idnits 2.17.1
draft-richer-transactional-authz-11.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an Introduction section.
(A line matching the expected section header was found, but with an
unexpected indentation:
' introductions.' )
** There are 74 instances of too long lines in the document, the longest
one being 27 characters in excess of 72.
** The abstract seems to contain references ([RFC2119], [RFC8174]), which
it shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (September 11, 2020) is 1323 days in the past. Is
this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC8693' is defined on line 3484, but no explicit
reference was found in the text
-- Possible downref: Non-RFC (?) normative reference: ref. 'BCP195'
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-message-signatures-00
== Outdated reference: A later version (-16) exists of
draft-ietf-oauth-dpop-01
== Outdated reference: A later version (-18) exists of
draft-ietf-secevent-subject-identifiers-06
-- Possible downref: Non-RFC (?) normative reference: ref. 'OIDC'
-- Possible downref: Non-RFC (?) normative reference: ref. 'OIDC4IA'
** Obsolete normative reference: RFC 3230 (Obsoleted by RFC 9530)
Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 GNAP J. Richer, Ed.
3 Internet-Draft Bespoke Engineering
4 Intended status: Standards Track September 11, 2020
5 Expires: March 15, 2021
7 Grant Negotiation Access Protocol
8 draft-richer-transactional-authz-11
10 Abstract
12 This document defines a mechanism for delegating authorization to a
13 piece of software, and conveying that delegation to the software.
14 This delegation can include access to a set of APIs as well as
15 information passed directly to the software.
17 This document has been prepared by the GNAP working group design team
18 of Kathleen Moriarty, Fabien Imbault, Dick Hard, Mike Jones, and
19 Justin Richer. This document is input into the GNAP working group.
21 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
22 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
23 "OPTIONAL" in this document are to be interpreted as described in
24 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
25 capitals, as shown here.
27 Status of This Memo
29 This Internet-Draft is submitted in full conformance with the
30 provisions of BCP 78 and BCP 79.
32 Internet-Drafts are working documents of the Internet Engineering
33 Task Force (IETF). Note that other groups may also distribute
34 working documents as Internet-Drafts. The list of current Internet-
35 Drafts is at https://datatracker.ietf.org/drafts/current/.
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress."
42 This Internet-Draft will expire on March 15, 2021.
44 Copyright Notice
46 Copyright (c) 2020 IETF Trust and the persons identified as the
47 document authors. All rights reserved.
49 This document is subject to BCP 78 and the IETF Trust's Legal
50 Provisions Relating to IETF Documents (https://trustee.ietf.org/
51 license-info) in effect on the date of publication of this document.
52 Please review these documents carefully, as they describe your rights
53 and restrictions with respect to this document. Code Components
54 extracted from this document must include Simplified BSD License text
55 as described in Section 4.e of the Trust Legal Provisions and are
56 provided without warranty as described in the Simplified BSD License.
58 Table of Contents
60 1. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 4
61 1.1. Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 4
62 1.2. Sequences . . . . . . . . . . . . . . . . . . . . . . . . 6
63 1.2.1. Redirect-based Interaction . . . . . . . . . . . . . 9
64 1.2.2. User-code Interaction . . . . . . . . . . . . . . . . 11
65 1.2.3. Asynchronous Authorization . . . . . . . . . . . . . 13
66 1.2.4. Software-only Authorization . . . . . . . . . . . . . 14
67 1.2.5. Refreshing an Expired Access Token . . . . . . . . . 15
68 2. Requesting Access . . . . . . . . . . . . . . . . . . . . . . 16
69 2.1. Requesting Resources . . . . . . . . . . . . . . . . . . 18
70 2.1.1. Requesting a Single Access Token . . . . . . . . . . 18
71 2.1.2. Requesting Resources By Reference . . . . . . . . . . 20
72 2.1.3. Requesting Multiple Access Tokens . . . . . . . . . . 22
73 2.2. Requesting User Information . . . . . . . . . . . . . . . 24
74 2.3. Identifying the RC by Key . . . . . . . . . . . . . . . . 24
75 2.3.1. Authenticating the RC . . . . . . . . . . . . . . . . 26
76 2.3.2. Identifying the Client Key By Reference . . . . . . . 26
77 2.4. Identifying the User . . . . . . . . . . . . . . . . . . 27
78 2.4.1. Identifying the User by Reference . . . . . . . . . . 28
79 2.5. Interacting with the User . . . . . . . . . . . . . . . . 29
80 2.5.1. Redirect to an Arbitrary URL . . . . . . . . . . . . 30
81 2.5.2. Open an Application-specific URL . . . . . . . . . . 31
82 2.5.3. Receive a Callback After Interaction . . . . . . . . 31
83 2.5.4. Display a Short User Code . . . . . . . . . . . . . . 34
84 2.5.5. Indicate Desired Interaction Locales . . . . . . . . 34
85 2.5.6. Extending Interaction Capabilities . . . . . . . . . 34
86 2.6. Providing Displayable RC Information . . . . . . . . . . 34
87 2.7. Declaring RC Capabilities . . . . . . . . . . . . . . . . 35
88 2.8. Referencing an Existing Grant Request . . . . . . . . . . 35
89 2.9. Requesting OpenID Connect Claims . . . . . . . . . . . . 36
90 2.10. Extending The Grant Request . . . . . . . . . . . . . . . 37
91 3. Grant Response . . . . . . . . . . . . . . . . . . . . . . . 37
92 3.1. Request Continuation Handle . . . . . . . . . . . . . . . 38
93 3.2. Access Tokens . . . . . . . . . . . . . . . . . . . . . . 38
94 3.2.1. Single Access Token . . . . . . . . . . . . . . . . . 39
95 3.2.2. Multiple Access Tokens . . . . . . . . . . . . . . . 40
96 3.3. Interaction Capabilities . . . . . . . . . . . . . . . . 41
97 3.3.1. Redirection to an arbitrary URL . . . . . . . . . . . 41
98 3.3.2. Launch of an application URL . . . . . . . . . . . . 42
99 3.3.3. Callback to URL . . . . . . . . . . . . . . . . . . . 43
100 3.3.4. Display of a Short User Code . . . . . . . . . . . . 43
101 3.3.5. Extending Interaction Capability Responses . . . . . 44
102 3.4. Returning User Information . . . . . . . . . . . . . . . 44
103 3.5. Returning Dynamically-bound Reference Handles . . . . . . 45
104 3.6. Error response . . . . . . . . . . . . . . . . . . . . . 47
105 3.7. Extending the Response . . . . . . . . . . . . . . . . . 47
106 4. Interaction at the AS . . . . . . . . . . . . . . . . . . . . 47
107 4.1. Interaction at a Redirected URI . . . . . . . . . . . . . 48
108 4.2. Interaction at the User Code URI . . . . . . . . . . . . 48
109 4.3. Interaction through an Application URI . . . . . . . . . 49
110 4.4. Post-Interaction Completion . . . . . . . . . . . . . . . 49
111 4.4.1. Completing Interaction with a Browser Redirect to the
112 Callback URI . . . . . . . . . . . . . . . . . . . . 50
113 4.4.2. Completing Interaction with a Direct HTTP Request
114 Callback . . . . . . . . . . . . . . . . . . . . . . 50
115 4.4.3. Calculating the interaction hash . . . . . . . . . . 51
116 5. Continuing a Grant Request . . . . . . . . . . . . . . . . . 52
117 5.1. Continuing after a Finalized Interaction . . . . . . . . 53
118 5.2. Continuing after Tokens are Issued . . . . . . . . . . . 53
119 6. Token Management . . . . . . . . . . . . . . . . . . . . . . 54
120 6.1. Rotating the Access Token . . . . . . . . . . . . . . . . 54
121 6.2. Revoking the Access Token . . . . . . . . . . . . . . . . 56
122 7. Using Access Tokens . . . . . . . . . . . . . . . . . . . . . 56
123 8. Binding Keys . . . . . . . . . . . . . . . . . . . . . . . . 57
124 8.1. Detached JWS . . . . . . . . . . . . . . . . . . . . . . 58
125 8.2. Attached JWS . . . . . . . . . . . . . . . . . . . . . . 60
126 8.3. Mutual TLS . . . . . . . . . . . . . . . . . . . . . . . 62
127 8.4. DPoP . . . . . . . . . . . . . . . . . . . . . . . . . . 63
128 8.5. HTTP Signing . . . . . . . . . . . . . . . . . . . . . . 65
129 8.6. OAuth PoP . . . . . . . . . . . . . . . . . . . . . . . . 66
130 9. Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 68
131 10. Resource Servers . . . . . . . . . . . . . . . . . . . . . . 69
132 10.1. Introspecting a Token . . . . . . . . . . . . . . . . . 69
133 10.2. Deriving a downstream token . . . . . . . . . . . . . . 70
134 10.3. Registering a Resource Handle . . . . . . . . . . . . . 72
135 10.4. Requesting a Resources With Insufficient Access . . . . 74
136 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74
137 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 74
138 13. Security Considerations . . . . . . . . . . . . . . . . . . . 75
139 14. Privacy Considerations . . . . . . . . . . . . . . . . . . . 75
140 15. Normative References . . . . . . . . . . . . . . . . . . . . 75
141 Appendix A. Document History . . . . . . . . . . . . . . . . . . 77
142 Appendix B. Component Data Models . . . . . . . . . . . . . . . 80
143 Appendix C. Example Protocol Flows . . . . . . . . . . . . . . . 80
144 C.1. Redirect-Based User Interaction . . . . . . . . . . . . . 80
145 C.2. Secondary Device Interaction . . . . . . . . . . . . . . 84
146 Appendix D. No User Involvement . . . . . . . . . . . . . . . . 86
147 D.1. Asynchronous Authorization . . . . . . . . . . . . . . . 87
148 D.2. Applying OAuth 2 Scopes and Client IDs . . . . . . . . . 90
149 Appendix E. JSON Structures and Polymorphism . . . . . . . . . . 91
150 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 92
152 1. Protocol
154 This protocol allows a piece of software to request delegated
155 authorization to an API, protected by an authorization server usually
156 on behalf of a resource owner. The user operating the software may
157 interact with the authorization server to authenticate, provide
158 consent, and authorize the request.
160 The process by which the delegation happens is known as a grant, and
161 the GNAP protocol allows for the negotiation of the grant process
162 over time by multiple parties.
164 This protocol solves many of the same use cases as OAuth 2.0
165 [RFC6749], OpenID Connect [OIDC], and the family of protocols that
166 have grown up around that ecosystem. However, GNAP is not an
167 extension of OAuth 2.0 and is not intended to be directly compatible
168 with OAuth 2.0. GNAP seeks to provide functionality and solve use
169 cases that OAuth 2.0 cannot easily or cleanly address. Even so, GNAP
170 and OAuth 2.0 will exist in parallel for many deployments, and
171 considerations have been taken to facilitate the mapping and
172 transition from legacy systems to GNAP. Some examples of these can
173 be found in Appendix D.2.
175 1.1. Roles
177 The parties in the GNAP protocol perform actions under different
178 roles. Roles are defined by the actions taken and the expectations
179 leveraged on the role by the overall protocol.
181 Authorization Server (AS) Manages the requested delegations for the
182 RO. The AS issues tokens and directly delegated information to
183 the RC. The AS is defined by its grant endpoint, a single URL
184 that accepts a POST request with a JSON payload. The AS could
185 also have other endpoints, including interaction endpoints and
186 user code endpoints, and these are introduced to the RC as needed
187 during the delegation process.
189 Resource Client (RC, aka "client") Requests tokens from the AS and
190 uses tokens at the RS. The RC is identified by its key, and can
191 be known to the AS prior to the first request. The AS determines
192 which policies apply to a given RC, including what it can request
193 and on whose behalf.
195 Resource Server (RS) Accepts tokens from the RC issued by the AS and
196 serves delegated resources on behalf of the RO. There could be
197 multiple RSs protected by the AS that the RC will call.
199 Resource Owner (RO) Authorizes the request from the RC to the RS,
200 often interactively at the AS.
202 Requesting Party (RQ, aka "user") Operates and interacts with the
203 RC.
205 The GNAP protocol design does not assume any one deployment
206 architecture, but instead attempts to define roles that can be
207 fulfilled in a number of different ways for different use cases. As
208 long as a given role fulfills all of its obligations and behaviors as
209 defined by the protocol, GNAP does not make additional requirements
210 on its structure or setup.
212 Multiple roles can be fulfilled by the same party, and a given party
213 can switch roles in different instances of the protocol. For
214 example, the RO and RQ in many instances are the same person, where a
215 user is authorizing the RC to act on their own behalf at the RS. In
216 this case, one party fulfills both of the RO and RQ roles, but the
217 roles themselves are still defined separately from each other to
218 allow for other use cases where they are fulfilled by different
219 parties.
221 For another example, in some complex scenarios, an RS receiving
222 requests from one RC can act as an RC for a downstream secondary RS
223 in order to fulfill the original request. In this case, one piece of
224 software is both an RS and an RC from different perspectives, and it
225 fulfills these roles separately as far as the overall protocol is
226 concerned.
228 A single role need not be deployed as a monolithic service. For
229 example, An RC could have components that are installed on the RQ's
230 device as well as a back-end system that it communicates with. If
231 both of these components participate in the delegation protocol, they
232 are both considered part of the RC.
234 For another example, an AS could likewise be built out of many
235 constituent components in a distributed architecture. The component
236 that the RC calls directly could be different from the component that
237 the the RO interacts with to drive consent, since API calls and user
238 interaction have different security considerations in many
239 environments. Furthermore, the AS could need to collect identity
240 claims about the RO from one system that deals with user attributes
241 while generating access tokens at another system that deals with
242 security rights. From the perspective of GNAP, all of these are
243 pieces of the AS and together fulfill the role of the AS as defined
244 by the protocol.
246 [[ Editor's note: The names for the roles are an area of ongoing
247 discussion within the working group, as is the appropriate precision
248 of what activities and expectations a particular role covers. In
249 particular, the AS might be formally decomposed into delegation
250 components, that the client talks to, and interaction components,
251 that the user talks to. ]]
253 1.2. Sequences
255 The GNAP protocol can be used in a variety of ways to allow the core
256 delegation process to take place. Many portions of this process are
257 conditionally present depending on the context of the deployments,
258 and not every step in this overview will happen in all circumstances.
260 Note that a connection between roles in this process does not
261 necessarily indicate that a specific protocol message is sent across
262 the wire between the components fulfilling the roles in question, or
263 that a particular step is required every time. In some
264 circumstances, the information needed at a given stage is
265 communicated out-of-band or is pre-configured between the components
266 or entities performing the roles. For example, one entity can fulfil
267 multiple roles, and so explicit communication between the roles is
268 not necessary within the protocol flow.
270 +------------+ +------------+
271 | Requesting | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | Resource |
272 | Party (RQ) | | Owner (RO) |
273 +------------+ +------------+
274 + +
275 + +
276 (A) (B)
277 + +
278 + +
279 +--------+ + +------------+
280 |Resource|--------------(1)-------+----->| Resource |
281 | Client | + | Server |
282 | (RC) | +---------------+ | (RS) |
283 | |--(2)->| Authorization | | |
284 | |<-(3)--| Server | | |
285 | | | (AS) | | |
286 | |--(4)->| | | |
287 | |<-(5)--| | | |
288 | |--------------(6)------------->| |
289 | | | |<-(7)--| |
290 | |<-------------(8)------------->| |
291 | |--(9)->| | | |
292 | |<-(10)-| | | |
293 | |--------------(11)------------>| |
294 | | | |<-(12)-| |
295 | |-(13)->| | | |
296 | | | | | |
297 +--------+ +---------------+ +------------+
299 Legend
300 + + + indicates a possible interaction with a human
301 ----- indicates an interaction between protocol roles
302 ~ ~ ~ indicates a potential equivalence or communication between roles
304 * (A) The RQ interacts with the RC to indicate a need for resources
305 on behalf of the RO. This could identify the RS the RC needs to
306 call, the resources needed, or the RO that is needed to approve
307 the request. Note that the RO and RQ are often the same entity in
308 practice.
