IETF Logo Mail Archive

Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11

Francis Pouatcha <fpo@adorsys.de> Thu, 16 July 2020 13:59 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD67D3A085A for <txauth@ietfa.amsl.com>; Thu, 16 Jul 2020 06:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14OPz6v1IwXy for <txauth@ietfa.amsl.com>; Thu, 16 Jul 2020 06:59:37 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B17EE3A086B for <txauth@ietf.org>; Thu, 16 Jul 2020 06:59:36 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id z13so7179463wrw.5 for <txauth@ietf.org>; Thu, 16 Jul 2020 06:59:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lu6Gc9PNJ4C7uY1LkBCMf4AiNmGBtE+4zieZlzNPUGM=; b=aKVfd25JuC2BpzSFPc4QHGso76JbfUAk9C4Iyrylg1TCPQgX9TmFQQ8iIFUx6VcDGK Gfp31aKBUUn4P/5zfdAQ3BQrL+tEpyJ92YIp7sK5UgdHjHwbBo58sWgcdeyhTftgAigl BPIVFty6QMP5ts4UaNH2B/oTrN17dtoRhwueM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lu6Gc9PNJ4C7uY1LkBCMf4AiNmGBtE+4zieZlzNPUGM=; b=lTHwUBMpyCzZwfFbathYCJrCpc32bRpO2lJwTmi189IaW8B4y4XNvzvp1hDLyinI6k W/b1aB1tj4yF9zy8OQ5U21Kkrqmu4TRKE7koATo0rr9xbOicn2Ss1zh/ucw3VetogLVw ZysU86m0kN24VZoQUmp7055t5qHEcu7ZCPF+ELQJM8n0hRIKXSJKtmnkbDMn29prE1+r ZjSAqQrwAWjmlgzRQ9j2sc6cPtx3jSpmXRWSJ3v69Zs7B8z4eNomBUq1/RykmAxwm7o+ 7AWM3H4Bv3n8hZ9T/f2vN9Ebp5+AvQrZsI+I7z08MBNW+VxRZwm1tnSIunOFSqOKbWSm kZOQ==
X-Gm-Message-State: AOAM532m80xK7zufimYytJFkLQaH+EfdiebDtti7i5HbNTKB4CNCXOZN qocw/E8DWjQh2XKovAK658iDy5x3mnR15cuQ8tBTtw==
X-Google-Smtp-Source: ABdhPJze5X2lJcrx2HniV56Ht4BLqcrcjIM1//LSx2++ieo5l4O+LCIx9+YjfPvCjvsduBpCuiuvgmqVSGCMishkeDU=
X-Received: by 2002:a5d:4a84:: with SMTP id o4mr5350745wrq.104.1594907974910; Thu, 16 Jul 2020 06:59:34 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyPqjcWz7njW9cVb6wejY+KaASnskefSpwMqCPs+3WPmfg@mail.gmail.com> <CAD9ie-vV4oh9Qk3Y0sPeewo4jby_S6a=HKTZnoqByxJ6tCHJ+Q@mail.gmail.com> <CAOW4vyOQYvHBBPjMSNx9=S66_JY4RVcVi2DiqL8OjXUyvzxg=w@mail.gmail.com> <CAD9ie-tou5mTnWVguNygj-D6xUdTRjqvxi-+jhC6NbDFY8ZVJQ@mail.gmail.com> <CAOW4vyM0LycEf8q1T4jF=1g8aFyeLw1b4z9emNKWOG=+4iGgzw@mail.gmail.com> <CAM8feuSWeianPu=BD0WVTv5oB+U4ZkjhtKjnAG9RFk15VqJqWA@mail.gmail.com> <CAOW4vyNTXso=tusCrzDVgM63xH4hDsx6epO6tAhh1YekbWBA0A@mail.gmail.com> <f00c75a5-f930-81a6-a50e-2eeffedac691@free.fr>
In-Reply-To: <f00c75a5-f930-81a6-a50e-2eeffedac691@free.fr>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Thu, 16 Jul 2020 09:59:23 -0400
Message-ID: <CAOW4vyOHO1We4UpCPJBKYvj22rsFd1EN6fAXw8w6YOYTUDhF=g@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth@ietf.org, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000004b5c0605aa8f7318"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/z89T30GvCU03hAY5g24g0OBCZbg>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2020 13:59:40 -0000

Hello Denis,

On Thu, Jul 16, 2020 at 8:45 AM Denis <denis.ietf@free.fr> wrote:

> Hello  Francis,
>
> The first two steps of your scenario are nice, in particular the second
> one:
>
> (2) Service Intent: In order to discover *authorization requirements*,
> the Client sends a service intent to the RS.
>
> This means that the client first contacts the RS, instead of the GS.
>

> However, the third step is missing to disclose to the client these "*authorization
> requirements*", in particular which AS(s),
> it may contact, which attributes are requested and how/when/where the user
> consent is gathered.
>
The response (2) AuthZ Challenge carries the reference to the GS. Mean the
resource server instructs the Client on which GS to approach for
authorization.


