Internet-Draft | The Grant Negotiation and Authorization Protocol | July 2020 |
Hardt | Expires 14 January 2021 | [Page] |
Client software often desires resources or identity claims that are independent of the client. This protocol allows a user and/or resource owner to delegate resource authorization and/or release of identity claims to a server. Client software can then request access to resources and/or identity claims by calling the server. The server acquires consent and authorization from the user and/or resource owner if required, and then returns to the client software the authorization and identity claims that were approved. This protocol may be extended to support alternative authorizations, claims, interactions, and client authentication mechanisms.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 January 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
EDITOR NOTE¶
This document captures a number of concepts that may be adopted by the proposed GNAP working group. Please refer to this document as:¶
XAuth¶
The use of GNAP in this document is not intended to be a declaration of it being endorsed by the proposed GNAP working group.¶
This document describes the core Grant Negotiation and Authorization Protocol (GNAP). The protocol supports the widely deployed use cases supported by OAuth 2.0 [RFC6749] & [RFC6750], OpenID Connect [OIDC] - an extension of OAuth 2.0, as well as other extensions. Related documents include: GNAP - Advanced Features [GNAP_Advanced] and JOSE Authentication [JOSE_Authentication] that describes the JOSE mechanisms for client authentication.¶
The technology landscape has changed since OAuth 2.0 was initially drafted. More interactions happen on mobile devices than PCs. Modern browsers now directly support asymetric cryptographic functions. Standards have emerged for signing and encrypting tokens with rich payloads (JOSE) that are widely deployed.¶
GNAP simplifies the overall architectural model, takes advantage of today's technology landscape, provides support for all the widely deployed use cases, offers numerous extension points, and addresses many of the security issues in OAuth 2.0 by passing parameters securely between parties, rather than via a browser redirection. .¶
While GNAP is not backwards compatible with OAuth 2.0, it strives to minimize the migration effort.¶
GNAP centers around a Grant, a representation of the collection of user identity claims and/or resource authorizations the Client is requesting, and the resulting identity claims and/or resource authorizations granted by the Grant Server (GS).¶
User consent is often required at the GS. GNAP enables a Client and GS to negotiate the interaction mode for the GS to obtain consent.¶
The suggested pronunciation of GNAP is the same as the English word "nap", a silent "g" as in "gnaw".¶
[Editor: suggestions on how to improve this are welcome!]¶
The parties and their relationships to each other:¶
+--------+ +------------+ | User | | Resource | | | | Owner (RO) | +--------+ +------------+ | \ / | | \ / | | \ / | | \ / | +--------+ +---------------+ +------------+ | Client |---->| Grant | | Resource | | | (1) | Server (GS) | _ _ | Server | | |<----| | | (RS) | | | +---------------+ | | | |-------------------------->| | | | (2) | | | |<--------------------------| | +--------+ +------------+¶
This document specifies interactions between the Client and GS (1), and the Client and RS (2).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC2119].¶
Certain security-related terms are to be understood in the sense defined in [RFC4949]. These terms include, but are not limited to, "attack", "authentication", "authorization", "certificate", "confidentiality", "credential", "encryption", "identity", "sign", "signature", "trust", "validate", and "verify".¶
[Editor: review terms]¶
Unless otherwise noted, all the protocol parameter names and values are case sensitive.¶
Some protocol parameters are parts of a JSON document, and are referred to in JavaScript notation. For example, foo.bar refers to the "bar" boolean attribute in the "foo" object in the following example JSON document:¶
{ "foo" : { "bar": true } }¶
Before any sequence, the Client needs to be manually or programmatically configured for the GS. See GS Options Section 3.7 for details on programmatically acquiring GS metadata.¶
The Client is a web application and wants a Grant from the User:¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | | | | |<--- Interaction Response ---(2)--| | +------+ | | | | | User | | |--(3)--- Interaction Transfer --- | - - - | ------->| (RO) | | | | |<--(4)-->| | | | | | authN | | | | | | | | | | | |<--(5)-->| | | | | | authZ | | | |<--- Interaction Transfer ---(6)- | - - - | --------| | | | | | | | | |--(7)--- Verify Grant ----------->| | +------+ | | | | | |<--------- Grant Response ---(8)--| | | | | | +--------+ +-------+¶