310 * (1) The RC attempts to call the RS (Section 10.4) to determine
311 what access is needed. The RS informs the RC that access can be
312 granted through the AS.
314 * (2) The RC requests access at the AS (Section 2).
316 * (3) The AS processes the request and determines what is needed to
317 fulfill the request. The AS sends its response to the RC
318 (Section 3).
320 * (B) If interaction is required, the AS interacts with the RO
321 (Section 4) to gather authorization. The interactive component of
322 the AS can function using a variety of possible mechanisms
323 including web page redirects, applications, challenge/response
324 protocols, or other methods. The RO approves the request for the
325 RC being operated by the RQ. Note that the RO and RQ are often
326 the same entity in practice.
328 * (4) The RC continues the grant at the AS (Section 5).
330 * (5) If the AS determines that access can be granted, it returns a
331 response to the RC (Section 3) including an access token
332 (Section 3.2) for calling the RS and any directly returned
333 information (Section 3.4) about the RO.
335 * (6) The RC uses the access token (Section 7) to call the RS.
337 * (7) The RS determines if the token is sufficient for the request
338 by examining the token, potentially calling the AS (Section 10.1).
340 * (8) The RC to call the RS (Section 7) using the access token until
341 the RS or RC determine that the token is no longer valid.
343 * (9) When the token no longer works, the RC fetches an updated
344 access token (Section 6.1) based on the rights granted in (5).
346 * (10) The AS issues a new access token (Section 3.2) to the RC.
348 * (11) The RC uses the new access token (Section 7) to call the RS.
350 * (12) The RS determines if the new token is sufficient for the
351 request by examining the token, potentially calling the AS
352 (Section 10.1).
354 * (13) The RC disposes of the token (Section 6.2) once the RC has
355 completed its access of the RS.
357 The following sections and Appendix C contain specific guidance on
358 how to use the GNAP protocol in different situations and deployments.
360 1.2.1. Redirect-based Interaction
362 In this example flow, the RC is a web application that wants access
363 to resources on behalf of the current user, who acts as both the
364 requesting party (RQ) and the resource owner (RO). Since the RC is
365 capable of directing the user to an arbitrary URL and receiving
366 responses from the user's browser, interaction here is handled
367 through front-channel redirects using the user's browser. The RC
368 uses a persistent session with the user to ensure the same user that
369 is starting the interaction is the user that returns from the
370 interaction.
372 +--------+ +--------+ +------+
373 | RC | | AS | | RO |
374 | | | | | + |
375 | |< (1) + Start Session + + + + + + + + + + + + + + + +| RQ |
376 | | | | |(User)|
377 | |--(2)--- Request Access --------->| | | |
378 | | | | | |
379 | |<-(3)-- Interaction Needed -------| | | |
380 | | | | | |
381 | |+ (4) + Redirect for Interaction + + + + + + + + + > | |
382 | | | | | |
383 | | | |<+ (5) +>| |
384 | | | | AuthN | |
385 | | | | | |
386 | | | |<+ (6) +>| |
387 | | | | AuthZ | |
388 | | | | | |
389 | |< (7) + Redirect for Continuation + + + + + + + + + +| |
390 | | | | +------+
391 | |--(8)--- Continue Request ------->| |
392 | | | |
393 | |<-(9)----- Grant Access ----------| |
394 | | | |
395 +--------+ +--------+
397 1. The RC establishes a verifiable session to the user, in the role
398 of the RQ.
400 2. The RC requests access to the resource (Section 2). The RC
401 indicates that it can redirect to an arbitrary URL
402 (Section 2.5.1) and receive a callback from the browser
403 (Section 2.5.3). The RC stores verification information for its
404 callback in the session created in (1).
406 3. The AS determines that interaction is needed and responds
407 (Section 3) with a URL to send the user to (Section 3.3.1) and
408 information needed to verify the callback (Section 3.3.3) in (7).
409 The AS also includes information the RC will need to continue the
410 request (Section 3.1) in (8). The AS associates this
411 continuation information with an ongoing request that will be
412 referenced in (4), (6), and (8).
414 4. The RC stores the verification and continuation information from
415 (3) in the session from (1). The RC then redirects the user to
416 the URL (Section 4.1) given by the AS in (3). The user's browser
417 loads the interaction redirect URL. The AS loads the pending
418 request based on the incoming URL generated in (3).
420 5. The user authenticates at the AS, taking on the role of the RO.
422 6. As the RO, the user authorizes the pending request from the RC.
424 7. When the AS is done interacting with the user, the AS redirects
425 the user back (Section 4.4.1) to the RC using the callback URL
426 provided in (2). The callback URL is augmented with an
427 interaction reference that the AS associates with the ongoing
428 request created in (2) and referenced in (4). The callback URL
429 is also augmented with a hash of the security information
430 provided in (2) and (3). The RC loads the verification
431 information from (2) and (3) from the session created in (1).
432 The RC calculates a hash (Section 4.4.3) based on this
433 information and continues only if the hash validates. Note that
434 the RC needs to ensure that the parameters for the incoming
435 request match those that it is expecting from the session created
436 in (1). The RC also needs to be prepared for the RQ never being
437 returned to the RC and handle time outs appropriately.
439 8. The RC loads the continuation information from (3) and sends the
440 interaction reference from (7) in a request to continue the
441 request (Section 5.1). The AS validates the interaction
442 reference ensuring that the reference is associated with the
443 request being continued.
445 9. If the request has been authorized, the AS grants access to the
446 information in the form of access tokens (Section 3.2) and direct
447 subject information (Section 3.4) to the RC.
449 An example set of protocol messages for this method can be found in
450 Appendix C.1.
452 1.2.2. User-code Interaction
454 In this example flow, the RC is a device that is capable of
455 presenting a short, human-readable code to the user and directing the
456 user to enter that code at a known URL. The RC is not capable of
457 presenting an arbitrary URL to the user, nor is it capable of
458 accepting incoming HTTP requests from the user's browser. The RC
459 polls the AS while it is waiting for the RO to authorize the request.
460 The user's interaction is assumed to occur on a secondary device. In
461 this example it is assumed that the user is both the RQ and RO,
462 though the user is not assumed to be interacting with the RC through
463 the same web browser used for interaction at the AS.
465 +--------+ +--------+ +------+
466 | RC | | AS | | RO |
467 | |--(1)--- Request Access --------->| | | + |
468 | | | | | RQ |
469 | |<-(2)-- Interaction Needed -------| | |(User)|
470 | | | | | |
471 | |+ (3) + + Display User Code + + + + + + + + + + + + >| |
472 | | | | | |
473 | | | |<+ (4) +>| |
474 | | | | Code | |
475 | |--(8)--- Continue Request (A) --->| | | |
476 | | | |<+ (5) +>| |
477 | |<-(9)-- Not Yet Granted (Wait) ---| | AuthN | |
478 | | | | | |
479 | | | |<+ (6) +>| |
480 | | | | AuthZ | |
481 | | | | | |
482 | | | |<+ (7) +>| |
483 | | | |Completed| |
484 | | | | | |
485 | |--(10)-- Continue Request (B) --->| | +------+
486 | | | |
487 | |<-(11)----- Grant Access ---------| |
488 | | | |
489 +--------+ +--------+
491 1. The RC requests access to the resource (Section 2). The RC
492 indicates that it can display a user code (Section 2.5.4).
494 2. The AS determines that interaction is needed and responds
495 (Section 3) with a user code to communicate to the user
496 (Section 3.3.4). This could optionally include a URL to direct
497 the user to, but this URL should be static and so could be
498 configured in the RC's documentation. The AS also includes
499 information the RC will need to continue the request
500 (Section 3.1) in (8) and (10). The AS associates this
501 continuation information with an ongoing request that will be
502 referenced in (4), (6), (8), and (10).
504 3. The RC stores the continuation information from (2) for use in
505 (8) and (10). The RC then communicates the code to the user
506 (Section 4.1) given by the AS in (2).
508 4. The user's directs their browser to the user code URL. This URL
509 is stable and can be communicated via the RC's documentation,
510 the AS documentation, or the RC software itself. Since it is
511 assumed that the RO will interact with the AS through a
512 secondary device, the RC does not provide a mechanism to launch
513 the RO's browser at this URL. The user enters the code
514 communicated in (3) to the AS. The AS validates this code
515 against a current request in process.
517 5. The user authenticates at the AS, taking on the role of the RO.
519 6. As the RO, the user authorizes the pending request from the RC.
521 7. When the AS is done interacting with the user, the AS indicates
522 to the RO that the request has been completed.
524 8. Meanwhile, the RC loads the continuation information stored at
525 (3) and continues the request (Section 5). The AS determines
526 which ongoing access request is referenced here and checks its
527 state.
529 9. If the access request has not yet been authorized by the RO in
530 (6), the AS responds to the RC to continue the request
531 (Section 3.1) at a future time through additional polling. This
532 response can include refreshed credentials as well as
533 information regarding how long the RC should wait before calling
534 again. The RC replaces its stored continuation information from
535 the previous response (2). Note that the AS may need to
536 determine that the RO has not approved the request in a
537 sufficient amount of time and return an appropriate error to the
538 RC.
540 10. The RC continues to poll the AS (Section 5) with the new
541 continuation information in (9).
543 11. If the request has been authorized, the AS grants access to the
544 information in the form of access tokens (Section 3.2) and
545 direct subject information (Section 3.4) to the RC.
547 An example set of protocol messages for this method can be found in
548 Appendix C.2.
550 1.2.3. Asynchronous Authorization
552 In this example flow, the RQ and RO roles are fulfilled by different
553 parties, and the RO does not interact with the RC. The AS reaches
554 out asynchronously to the RO during the request process to gather the
555 RO's authorization for the RC's request. The RC polls the AS while
556 it is waiting for the RO to authorize the request.
558 +--------+ +--------+ +------+
559 | RC | | AS | | RO |
560 | |--(1)--- Request Access --------->| | | |
561 | | | | | |
562 | |<-(2)-- Not Yet Granted (Wait) ---| | | |
563 | | | |<+ (3) +>| |
564 | | | | AuthN | |
565 | |--(6)--- Continue Request (A) --->| | | |
566 | | | |<+ (4) +>| |
567 | |<-(7)-- Not Yet Granted (Wait) ---| | AuthZ | |
568 | | | | | |
569 | | | |<+ (5) +>| |
570 | | | |Completed| |
571 | | | | | |
572 | |--(8)--- Continue Request (B) --->| | +------+
573 | | | |
574 | |<-(9)------ Grant Access ---------| |
575 | | | |
576 +--------+ +--------+
578 1. The RC requests access to the resource (Section 2). The RC does
579 not send any interactions capabilities to the server, indicating
580 that it does not expect to interact with the RO. The RC can also
581 signal which RO it requires authorization from, if known, by
582 using the user request section (Section 2.4).
584 2. The AS determines that interaction is needed, but the RC cannot
585 interact with the RO. The AS responds (Section 3) with the
586 information the RC will need to continue the request
587 (Section 3.1) in (6) and (8), including a signal that the RC
588 should wait before checking the status of the request again. The
589 AS associates this continuation information with an ongoing
590 request that will be referenced in (3), (4), (5), (6), and (8).
592 3. The AS determines which RO to contact based on the request in
593 (1), through a combination of the user request (Section 2.4), the
594 resources request (Section 2.1), and other policy information.
595 The AS contacts the RO and authenticates them.
597 4. The RO authorizes the pending request from the RC.
599 5. When the AS is done interacting with the RO, the AS indicates to
600 the RO that the request has been completed.
602 6. Meanwhile, the RC loads the continuation information stored at
603 (3) and continues the request (Section 5). The AS determines
604 which ongoing access request is referenced here and checks its
605 state.
607 7. If the access request has not yet been authorized by the RO in
608 (6), the AS responds to the RC to continue the request
609 (Section 3.1) at a future time through additional polling. This
610 response can include refreshed credentials as well as information
611 regarding how long the RC should wait before calling again. The
612 RC replaces its stored continuation information from the previous
613 response (2). Note that the AS may need to determine that the RO
614 has not approved the request in a sufficient amount of time and
615 return an appropriate error to the RC.
617 8. The RC continues to poll the AS (Section 5) with the new
618 continuation information from (7).
620 9. If the request has been authorized, the AS grants access to the
621 information in the form of access tokens (Section 3.2) and direct
622 subject information (Section 3.4) to the RC.
624 An example set of protocol messages for this method can be found in
625 Appendix D.1.
627 1.2.4. Software-only Authorization
629 In this example flow, the AS policy allows the RC to make a call on
630 its own behalf, without the need for a RO to be involved at runtime
631 to approve the decision. Since there is no explicit RO, the RC does
632 not interact with an RO.
634 +--------+ +--------+
635 | RC | | AS |
636 | |--(1)--- Request Access --------->| |
637 | | | |
638 | |<-(2)---- Grant Access -----------| |
639 | | | |
640 +--------+ +--------+
642 1. The RC requests access to the resource (Section 2). The RC does
643 not send any interactions capabilities to the server.
645 2. The AS determines that the request is been authorized, the AS
646 grants access to the information in the form of access tokens
647 (Section 3.2) and direct subject information (Section 3.4) to the
648 RC.
650 An example set of protocol messages for this method can be found in
651 Appendix D.
653 1.2.5. Refreshing an Expired Access Token
655 In this example flow, the RC receives an access token to access a
656 resource server through some valid GNAP process. The RC uses that
657 token at the RS for some time, but eventually the access token
658 expires. The RC then gets a new access token by rotating the expired
659 access token at the AS using the token's management URL.
661 +--------+ +--------+
662 | RC | | AS |
663 | |--(1)--- Request Access ----------------->| |
664 | | | |
665 | |<-(2)--- Grant Access --------------------| |
666 | | | |
667 | | +--------+ | |
668 | |--(3)--- Access Resource --->| RS | | |
669 | | | | | |
670 | |<-(4)--- Error Response -----| | | |
671 | | +--------+ | |
672 | | | |
673 | |--(5)--- Rotate Token ------------------->| |
674 | | | |
675 | |<-(6)--- Rotated Token -------------------| |
676 | | | |
677 +--------+ +--------+
679 1. The RC requests access to the resource (Section 2).
681 2. The AS grants access to the resource (Section 3) with an access
682 token (Section 3.2) usable at the RS. The access token response
683 includes a token management URI.
685 3. The RC presents the token (Section 7) to the RS. The RS
686 validates the token and returns an appropriate response for the
687 API.
689 4. When the access token is expired, the RS responds to the RC with
690 an error.
692 5. The RC calls the token management URI returned in (2) to rotate
693 the access token (Section 6.1). The RC presents the access token
694 as well as the appropriate key.
