Extract RS-focused protocol elements #246
Conversation
|
Deploy preview for gnap-core-protocol-editors-draft ready! Built with commit 19f2ae9 https://deploy-preview-246--gnap-core-protocol-editors-draft.netlify.app |
|
Regarding
Why this specification can't state it even in a more generic way similar to what https://tools.ietf.org/html/rfc8693 does? There are use cases when we may need to exchange an access token and then use it with something completely different than chained RSs. |
|
Maybe this is a bit unrelated but... The self-contained tokens usually contain one or another form of the issuer. What would be the issuer for GNAP? Is it the grant endpoint? |
|
@adeinega I'd be happy to see proposed language to discuss! The limitation is to keep parity with the "token request" mechanism in the core draft: the goal is to get an access token, but based on the context of an existing access token. One of the problems I've always had with RFC8693 is that it tries to be many things at once, from access token exchange to assertion exchange to likely other use cases. If other functions should be added to this spec then we can do that, but hopefully we won't run the same risk of putting everything through the same narrow pipe. Technically since it's a basic GNAP request, you can already return subject identifiers or assertions as well, but we don't currently talk about any of that. Should we? |
|
@adeinega The concept of the "issuer" entirely depends on the type of token. The grant endpoint would be an obvious value for GNAP though, and if we're going to go down the route of discussing token contents from a structural standpoint (or even profile things like JWT or Biscuits or PASETO) then we can make that recommendation. However, the current text is intended to be at a much higher level than that, right now. |
|
@jricher, I also wonder if GNAP is going to support encrypted token introspection responses on its core? |
|
Another thing I would like to understand better if GNAP is going to rely completely on TLS... or it would
TLS isn't going anywhere... It's a must. Although, in certain forms of envs, it's great to have an additional layer on top of it. |
|
Regarding, It's understandable. It's entirely possible I missed something in the current spec but it would be nice to say that a URL of the grant endpoint also represents something the I hope it makes some sense. |
draft-ietf-gnap-resource-servers.md
Outdated
| } | ||
| ~~~ | ||
|
|
||
| The AS responds with a token for the downstream RS2 as described in |
There was a problem hiding this comment.
I would suggest omitting the downstream word for #246 (comment) to make this section more generic. An RS 1 may call RS 2 that belongs to a completely different sec domain. RS 2 may also trust only to its own AS 2... and there is some form of trust established between AS 1 and AS 2. The same applies to the name of this section (Deriving a downstream token). I do hope it makes sense.
There was a problem hiding this comment.
Fair point, I think the current section is tightly focused on the RS going back to the same issuing AS that the original token came from -- this doesn't have to be the case, of course, but for the cases where it's not the issuing AS then as you point out there needs to be some kind of trust happening between the two AS's such that the second AS can make any sense of things. I am a little afraid of the model becoming overly abstract and not giving developers enough to hook on to, but I think it's worth pursuing. I'm going to suggest that if the WG does accept this PR then we continue that conversation in a new issue dedicated to that topic.
draft-ietf-gnap-resource-servers.md
Outdated
| "access": [ | ||
| "dolphin-metadata", "some other thing" | ||
| ], | ||
| "key": { |
There was a problem hiding this comment.
What's about the rotation of keys? Shouldn't it be a list of keys? Without that, we won't have a smooth transition when the client decides to rotate its key.
I still suggest requiring the JWK thumbprint as a value for kid in jwk as protection against misuse.
There was a problem hiding this comment.
In this design, if the key is rotated then whatever the "current" key is will be returned here, replacing the "old" key. I'm not sure I see the value in the overhead that multiple keys would have here just to address this one particular corner. To me it feels like having multiple keys tied to a single access token at any time would be problematic and lead to potential security gaps. Introspection already has to deal with cache inconsistency problems, so an RS is going to need to be robust against something like that anyway. This kind of situation can be talked about in some kind of implementation guide section, perhaps.
There was a problem hiding this comment.
Interestingly... so, your point is that an RS should be robust to handle this. I get it. Although we may still have & deal with an extremely chatty application and there is an unavoidable delay between the decision to rotate its key by the client and what both AS and RS known.
There was a problem hiding this comment.
I still like to hear your thoughts on
I still suggest requiring the JWK thumbprint as a value for kid in jwk as protection against misuse.
There was a problem hiding this comment.