A Client is on a device wants a Grant from the User:¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | | | | |<--- Interaction Response ---(2)--| | +------+ | | | | | User | | |--(3)--- Read Grant ------------->| | | (RO) | | | | |<--(4)-->| | | | | | authN | | | | | | | | | | | |<--(5)---| | | | | | code | | | | | | | | | | | |<--(6)-->| | | | | | authZ | | | | | | | | | |<--------- Grant Response ---(7)--| | | | | | | | | | +--------+ | | | | | | | | +--------+ | | | | | Client |<---- Information URI Redirect -- | - - - | --(8)---| | | Server | | | | | +--------+ +-------+ +------+¶
The Client received an AZ URI from the GS. The Client acquires an access token, calls the RS, and later the access token expires. The Client then gets a fresh access token.¶
+--------+ +----------+ +-------+ | Client | | Resource | | GS | | |--(1)--- Access Resource --->| Server | | | | |<------- Resource Response --| (RS) | | | | | | | | | | |--(2)--- Access Resource --->| | | | | |<------- Error Response -----| | | | | | | | | | | | +----------+ | | | | | | | |--(3)--- Read AuthZ ---------------------->| | | |<------- AuthZ Response -------------------| | | | | | +--------+ +-------+¶
Client Authentication¶
All GS APIs except for GS Options require the Client to authenticate. Authentication mechanisms include:¶
request | http method | uri | response |
---|---|---|---|
GS Options | OPTIONS | GS URI | metadata |
Create Grant | POST | GS URI | interaction, wait, or grant |
Verify Grant | PATCH | Grant URI | grant |
Read Grant | GET | Grant URI | wait, or grant |
Read AuthZ | GET | AZ URI | authorization |
The Client creates a Grant by doing an HTTP POST of a JSON [RFC8259] document to the GS URI. This is a Grant Request.¶
The JSON document MUST include the following from the Request JSON Section 3.5:¶
and MAY include the following from Request JSON Section 3.5¶
The GS MUST respond with one of Grant Response Section 4.1, Interaction Response Section 4.2, Wait Response Section 4.3, or one of the following errors:¶
from Error Responses Section 7.¶
Following is a non-normative example of a web application Client requesting identity claims about the User and read access to the User's contacts:¶
Example 1 { "iat" : 15790460234, "uri" : "https://as.example/endpoint", "method" : "POST, "nonce" : "f6a60810-3d07-41ac-81e7-b958c0dd21e4", "client": { "display": { "name" : "SPA Display Name", "uri" : "https://spa.example/about" } }, "interaction": { "redirect": { "completion_uri" : "https://web.example/return" }, "global" : { "ui_locals" : "de" } }, "authorizations": { "type" : "oauth_scope", "scope" : "read_contacts" }, "claims": { "oidc": { "id_token" : { "email" : { "essential" : true }, "email_verified" : { "essential" : true } }, "userinfo" : { "name" : { "essential" : true }, "picture" : null } } } }¶
Following is a non-normative example of a device Client requesting two different access tokens, one request with "oauth_scope", the other with "oauth_rich":¶
Example 2 { "iat" : 15790460234, "uri" : "https://as.example/endpoint", "method" : "POST, "nonce" : "5c9360a5-9065-4f7b-a330-5713909e06c6", "client": { "id" : "di3872h34dkJW" }, "interaction": { "indirect": { "information_uri": "https://device.example/c/indirect" }, "user_code": { "information_uri": "https://device.example/c/user_code" } }, "authorizations": { "play_music": { "type" : "oauth_scope", "scope" : "play_music", }, "read_user_info: { "type" : "customer_information", "locations": [ "https://example.com/customers", ] "actions": [ "read" ], "datatypes": [ "contacts", "photos" ] } } }¶
[Editor: the "oauth_scope" and "customer_information" types are not normative, but generally representative of what may be defined in [RAR].¶
The Client verifies a Grant by doing an HTTP PATCH of a JSON document to the Grant URI. The Client MUST only verify a Grant once.¶
The JSON document MUST include the following from the Request JSON Section 3.5:¶
Following is a non-normative example:¶
{ "iat" : 15790460235, "uri" : "https://as.example/endpoint/grant/example1", "method" : "PATCH, "nonce" : "9b6afd70-2036-47c9-b953-5dd1fd0c699a", "interaction": { "redirect": { "verification" : "cb4aa22d-2fe1-4321-b87e-bbaa66fbe707" } } }¶
The GS MUST respond with one of Grant Response Section 4.1 or one of the following errors:¶