696 6. The AS validates the rotation request including the signature and
697 keys presented in (5) and returns a new access token
698 (Section 3.2.1). The response includes a new access token and
699 can also include updated token management information, which the
700 RC will store in place of the values returned in (2).
702 2. Requesting Access
704 To start a request, the RC sends JSON [RFC8259] document with an
705 object as its root. Each member of the request object represents a
706 different aspect of the RC's request. Each field is described in
707 detail in a section below.
709 resources Describes the rights that the RC is requesting for one or
710 more access tokens to be used at RS's. Section 2.1
712 subject Describes the information about the RO that the RC is
713 requesting to be returned directly in the response from the AS.
714 Section 2.2
716 key Identifies the key that the RC will use to protect this request
717 and any continuation requests at the AS. Section 2.3
719 user Identifies the RQ to the AS in a manner that the AS can verify,
720 either directly or by interacting with the RQ to determine their
721 status as the RO. Section 2.4
723 interact Describes the capabilities that the RC has for allowing the
724 RO to interact with the AS. Section 2.5
726 display Describes the user-facing information about the RC used in
727 interactions at the AS. Section 2.6
729 capabilities Identifies named extension capabilities that the RC can
730 use, signaling to the AS which extensions it can use. Section 2.7
732 existing_grant Identifies a previously-existing grant that the RC is
733 extending with this request. Section 2.8
735 claims Identifies the identity claims to be returned as part of an
736 OpenID Connect claims request. Section 2.9
738 Additional members of this request object can be defined by
739 extensions to this protocol as described in Section 2.10
741 A non-normative example of a grant request is below:
743 {
744 "resources": [
745 {
746 "type": "photo-api",
747 "actions": [
748 "read",
749 "write",
750 "dolphin"
751 ],
752 "locations": [
753 "https://server.example.net/",
754 "https://resource.local/other"
755 ],
756 "datatypes": [
757 "metadata",
758 "images"
759 ]
760 },
761 "dolphin-metadata"
762 ],
763 "key": {
764 "proof": "jwsd",
765 "jwk": {
766 "kty": "RSA",
767 "e": "AQAB",
768 "kid": "xyz-1",
769 "alg": "RS256",
770 "n": "kOB5rR4Jv0GMeL...."
771 }
772 },
773 "interact": {
774 "redirect": true,
775 "callback": {
776 "method": "redirect",
777 "uri": "https://client.example.net/return/123455",
778 "nonce": "LKLTI25DK82FX4T4QFZC"
779 }
780 },
781 "display": {
782 "name": "My Client Display Name",
783 "uri": "https://example.net/client"
784 },
785 "capabilities": ["ext1", "ext2"],
786 "subject": {
787 "sub_ids": ["iss-sub", "email"],
788 "assertions": ["id_token"]
789 }
790 }
792 The request MUST be sent as a JSON object in the body of the HTTP
793 POST request with Content-Type "application/json", unless otherwise
794 specified by the signature mechanism.
796 2.1. Requesting Resources
798 If the RC is requesting one or more access tokens for the purpose of
799 accessing an API, the RC MUST include a "resources" element. This
800 element MUST be an array (for a single access token (Section 2.1.1))
801 or an object (for multiple access tokens (Section 2.1.3)), as
802 described in the following sections.
804 2.1.1. Requesting a Single Access Token
806 When requesting an access token, the RC MUST send a "resources"
807 element containing a JSON array. The elements of the JSON array
808 represent rights of access that the RC is requesting in the access
809 token. The requested access is the sum of all elements within the
810 array.
812 The RC declares what access it wants to associated with the resulting
813 access token using objects that describe multiple dimensions of
814 access. Each object contains a "type" property that determines the
815 type of API that the RC is calling.
817 type The type of resource request as a string. This field MAY
818 define which other elements are allowed in the request. This
819 element is REQUIRED.
821 The value of this field is under the control of the AS. This field
822 MUST be compared using an exact byte match of the string value
823 against known types by the AS. The AS MUST ensure that there is no
824 collision between different authorization data types that it
825 supports. The AS MUST NOT do any collation or normalization of data
826 types during comparison. It is RECOMMENDED that designers of
827 general-purpose APIs use a URI for this field to avoid collisions
828 between multiple API types protected by a single AS.
830 While it is expected that many APIs will have its own properties, a
831 set of common properties are defined here. Specific API
832 implementations SHOULD NOT re-use these fields with different
833 semantics or syntax. The available values for these properties are
834 determined by the API being protected at the RS.
836 [[ Editor's note: this will align with OAuth 2 RAR, but the details
837 of how it aligns are TBD ]].
839 actions The types of actions the RC will take at the RS as an array
840 of strings. For example, an RC asking for a combination of "read"
841 and "write" access.
843 locations The location of the RS as an array of strings. These
844 strings are typically URIs identifying the location of the RS.
846 datatypes The kinds of data available to the RC at the RS's API as
847 an array of strings. For example, an RC asking for access to raw
848 "image" data and "metadata" at a photograph API.
850 identifier A string identifier indicating a specific resource at the
851 RS. For example, a patient identifier for a medical API or a bank
852 account number for a financial API.
854 The following non-normative example shows the use of both common and
855 API-specific elements as part of two different access "type" values.
857 "resources": [
858 {
859 "type": "photo-api",
860 "actions": [
861 "read",
862 "write",
863 "dolphin"
864 ],
865 "locations": [
866 "https://server.example.net/",
867 "https://resource.local/other"
868 ],
869 "datatypes": [
870 "metadata",
871 "images"
872 ]
873 },
874 {
875 "type": "financial-transaction",
876 "actions": [
877 "withdraw"
878 ],
879 "identifier": "account-14-32-32-3",
880 "currency": "USD"
881 }
882 ]
884 If this request is approved, the resulting access token
885 (Section 3.2.1) will include the sum of both of the requested types
886 of access.
888 2.1.2. Requesting Resources By Reference
890 Instead of sending an object describing the requested resource
891 (Section 2.1.1), a RC MAY send a string known to the AS or RS
892 representing the access being requested. Each string SHOULD
893 correspond to a specific expanded object representation at the AS.
895 [[ Editor's note: we could describe more about how the expansion
896 would work. For example, expand into an object where the value of
897 the "type" field is the value of the string. Or we could leave it
898 open and flexible, since it's really up to the AS/RS to interpret. ]]
900 "resources": [
901 "read", "dolphin-metadata", "some other thing"
902 ]
904 This value is opaque to the RC and MAY be any valid JSON string, and
905 therefore could include spaces, unicode characters, and properly
906 escaped string sequences. However, in some situations the value is
907 intended to be seen and understood be the RC developer. In such
908 cases, the API designer choosing any such human-readable strings
909 SHOULD take steps to ensure the string values are not easily confused
910 by a developer
912 This functionality is similar in practice to OAuth 2's "scope"
913 parameter [RFC6749], where a single string represents the set of
914 access rights requested by the RC. As such, the reference string
915 could contain any valid OAuth 2 scope value as in Appendix D.2. Note
916 that the reference string here is not bound to the same character
917 restrictions as in OAuth 2's "scope" definition.
919 A single "resources" array MAY include both object-type and string-
920 type resource items.
922 "resources": [
923 {
924 "type": "photo-api",
925 "actions": [
926 "read",
927 "write",
928 "dolphin"
929 ],
930 "locations": [
931 "https://server.example.net/",
932 "https://resource.local/other"
933 ],
934 "datatypes": [
935 "metadata",
936 "images"
937 ]
938 },
939 "read",
940 "dolphin-metadata",
941 {
942 "type": "financial-transaction",
943 "actions": [
944 "withdraw"
945 ],
946 "identifier": "account-14-32-32-3",
947 "currency": "USD"
948 },
949 "some other thing"
950 ]
952 [[ Editor's note: passing resource requests by reference really is
953 akin to a "scope", and we have many years of experience showing us
954 that the simplicity of giving a developer a set of strings to send is
955 a simple and powerful pattern. We could always require objects and
956 just use the "type" field as a scope value, but that's a lot of
957 complexity to pay for the simple case. Client developers will always
958 know which kind they need to send, because they're the ones picking
959 from the API's description. ]]
961 2.1.3. Requesting Multiple Access Tokens
963 When requesting multiple access tokens, the resources element is a
964 JSON object. The names of the JSON object elements are token
965 identifiers chosen by the RC, and MAY be any valid string. The
966 values of the JSON object are JSON arrays representing a single
967 access token request, as specified in requesting a single access
968 token (Section 2.1.1).
970 The following non-normative example shows a request for two separate
971 access tokens, "token1" and "token2".
973 "resources": {
974 "token1": [
975 {
976 "type": "photo-api",
977 "actions": [
978 "read",
979 "write",
980 "dolphin"
981 ],
982 "locations": [
983 "https://server.example.net/",
984 "https://resource.local/other"
985 ],
986 "datatypes": [
987 "metadata",
988 "images"
989 ]
990 },
991 "dolphin-metadata"
992 ],
993 "token2": [
994 {
995 "type": "walrus-access",
996 "actions": [
997 "foo",
998 "bar"
999 ],
1000 "locations": [
1001 "https://resource.other/"
1002 ],
1003 "datatypes": [
1004 "data",
1005 "pictures",
1006 "walrus whiskers"
1007 ]
1008 }
1009 ]
1010 }
1012 Any approved access requests are returned in the multiple access
1013 token response (Section 3.2.2) structure using the token identifiers
1014 in the request.
1016 2.2. Requesting User Information
1018 If the RC is requesting information about the RO from the AS, it
1019 sends a "subject" element as a JSON object. This object MAY contain
1020 the following fields (or additional fields defined in a registry TBD
1021 (Section 12)).
1023 sub_ids An array of subject identifier subject types requested for
1024 the RO, as defined by [I-D.ietf-secevent-subject-identifiers].
1026 assertions An array of requested assertion formats. Possible values
1027 include "id_token" for an [OIDC] ID Token and "saml2" for a SAML 2
1028 assertion. Additional assertion values are defined by a registry
1029 TBD (Section 12). [[ Editor's note: These values are lifted from
1030 [RFC8693]'s "token type identifiers" list, but is there a better
1031 source?]]
1033 "subject": {
1034 "sub_ids": [ "iss-sub", "email" ],
1035 "assertions": [ "id_token", "saml2" ]
1036 }
1038 The AS can determine the RO's identity and permission for releasing
1039 this information through interaction with the RO (Section 4), AS
1040 policies, or assertions presented by the RC (Section 2.4). If this
1041 is determined positively, the AS MAY return the RO's information in
1042 its response (Section 3.4) as requested.
1044 Note: the "sub_ids" and "assertions" request fields are independent
1045 of each other, and a returned assertion MAY omit a requested subject
1046 identifier.
1048 [[ Editor's note: we're potentially conflating these two types in the
1049 same structure, so perhaps these should be split. There's also a
1050 difference between user information and authentication event
1051 information. ]]
1053 2.3. Identifying the RC by Key
1055 When sending a non-continuation request to the AS, the RC MUST
1056 identify itself by including the "key" field in the request and by
1057 signing the request as described in Section 8.
1059 When sent by value, the key MUST be a public key in at least one
1060 supported format and MUST contain a proof property that matches the
1061 proofing mechanism used in the request. If the key is sent in
1062 multiple formats, all the keys MUST be the same. The key presented
1063 in this field MUST be the key used to sign the request.
1065 proof The form of proof that the RC will use when presenting the key
1066 to the AS. The valid values of this field and the processing
1067 requirements for each are detailed in Section 8. This field is
1068 REQUIRED.
1070 jwk Value of the public key as a JSON Web Key. MUST contain an "alg"
1071 field which is used to validate the signature. MUST contain the
1072 "kid" field to identify the key in the signed object.
1074 cert PEM serialized value of the certificate used to sign the
1075 request, with optional internal whitespace.
1077 cert#256 The certificate thumbprint calculated as per OAuth-MTLS
1078 [RFC8705] in base64 URL encoding.
1080 Additional key types are defined in a registry TBD (Section 12).
1082 [[ Editor's note: we will eventually want to have fetchable keys, I
1083 would guess. Things like DID for key identification are going to be
1084 important. ]]
1086 This non-normative example shows a single key presented in multiple
1087 formats using a single proofing mechanism.
1089 "key": {
1090 "proof": "httpsig",
1091 "jwk": {
1092 "kty": "RSA",
1093 "e": "AQAB",
1094 "kid": "xyz-1",
1095 "alg": "RS256",
1096 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8xY..."
1097 },
1098 "cert": "MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQsFA..."
1099 }
1101 The RC MUST prove possession of any presented key by the "proof"
1102 mechanism associated with the key in the request. Proof types are
1103 defined in a registry TBD (Section 12) and an initial set are of
1104 methods are described in Section 8.
1106 Continuation requests (Section 5) MUST use the same key and proof
1107 method as the initial request.
1109 [[ Editor's note: additional client attestation frameworks will
1110 eventually need to be addressed here beyond the presentation of the
1111 key. For example, the organization the client represents, or a
1112 family of client software deployed in a cluster, or the posture of
1113 the device the client is installed on. These all need to be
1114 separable from the client's key and the key identifier. ]]
1116 2.3.1. Authenticating the RC
1118 If the presented key is known to the AS and is associated with a
1119 single instance of the RC software, the process of presenting a key
1120 and proving possession of that key is sufficient to authenticate the
1121 RC to the AS. The AS MAY associate policies with the RC software
1122 identified by this key, such as limiting which resources can be
1123 requested and which interaction methods can be used. For example,
1124 only specific RCs with certain known keys might be trusted with
1125 access tokens without the AS interacting directly with the RO as in
1126 Appendix D.
1128 The presentation of a key allows the AS to strongly associate
1129 multiple successive requests from the same RC with each other. This
1130 is true when the AS knows the key ahead of time and can use the key
1131 to authenticate the RC software, but also if the key is ephemeral and
1132 created just for this request. As such the AS MAY allow for RCs to
1133 make requests with unknown keys. This pattern allows for ephemeral
1134 RCs, such as single-page applications, and RCs with many individual
1135 instances, such as mobile applications, to generate their own key
1136 pairs and use them within the protocol without having to go through a
1137 separate registration step. The AS MAY limit which capabilities are
1138 made available to RCs with unknown keys. For example, the AS could
1139 have a policy saying that only previously-registered RCs can request
1140 particular resources, or that all RCs with unknown keys have to be
1141 interactively approved by an RO.
1143 2.3.2. Identifying the Client Key By Reference
1145 If the RC has a reference for its key, the RC MAY send that reference
1146 handle as a string. The format of this string is determined by the
1147 AS and is opaque to the RC.
1149 "key": "7C7C4AZ9KHRS6X63AJAO"
1151 If the key is passed by reference, the proofing mechanism associated
1152 with that key reference MUST also be used by the RC, as described in
1153 Section 8.
1155 If the AS does not recognize the key reference handle, the request
1156 MUST be rejected with an error.
1158 If the RC identifies its key by reference, the referenced key MAY be
1159 a symmetric key known to the AS. The RC MUST NOT send a symmetric
1160 key by value in the request, as doing so would expose the key
1161 directly instead of proving possession of it.
1163 [[ Editor's note: In many ways, passing a key identifier by reference
1164 is analogous to OAuth 2's "client_id" parameter [RFC6749], especially
1165 when coupled with a confidential client's registration and
1166 authentication process. See Appendix D.2 for an example. Something
1167 like this is required to make things easier for client developers in
1168 the common case where the AS already knows the client's key, and to
1169 allow symmetric keys. ]]
1171 2.4. Identifying the User
1173 If the RC knows the identity of the RQ through one or more
1174 identifiers or assertions, the RC MAY send that information to the AS
1175 in the "user" field. The RC MAY pass this information by value or by
1176 reference.