> Unless the scenario is mandating all the RSs to trust one and only one GS
> and the client to have a relationship with that GS,
> the remaining steps of this scenario do not work.
>
Can you elaborate why it shall not work for many GSs?


>

> Step (5) mandates the GS to know who the owner of a given RS is
>
Step (5) mandates the GS to know the RO, as owner of the target Resource,
but not the RS (Resource Server). Resource not-equals RS.

, and thus mandates the client to disclose to the GS the identity of the
> RS.
>
No. Here there is no requirement from GS to know the RS.


> The consequence is the following : this scenario, *as well as the
> scenario described in draft-hardt-xauth-protocol-13*, allows the GS to
> act as Big Brother.
>
No.

RS will find a way to validate AuthZ produced by any GS. Means RS must
trust that very GS or trust somebody that trusts that very GS (e.g. CA).
GS must not know the RS but must understand the Resource and trust the
Resource Owner, so that GS can validate the RO Grant.

/Francis

>
> Denis
>
> Hello Fabian,
>
> On Thu, Jul 16, 2020 at 4:47 AM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Hi,
>>
>> That's interesting, however the important logic is actually implemented
>> within (5). And so for the reader, it might be quite difficult to
>> understand what we're after (compared to oauth2 for instance). So in my
>> view, this kind of schema has its place, but not at the start of the
>> document where we should primarily be concerned about explaining why
>> someone should read the document..
>>
>> It's also not easy to understand :
>> - why we sometimes use different labels between requests and responses
>> (for instance, 5 and 6)
>>
> Will need support in drafting the correct terms. The main purpose of this
> diagram is to help sharpen the definition of terms and verbs used in the
> draft.
>
> - sometimes we use "grant" and sometimes "authZ", and it doesn't seem very
>> clear what is the difference in use
>>
> IMO: the granting is the process of given permission.
> - RO can grant his Consent to the User or Client
> - GS can turn the RO Grant into an AuthZ.
> - Client can use AuthZ to access a Resource.
>
> A terminology section would be great to clarify.
>>
> Yes. There is a terminology section in there. We need to bring the wissing
> words into the list and sharpen those already there.
>
>>
>> If I understand correctly your remark in 5, you think the
>> request/response scheme (as in XYZ) may be misleading.
>>
> No. XYZ does IMO exactly  that. Just try to be more abstract for a better
> description of the models.
>
>
>> On the contrary, I think it allows support rich interaction scenarios
>> (and especially the ones you describe) with greater flexibility.
>>
> Flexibility shall not be put ahead of formal correctness.
>
>
>> For instance, some would disagree with the assertion that the goal is for
>> the GS to gather consent (see discussion on putting that on client side). A
>> fixed interaction schema has the downside of not permitting other setups.
>>
> This discussion is the result of the lack of sharp terminology. Most of
> the time mixing up gathering consent (the act) and the way consent is
> gathered and transported from RO to GS (the interaction).
> /Francis
>
>
>> Fabien
>>
>> On Thu, Jul 16, 2020 at 5:28 AM Francis Pouatcha <fpo=
>> 40adorsys.de@dmarc.ietf.org> wrote:
>>
>>> Hello Dick,
>>>
>>>
>>>>>>
>>>>>>>
>>>>>>> 2. Abstract Protocol Flow
>>>>>>> I am missing an abstract protocol flow like the one defined in
>>>>>>> https://tools.ietf.org/html/rfc6749#section-1.2.
>>>>>>>
>>>>>>
>>>>>> That's an interesting point. GNAP also has identity claims, so the
>>>>>> abstract flow is somewhat different (there is no Authorization Grant from
>>>>>> the RO), and not all steps always happen. (there may not be steps (E) and
>>>>>> (F) with a Resource Server)
>>>>>>
>>>>>> Would you elaborate on what you think would be useful here, that is
>>>>>> not in the specific flows?
>>>>>>
>>>>> A diagram that generalizes the steps, independently of interaction
>>>>> mode is essential for the reader's navigation of the rest of the
>>>>> document. This is what #section-1.2 of RFC6749 does. I hope we can produce
>>>>> a similar diagram.
>>>>>
>>>>> A subsection of
>>>>> https://tools.ietf.org/html/draft-hardt-xauth-protocol-12#section-1.1
>>>>> could be defined for this.
>>>>>
>>>>
>>>> Interaction modes are one dimension where the steps could be