The Client reads a Grant by doing an HTTP GET of the corresponding Grant URI. The Client MAY read a Grant until it expires or has been invalidated.¶
The GS MUST respond with one of Grant Response Section 4.1, Wait Response Section 4.3, or one of the following errors:¶
The client object MUST only one of the following:¶
display - the display object contains the following attributes:¶
The GS will show the the User the display.name and display.uri values when prompting for authorization.¶
[Editor: a max length for the name and URI so a GS can reserve appropriate space?]¶
The interaction object contains one or more interaction mode objects per Section 5 representing the interactions the Client is willing to provide the User. In addition to the interaction mode objects, the interaction object may contain the "global" object;¶
global - an optional object containing parameters that are applicable for all interaction modes. Only one attribute is defined in this document:¶
[Editor: ui_locales is taken from OIDC. Why space-separated and not a JSON array?]¶
Contains either an authorization request object, or key / value pairs, where each unique key is created by the client, and the value is an authorization request object Section 3.5.5. The key value of "type" is reserved and MUST not be used by the client. The GS detects the authorizations object contains an authorization request object by the presence of the "type" property.¶
[Editor: in the example we made up the "oauth_scope" type as a way of using existing OAuth scopes.]¶
[Editor: rather then using the "type" property to differentiate between singular and plural authorization requests, the authorization could be an array, which would allow multiple types to be included in a single authorization, per the latest {{RAR} document}, and detection is if authorizations contains an array(singular), or object(plural)]¶
The Client acquires and refreshes an Authorization by doing an HTTP GET to the corresponding AZ URI.¶
The GS MUST respond with a Authorization JSON document Section 4.5, or one of the following errors:¶
The Client can get the metadata for the GS by doing an HTTP OPTIONS of the corresponding GS URI. This is the only API where the GS MAY respond to an unauthenticated request.¶
The GS MUST respond with the the following JSON document:¶
authorization - an object containing the authorizations the Client may request from the GS, if any.¶
claims - an object containing the identity claims the Client may request from the GS, if any, and what public keys the claims will be signed with.¶
or one of the following errors:¶
There are three successful responses to a Grant Request: Grant Response, Interaction Response, or Wait Response.¶
The Grant Response MUST include the following from the Response JSON Section 4.4¶
and MAY include the following from the Response JSON Section 4.4¶
Example non-normative Grant Response JSON document for Example 1 in Section 3.2:¶
{ "iat" : 15790460234, "nonce" : "f6a60810-3d07-41ac-81e7-b958c0dd21e4", "uri" : "https://as.example/endpoint/grant/example1", "expires_in" : 300 "authorizations": { "access": { "type" : "oauth_scope", "scope" : "read_contacts" }, "expires_in" : 3600, "mechanism" : "bearer", "token" : "eyJJ2D6.example.access.token.mZf9p" }, "claims": { "oidc": { "id_token" : "eyJhbUzI1N.example.id.token.YRw5DFdbW", "userinfo" : { "name" : "John Doe", "picture" : "https://photos.example/p/eyJzdkiO" } } } }¶
Note in this example the access token can not be refreshed, and expires in an hour.¶
Example non-normative Grant Response JSON document for Example 2 in Section 3.2:¶
{ "iat" : 15790460234, "nonce" : "5c9360a5-9065-4f7b-a330-5713909e06c6", "uri" : "https://as.example/endpoint/grant/example2", "authorizations": { "play_music": { "uri" : "https://as.example/endpoint/authz/example2" }, "read_user_info: { "uri" " "https://as.example/endpoint/authz/"} } }¶
Note in this example the GS only provided the AZ URIs, and Client must acquire the Authorizations per Section 3.6¶
[Editor: the Client needs to remember if it asked for a single, or multiple authorizations, as there is no crisp algorithm for differentiating between the responses]¶
The Interaction Response MUST include the following from the Response JSON Section 4.4¶
and MAY include the following from the Response JSON Section 4.4¶
A non-normative example of an Interaction Response follows:¶
{ "iat" : 15790460234, "nonce" : "0d1998d8-fbfa-4879-b942-85a88bff1f3b", "uri" : "https://as.example/endpoint/grant/example4", "interaction" : { "redirect" : { "redirect_uri" : "https://as.example/i/example4" } } }¶
The Wait Response MUST include the following from the Response JSON Section 4.4¶