1178 sub_ids An array of subject identifiers for the RQ, as defined by
1179 [I-D.ietf-secevent-subject-identifiers].
1181 assertions An object containing assertions as values keyed on the
1182 assertion type defined by a registry TBD (Section 12). Possible
1183 keys include "id_token" for an [OIDC] ID Token and "saml2" for a
1184 SAML 2 assertion. Additional assertion values are defined by a
1185 registry TBD (Section 12). [[ Editor's note: These keys are
1186 lifted from [RFC8693]'s "token type identifiers" list, but is
1187 there a better source? Additionally: should this be an array of
1188 objects with internal typing like the sub_ids? Do we expect more
1189 than one assertion per user anyway? ]]
1191 "user": {
1192 "sub_ids": [ {
1193 "subject_type": "email",
1194 "email": "user@example.com"
1195 } ],
1196 "assertions": {
1197 "id_token": "eyj..."
1198 }
1199 }
1200 Subject identifiers are hints to the AS in determining the RO and
1201 MUST NOT be taken as declarative statements that a particular RO is
1202 present at the RC and acting as the RQ. Assertions SHOULD be
1203 validated by the AS. [[ editor's note: is this a MUST? Assertion
1204 validation is extremely specific to the kind of assertion in place,
1205 what other guidance and requirements can we put in place here? ]]
1207 If the identified RQ does not match the RO present at the AS during
1208 an interaction step, the AS SHOULD reject the request with an error.
1210 [[ Editor's note: we're potentially conflating identification
1211 (sub_ids) and provable presence (assertions and a trusted reference
1212 handle) in the same structure, so perhaps these should be split. The
1213 security parameters are pretty different here. ]]
1215 If the AS trusts the RC to present verifiable assertions, the AS MAY
1216 decide, based on its policy, to skip interaction with the RO, even if
1217 the RC provides one or more interaction capabilities in its request.
1219 2.4.1. Identifying the User by Reference
1221 User reference identifiers can be dynamically issued by the AS
1222 (Section 3.5) to allow the RC to represent the same RQ to the AS over
1223 subsequent requests.
1225 If the RC has a reference for the RQ at this AS, the RC MAY pass that
1226 reference as a string. The format of this string is opaque to the
1227 RC.
1229 "user": "XUT2MFM1XBIKJKSDU8QM"
1231 User reference identifiers are not intended to be human-readable user
1232 identifiers or structured assertions. For the RC to send either of
1233 these, use the full user request object (Section 2.4) instead.
1235 [[ Editor's note: we might be able to fold this function into an
1236 unstructured user assertion reference issued by the AS to the RC. We
1237 could put it in as an assertion type of "gnap_reference" or something
1238 like that. Downside: it's more verbose and potentially confusing to
1239 the client developer to have an assertion-like thing that's internal
1240 to the AS and not an assertion. ]]
1242 If the AS does not recognize the user reference, it MUST return an
1243 error.
1245 2.5. Interacting with the User
1247 If the RC is capable of driving interaction with the RQ, and the
1248 client presumes the RQ can act as the RO, the RC SHOULD declare the
1249 means that it can interact using the "interact" field. This field is
1250 a JSON object with keys that declare different interaction
1251 capabilities. A RC MUST NOT declare an interaction capability it
1252 does not support.
1254 The RC MAY send multiple capabilities in the same request. There is
1255 no preference order specified in this request. An AS MAY respond to
1256 any, all, or none of the presented interaction capabilities
1257 (Section 3.3) in a request, depending on its capabilities and what is
1258 allowed to fulfill the request. This specification defines the
1259 following interaction capabilities:
1261 redirect Indicates that the RC can
1262 direct the RQ to an arbitrary URL at the AS for interaction.
1263 Section 2.5.1
1265 app Indicates that the RC can launch an
1266 application on the RQ's device for interaction. Section 2.5.2
1268 callback Indicates that the RC can
1269 receive a callback from the AS after interaction with the RO has
1270 concluded. Section 2.5.3
1272 user_code Indicates that the RC can
1273 communicate a human-readable short code to the RQ for use with a
1274 stable URL at the AS. Section 2.5.4
1276 ui_locales Indicates the RQ's preferred
1277 locales that the AS can use during interaction, particularly
1278 before the RO has authenticated. Section 2.5.5
1280 The following sections detail requests for interaction capabilities.
1281 Additional interaction capabilities are defined in a registry TBD
1282 (Section 12).
1284 [[ Editor's note: there need to be more examples (Appendix C) that
1285 knit together the interaction capabilities into common flows, like an
1286 authz-code equivalent. But it's important for the protocol design
1287 that these are separate pieces to allow such knitting to take place.
1288 ]]
1290 In this non-normative example, the RC is indicating that it can
1291 redirect (Section 2.5.1) the RQ to an arbitrary URL and can receive a
1292 callback (Section 2.5.3) through a browser request.
1294 "interact": {
1295 "redirect": true,
1296 "callback": {
1297 "method": "redirect",
1298 "uri": "https://client.example.net/return/123455",
1299 "nonce": "LKLTI25DK82FX4T4QFZC"
1300 }
1301 }
1303 In this non-normative example, the RC is indicating that it can
1304 display a use code (Section 2.5.4) and direct the RQ to an arbitrary
1305 URL of maximum length (Section 2.5.1.1) 255 characters, but it cannot
1306 accept a callback.
1308 "interact": {
1309 "redirect": 255,
1310 "user_code": true
1311 }
1313 If the RC does not provide a suitable interaction mechanism, the AS
1314 cannot contact the RO asynchronously, and the AS determines that
1315 interaction is required, then the AS SHOULD return an error since the
1316 RC will be unable to complete the request without authorization.
1318 The AS SHOULD apply suitable timeouts to any interaction mechanisms
1319 provided, including user codes and redirection URLs. The RC SHOULD
1320 apply suitable timeouts to any callback URLs.
1322 2.5.1. Redirect to an Arbitrary URL
1324 If the RC is capable of directing the RQ to a URL defined by the AS
1325 at runtime, the RC indicates this by sending the "redirect" field
1326 with the boolean value "true". The means by which the RC will
1327 activate this URL is out of scope of this specification, but common
1328 methods include an HTTP redirect, launching a browser on the RQ's
1329 device, providing a scannable image encoding, and printing out a URL
1330 to an interactive console.
1332 "interact": {
1333 "redirect": true
1334 }
1336 If this interaction capability is supported for this RC and request,
1337 the AS returns a redirect interaction response Section 3.3.1.
1339 2.5.1.1. Redirect to an Arbitrary Shortened URL
1341 If the RC would prefer to redirect to a shortened URL defined by the
1342 AS at runtime, the RC indicates this by sending the "redirect" field
1343 with an integer indicating the maximum character length of the
1344 returned URL. The AS MAY use this value to decide whether to return
1345 a shortened form of the response URL. If the AS cannot shorten its
1346 response URL enough to fit in the requested size, the AS SHOULD
1347 return an error. [[ Editor's note: Or maybe just ignore this part of
1348 the interaction request? ]]
1350 "interact": {
1351 "redirect": 255
1352 }
1354 If this interaction capability is supported for this RC and request,
1355 the AS returns a redirect interaction response with short URL
1356 Section 3.3.1.
1358 2.5.2. Open an Application-specific URL
1360 If the RC can open a URL associated with an application on the RQ's
1361 device, the RC indicates this by sending the "app" field with boolean
1362 value "true". The means by which the RC determines the application
1363 to open with this URL are out of scope of this specification.
1365 "interact": {
1366 "app": true
1367 }
1369 If this interaction capability is supported for this RC and request,
1370 the AS returns an app interaction response with an app URL payload
1371 Section 3.3.2.
1373 [[ Editor's note: this is similar to the "redirect" above today as
1374 most apps use captured URLs, but there seems to be a desire for
1375 splitting the web-based interaction and app-based interaction into
1376 different URIs. There's also the possibility of wanting more in the
1377 payload than can be reasonably put into the URL, or at least having
1378 separate payloads. ]]
1380 2.5.3. Receive a Callback After Interaction
1382 If the RC is capable of receiving a message from the AS indicating
1383 that the RO has completed their interaction, the RC indicates this by
1384 sending the "callback" field. The value of this field is an object
1385 containing the following members.
1387 uri REQUIRED. Indicates the URI to send the RO to after
1388 interaction. This URI MAY be unique per request and MUST be
1389 hosted by or accessible by the RC. This URI MUST NOT contain any
1390 fragment component. This URI MUST be protected by HTTPS, be
1391 hosted on a server local to the RO's browser ("localhost"), or use
1392 an application-specific URI scheme. If the RC needs any state
1393 information to tie to the front channel interaction response, it
1394 MUST use a unique callback URI to link to that ongoing state. The
1395 allowable URIs and URI patterns MAY be restricted by the AS based
1396 on the RC's presented key information. The callback URI SHOULD be
1397 presented to the RO during the interaction phase before redirect.
1399 nonce REQUIRED. Unique value to be used in the calculation of the
1400 "hash" query parameter sent to the callback URL, must be
1401 sufficiently random to be unguessable by an attacker. MUST be
1402 generated by the RC as a unique value for this request.
1404 method REQUIRED. The callback method that the AS will use to
1405 contact the RC. Valid values include "redirect" Section 2.5.3.1
1406 and "push" Section 2.5.3.2, with other values defined by a
1407 registry TBD (Section 12).
1409 hash_method OPTIONAL. The hash calculation mechanism to be used for
1410 the callback hash in Section 4.4.3. Can be one of "sha3" or
1411 "sha2". If absent, the default value is "sha3". [[ Editor's
1412 note: This should be expandable via a registry of cryptographic
1413 options, and it would be good if we didn't define our own
1414 identifiers here. See also note about cryptographic functions in
1415 Section 4.4.3. ]]
1417 "interact": {
1418 "callback": {
1419 "method": "redirect",
1420 "uri": "https://client.example.net/return/123455",
1421 "nonce": "LKLTI25DK82FX4T4QFZC"
1422 }
1423 }
1425 If this interaction capability is supported for this RC and request,
1426 the AS returns a nonce for use in validating the callback response
1427 (Section 3.3.3). Requests to the callback URI MUST be processed as
1428 described in Section 4.4, and the AS MUST require presentation of an
1429 interaction callback reference as described in Section 5.1.
1431 2.5.3.1. Receive an HTTP Callback Through the Browser
1433 A callback "method" value of "redirect" indicates that the RC will
1434 expect a call from the RO's browser using the HTTP method GET as
1435 described in Section 4.4.1.
1437 "interact": {
1438 "callback": {
1439 "method": "redirect",
1440 "uri": "https://client.example.net/return/123455",
1441 "nonce": "LKLTI25DK82FX4T4QFZC"
1442 }
1443 }
1445 Requests to the callback URI MUST be processed by the RC as described
1446 in Section 4.4.1.
1448 Since the incoming request to the callback URL is from the RO's
1449 browser, this method is usually used when the RO and RQ are the same
1450 entity. As such, the RC MUST ensure the RQ is present on the request
1451 to prevent substitution attacks.
1453 2.5.3.2. Receive an HTTP Direct Callback
1455 A callback "method" value of "push" indicates that the RC will expect
1456 a call from the AS directly using the HTTP method POST as described
1457 in Section 4.4.2.
1459 "interact": {
1460 "callback": {
1461 "method": "redirect",
1462 "uri": "https://client.example.net/return/123455",
1463 "nonce": "LKLTI25DK82FX4T4QFZC"
1464 }
1465 }
1467 Requests to the callback URI MUST be processed by the RC as described
1468 in Section 4.4.2.
1470 Since the incoming request to the callback URL is from the AS and not
1471 from the RO's browser, the RC MUST NOT require the RQ to be present
1472 on incoming HTTP the request.
1474 2.5.4. Display a Short User Code
1476 If the RC is capable of displaying or otherwise communicating a
1477 short, human-entered code to the RO, the RC indicates this by sending
1478 the "user_code" field with the boolean value "true". This code is to
1479 be entered at a static URL that does not change at runtime, as
1480 described in Section 3.3.4.
1482 "interact": {
1483 "user_code": true
1484 }
1486 If this interaction capability is supported for this RC and request,
1487 the AS returns a user code and interaction URL as specified in
1488 Section 4.2.
1490 2.5.5. Indicate Desired Interaction Locales
1492 If the RC knows the RQ's locale and language preferences, the RC can
1493 send this information to the AS using the "ui_locales" field with an
1494 array of locale strings as defined by [RFC5646].
1496 "interact": {
1497 "ui_locales": ["en_US", "fr_CA"]
1498 }
1500 If possible, the AS SHOULD use one of the locales in the array, with
1501 preference to the first item in the array supported by the AS. If
1502 none of the given locales are supported, the AS MAY use a default
1503 locale.
1505 2.5.6. Extending Interaction Capabilities
1507 Additional interaction capabilities are defined in a registry TBD
1508 (Section 12).
1510 [[ Editor's note: we should have guidance in here about how to define
1511 other interaction capabilities. There's already interest in defining
1512 message-based protocols like DIDCOMM and challenge-response protocols
1513 like FIDO, for example. ]]
1515 2.6. Providing Displayable RC Information
1517 If the RC has additional information to display to the RO during any
1518 interactions at the AS, it MAY send that information in the "display"
1519 field. This field is a JSON object that declares information to
1520 present to the RO during any interactive sequences.
1522 name Display name of the RC software
1524 uri User-facing web page of the RC software
1526 logo_uri Display image to represent the RC software
1528 "display": {
1529 "name": "My Client Display Name",
1530 "uri": "https://example.net/client"
1531 }
1533 [[ Editor's note: would we want to support pushing a display logo by
1534 value? On the upside it allows for more dynamic detached clients and
1535 doesn't require the AS to fetch information. On the downside, this
1536 is harder for the AS to enforce a policy about and could lead to
1537 potential exploits caused by sending binary image files. ]]
1539 Additional display fields are defined by a registry TBD (Section 12).
1541 The AS SHOULD use these values during interaction with the RO. The
1542 values are for informational purposes only and MUST NOT be taken as
1543 authentic proof of the RC's identity or source. The AS MAY restrict
1544 display values to specific RC instances, as identified by their keys
1545 in Section 2.3.
1547 [[ Editor's note: this might make sense to combine with the "key"
1548 field, but some classes of more dynamic client vary those fields
1549 separately from the key material. We should also consider things
1550 like signed statements for client attestation, but that might fit
1551 better into a different top-level field instead of this "display"
1552 field. ]]
1554 2.7. Declaring RC Capabilities
1556 If the RC supports extension capabilities, it MAY present them to the
1557 AS in the "capabilities" field. This field is an array of strings
1558 representing specific extensions and capabilities, as defined by a
1559 registry TBD (Section 12).
1561 "capabilities": ["ext1", "ext2"]
1563 2.8. Referencing an Existing Grant Request
1565 If the RC has a reference handle from a previously granted request,
1566 it MAY send that reference in the "existing_grant" field. This field
1567 is a single string consisting of the reference handle returned in a
1568 previous request's continuation response (Section 3.1).