>>>> generalized, but some steps are optional. For example, the User may not
>>>> interact with the GS, and the GS may interact with the RO. The Client may
>>>> only want claims, and there would be no step of the Client calling the RS.
>>>>
>>>> A generalized diagram would need to include all optional steps so that
>>>> it did not mislead a reader into thinking the diagram included all general
>>>> steps, but it does not seem that is what you are asking for as you wrote:
>>>>
>>>> A subsection of
>>>> https://tools.ietf.org/html/draft-hardt-xauth-protocol-12#section-1.1
>>>> could be defined for this."
>>>>
>>>> Perhaps you can share how you think the diagram would look?
>>>>
>>> find below my proposal of an abstract sequence diagram.
>>>
>>> +----+  +------+  +---+  +---+  +---+
>>> |User|  |Client|  |RS |  |GS |  |RO |
>>> +----+  +------+  +---+  +-+-+  +-+-+
>>>   |(1) Service Request     |      |
>>>   |-------->|       |      |      |
>>>   |         |(2) Service Intent   |
>>>   |         |------>|      |      |
>>>   |         |(3) AuthZ Challenge  |
>>>   |         |<------|      |      |
>>>   |         |(4) AuthZ Request    |
>>>   |         |------------->|      |
>>>   |         |       |      |(5) Consent Request
>>>   |         |       |      |----->|
>>>   |         |       |      |(6) Grant Consent
>>>   |         |       |      |<-----|
>>>   |         |(7) Grant Access (Token)
>>>   |         |<-------------|      |
>>>   |         |(8) Service Request (Token)
>>>   |         +------>+      |      |
>>>   |         |(9) Service Response |
>>>   |         |<------|      |      |
>>>   |(10) Service Response   |      |
>>>   +<--------|       |      |      |
>>>   +         +       +      +      +
>>>
>>> (1) Service Request: This is the service request sent by a User to the
>>> Client. This can be a simple file read request or even a complex payment
>>> initiation request.
>>>
>>> (2) Service Intent: In order to discover authorization requirements, the
>>> Client sends a service intent to the RS.
>>>
>>> (3) AuthZ Challenge: The response to a service intent request is
>>> generally an AuthZ Challenge. The content of this AuthZ Challenge, can be
>>> an identification challenge, an AuthZ exemption, or details on requested
>>> AuthZ. The content AuthZ Challenge can be similar to the oAuth2 RAR.
>>>
>>> (4) AuthZ Request : the Client sends an AuthZ Request to the GS
>>> including the AuthZ Challenge. This request can be similar to the oAuth PAR
>>> request.
>>>
>>> (5) Requests Consent : GS sends consent request to RO.
>>> Remark: The abstract protocol flow does not display a response of the
>>> request (4) to the Client. This is IMO a general misunderstanding. This
>>> protocol wants the GS to collect a consent from the RO.
>>> - In the case of a "redirect interaction", GS will use transport
>>> infrastructure provided by the Client to instruct the User to send the RO
>>> to the GS (in most cases, user and RO are identical).
>>> - In the case of a "decoupled interaction", GS will directly contact RO
>>> and collect consent in a direct interaction with the RO (see CIBA).
>>> - In the case of an "embedded interaction", GS will allow the Client to
>>> directly collect the Consent of the RO in a direct interaction with the
>>> User.
>>>
>>> (6) Grant Consent : RO return a Consent Grant to GS.
>>>
>>> (7) Grant Access : GS produces the corresponding access token and
>>> returns it to Client.
>>>
>>> (8) Service Request : Client uses the access token to send the service
>>> request to RS.
>>>
>>> (9) and (10) are self explaining....
>>>
>>> One of our upcoming exercises will be to challenge this abstract
>>> protocol flow with existing interactions (and if possible associated use
>>> cases) to see if we are missing something. After an agreement on the
>>> abstract protocol flow we can make sure each interaction provides a mapping
>>> to step 1 to 10.
>>>
>>> I will strip the rest of the post here. And bring further responses in
>>> separate mails.
>>>
>>> Best regards.
>>> /Francis
>>>
>>>> ᐧ
>>>>
>>> --
>>> Francis Pouatcha
>>> Co-Founder and Technical Lead
>>> adorsys GmbH & Co. KG
>>> https://adorsys-platform.de/solutions/
>>> --
>>> Txauth mailing list
>>> Txauth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
>
>
>

-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/

v2.23.0 | Report a Bug | By Email