| draft-hardt-xauth-protocol-08.txt | draft-hardt-xauth-protocol-09.txt |
|---|---|
| Network Working Group D. Hardt, Ed. | Network Working Group D. Hardt, Ed. |
| Internet-Draft SignIn.Org | Internet-Draft SignIn.Org |
| Intended status: Standards Track 6 June 2020 | Intended status: Standards Track 7 June 2020 |
| Expires: 8 December 2020 | Expires: 9 December 2020 |
| The Grant Negotiation and Authorization Protocol | The Grant Negotiation and Authorization Protocol |
| draft-hardt-xauth-protocol-08 | draft-hardt-xauth-protocol-09 |
| Abstract | Abstract |
| Client software often desires resources or identity claims that are | Client software often desires resources or identity claims that are |
| independent of the client. This protocol allows a user and/or | independent of the client. This protocol allows a user and/or |
| resource owner to delegate resource authorization and/or release of | resource owner to delegate resource authorization and/or release of |
| identity claims to a server. Client software can then request access | identity claims to a server. Client software can then request access |
| to resources and/or identity claims by calling the server. The | to resources and/or identity claims by calling the server. The |
| server acquires consent and authorization from the user and/or | server acquires consent and authorization from the user and/or |
| resource owner if required, and then returns to the client software | resource owner if required, and then returns to the client software |
| (skipping to change at page 1, line 39) | (skipping to change at page 1, line 39) |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on 8 December 2020. | This Internet-Draft will expire on 9 December 2020. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ |
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. |
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights |
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components |
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text |
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are |
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 |
| 1.1. Parties . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Parties . . . . . . . . . . . . . . . . . . . . . . . . . 4 |
| 1.2. Reused Terms . . . . . . . . . . . . . . . . . . . . . . 5 | 1.2. Reused Terms . . . . . . . . . . . . . . . . . . . . . . 6 |
| 1.3. New Terms . . . . . . . . . . . . . . . . . . . . . . . . 6 | 1.3. New Terms . . . . . . . . . . . . . . . . . . . . . . . . 6 |
| 1.4. Notational Conventions . . . . . . . . . . . . . . . . . 6 | 1.4. Notational Conventions . . . . . . . . . . . . . . . . . 7 |
| 2. Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 2. Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . 8 |
| 2.1. "redirect" Interaction . . . . . . . . . . . . . . . . . 7 | 2.1. "redirect" Interaction . . . . . . . . . . . . . . . . . 8 |
| 2.2. "user_code" Interaction . . . . . . . . . . . . . . . . . 8 | 2.2. "user_code" Interaction . . . . . . . . . . . . . . . . . 9 |
| 2.3. Independent RO Authorization . . . . . . . . . . . . . . 10 | 2.3. Independent RO Authorization . . . . . . . . . . . . . . 10 |
| 2.4. Resource Server Access . . . . . . . . . . . . . . . . . 11 | 2.4. Resource Server Access . . . . . . . . . . . . . . . . . 11 |
| 3. GS APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 3. GS APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 |
| 3.1. GS API Table . . . . . . . . . . . . . . . . . . . . . . 12 | 3.1. GS API Table . . . . . . . . . . . . . . . . . . . . . . 12 |
| 3.2. Create Grant . . . . . . . . . . . . . . . . . . . . . . 12 | 3.2. Create Grant . . . . . . . . . . . . . . . . . . . . . . 12 |
| 3.3. Read Grant . . . . . . . . . . . . . . . . . . . . . . . 14 | 3.3. Read Grant . . . . . . . . . . . . . . . . . . . . . . . 15 |
| 3.4. Request JSON . . . . . . . . . . . . . . . . . . . . . . 14 | 3.4. Request JSON . . . . . . . . . . . . . . . . . . . . . . 15 |
| 3.4.1. "client" Object . . . . . . . . . . . . . . . . . . . 14 | 3.4.1. "client" Object . . . . . . . . . . . . . . . . . . . 15 |
| 3.4.2. "interaction" Object . . . . . . . . . . . . . . . . 15 | 3.4.2. "interaction" Object . . . . . . . . . . . . . . . . 16 |
| 3.4.3. "user" Object . . . . . . . . . . . . . . . . . . . . 15 | 3.4.3. "user" Object . . . . . . . . . . . . . . . . . . . . 16 |
| 3.4.4. "authorization" Object . . . . . . . . . . . . . . . 16 | 3.4.4. "authorization" Object . . . . . . . . . . . . . . . 17 |
| 3.4.5. "authorizations" Object . . . . . . . . . . . . . . . 16 | 3.4.5. "authorizations" Object . . . . . . . . . . . . . . . 17 |
| 3.4.6. "claims" Object . . . . . . . . . . . . . . . . . . . 16 | 3.4.6. "claims" Object . . . . . . . . . . . . . . . . . . . 17 |
| 3.5. Read Authorization . . . . . . . . . . . . . . . . . . . 17 | 3.5. Read Authorization . . . . . . . . . . . . . . . . . . . 18 |
| 3.6. GS Options . . . . . . . . . . . . . . . . . . . . . . . 17 | 3.6. GS Options . . . . . . . . . . . . . . . . . . . . . . . 18 |
| 4. GS Responses . . . . . . . . . . . . . . . . . . . . . . . . 18 | 4. GS Responses . . . . . . . . . . . . . . . . . . . . . . . . 19 |
| 4.1. Grant Response . . . . . . . . . . . . . . . . . . . . . 18 | 4.1. Grant Response . . . . . . . . . . . . . . . . . . . . . 19 |
| 4.2. Interaction Response . . . . . . . . . . . . . . . . . . 19 | 4.2. Interaction Response . . . . . . . . . . . . . . . . . . 20 |
| 4.3. Wait Response . . . . . . . . . . . . . . . . . . . . . . 20 | 4.3. Wait Response . . . . . . . . . . . . . . . . . . . . . . 21 |
| 4.4. Response JSON . . . . . . . . . . . . . . . . . . . . . . 21 | 4.4. Response JSON . . . . . . . . . . . . . . . . . . . . . . 22 |
| 4.4.1. "client" Object . . . . . . . . . . . . . . . . . . . 21 | 4.4.1. "client" Object . . . . . . . . . . . . . . . . . . . 22 |
| 4.4.2. "interaction" Object . . . . . . . . . . . . . . . . 21 | 4.4.2. "interaction" Object . . . . . . . . . . . . . . . . 22 |
| 4.4.3. "user" Object . . . . . . . . . . . . . . . . . . . . 21 | 4.4.3. "user" Object . . . . . . . . . . . . . . . . . . . . 22 |
| 4.4.4. "authorization" Object . . . . . . . . . . . . . . . 21 | 4.4.4. "authorization" Object . . . . . . . . . . . . . . . 22 |
| 4.4.5. "authorizations" Object . . . . . . . . . . . . . . . 22 | 4.4.5. "authorizations" Object . . . . . . . . . . . . . . . 23 |
| 4.4.6. "claims" Object . . . . . . . . . . . . . . . . . . . 22 | 4.4.6. "claims" Object . . . . . . . . . . . . . . . . . . . 23 |
| 4.4.7. "warnings" JSON Array . . . . . . . . . . . . . . . . 22 | 4.4.7. "warnings" JSON Array . . . . . . . . . . . . . . . . 23 |
| 4.5. Authorization JSON . . . . . . . . . . . . . . . . . . . 23 | 4.5. Authorization JSON . . . . . . . . . . . . . . . . . . . 24 |
| 4.6. Response Verification . . . . . . . . . . . . . . . . . . 24 | 4.6. Response Verification . . . . . . . . . . . . . . . . . . 25 |
| 5. Interaction Modes . . . . . . . . . . . . . . . . . . . . . . 24 | 5. Interaction Modes . . . . . . . . . . . . . . . . . . . . . . 25 |
| 5.1. "redirect" . . . . . . . . . . . . . . . . . . . . . . . 24 | 5.1. "redirect" . . . . . . . . . . . . . . . . . . . . . . . 25 |
| 5.2. "indirect" . . . . . . . . . . . . . . . . . . . . . . . 24 | 5.2. "indirect" . . . . . . . . . . . . . . . . . . . . . . . 25 |
| 5.3. "user_code" . . . . . . . . . . . . . . . . . . . . . . . 25 | 5.3. "user_code" . . . . . . . . . . . . . . . . . . . . . . . 26 |
| 6. RS Access . . . . . . . . . . . . . . . . . . . . . . . . . . 25 | 6. RS Access . . . . . . . . . . . . . . . . . . . . . . . . . . 26 |
| 7. Error Responses . . . . . . . . . . . . . . . . . . . . . . . 26 | 7. Error Responses . . . . . . . . . . . . . . . . . . . . . . . 27 |
| 8. Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 8. Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . 27 |
| 9. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 26 | 9. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 27 |
| 10. Rational . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 10. Rational . . . . . . . . . . . . . . . . . . . . . . . . . . 28 |
| 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 29 | 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 |
| 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 | 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 |
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 30 |
| 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 | 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 |
| 14.1. Normative References . . . . . . . . . . . . . . . . . . 29 | 14.1. Normative References . . . . . . . . . . . . . . . . . . 30 |
| 14.2. Informative References . . . . . . . . . . . . . . . . . 31 | 14.2. Informative References . . . . . . . . . . . . . . . . . 32 |
| Appendix A. Document History . . . . . . . . . . . . . . . . . . 31 | Appendix A. Document History . . . . . . . . . . . . . . . . . . 32 |
| A.1. draft-hardt-xauth-protocol-00 . . . . . . . . . . . . . . 31 | A.1. draft-hardt-xauth-protocol-00 . . . . . . . . . . . . . . 32 |
| A.2. draft-hardt-xauth-protocol-01 . . . . . . . . . . . . . . 31 | A.2. draft-hardt-xauth-protocol-01 . . . . . . . . . . . . . . 32 |
| A.3. draft-hardt-xauth-protocol-02 . . . . . . . . . . . . . . 32 | A.3. draft-hardt-xauth-protocol-02 . . . . . . . . . . . . . . 33 |
| A.4. draft-hardt-xauth-protocol-03 . . . . . . . . . . . . . . 32 | A.4. draft-hardt-xauth-protocol-03 . . . . . . . . . . . . . . 33 |
| A.5. draft-hardt-xauth-protocol-04 . . . . . . . . . . . . . . 32 | A.5. draft-hardt-xauth-protocol-04 . . . . . . . . . . . . . . 33 |
| A.6. draft-hardt-xauth-protocol-05 . . . . . . . . . . . . . . 32 | A.6. draft-hardt-xauth-protocol-05 . . . . . . . . . . . . . . 33 |
| A.7. draft-hardt-xauth-protocol-06 . . . . . . . . . . . . . . 33 | A.7. draft-hardt-xauth-protocol-06 . . . . . . . . . . . . . . 34 |
| A.8. draft-hardt-xauth-protocol-07 . . . . . . . . . . . . . . 33 | A.8. draft-hardt-xauth-protocol-07 . . . . . . . . . . . . . . 34 |
| A.9. draft-hardt-xauth-protocol-08 . . . . . . . . . . . . . . 33 | A.9. draft-hardt-xauth-protocol-08 . . . . . . . . . . . . . . 34 |
| Appendix B. Comparison with OAuth 2.0 and OpenID Connect . . . . 33 | Appendix B. Comparison with OAuth 2.0 and OpenID Connect . . . . 34 |
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 34 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 35 |
| 1. Introduction | 1. Introduction |
| *EDITOR NOTE* | |
| _This document captures a number of concepts that may be adopted by | |
| the proposed GNAP working group. Please refer to this document as:_ | |
| *XAuth* | |
| _The use of GNAP in this document is not intended to be a declaration | |
| of it being endorsed by the proposed GNAP working group._ | |
| This document describes the core Grant Negotiation and Authorization | This document describes the core Grant Negotiation and Authorization |
| Protocol (GNAP). The protocol supports the widely deployed use cases | Protocol (GNAP). The protocol supports the widely deployed use cases |
| supported by OAuth 2.0 [RFC6749] & [RFC6750], OpenID Connect [OIDC] - | supported by OAuth 2.0 [RFC6749] & [RFC6750], OpenID Connect [OIDC] - |
| an extension of OAuth 2.0, as well as other extensions. Related | an extension of OAuth 2.0, as well as other extensions. Related |
| documents include: GNAP - Advanced Features [GNAP_Advanced] and JOSE | documents include: GNAP - Advanced Features [GNAP_Advanced] and JOSE |
| Authentication [JOSE_Authentication] that describes the JOSE | Authentication [JOSE_Authentication] that describes the JOSE |
| mechanisms for client authentication. | mechanisms for client authentication. |
| The technology landscape has changed since OAuth 2.0 was initially | The technology landscape has changed since OAuth 2.0 was initially |
| drafted. More interactions happen on mobile devices than PCs. | drafted. More interactions happen on mobile devices than PCs. |
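Review bot: the Table of Contents in the -09 column still ends Appendix A at "A.9. draft-hardt-xauth-protocol-08", so this revision records no "draft-hardt-xauth-protocol-09" history entry for its own changes; following the pattern of A.1 through A.9, the Document History appendix should gain an A.10 entry describing at least the removal of the editor note and the date change.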
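Review bot: dropping the *EDITOR NOTE* block from the Introduction also drops the instruction to refer to this document as *XAuth* and the disclaimer that the use of "GNAP" is not an endorsement by the proposed GNAP working group, while the first paragraph of the Introduction in the -09 column still presents the document as describing "the core Grant Negotiation and Authorization Protocol (GNAP)"; if the disclaimer is intentionally retired, a sentence explaining the relationship of this draft to the proposed working group's output would avoid readers taking the name as an endorsement.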
End of changes. 8 change blocks.
60 lines changed or deleted, 70 lines changed or added.
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/