1570 "existing_grant": "80UPRY5NM33OMUKMKSKU"
1572 The AS MUST dereference the grant associated with the reference and
1573 process this request in the context of the referenced one. The AS
1574 MUST NOT alter the existing grant associated with the reference.
1576 [[ Editor's note: this basic capability is to allow for both step-up
1577 authorization and downscoped authorization, but by explicitly
1578 creating a new request and not modifying an existing one. What's the
1579 best guidance for how an AS should process this? ]]
1581 2.9. Requesting OpenID Connect Claims
1583 If the RC and AS both support OpenID Connect's claims query language
1584 as defined in [OIDC] Section 5.5, the RC sends the value of the
1585 OpenID Connect "claims" authorization request parameter as a JSON
1586 object under the name "claims" in the root of the request.
1588 "claims": {
1589 "id_token" : {
1590 "email" : { "essential" : true },
1591 "email_verified" : { "essential" : true }
1592 },
1593 "userinfo" : {
1594 "name" : { "essential" : true },
1595 "picture" : null
1596 }
1597 }
1599 The contents of the "claims" parameter have the same semantics as
1600 they do in OpenID Connect's "claims" authorization request parameter,
1601 including all extensions such as [OIDC4IA]. The AS MUST process the
1602 claims object in the same way that it would with an OAuth 2 based
1603 authorization request.
1605 Note that because this is an independent query object, the "claims"
1606 value can augment or alter other portions of the request, namely the
1607 "resources" and "subject" fields. This query language uses the
1608 fields in the top level of the object to indicate the target for any
1609 requested claims. For instance, the "userinfo" target indicates that
1610 an access token would grant access to the given claims at the
1611 UserInfo Endpoint, while the "id_token" target indicates that the
1612 claims would be returned in an ID Token as described in Section 3.4.
1614 [[ Editor's note: I'm not a fan of GNAP defining how OIDC would work
1615 and would rather that work be done by the OIDF in an extension.
1616 However, I think it is important for discussion to see this kind of
1617 thing in context with the rest of the protocol, for now. ]]
1619 2.10. Extending The Grant Request
1621 The request object MAY be extended by registering new items in a
1622 registry TBD (Section 12). Extensions SHOULD be orthogonal to other
1623 parameters. Extensions MUST document any aspects where the extension
1624 item affects or influences the values or behavior of other request
1625 and response objects.
1627 [[ Editor's note: we should have more guidance and examples on what
1628 possible top-level extensions would look like. ]]
1630 3. Grant Response
1632 In response to a RC's request, the AS responds with a JSON object as
1633 the HTTP entity body.
1635 In this example, the AS is returning an interaction URL
1636 (Section 3.3.1), a callback nonce (Section 3.3.3), and a continuation
1637 handle (Section 3.1).
1639 {
1640 "interact": {
1641 "redirect": "https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ",
1642 "callback": "MBDOFXG4Y5CVJCX821LH"
1643 },
1644 "continue": {
1645 "handle": "80UPRY5NM33OMUKMKSKU",
1646 "uri": "https://server.example.com/tx"
1647 }
1648 }
1650 In this example, the AS is returning a bearer access token
1651 (Section 3.2.1) with a management URL and a subject identifier
1652 (Section 3.4) in the form of an email address.
1654 {
1655 "access_token": {
1656 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
1657 "proof": "bearer",
1658 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L"
1659 },
1660 "subject": {
1661 "sub_ids": [ {
1662 "subject_type": "email",
1663 "email": "user@example.com",
1664 } ]
1665 }
1666 }
1667 3.1. Request Continuation Handle
1669 If the AS determines that the request can be continued with
1670 additional requests, it responds with the "continue" field. This
1671 field contains a JSON object with the following properties.
1673 handle REQUIRED. A unique reference for continuing the request.
1675 uri REQUIRED. The URI at which the RC can make continuation
1676 requests. This URI MAY vary per RC or ongoing request, or MAY be
1677 stable at the AS. The RC MUST use this value exactly as given
1678 when making a continuation request (Section 5).
1680 wait RECOMMENDED. The amount of time in integer seconds the RC
1681 SHOULD wait after receiving this continuation handle and calling
1682 the URI.
1684 expires_in OPTIONAL. The number of seconds in which the handle will
1685 expire. The RC MUST NOT use the handle past this time. The AS
1686 MUST respond to an expired handle with an error. Note that the
1687 handle MAY be revoked at any point prior to its expiration.
1689 {
1690 "continue": {
1691 "handle": "80UPRY5NM33OMUKMKSKU",
1692 "uri": "https://server.example.com/continue",
1693 "wait": 60
1694 }
1695 }
1697 The RC can use the values of this field to continue the request as
1698 described in Section 5.
1700 This field SHOULD be returned when interaction is expected, to allow
1701 the RC to follow up after interaction has been concluded.
1703 [[ Editor's note: The combination of a "handle" and "uri" really
1704 feels like the access token pattern. Perhaps the exact constructs
1705 for tokens could be re-used here instead of something special for the
1706 request continuation? Especially if we're using some kind of
1707 directed access token mechanism. ]]
1709 3.2. Access Tokens
1711 If the AS has successfully granted one or more access tokens to the
1712 RC, the AS responds with either the "access_token" or the
1713 "multiple_access_token" field. The AS MUST NOT respond with both the
1714 "access_token" and "multiple_access_token" fields.
1716 [[ Editor's note: I really don't like the dichotomy between
1717 "access_token" and "multiple_access_tokens" and their being mutually
1718 exclusive, and I think we should design away from this pattern toward
1719 something less error-prone. ]]
1721 3.2.1. Single Access Token
1723 If the RC has requested a single access token and the AS has granted
1724 that access token, the AS responds with the "access_token" field.
1725 The value of this field is an object with the following properties.
1727 value REQUIRED. The value of the access token as a string. The
1728 value is opaque to the RC. The value SHOULD be limited to ASCII
1729 characters to facilitate transmission over HTTP headers within
1730 other protocols without requiring additional encoding.
1732 proof REQUIRED. The proofing presentation mechanism used for
1733 presenting this access token to an RS. See Section 7 for details
1734 on possible values to this field and their requirements.
1736 manage OPTIONAL. The management URI for this access token. If
1737 provided, the RC MAY manage its access token as described in
1738 Section 6. This management URI is a function of the AS and is
1739 separate from the RS the RC is requesting access to. This URI
1740 MUST NOT include the access token value and SHOULD be different
1741 for each access token issued in a request.
1743 resources OPTIONAL. A description of the rights associated with
1744 this access token, as defined in Section 3.2.1. If included, this
1745 MUST reflect the rights associated with the issued access token.
1746 These rights MAY vary from what was requested by the RC.
1748 expires_in OPTIONAL. The number of seconds in which the access will
1749 expire. The RC MUST NOT use the access token past this time. An
1750 RS MUST NOT accept an access token past this time. Note that the
1751 access token MAY be revoked by the AS or RS at any point prior to
1752 its expiration.
1754 key The key that the token is bound to, REQUIRED if the token is
1755 sender-constrained. The key MUST be in a format described in
1756 Section 2.3. [[ Editor's note: this isn't quite right, since the
1757 request section includes a "proof" field that we already have
1758 here. A possible solution would be to only have a "key" field as
1759 defined above and its absence indicates a bearer token? ]]
1761 The following non-normative example shows a single bearer token with
1762 a management URL that has access to three described resources.
1764 "access_token": {
1765 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
1766 "proof": "bearer",
1767 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
1768 "resources": [
1769 {
1770 "type": "photo-api",
1771 "actions": [
1772 "read",
1773 "write",
1774 "dolphin"
1775 ],
1776 "locations": [
1777 "https://server.example.net/",
1778 "https://resource.local/other"
1779 ],
1780 "datatypes": [
1781 "metadata",
1782 "images"
1783 ]
1784 },
1785 "read", "dolphin-metadata"
1786 ]
1787 }
1789 If the RC requested multiple access tokens (Section 2.1.3), the AS
1790 MUST NOT respond with a single access token structure.
1792 [[ Editor's note: There has been interest in describing a way for the
1793 AS to tell the client both how and where to use the token. This kind
1794 of directed access token could allow for some interesting deployment
1795 patterns where the client doesn't know much]]
1797 3.2.2. Multiple Access Tokens
1799 If the RC has requested multiple access tokens and the AS has granted
1800 at least one of them, the AS responds with the
1801 "multiple_access_tokens" field. The value of this field is a JSON
1802 object, and the property names correspond to the token identifiers
1803 chosen by the RC in the multiple access token request
1804 (Section 2.1.3). The values of the properties of this object are
1805 access tokens as described in Section 3.2.1.
1807 In this non-normative example, two bearer tokens are issued under the
1808 names "token1" and "token2", and only the first token has a
1809 management URL associated with it.
1811 "multiple_access_tokens": {
1812 "token1": {
1813 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
1814 "proof": "bearer",
1815 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L"
1816 },
1817 "token2": {
1818 "value": "UFGLO2FDAFG7VGZZPJ3IZEMN21EVU71FHCARP4J1",
1819 "proof": "bearer"
1820 }
1821 }
1823 Each access token corresponds to the named resources arrays in the
1824 RC's request. The AS MAY refuse to issue one or more of the
1825 requested access tokens. In such cases all of the other issued
1826 access tokens are included in the response except for the omitted
1827 token. The multiple access token response MUST be used when multiple
1828 access tokens are requested, even if only one access token is issued.
1830 If the RC requested a single access token (Section 2.1.1), the AS
1831 MUST NOT respond with multiple access tokens.
1833 Each access token MAY have different proofing mechanisms. If
1834 management is allowed, each access token SHOULD have different
1835 management URIs.
1837 [[ Editor's note: Do we need to specify that the management URIs are
1838 different if we require the token to be presented? ]]
1840 3.3. Interaction Capabilities
1842 If the RC has indicated a capability to interact with the RO in its
1843 request (Section 2.5), and the AS has determined that interaction is
1844 both supported and necessary, the AS responds to the RC with any of
1845 the following values in the "interact" field of the response. There
1846 is no preference order for interaction capabilities in the response,
1847 and it is up to the RC to determine which ones to use.
1849 The AS MUST NOT respond with any interaction capability that the RC
1850 did not indicate in its request.
1852 3.3.1. Redirection to an arbitrary URL
1854 If the RC indicates that it can redirect to an arbitrary URL
1855 (Section 2.5.1) and the AS supports this capability for the RC's
1856 request, the AS responds with the "redirect" field, which is a string
1857 containing the URL to direct the RQ to. This URL MUST be unique for
1858 the request and MUST NOT contain any security-sensitive information.
1860 "interact": {
1861 "redirect": "https://interact.example.com/4CF492MLVMSW9MKMXKHQ"
1862 }
1864 The interaction URL returned represents a function of the AS but MAY
1865 be completely distinct from the URL the RC uses to request access
1866 (Section 2), allowing an AS to separate its user-interactive
1867 functionality from its back-end security functionality.
1869 [[ Editor's note: This is one aspect where the AS might actually be
1870 two separate roles. Namely, a delegation server (back end) and
1871 interaction server (user-facing).]]
1873 The RC sends the RQ to the URL to interact with the AS. The RC MUST
1874 NOT alter the URL in any way. The means for the RC to send the RQ to
1875 this URL is out of scope of this specification, but common methods
1876 include an HTTP redirect, launching the system browser, displaying a
1877 scannable code, or printing out the URL in an interactive console.
1879 3.3.2. Launch of an application URL
1881 If the RC indicates that it can launch an application URL
1882 (Section 2.5.2) and the AS supports this capability for the RC's
1883 request, the AS responds with the "app" field, which is a string
1884 containing the URL to direct the RQ to. This URL MUST be unique for
1885 the request and MUST NOT contain any security-sensitive information.
1887 "interact": {
1888 "app": "https://app.example.com/launch?tx=4CF492MLV"
1889 }
1891 The RC launches the URL as appropriate on its platform, and the means
1892 for the RC to launch this URL is out of scope of this specification.
1893 The RC MUST NOT alter the URL in any way. The RC MAY attempt to
1894 detect if an installed application will service the URL being sent
1895 before attempting to launch the application URL.
1897 [[ Editor's note: This will probably need to be expanded to an object
1898 to account for other parameters needed in app2app use cases, like
1899 addresses for distributed storage systems, server keys, and the like.
1900 Details TBD as people build this out. ]]
1902 3.3.3. Callback to URL
1904 If the RC indicates that it can receive a post-interaction callback
1905 on a URL (Section 2.5.3) and the AS supports this capability for the
1906 RC's request, the AS responds with a "callback" field containing a
1907 nonce that the RC will use in validating the callback as defined in
1908 Section 4.4.1.
1910 "interact": {
1911 "callback": "MBDOFXG4Y5CVJCX821LH"
1912 }
1914 [[ Editor's note: This is fairly parallel to the request but it kinda
1915 hides the fact that this is a nonce from the AS, not the client. ]]
1917 When the RO completes interaction at the AS, the AS MUST call the
1918 RC's callback URL using the method indicated in the callback request
1919 (Section 2.5.3) as described in Section 4.4.1.
1921 If the AS returns a "callback" nonce, the RC MUST NOT continue a
1922 grant request before it receives the associated interaction reference
1923 on the callback URI.
1925 3.3.4. Display of a Short User Code
1927 If the RC indicates that it can display a short user-typeable code
1928 (Section 2.5.4) and the AS supports this capability for the RC's
1929 request, the AS responds with a "user_code" field. This field is an
1930 object that contains the following members.
1932 code REQUIRED. A unique short code that the user can type into an
1933 authorization server. This string MUST be case-insensitive, MUST
1934 consist of only easily typeable characters (such as letters or
1935 numbers). The time in which this code will be accepted SHOULD be
1936 short lived, such as several minutes. It is RECOMMENDED that this
1937 code be no more than eight characters in length.
1939 url RECOMMENDED. The interaction URL that the RC will direct the RO
1940 to. This URL MUST be stable at the AS such that RCs can be
1941 statically configured with it.
1943 "interact": {
1944 "user_code": {
1945 "code": "A1BC-3DFF",
1946 "url": "https://srv.ex/device"
1947 }
1948 }
1950 The RC MUST communicate the "code" to the RQ in some fashion, such as
1951 displaying it on a screen or reading it out audibly. The "code" is a
1952 one-time-use credential that the AS uses to identify the pending
1953 request from the RC. When the RO enters this code (Section 4.2) into
1954 the AS, the AS MUST determine the pending request that it was
1955 associated with. If the AS does not recognize the entered code, the
1956 AS MUST display an error to the user. If the AS detects too many
1957 unrecognized codes entered, it SHOULD display an error to the user.
1959 The RC SHOULD also communicate the URL if possible to facilitate user
1960 interaction, but since the URL should be stable, the RC should be
1961 able to safely decide to not display this value. As this interaction
1962 capability is designed to facilitate interaction via a secondary
1963 device, it is not expected that the RC redirect the RQ to the URL
1964 given here at runtime. Consequently, the URL needs to be stable
1965 enough that a RC could be statically configured with it, perhaps
1966 referring the RQ to the URL via documentation instead of through an
1967 interactive means. If the RC is capable of communicating an
1968 arbitrary URL to the RQ, such as through a scannable code, the RC can
1969 use the "redirect" (Section 2.5.1) capability for this purpose
1970 instead of or in addition to the user code capability.
1972 The interaction URL returned represents a function of the AS but MAY
1973 be completely distinct from the URL the RC uses to request access
1974 (Section 2), allowing an AS to separate its user-interactive
1975 functionality from its back-end security functionality.
1977 [[ Editor's note: This is one aspect where the AS might actually be
1978 two separate roles. Namely, a delegation server (back end) and
1979 interaction server (user-facing).]]