Regarding with cache inconsistency problems, to be completely pedantic, the response, as well as the spec, includes Cache-Control: no-store. So, it's forbidden. You may allow omitting it for the introspection endpoint's response.
There was a problem hiding this comment.
HTTP Cache and functional application cache are totally separate from each other. You can disable an HTTP cache but still have an application save the results and simply not make another HTTP call again.
There was a problem hiding this comment.
JWK identifiers are varied and can have meaning inside of an environment (such as date/timestamps, service identifiers, etc), requiring a specific format will limit the utility of the protocol unnecessarily as it adds no additional benefits.
| type of request is used only for calls to the RS during a discovery phase as | ||
| described in {{rs-request-without-token}}. | ||
| - When neither an access token nor key proof are used, this is an unsecured request. This type | ||
| of request is not used in the core protocol of GNAP. |
There was a problem hiding this comment.
Ok, but the previous text was clearer as to what we're referring to. Could lonk to the proper section in I-D.draft-ietf-gnap-resource-servers as an example?
There was a problem hiding this comment.
We could point externally to that, but I took the reference out because one should never be making this kind of unprotected call in any of GNAP's core. So, this bullet was really just supposed to complete the matrix of possibilities and say "don't do this" -- the exception is in the extension that allows bootstrapping.
draft-ietf-gnap-resource-servers.md
Outdated
| email: [email protected] | ||
| uri: https://acert.io/ | ||
|
|
||
| normative: |
There was a problem hiding this comment.
Probably should review that list, I guess there's a lot we don't use in here specifically, except from gnap core.
There was a problem hiding this comment.
Yes, and the tools will throw warnings for unused references that we can use to trim things -- I just left the list as-is for now as we settle on which text goes where to avoid compilation errors for now.
There was a problem hiding this comment.
I think that's a good starting point.
A few general remarks:
- Seems to me that 3.3 is more an AS facing API. We could have a paragraph 3 focused on RS APIs (well known, registering a resource handle, etc.), and regroup the other items in a section that discusses how the RS reacts when a client calls it (i.e. current sections 3.3, 4 and 5)
- Will we need some kind of resource_server instance to declare a stable "resource_server": "7C7C4AZ9KHRS6X63AJAO"? (beyond tne reference, which seems chosen here by the RS?)
|
jricher
added
the
Pending Merge
draft-ietf-gnap-resource-servers.md
Outdated
| POST /introspect HTTP/1.1 | ||
| Host: server.example.com | ||
| Content-Type: application/json | ||
| Detached-JWS: ejy0... |
There was a problem hiding this comment.
resource_server identifier could be a part of Detached-JWS. In this case, you might want to omit it from the actual request. I don't see any reason to specify it twice.
There was a problem hiding this comment.
The identifier is not defined as part of that structure, it's defined as part of the body of the request where needed. There's no need to overload it. DPoP overloads the key identifier here because it has no other choice.
draft-ietf-gnap-resource-servers.md
Outdated
| Detached-JWS: ejy0... | ||
|
|
||
| { | ||
| "access_token": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", |
There was a problem hiding this comment.
This section doesn't specify the required field in the introspection request. At least, the "access_token" field should be required, right?
There was a problem hiding this comment.
Yes, all these sections need to be more clearly defined, the goal of this PR is just to get the right separation in place, so that work like this point can continue in the right place.
There was a problem hiding this comment.
I am guessing that resource_server could be also provided by value. Is this right?
There was a problem hiding this comment.
@adeinega Yes, that's the intent of the "authenticating the RS" section, it would be parallel to how clients are identified in the core document.
|
Folks, I have a strong preference for the new document to live in its own repo (see https://www.rfc-editor.org/rfc/rfc8874.html#name-repositories for pros and cons). Any objections? |
|
@yaronf I'm fine with this being in its own repository or in the same one -- I've used both in different groups and each has its benefits and drawbacks. If the chairs set up the repo I can import the support code and check in this document in its own PR. |
|
RS document now moved to https://github.com/ietf-wg-gnap/gnap-resource-servers |
jricher
removed
the
Pending Merge
This change set extracts the resource-server-focused elements of GNAP to allow the core protocol to focus on the client-AS relationship while this new document
can focus on the RS-AS relationship.
Closes #114
RS section now at: https://github.com/ietf-wg-gnap/gnap-resource-servers