Internet-Draft | The Grant Negotiation and Authorization Protocol - Advanced Features | August 2020 |
Hardt | Expires 16 February 2021 | [Page] |
TBD¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 February 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
This document includes additional features for the Grant Negotiation and Authorization Protocol (GNAP) [GNAP], and presumes familiarity and knowledge of GNAP.¶
Terminology¶
This document uses the following terms defined in [GNAP]:¶
Notational Conventions¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC2119].¶
Certain security-related terms are to be understood in the sense defined in [RFC4949]. These terms include, but are not limited to, "attack", "authentication", "authorization", "certificate", "confidentiality", "credential", "encryption", "identity", "sign", "signature", "trust", "validate", and "verify".¶
Unless otherwise noted, all the protocol parameter names and values are case sensitive.¶
Some protocol parameters are parts of a JSON document, and are referred to in JavaScript notation. For example, foo.bar refers to the "bar" boolean attribute in the "foo" object in the following example JSON document:¶
{ "foo" : { "bar": true } }¶
In addition to creating and reading a Grant as specified in GNAP The GC MAY list, update, delete, and discover a Grant.¶
The GC MAY list the Grants provided to the GC by doing an a GET on the GS URI. The GS MUST respond with a list of Grant URIs [ format TBD] or one of the following errors:¶
The GC updates a Grant by doing an HTTP PUT of a JSON document to the corresponding Grant URI.¶
The JSON document MUST include the following from the [GNAP] Grant Request JSON:¶
and MAY include the following from the [GNAP] Grant Request JSON:¶
The GS MUST respond with one of the standard GNAP responses (Grant Response, Interaction Response, Wait Response) or one of the following errors:¶
from Error Responses Section 8.¶
Following is a non-normative example where the GC wants to update the Grant Request with additional claims:¶
{ "iat" : 15790460234, "uri" : "https://as.example/endpoint/grant/example3", "claims": { "oidc": { "userinfo" : { "email" : { "essential" : true }, "name" : { "essential" : true }, "picture" : null } } } }¶
The GC deletes a Grant by doing an HTTP DELETE of the corresponding Grant URI.¶
The GS MUST respond with OK 200, or one of the following errors:¶
Party A and Party B both want to obtain a Grant from the other party. Each party will be both Grant Client and Grant Server. This would require two complete GNAP flows with an awkward redirect between them, and the User may have to authenticate multiple times as context is lost. Reciprocal Grant simplifies the User experience.¶
In the following sequence, steps 1 - 7 & 9 are a standard GNAP sequence.¶
Party A Party B +--------+ +--------+ | | | | | Client |--(1)-- Create Grant A ->| GS | | | | | | Client |<--- Interaction ---(2)--| GS | | | Response | | | | | | | Client |--(3)--- Read Grant A -->| GS | +---+ | | | | | U | | Client |--(4)--- Interaction --- | - - - | ----->| s | | | Transfer | | | e | | | | GS |<-(5)->| r | | | | | authN | | | | | GS |<-(6)->| | | | | | authZ | | | Client |<------- Grant A ---(7)--| GS | +---+ | | Response | | | | | | | GS |<- Create Grant B --(8)--| Client | +---+ | | user.reciprocal | | | U | | | | | | s |<------ | - - - | --- Interaction --(9)---| GS | | e | | | Transfer | | | r |<-(10)->| GS | | | | | AuthZ | | | | +---+ | GS |--(11)-- Grant B ------->| Client | | | Response | | +--------+ +--------+ Client = Grant Client¶
The User is at the GS, and wants to interact with a Registered Client. The GC has previously configured an initiation_uri at the GS, and the Grant it requires.¶
In this sequence, the GS creates a Grant and redirects the User to the GC's initiation_uri passing a Grant URI:¶
+--------+ +-------+ +------+ | GC | | GS | | User | | | | |<--(1)-->| | | | | | | | | |<----- GS Initiation Redirect --- | - - - | --(2)---| | | (3) | | | | | | verify |--(4)--- Read Grant ------------->| | +------+ | | | | | |<--------- Grant Response --(5)---| | | | | | +--------+ +-------+¶
The GC may want to provide a different experience to the User depending on if a User already exists at the GS. By including one or more identifiers in the Grant Request user.identifiers object, and setting user.exists to true, the GS MAY include a user.exists attribute in a GNAP Interaction Response. The value is true if the GS has a user with one or more of the GC provided identifers, and false if not.¶
A GS indicates support for this feature by returning the features.user_exists attribute in the GS Options response set to true.¶
There are situations where the GC can not, or prefers not, to ask for all identity claims and/or authorizations it requires.¶
In this example sequence, the GC requests an identity claim to determine who the User is. Once the GC learns who the User is, the GC updates the Grant for additional identity claims which the GS prompts the User for and returns to the GC. Once those additional claims are received, the GC updates the Grant with the remaining identity claims required.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | multi = true | | | | | | | |<--- Interaction Response ---(2)--| | | | multi = true | | | | | | | |--(3)--- Read Grant ------------->| | +------+ | | | | | User | | |--(4)--- Interaction Transfer --- | - - - | ------->| | | | | | | | | | | |<--(5)-->| | | | | | authN | | | |<--------- Grant Response ---(6)--| | | | | (7) | | | | | | eval |--(8)--- Update Grant ----------->| | | | | | multi = true | |<--(9)-->| | | | | | authZ | | | |<--------- Grant Response --(10)--| | | | | | multi = true | | | (11) | | | | | | eval |--(12)-- Update Grant ----------->| | | | | | multi = false | |<--(13)->| | | | | | authZ | | | | | | | | | |<--- Interaction Transfer --(14)- | - - - | --------| | | | | | | | | |<--------- Grant Response --(15)--| | +------+ | | multi = false | | | | | | +--------+ +-------+ Client = Grant Client¶
A GS indicates support for this feature by returning the features.interaction_multi attribute in the GS Options response set to true.¶
TBD¶
Below is a consolidated table of GS APIs from [GNAP] and this document:¶
request | http method | uri | response |
---|---|---|---|
Create Grant | POST | GS URI | interaction, wait, or Grant |
List Grants | GET | GS URI | Grant list |
Verify Grant | PATCH | Grant URI | Grant |
Read Grant | GET | Grant URI | wait, or grant |
Update Grant | PUT | Grant URI | Interaction, wait, or Grant |
Delete Grant | DELETE | Grant URI | success |
Read Access | GET | Access URI | Access |
Update Access | PUT | Access URI | Access |
Delete Access | DELETE | Access URI | success |
GS Options | OPTIONS | GS URI | metadata |
Grant Options | OPTIONS | Grant URI | metadata |
Access Options | OPTIONS | Access URI | metadata |