1981 3.3.5. Extending Interaction Capability Responses
1983 Extensions to this specification can define new interaction
1984 capability responses in a registry TBD (Section 12). Extensions MUST
1985 document the corresponding interaction request.
1987 3.4. Returning User Information
1989 If information about the RO is requested and the AS grants the RC
1990 access to that data, the AS returns the approved information in the
1991 "subject" response field. This field is an object with the following
1992 OPTIONAL properties.
1994 sub_ids An array of subject identifiers for the RO, as defined by
1995 [I-D.ietf-secevent-subject-identifiers]. [[ Editor's note: privacy
1996 considerations are needed around returning identifiers. ]]
1998 assertions An object containing assertions as values keyed on the
1999 assertion type defined by a registry TBD (Section 12). [[
2000 Editor's note: should this be an array of objects with internal
2001 typing like the sub_ids? Do we expect more than one assertion per
2002 user anyway? ]]
2004 updated_at Timestamp in integer seconds indicating when the
2005 identified account was last updated. The RC MAY use this value to
2006 determine if it needs to request updated profile information
2007 through an identity API. The definition of such an identity API
2008 is out of scope for this specification.
2010 "subject": {
2011 "sub_ids": [ {
2012 "subject_type": "email",
2013 "email": "user@example.com",
2014 } ],
2015 "assertions": {
2016 "id_token": "eyj..."
2017 }
2018 }
2020 Extensions to this specification MAY define additional response
2021 properties in a registry TBD (Section 12).
2023 3.5. Returning Dynamically-bound Reference Handles
2025 Many parts of the RC's request can be passed as either a value or a
2026 reference. The use of a reference in place of a value allows for a
2027 client to optimize requests to the AS.
2029 Some references, such as for the RC's keys (Section 2.3.2) or the
2030 requested resources (Section 2.1.2), can be managed statically
2031 through an admin console or developer portal provided by the AS or
2032 RS. If desired, the AS MAY also generate and return some of these
2033 references dynamically to the RC in its response to facilitate
2034 multiple interactions with the same software. The RC SHOULD use
2035 these references in future requests in lieu of sending the associated
2036 data value. These handles are intended to be used on future
2037 requests.
2039 Dynamically generated handles are string values that MUST be
2040 protected by the RC as secrets. Handle values MUST be unguessable
2041 and MUST NOT contain any sensitive information. Handle values are
2042 opaque to the RC. [[ Editor's note: these used to be objects to allow
2043 for expansion to future elements, like a management URI or different
2044 presentation types or expiration, but those weren't used in practice.
2045 Is that desirable anymore or is collapsing them like this the right
2046 direction? ]]
2048 All dynamically generated handles are returned as fields in the root
2049 JSON object of the response. This specification defines the
2050 following dynamic handle returns, additional handles can be defined
2051 in a registry TBD (Section 12).
2053 key_handle A value used to represent the information in the key
2054 object that the RC can use in a future request, as described in
2055 Section 2.3.2.
2057 user_handle A value used to represent the current user. The RC can
2058 use in a future request, as described in Section 2.4.1.
2060 This non-normative example shows two handles along side an issued
2061 access token.
2063 {
2064 "user_handle": "XUT2MFM1XBIKJKSDU8QM",
2065 "key_handle": "7C7C4AZ9KHRS6X63AJAO",
2066 "access_token": {
2067 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
2068 "proof": "bearer"
2069 }
2070 }
2072 [[ Editor's note: the ability to dynamically return reference handles
2073 allows for an inline version of dynamic registration without needing
2074 to go through a discrete registration step, for clients where that
2075 makes sense. Currently this is entirely up to the AS to decide when
2076 to issue these, but maybe the client should signal that it can
2077 receive these handles as part of the request? Since the client is
2078 the component that will know if it's in a position to make use of
2079 such reference handles in the future (like a mobile app) or if it's
2080 just going to evaporate at the end of a session (like an SPA).
2081 Ultimately we need to deal with a range of dynamism, not just the
2082 "pre-registered" vs. "non-registered" use cases that OAuth forces us
2083 in to. ]]
2085 3.6. Error response
2087 If the AS determines that the request cannot be issued for any
2088 reason, it responds to the RC with an error message.
2090 error The error code.
2092 {
2094 "error": "user_denied"
2096 }
2098 The error code is one of the following, with additional values
2099 available in a registry TBD (Section 12):
2101 user_denied The RO denied the request.
2103 too_fast The RC did not respect the timeout in the wait response.
2105 unknown_handle The request referenced an unknown handle.
2107 [[ Editor's note: I think we will need a more robust error mechanism,
2108 and we need to be more clear about what error states are allowed in
2109 what circumstances. Additionally, is the "error" parameter exclusive
2110 with others in the return? ]]
2112 3.7. Extending the Response
2114 Extensions to this specification MAY define additional fields for the
2115 grant response in a registry TBD (Section 12).
2117 [[ Editor's note: what guidance should we give to designers on this?
2118 ]]
2120 4. Interaction at the AS
2122 If the RC indicates that it is capable of driving interaction with
2123 the RO in its request (Section 2.5), and the AS determines that
2124 interaction is required and responds to one or more of the RC's
2125 interaction capabilities, the RC SHOULD initiate one of the returned
2126 interaction capabilities in the response (Section 3.3).
2128 When the RO is interacting with the AS, the AS MAY perform whatever
2129 actions it sees fit, including but not limited to:
2131 * authenticate the current user (who may be the RQ) as the RO
2132 * gather consent and authorization from the RO for access to
2133 requested resources and direct information
2135 * allow the RO to modify the parameters of the request (such as
2136 disallowing some requested resources or specifying an account or
2137 record)
2139 * provide warnings to the RO about potential attacks or negative
2140 effects of the requested information
2142 [[ Editor's note: there are some privacy and security considerations
2143 here but for the most part we don't want to be overly prescriptive
2144 about the UX, I think. ]]
2146 4.1. Interaction at a Redirected URI
2148 When the RO is directed to the AS through the "redirect"
2149 (Section 3.3.1) capability, the AS can interact with the RO through
2150 their web browser to authenticate the user as an RO and gather their
2151 consent. Note that since the RC does not add any parameters to the
2152 URL, the AS MUST determine the grant request being referenced from
2153 the URL value itself. If the URL cannot be associated with a
2154 currently active request, the AS MUST display an error to the RO and
2155 MUST NOT attempt to redirect the RO back to any RC even if a callback
2156 is supplied (Section 2.5.3).
2158 The interaction URL MUST be reachable from the RO's browser, though
2159 note that the RO MAY open the URL on a separate device from the RC
2160 itself. The interaction URL MUST be accessible from an HTTP GET
2161 request, and MUST be protected by HTTPS or equivalent means.
2163 With this method, it is common for the RO to be the same party as the
2164 RQ, since the RC has to communicate the redirection URI to the RQ.
2166 4.2. Interaction at the User Code URI
2168 When the RO is directed to the AS through the "user_code"
2169 (Section 3.3.4) capability, the AS can interact with the RO through
2170 their web browser to collect the user code, authenticate the user as
2171 an RO, and gather their consent. Note that since the URL itself is
2172 static, the AS MUST determine the grant request being referenced from
2173 the user code value itself. If the user code cannot be associated
2174 with a currently active request, the AS MUST display an error to the
2175 RO and MUST NOT attempt to redirect the RO back to any RC even if a
2176 callback is supplied (Section 2.5.3).
2178 The user code URL MUST be reachable from the RO's browser, though
2179 note that the RO MAY open the URL on a separate device from the RC
2180 itself. The user code URL MUST be accessible from an HTTP GET
2181 request, and MUST be protected by HTTPS or equivalent means.
2183 While it is common for the RO to be the same party as the RQ, since
2184 the RC has to communicate the user code to someone, there are cases
2185 where the RQ and RO are separate parties and the authorization
2186 happens asynchronously.
2188 4.3. Interaction through an Application URI
2190 When the RC successfully launches an application through the "app"
2191 capability (Section 3.3.2), the AS interacts with the RO through that
2192 application to authenticate the user as the RO and gather their
2193 consent. The details of this interaction are out of scope for this
2194 specification.
2196 [[ Editor's note: Should we have anything to say about an app sending
2197 information to a back-end to get details on the pending request? ]]
2199 4.4. Post-Interaction Completion
2201 Upon completing an interaction with the RO, if a "callback"
2202 (Section 3.3.3) capability is available with the current request, the
2203 AS MUST follow the appropriate method at the end of interaction to
2204 allow the RC to continue. If this capability is not available, the
2205 AS SHOULD instruct the RO to return to their RC software upon
2206 completion. Note that these steps still take place in most error
2207 cases, such as when the RO has denied access. This pattern allows
2208 the RC to potentially recover from the error state without restarting
2209 the request from scratch.
2211 [[ Editor's note: there might be some other kind of push-based
2212 notification or callback that the client can use, or an out-of-band
2213 non-HTTP protocol. The AS would know about this if supported and
2214 used, but the guidance here should be written in such a way as to not
2215 be too restrictive in the next steps that it can take. Still, it's
2216 important that the AS not expect or even allow clients to poll if the
2217 client has stated it can take a callback of some form, otherwise that
2218 sets up a potential session fixation attack vector that the client is
2219 trying to and able to avoid. ]]
2221 The AS MUST calculate a hash value as described in Section 4.4.3.
2222 The RC will use this value to validate the return call from the AS.
2224 The AS MUST create an interaction reference and associate that
2225 reference with the current interaction and the underlying pending
2226 request. This value MUST be sufficiently random so as not to be
2227 guessable by an attacker.
2229 The AS then MUST send the hash and interaction reference based on the
2230 interaction finalization capability as described in the following
2231 sections.
2233 4.4.1. Completing Interaction with a Browser Redirect to the Callback
2234 URI
2236 When using the "callback" interaction capability (Section 3.3.3) with
2237 the "redirect" method, the AS signals to the RC that interaction is
2238 complete and the request can be continued by directing the RO (in
2239 their browser) back to the RC's callback URL sent in the callback
2240 request (Section 2.5.3.1).
2242 The AS secures this callback by adding the hash and interaction
2243 reference as query parameters to the RC's callback URL.
2245 hash REQUIRED. The interaction hash value as described in
2246 Section 4.4.3.
2248 interact_ref REQUIRED. The interaction reference generated for this
2249 interaction.
2251 The means of directing the RO to this URL are outside the scope of
2252 this specification, but common options include redirecting the RO
2253 from a web page and launching the system browser with the target URL.
2255 https://client.example.net/return/123455
2256 ?hash=p28jsq0Y2KK3WS__a42tavNC64ldGTBroywsWxT4md_jZQ1R2HZT8BOWYHcLmObM7XHPAdJzTZMtKBsaraJ64A
2257 &interact_ref=4IFWWIKYBC2PQ6U56NL1
2259 When receiving the request, the RC MUST parse the query parameters to
2260 calculate and validate the hash value as described in Section 4.4.3.
2261 If the hash validates, the RC sends a continuation request to the AS
2262 as described in Section 5.1 using the interaction reference value
2263 received here.
2265 4.4.2. Completing Interaction with a Direct HTTP Request Callback
2267 When using the "callback" interaction capability (Section 3.3.3) with
2268 the "push" method, the AS signals to the RC that interaction is
2269 complete and the request can be continued by sending an HTTP POST
2270 request to the RC's callback URL sent in the callback request
2271 (Section 2.5.3.2).
2273 The entity message body is a JSON object consisting of the following
2274 two elements:
2276 hash REQUIRED. The interaction hash value as described in
2277 Section 4.4.3.
2279 interact_ref REQUIRED. The interaction reference generated for this
2280 interaction.
2282 POST /push/554321 HTTP/1.1
2283 Host: client.example.net
2284 Content-Type: application/json
2286 {
2287 "hash": "p28jsq0Y2KK3WS__a42tavNC64ldGTBroywsWxT4md_jZQ1R2HZT8BOWYHcLmObM7XHPAdJzTZMtKBsaraJ64A",
2288 "interact_ref": "4IFWWIKYBC2PQ6U56NL1"
2289 }
2291 When receiving the request, the RC MUST parse the JSON object and
2292 validate the hash value as described in Section 4.4.3. If the hash
2293 validates, the RC sends a continuation request to the AS as described
2294 in Section 5.1 using the interaction reference value received here.
2296 4.4.3. Calculating the interaction hash
2298 The "hash" parameter in the request to the RC's callback URL ties the
2299 front channel response to an ongoing request by using values known
2300 only to the parties involved. This security mechanism prevents
2301 several kinds of session fixation attacks against the RC.
2303 To calculate the "hash" value, the party doing the calculation first
2304 takes the "nonce" value sent by the RC in the interaction section of
2305 the initial request (Section 2.5.3), the AS's nonce value from the
2306 callback response (Section 3.3.3), and the "interact_ref" sent to the
2307 RC's callback URL. These three values are concatenated to each other
2308 in this order using a single newline character as a separator between
2309 the fields. There is no padding or whitespace before or after any of
2310 the lines, and no trailing newline character.
2312 VJLO6A4CAYLBXHTR0KRO
2313 MBDOFXG4Y5CVJCX821LH
2314 4IFWWIKYBC2PQ6U56NL1
2316 The party then hashes this string with the appropriate algorithm
2317 based on the "hash_method" parameter of the "callback". If the
2318 "hash_method" value is not present in the RC's request, the algorithm
2319 defaults to "sha3".
2321 [[ Editor's note: these hash algorithms should be pluggable, and
2322 ideally we shouldn't redefine yet another crypto registry for this
2323 purpose, but I'm not convinced an appropriate one already exists.
2324 Furthermore, we should be following best practices here whether it's
2325 a plain hash, a keyed MAC, an HMAC, or some other form of
2326 cryptographic function. I'm not sure what the defaults and options
2327 ought to be, but SHA512 and SHA3 were picked based on what was
2328 available to early developers. ]]
2330 4.4.3.1. SHA3-512
2332 The "sha3" hash method consists of hashing the input string with the
2333 512-bit SHA3 algorithm. The byte array is then encoded using URL
2334 Safe Base64 with no padding. The resulting string is the hash value.
2336 p28jsq0Y2KK3WS__a42tavNC64ldGTBroywsWxT4md_jZQ1R2HZT8BOWYHcLmObM7XHPAdJzTZMtKBsaraJ64A
2338 4.4.3.2. SHA2-512
2340 The "sha2" hash method consists of hashing the input string with the
2341 512-bit SHA2 algorithm. The byte array is then encoded using URL
2342 Safe Base64 with no padding. The resulting string is the hash value.
2344 62SbcD3Xs7L40rjgALA-ymQujoh2LB2hPJyX9vlcr1H6ecChZ8BNKkG_HrOKP_Bpj84rh4mC9aE9x7HPBFcIHw
2346 5. Continuing a Grant Request
2348 If the RC receives a "continue" element in its response Section 3.1,
2349 the RC can make an HTTP POST call to the continuation URI with a JSON
2350 object. The RC MUST send the handle reference from the continuation
2351 element in its request as a top-level JSON parameter.
2353 {
2354 "handle": "tghji76ytghj9876tghjko987yh"
2355 }
2357 The RC MAY include other parameters as described here or as defined a
2358 registry TBD (Section 12).
2360 [[ Editor's note: We probably want to allow other parameters, like
2361 modifying the resources requested or providing more user information.