and MAY include the following from the Response JSON Section 4.4¶
A non-normative example of Wait Response follows:¶
{ "iat" : 15790460234, "nonce" : "0d1998d8-fbfa-4879-b942-85a88bff1f3b", "uri" : "https://as.example/endpoint/grant/example5", "wait" : 300 }¶
Details of the JSON document:¶
The GS may¶
If the GS wants the Client to start the interaction, the GS MUST return an interaction object containing one or more interaction mode responses per Section 5 to one or more of the interaction mode requests provided by the Client.¶
The authorizations object MUST contain either an authorization response object Section 4.4.5, or a key / value pair for each key in the Grant Request "authorizations" objectSection 3.5.4, and the value is an authorization response object Section 4.4.5.¶
The authorization response object MUST contain only a "uri" attribute or the following from Authorization JSON Section 4.5:¶
The authorization object MAY contain any of the following from Authorization JSON Section 4.5:¶
If there is no "uri" attribute, the access token can not be refreshed. If only the "uri" attribute is present, the Client MUST acquire the Authorization per Section 3.6¶
The claims object is a response to the Grant Request "claims" object Section 3.5.6.¶
oidc¶
vc¶
The verified claims the user consented to be released. [Editor: details TBD]¶
The Authorization JSON is a Grant Response Authorization Object Section 4.4.5 or the response to a Read AuthZ request by the Client Section 3.6.¶
access - an object containing the access granted:¶
[Editor: would an optional expiry for the Authorization be useful?]¶
The following is a non-normative example of Authorization JSON:¶
{ "mechanism" : "bearer", "token" : "eyJJ2D6.example.access.token.mZf9p" "expires_in" : 3600, "uri" : "https://as.example/endpoint/authz/example2", "access": { "type" : "oauth_scope", "scope" : "read_calendar write_calendar" } }¶
On receipt of a response, the Client MUST verify the following:¶
This document defines three interaction modes: "redirect", "indirect", and "user_code". Extensions may define additional interaction modes.¶
The "global" attribute is reserved in the interaction object for attributes that apply to all interaction modes.¶
A Redirect Interaction is characterized by the Client redirecting the User's browser to the GS, the GS interacting with the User, and then GS redirecting the User's browser back to the Client. The GS correlates the Grant Request with the unique redirect_uri, and the Client correlates the Grant Request with the unique completion_uri.¶
The request "interaction" object contains:¶
The response "interaction" object contains:¶
If the GS indicates that Grant Verification is required, the GS MUST add a 'verification' query parameter with a value of a unique verification code to the completion_uri.¶
On receiving the verification code in the redirect from the GS, the Client makes a Verify Grant request (Section 3.3) with the verification code.¶
An Indirect Interaction is characterized by the Client causing the User's browser to load the indirect_uri at GS, the GS interacting with the User, and then the GS MAY optionally redirect the User's Browser to a information_uri. There is no mechanism for the GS to redirect the User's browser back to the Client.¶
Examples of how the Client may initiate the interaction are encoding the indirect_uri as a code scannable by the User's mobile device, or launching a system browser from a command line interface (CLI) application.¶
The "indirect" mode is susceptible to session fixation attacks. See TBD in the Security Considerations for details.¶
The request "interaction" object contains:¶
The response "interaction" object contains:¶
An Indirect Interaction is characterized by the Client displaying a code and a URI for the User to load in a browser and then enter the code. [Editor: recommend a minimum entropy?]¶
The request "interaction" object contains:¶
The response "interaction" object contains:¶
The mechanism the Client MUST use to access an RS is in the Authorization JSON "mechanism" attribute Section 4.4.5.¶
The "bearer" mechanism is defined in Section 2.1 of [RFC6750]¶
The "jose" and "jose+body" mechanisms are defined in [JOSE_Authentication]¶
A non-normative "bearer" example of the HTTP request headers follows:¶
GET /calendar HTTP/2 Host: calendar.example Authorization: bearer eyJJ2D6.example.access.token.mZf9pTSpA¶
This standard can be extended in a number of areas:¶
Client Authentication Mechanisms¶
Grant¶
Top Level¶
"client" Object¶
"user" Object¶
"authorization" Object¶
"claims" Object¶
