTML skills suck - My ES6 knowledge is lacking