2362 We'll certainly have some kinds of specific challenge-response
2363 protocols as there's already been interest in that kind of thing, and
2364 the continuation request is the place where that would fit. ]]
2366 If a "wait" parameter was included in the continuation response, the
2367 RC MUST NOT call the continuation URI prior to waiting the number of
2368 seconds indicated. If no "wait" period is indicated, the RC SHOULD
2369 wait at least 5 seconds [[ Editor's note: what's a reasonable amount
2370 of time so as not to DOS the server?? ]]. If the RC does not respect
2371 the given wait period, the AS MUST return an error.
2373 The response from the AS is a JSON object and MAY contain any of the
2374 elements described in Section 3, with the following variations:
2376 If the AS determines that the RC can make a further continuation
2377 request, the AS MUST include a new "continue" response element
2378 (Section 3.1). The returned handle value MUST NOT be the same as
2379 that used to make the continuation request, and the continuation URI
2380 MAY remain the same. If the AS does not return a new "continue"
2381 response element, the RC MUST NOT make an additional continuation
2382 request. If a RC does so, the AS MUST return an error.
2384 If the AS determines that the RC still needs to drive interaction
2385 with the RQ, the AS MAY return appropriate responses for any of the
2386 interaction mechanisms (Section 3.3) the RC indicated in its initial
2387 request (Section 2.5). Unique values such as interaction URIs and
2388 nonces SHOULD be re-generated and not re-used.
2390 The RC MUST present proof of the same key identified in the initial
2391 request (Section 2.3) by signing the request as described in
2392 Section 8. This requirement is in place whether or not the AS had
2393 previously registered the RC's key as described in Section 2.3.1.
2395 5.1. Continuing after a Finalized Interaction
2397 If the RC has received an interaction reference from a "callback"
2398 (Section 4.4.1) message, the RC MUST include the "interaction_ref" in
2399 its continuation request. The RC MUST validate the hash before
2400 making the continuation request, but note that the RC does not send
2401 the hash back to the AS in the request.
2403 {
2404 "handle": "tghji76ytghj9876tghjko987yh",
2405 "interact_ref": "4IFWWIKYBC2PQ6U56NL1"
2406 }
2408 5.2. Continuing after Tokens are Issued
2410 A request MAY be continued even after access tokens have been issued,
2411 so long as the handle is valid. The AS MAY respond to such a
2412 continuation request with new access tokens as described in
2413 Section 3.2 based on the RC's original request. The AS SHOULD revoke
2414 existing access tokens. If the AS determines that the RC can make a
2415 further continuation request in the future, the AS MUST include a new
2416 "continue" response element (Section 3.1). The returned handle value
2417 MUST NOT be the same as that used to make the continuation request,
2418 and the continuation URI MAY remain the same. If the AS does not
2419 return a new "continue" response element, the RC MUST NOT make an
2420 additional continuation request. If the RC does so, the AS MUST
2421 return an error.
2423 [[ Editor's note: There is significant overlap here with the
2424 functionality that allows the rotation of an individual access token
2425 in the next main section. It seems like this would still be needed
2426 to modify the entire request, but for the common case where you've
2427 got a single access token in the response, you've got two ways to do
2428 almost the same thing, which is confusing for client developers. We
2429 need to discuss how best to manage these patterns in concert with
2430 each other. ]]
2432 6. Token Management
2434 If an access token response includes the "manage" parameter as
2435 described in Section 3.2.1, the RC MAY call this URL to manage the
2436 access token with any of the actions defined in the following
2437 sections. Other actions are undefined by this specification.
2439 The access token being managed acts as the access element for its own
2440 management API. The RC MUST present proof of an appropriate key
2441 along with the access token.
2443 If the token is sender-constrained (i.e., not a bearer token), it
2444 MUST be sent with the appropriate binding for the access token
2445 (Section 7).
2447 If the token is a bearer token, the RC MUST present proof of the same
2448 key identified in the initial request (Section 2.3) as described in
2449 Section 8.
2451 The AS MUST validate the proof and assure that it is associated with
2452 either the token itself or the RC the token was issued to, as
2453 appropriate for the token's presentation type.
2455 6.1. Rotating the Access Token
2457 The RC makes an HTTP POST to the token management URI, sending the
2458 access token in the appropriate header and signing the request with
2459 the appropriate key.
2461 POST /token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L HTTP/1.1
2462 Host: server.example.com
2463 Authorization: GNAP OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0
2464 Detached-JWS: eyj0....
2466 The AS validates that the token presented is associated with the
2467 management URL, that the AS issued the token to the given RC, and
2468 that the presented key is appropriate to the token.
2470 If the access token has expired, the AS SHOULD honor the rotation
2471 request to the token management URL since it is likely that the RC is
2472 attempting to refresh the expired token. To support this, the AS MAY
2473 apply different lifetimes for the use of the token in management vs.
2474 its use at an RS. An AS MUST NOT honor a rotation request for an
2475 access token that has been revoked, either by the AS or by the RC
2476 through the token management URI (Section 6.2).
2478 If the token is validated and the key is appropriate for the request,
2479 the AS MUST invalidate the current access token associated with this
2480 URL, if possible, and return a new access token response as described
2481 in Section 3.2.1. The value of the access token MUST NOT be the same
2482 as the current value of the access token used to access the
2483 management API. The response MAY include an updated access token
2484 management URL as well, and if so, the RC MUST use this new URL to
2485 manage the new access token.
2487 {
2488 "access_token": {
2489 "value": "FP6A8H6HY37MH13CK76LBZ6Y1UADG6VEUPEER5H2",
2490 "proof": "bearer",
2491 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
2492 "resources": [
2493 {
2494 "type": "photo-api",
2495 "actions": [
2496 "read",
2497 "write",
2498 "dolphin"
2499 ],
2500 "locations": [
2501 "https://server.example.net/",
2502 "https://resource.local/other"
2503 ],
2504 "datatypes": [
2505 "metadata",
2506 "images"
2507 ]
2508 },
2509 "read", "dolphin-metadata"
2510 ]
2511 }
2512 }
2514 [[ Editor's note: If the client is using its own key as the proof,
2515 like with a bearer access token, the AS is going to need to know if
2516 the client's key has been rotated. We don't have a mechanism for
2517 rotating the token's key or the client's key yet either - so that
2518 could occur through this management function as well. ]]
2520 6.2. Revoking the Access Token
2522 If the RC wishes to revoke the access token proactively, such as when
2523 a user indicates to the RC that they no longer wish for it to have
2524 access or the RC application detects that it is being uninstalled,
2525 the RC can use the token management URI to indicate to the AS that
2526 the AS should invalidate the access token for all purposes.
2528 The RC makes an HTTP DELETE request to the token management URI,
2529 signing the request with its key.
2531 DELETE /token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L HTTP/1.1
2532 Host: server.example.com
2533 Authorization: GNAP OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0
2534 Detached-JWS: eyj0....
2536 If the token was issued to the RC identified by the key, the AS MUST
2537 invalidate the access token, if possible, and return an HTTP 204
2538 response code.
2540 204 No Content
2542 If the access token has expired, the AS SHOULD honor the revocation
2543 request to the token management URL as valid, since the end result is
2544 still the token not being usable.
2546 Though the AS MAY revoke an access token at any time for any reason,
2547 the token management function is specifically for the RC's use.
2549 7. Using Access Tokens
2551 The method the RC uses to send an access token to the RS depends on
2552 the value of the "proof" parameter in the access token response
2553 (Section 3.2.1).
2555 If this value is "bearer", the access token is sent using the HTTP
2556 Header method defined in [RFC6750].
2558 Authorization: Bearer OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0
2560 The form parameter and query parameter methods of [RFC6750] MUST NOT
2561 be used.
2563 If the "proof" value is any other string, the access token is sent
2564 using the HTTP authorization scheme "GNAP" along with a key proof as
2565 described in Section 8 for the key bound to the access token. For
2566 example, a "jwsd"-bound access token is sent as follows:
2568 Authorization: GNAP OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0
2569 Detached-JWS: eyj0....
2571 [[ Editor's note: I don't actually like the idea of using only one
2572 header type for differently-bound access tokens. Perhaps instead
2573 these values should somehow reflect the key binding types. Maybe
2574 there can be multiple fields after the "GNAP" keyword using
2575 structured headers? Or a set of derived headers like GNAP-mtls?
2576 This might also be better as a separate specification, like it was in
2577 OAuth 2. ]]
2579 8. Binding Keys
2581 Any keys presented by the RC to the AS or RS MUST be validated as
2582 part of the request in which they are presented. The type of binding
2583 used is indicated by the proof parameter of the key section in the
2584 initial request Section 2.3. Values defined by this specification
2585 are as follows:
2587 jwsd A detached JWS signature header
2589 jws Attached JWS payload
2591 mtls Mutual TLS certificate verification
2593 dpop OAuth Demonstration of Proof-of-Possession key proof header
2595 httpsig HTTP Signing signature header
2597 oauthpop OAuth PoP key proof authentication header
2599 Additional proofing methods are defined by a registry TBD
2600 (Section 12).
2602 All key binding methods used by this specification MUST cover all
2603 relevant portions of the request, including anything that would
2604 change the nature of the request, to allow for secure validation of
2605 the request by the AS. Relevant aspects include the URI being
2606 called, the HTTP method being used, any relevant HTTP headers and
2607 values, and the HTTP message body itself. The recipient of the
2608 signed message MUST validate all components of the signed message to
2609 ensure that nothing has been tampered with or substituted in a way
2610 that would change the nature of the request.
2612 When used in the GNAP delegation protocol, these key binding
2613 mechanisms allow the AS to ensure that the keys presented by the RC
2614 in the initial request are in control of the party calling any
2615 follow-up or continuation requests. To facilitate this requirement,
2616 all keys in the initial request Section 2.3 MUST be proved in all
2617 continuation requests Section 5 and token management requests
2618 Section 6. The AS MUST validate all keys presented by the RC
2619 (Section 2.3) or referenced in an ongoing request for each call
2620 within that request.
2622 [[ Editor's note: We are going to need a way for a client to rotate
2623 its keys securely, even while an ongoing grant is in effect. ]]
2625 8.1. Detached JWS
2627 This method is indicated by "jwsd" in the "proof" field. A JWS
2628 [RFC7515] signature object is created as follows:
2630 The header of the JWS MUST contain the "kid" field of the key bound
2631 to this RC for this request. The JWS header MUST contain an "alg"
2632 field appropriate for the key identified by kid and MUST NOT be
2633 "none".
2635 To protect the request, the JWS header MUST contain the following
2636 additional fields.
2638 htm The HTTP Method used to make this request, as an uppercase ASCII
2639 string.
2641 htu The HTTP URI used for this request, including all path and query
2642 components.
2644 ts A timestamp of the request in integer seconds
2646 [[ Editor's note: It's not the usual practice to put additional
2647 information into the header of a JWS, but this keeps us from having
2648 to normalize the body serialization. ]]
2650 The payload of the JWS object is the serialized body of the request,
2651 and the object is signed according to detached JWS [RFC7797].
2653 The RC presents the signature in the Detached-JWS HTTP Header field.
2654 [[ Editor's Note: this is a custom header field, do we need this? ]]
2656 POST /tx HTTP/1.1
2657 Host: server.example.com
2658 Content-Type: application/json
2659 Detached-JWS: eyJiNjQiOmZhbHNlLCJhbGciOiJSUzI1NiIsImtpZCI6Inh5ei0xIn0.
2660 .Y287HMtaY0EegEjoTd_04a4GC6qV48GgVbGKOhHdJnDtD0VuUlVjLfwne8AuUY3U7e8
2661 9zUWwXLnAYK_BiS84M8EsrFvmv8yDLWzqveeIpcN5_ysveQnYt9Dqi32w6IOtAywkNUD
2662 ZeJEdc3z5s9Ei8qrYFN2fxcu28YS4e8e_cHTK57003WJu-wFn2TJUmAbHuqvUsyTb-nz
2663 YOKxuCKlqQItJF7E-cwSb_xULu-3f77BEU_vGbNYo5ZBa2B7UHO-kWNMSgbW2yeNNLbL
2664 C18Kv80GF22Y7SbZt0e2TwnR2Aa2zksuUbntQ5c7a1-gxtnXzuIKa34OekrnyqE1hmVW
2665 peQ
2667 {
2668 "display": {
2669 "name": "My Client Display Name",
2670 "uri": "https://example.net/client"
2671 },
2672 "resources": [
2673 "dolphin-metadata"
2674 ],
2675 "interact": {
2676 "redirect": true,
2677 "callback": {
2678 "method": "redirect",
2679 "uri": "https://client.foo",
2680 "nonce": "VJLO6A4CAYLBXHTR0KRO"
2681 }
2682 },
2683 "key": {
2684 "proof": "jwsd",
2685 "jwk": {
2686 "kty": "RSA",
2687 "e": "AQAB",
2688 "kid": "xyz-1",
2689 "alg": "RS256",
2690 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8
2691 xYJCNaOKNJn_Oz0YhdHbXTeWO5AoyspDWJbN5w_7bdWDxgpD-y6jnD1u9YhBOCWObNPF
2692 vpkTM8LC7SdXGRKx2k8Me2r_GssYlyRpqvpBlY5-ejCywKRBfctRcnhTTGNztbbDBUyD
2693 SWmFMVCHe5mXT4cL0BwrZC6S-uu-LAx06aKwQOPwYOGOslK8WPm1yGdkaA1uF_FpS6LS
2694 63WYPHi_Ap2B7_8Wbw4ttzbMS_doJvuDagW8A1Ip3fXFAHtRAcKw7rdI4_Xln66hJxFe
2695 kpdfWdiPQddQ6Y1cK2U3obvUg7w"
2696 }
2697 }
2698 }
2700 When the server (AS or RS) receives the Detached-JWS header, it MUST
2701 parse its contents as a detached JWS object. The HTTP Body is used
2702 as the payload for purposes of validating the JWS, with no
2703 transformations.
2705 [[ Editor's note: this is a potentially fragile signature mechanism.
2706 It doesn't protect the method or URL of the request in the signature,
2707 but it's simple to calculate and useful for body-driven requests,
2708 like the client to the AS. We might want to remove this in favor of
2709 general-purpose HTTP signing. ]]
2711 8.2. Attached JWS
2713 This method is indicated by "jwsd" in the "proof" field. A JWS
2714 [RFC7515] signature object is created as follows:
2716 The header of the JWS MUST contain the "kid" field of the key bound
2717 to this RC for this request. The JWS header MUST contain an "alg"
2718 field appropriate for the key identified by kid and MUST NOT be
2719 "none".
2721 To protect the request, the JWS header MUST contain the following
2722 additional fields.
2724 htm The HTTP Method used to make this request, as an uppercase ASCII
2725 string.
2727 htu The HTTP URI used for this request, including all path and query
2728 components.
2730 ts A timestamp of the request in integer seconds
2732 [[ Editor's note: It's not the usual practice to put additional
2733 information into the header of a JWS, but this keeps us from having
2734 to modify the body to use this signature method. ]]
2736 The payload of the JWS object is the JSON serialized body of the
2737 request, and the object is signed according to JWS and serialized
2738 into compact form [RFC7515].
2740 The RC presents the JWS as the body of the request along with a
2741 content type of "application/jose". The AS MUST extract the payload
2742 of the JWS and treat it as the request body for further processing.