interaction modes¶
Continuous Authentication¶
[Editor: do we specify access token introspection in this document, or leave that to an extension?]¶
Why do Clients now always use Asymetric cryptography? Why not keep the client secret?¶
In the past, asymetric cryptography was relatively computational expensive. Modern browsers now have asymetric cryptographic APIs available, and modern hardware has significantly reduced the computational impact.¶
Why have both Client ID and Client Handle?¶
While they both refer to a Client in the protocol, the Client ID refers to a pre-registered client,and the Client Handle is specific to an instance of a Dynamic Client. Using separate terms clearly differentiates which identifier is being presented to the GS.¶
Why allow Client and GS to negotiate the user interaction mode?¶
The Client knows what interaction modes it is capable of, and the GS knows which interaction modes it will permit for a given Grant Request. The Client can then present the intersection to the User to choose which one is preferred. For example, while a device based Client may be willing to do both "indirect" and "user_code", a GS may not enable "indirect" for concern of a session fixation attack. Additional interaction modes will likely become available which allows new modes to be negotiated between Client and GS as each adds additional interaction modes.¶
Why have both claims and authorizations?¶
There are use cases for each that are independent: authenticating a user and providing claims vs granting access to a resource. A request for an authorization returns an access token which may have full CRUD capabilities, while a request for a claim returns the claim about the User - with no create, update or delete capabilities. While the UserInfo endpoint in OIDC may be thought of as a resource, separating the concepts and how they are requested keeps each of them simpler in the Editor's opinion. :)¶
Why do some of the JSON objects only have one child, such as the identifiers object in the user object in the Grant Request?¶
It is difficult to forecast future use cases. Having more resolution may mean the difference between a simple extension, and a convoluted extension. For example, the "global" object in the "interaction" object allows new global parameters to be added without impacting new interaction modes.¶
Why is the "iss" included in the "oidc" identifier object? Would the "sub" not be enough for the GS to identify the User?¶
This decouples the GS from the OpenID Provider (OP). The GS identifier is the GS URI, which is the endpoint at the GS. The OP issuer identifier will likely not be the same as the GS URI. The GS may also provide claims from multiple OPs.¶
Why is there not a UserInfo endpoint as there is with OpenID Connect?¶
Since the Client can Read Grant at any time, it get the same functionality as the UserInfo endpoint, without the Client having to manage a separate access token and refresh token. If the Client would like additional claims, it can Update Grant, and the GS will let the Client know if an interaction is required to get any of the additional claims, which the Client can then start.¶
[Editor: is there some other reason to have the UserInfo endpoint?]¶
Why use URIs for the Grant and Authorization?¶
Why use the OPTIONS method on the GS URI? Why not use a .well-known mechanism?¶
Having the GS URI endpoint respond to the metadata allows the GS to provide Client specific results using the same Client authentication used for other requests to the GS. It also reduces the risk of a mismatch between the advertised metadata, and the actual metadata. A .well-known discovery mechanism may be defined to resolve from a hostname to the GS URI.¶
Why is there a Verify Grant? The Client can protect itself from session fixation without it.¶
Client implementations may not always follow the best practices. The Verify Grant allows the GS to ensure there is not a session fixation as the instance of the Client making creating the Grant is the one that gets the verification code in the redirect.¶
**Why use the [OIDC] claims rather than the [IANA_JWT] list of claims?¶
The [IANA_JWT] claims include claims that are not identity claims, and [IANA_JWT] references the [OIDC] claims, and [OIDC] 5.1 are only identity claims.¶
This draft derives many of its concepts from Justin Richer's Transactional Authorization draft [TxAuth].¶
Additional thanks to Justin Richer and Annabelle Richard Backman for their strong critique of earlier drafts.¶
Changed Features¶
The major changes between GNAP and OAuth 2.0 and OpenID Connect are:¶
Preserved Features¶
New Features¶