2744 POST /tx HTTP/1.1
2745 Host: server.example.com
2746 Content-Type: application/jose
2748 eyJiNjQiOmZhbHNlLCJhbGciOiJSUzI1NiIsImtpZCI6Inh5ei0xIn0.ewogICAgIm
2749 NsaWVudCI6IHsKICAgICAgICAibmFtZSI6ICJNeSBDbGllbnQgRGlzcGxheSBOYW1l
2750 IiwKICAgICAgICAidXJpIjogImh0dHBzOi8vZXhhbXBsZS5uZXQvY2xpZW50IgogIC
2751 AgfSwKICAgICJyZXNvdXJjZXMiOiBbCiAgICAgICAgImRvbHBoaW4tbWV0YWRhdGEi
2752 CiAgICBdLAogICAgImludGVyYWN0IjogewogICAgICAgICJyZWRpcmVjdCI6IHRydW
2753 UsCiAgICAgICAgImNhbGxiYWNrIjogewogICAgCQkidXJpIjogImh0dHBzOi8vY2xp
2754 ZW50LmZvbyIsCiAgICAJCSJub25jZSI6ICJWSkxPNkE0Q0FZTEJYSFRSMEtSTyIKIC
2755 AgIAl9CiAgICB9LAogICAgImtleXMiOiB7CgkJInByb29mIjogImp3c2QiLAogICAg
2756 ICAgICJqd2tzIjogewogICAgICAgICAgICAia2V5cyI6IFsKICAgICAgICAgICAgIC
2757 AgIHsKICAgICAgICAgICAgICAgICAgICAia3R5IjogIlJTQSIsCiAgICAgICAgICAg
2758 ICAgICAgICAgImUiOiAiQVFBQiIsCiAgICAgICAgICAgICAgICAgICAgImtpZCI6IC
2759 J4eXotMSIsCiAgICAgICAgICAgICAgICAgICAgImFsZyI6ICJSUzI1NiIsCiAgICAg
2760 ICAgICAgICAgICAgICAgIm4iOiAia09CNXJSNEp2MEdNZUxhWTZfSXRfcjNPUndkZj
2761 hjaV9KdGZmWHlhU3g4eFlKQ0NOYU9LTkpuX096MFloZEhiWFRlV081QW95c3BEV0pi
2762 TjV3XzdiZFdEeGdwRC15NmpuRDF1OVloQk9DV09iTlBGdnBrVE04TEM3U2RYR1JLeD
2763 JrOE1lMnJfR3NzWWx5UnBxdnBCbFk1LWVqQ3l3S1JCZmN0UmNuaFRUR056dGJiREJV
2764 eURTV21GTVZDSGU1bVhUNGNMMEJ3clpDNlMtdXUtTEF4MDZhS3dRT1B3WU9HT3NsSz
2765 hXUG0xeUdka2FBMXVGX0ZwUzZMUzYzV1lQSGlfQXAyQjdfOFdidzR0dHpiTVNfZG9K
2766 dnVEYWdXOEExSXAzZlhGQUh0UkFjS3c3cmRJNF9YbG42NmhKeEZla3BkZldkaVBRZG
2767 RRNlkxY0syVTNvYnZVZzd3IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBd
2768 CiAgICAgICAgfQogICAgfQp9.Y287HMtaY0EegEjoTd_04a4GC6qV48GgVbGKOhHdJ
2769 nDtD0VuUlVjLfwne8AuUY3U7e89zUWwXLnAYK_BiS84M8EsrFvmv8yDLWzqveeIpcN
2770 5_ysveQnYt9Dqi32w6IOtAywkNUDZeJEdc3z5s9Ei8qrYFN2fxcu28YS4e8e_cHTK5
2771 7003WJu-wFn2TJUmAbHuqvUsyTb-nzYOKxuCKlqQItJF7E-cwSb_xULu-3f77BEU_v
2772 GbNYo5ZBa2B7UHO-kWNMSgbW2yeNNLbLC18Kv80GF22Y7SbZt0e2TwnR2Aa2zksuUb
2773 ntQ5c7a1-gxtnXzuIKa34OekrnyqE1hmVWpeQ
2775 [[ Editor's note: A downside to this method is that it requires the
2776 content type to be something other than application/json, and it
2777 doesn't work against an RS without additional profiling since it
2778 requires things to be sent in the body. Additionally it is
2779 potentially fragile like a detached JWS since a multi-tier system
2780 could parse the payload and pass the parsed payload downstream with
2781 potential transformations. Furthermore, it doesn't protect the
2782 method or URL of the request in the signature. We might want to
2783 remove this in favor of general-purpose HTTP signing. ]]
2785 8.3. Mutual TLS
2787 This method is indicated by "mtls" in the "proof" field. The RC
2788 presents its client certificate during TLS negotiation with the
2789 server (either AS or RS). The AS or RS takes the thumbprint of the
2790 client certificate presented during mutual TLS negotiation and
2791 compares that thumbprint to the thumbprint presented by the RC
2792 application as described in [RFC8705] section 3.
2794 POST /tx HTTP/1.1
2795 Host: server.example.com
2796 Content-Type: application/json
2797 SSL_CLIENT_CERT: MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmjE3MDUGA1UEAwwuQmVz
2798 cG9rZSBFbmdpbmVlcmluZyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTELMAkG
2799 A1UECAwCTUExCzAJBgNVBAYTAlVTMRkwFwYJKoZIhvcNAQkBFgpjYUBic3BrLmlv
2800 MRwwGgYDVQQKDBNCZXNwb2tlIEVuZ2luZWVyaW5nMQwwCgYDVQQLDANNVEkwHhcN
2801 MTkwNDEwMjE0MDI5WhcNMjQwNDA4MjE0MDI5WjB8MRIwEAYDVQQDDAlsb2NhbGhv
2802 c3QxCzAJBgNVBAgMAk1BMQswCQYDVQQGEwJVUzEgMB4GCSqGSIb3DQEJARYRdGxz
2803 Y2xpZW50QGJzcGsuaW8xHDAaBgNVBAoME0Jlc3Bva2UgRW5naW5lZXJpbmcxDDAK
2804 BgNVBAsMA01USTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmaXQHb
2805 s/wc1RpsQ6Orzf6rN+q2ijaZbQxD8oi+XaaN0P/gnE13JqQduvdq77OmJ4bQLokq
2806 sd0BexnI07Njsl8nkDDYpe8rNve5TjyUDCfbwgS7U1CluYenXmNQbaYNDOmCdHww
2807 UjV4kKREg6DGAx22Oq7+VHPTeeFgyw4kQgWRSfDENWY3KUXJlb/vKR6lQ+aOJytk
2808 vj8kVZQtWupPbvwoJe0na/ISNAOhL74w20DWWoDKoNltXsEtflNljVoi5nqsmZQc
2809 jfjt6LO0T7O1OX3Cwu2xWx8KZ3n/2ocuRqKEJHqUGfeDtuQNt6Jz79v/OTr8puLW
2810 aD+uyk6NbtGjoQsCAwEAAaOBiTCBhjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DBs
2811 BgNVHREEZTBjgglsb2NhbGhvc3SCD3Rsc2NsaWVudC5sb2NhbIcEwKgBBIERdGxz
2812 Y2xpZW50QGJzcGsuaW+GF2h0dHA6Ly90bHNjbGllbnQubG9jYWwvhhNzc2g6dGxz
2813 Y2xpZW50LmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQCKKv8WlLrT4Z5NazaUrYtl
2814 TF+2v0tvZBQ7qzJQjlOqAcvxry/d2zyhiRCRS/v318YCJBEv4Iq2W3I3JMMyAYEe
2815 2573HzT7rH3xQP12yZyRQnetdiVM1Z1KaXwfrPDLs72hUeELtxIcfZ0M085jLboX
2816 hufHI6kqm3NCyCCTihe2ck5RmCc5l2KBO/vAHF0ihhFOOOby1v6qbPHQcxAU6rEb
2817 907/p6BW/LV1NCgYB1QtFSfGxowqb9FRIMD2kvMSmO0EMxgwZ6k6spa+jk0IsI3k
2818 lwLW9b+Tfn/daUbIDctxeJneq2anQyU2znBgQl6KILDSF4eaOqlBut/KNZHHazJh
2820 {
2821 "display": {
2822 "name": "My Client Display Name",
2823 "uri": "https://example.net/client"
2824 },
2825 "resources": [
2826 "dolphin-metadata"
2827 ],
2828 "interact": {
2829 "redirect": true,
2830 "callback": {
2831 "method": "redirect",
2832 "uri": "https://client.foo",
2833 "nonce": "VJLO6A4CAYLBXHTR0KRO"
2834 }
2835 },
2836 "key": {
2837 "proof": "mtls",
2838 "cert": "MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmjE3
2839 MDUGA1UEAwwuQmVzcG9rZSBFbmdpbmVlcmluZyBSb290IENlcnRpZmljYXRlIEF1d
2840 Ghvcml0eTELMAkGA1UECAwCTUExCzAJBgNVBAYTAlVTMRkwFwYJKoZIhvcNAQkBFg
2841 pjYUBic3BrLmlvMRwwGgYDVQQKDBNCZXNwb2tlIEVuZ2luZWVyaW5nMQwwCgYDVQQ
2842 LDANNVEkwHhcNMTkwNDEwMjE0MDI5WhcNMjQwNDA4MjE0MDI5WjB8MRIwEAYDVQQD
2843 DAlsb2NhbGhvc3QxCzAJBgNVBAgMAk1BMQswCQYDVQQGEwJVUzEgMB4GCSqGSIb3D
2844 QEJARYRdGxzY2xpZW50QGJzcGsuaW8xHDAaBgNVBAoME0Jlc3Bva2UgRW5naW5lZX
2845 JpbmcxDDAKBgNVBAsMA01USTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggE
2846 BAMmaXQHbs/wc1RpsQ6Orzf6rN+q2ijaZbQxD8oi+XaaN0P/gnE13JqQduvdq77Om
2847 J4bQLokqsd0BexnI07Njsl8nkDDYpe8rNve5TjyUDCfbwgS7U1CluYenXmNQbaYND
2848 OmCdHwwUjV4kKREg6DGAx22Oq7+VHPTeeFgyw4kQgWRSfDENWY3KUXJlb/vKR6lQ+
2849 aOJytkvj8kVZQtWupPbvwoJe0na/ISNAOhL74w20DWWoDKoNltXsEtflNljVoi5nq
2850 smZQcjfjt6LO0T7O1OX3Cwu2xWx8KZ3n/2ocuRqKEJHqUGfeDtuQNt6Jz79v/OTr8
2851 puLWaD+uyk6NbtGjoQsCAwEAAaOBiTCBhjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4
2852 DBsBgNVHREEZTBjgglsb2NhbGhvc3SCD3Rsc2NsaWVudC5sb2NhbIcEwKgBBIERdG
2853 xzY2xpZW50QGJzcGsuaW+GF2h0dHA6Ly90bHNjbGllbnQubG9jYWwvhhNzc2g6dGx
2854 zY2xpZW50LmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQCKKv8WlLrT4Z5NazaUrYtl
2855 TF+2v0tvZBQ7qzJQjlOqAcvxry/d2zyhiRCRS/v318YCJBEv4Iq2W3I3JMMyAYEe2
2856 573HzT7rH3xQP12yZyRQnetdiVM1Z1KaXwfrPDLs72hUeELtxIcfZ0M085jLboXhu
2857 fHI6kqm3NCyCCTihe2ck5RmCc5l2KBO/vAHF0ihhFOOOby1v6qbPHQcxAU6rEb907
2858 /p6BW/LV1NCgYB1QtFSfGxowqb9FRIMD2kvMSmO0EMxgwZ6k6spa+jk0IsI3klwLW
2859 9b+Tfn/daUbIDctxeJneq2anQyU2znBgQl6KILDSF4eaOqlBut/KNZHHazJh"
2860 }
2861 }
2863 [[ Editor's note: ]]
2865 8.4. DPoP
2867 This method is indicated by "dpop" in the "proof" field. The RC
2868 creates a Demonstration of Proof-of-Possession signature header as
2869 described in [I-D.ietf-oauth-dpop] section 2. In addition to the
2870 required fields, the DPoP body MUST also contain a digest of the
2871 request body:
2873 digest Digest of the request body as the value of the Digest header
2874 defined in [RFC3230].
2876 POST /tx HTTP/1.1
2877 Host: server.example.com
2878 Content-Type: application/json
2879 DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IlJTMjU2IiwiandrIjp7Imt0eSI6Il
2880 JTQSIsImUiOiJBUUFCIiwia2lkIjoieHl6LWNsaWVudCIsImFsZyI6IlJTMjU2Iiwibi
2881 I6Inp3Q1RfM2J4LWdsYmJIcmhlWXBZcFJXaVk5SS1uRWFNUnBablJySWpDczZiX2VteV
2882 RrQmtEREVqU3lzaTM4T0M3M2hqMS1XZ3hjUGRLTkdaeUlvSDNRWmVuMU1LeXloUXBMSk
2883 cxLW9MTkxxbTdwWFh0ZFl6U2RDOU8zLW9peXk4eWtPNFlVeU5aclJSZlBjaWhkUUNiT1
2884 9PQzhRdWdtZzlyZ05ET1NxcHBkYU5lYXMxb3Y5UHhZdnhxcnoxLThIYTdna0QwMFlFQ1
2885 hIYUIwNXVNYVVhZEhxLU9fV0l2WVhpY2c2STVqNlM0NFZOVTY1VkJ3dS1BbHluVHhRZE
2886 1BV1AzYll4VlZ5NnAzLTdlVEpva3ZqWVRGcWdEVkRaOGxVWGJyNXlDVG5SaG5oSmd2Zj
2887 NWakRfbWFsTmU4LXRPcUs1T1NEbEhUeTZnRDlOcWRHQ20tUG0zUSJ9fQ.eyJodHRwX21
2888 ldGhvZCI6IlBPU1QiLCJodHRwX3VyaSI6Imh0dHA6XC9cL2hvc3QuZG9ja2VyLmludGV
2889 ybmFsOjk4MzRcL2FwaVwvYXNcL3RyYW5zYWN0aW9uIiwiaWF0IjoxNTcyNjQyNjEzLCJ
2890 qdGkiOiJIam9IcmpnbTJ5QjR4N2pBNXl5RyJ9.aUhftvfw2NoW3M7durkopReTvONng1
2891 fOzbWjAlKNSLL0qIwDgfG39XUyNvwQ23OBIwe6IuvTQ2UBBPklPAfJhDTKd8KHEAfidN
2892 B-LzUOzhDetLg30yLFzIpcEBMLCjb0TEsmXadvxuNkEzFRL-Q-QCg0AXSF1h57eAqZV8
2893 SYF4CQK9OUV6fIWwxLDd3cVTx83MgyCNnvFlG_HDyim1Xx-rxV4ePd1vgDeRubFb6QWj
2894 iKEO7vj1APv32dsux67gZYiUpjm0wEZprjlG0a07R984KLeK1XPjXgViEwEdlirUmpVy
2895 T9tyEYqGrTfm5uautELgMls9sgSyE929woZ59elg
2897 {
2898 "display": {
2899 "name": "My Client Display Name",
2900 "uri": "https://example.net/client"
2901 },
2902 "resources": [
2903 "dolphin-metadata"
2904 ],
2905 "interact": {
2906 "redirect": true,
2907 "callback": {
2908 "method": "redirect",
2909 "uri": "https://client.foo",
2910 "nonce": "VJLO6A4CAYLBXHTR0KRO"
2911 }
2912 },
2913 "key": {
2914 "proof": "dpop",
2915 "jwk": {
2916 "kty": "RSA",
2917 "e": "AQAB",
2918 "kid": "xyz-1",
2919 "alg": "RS256",
2920 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8xYJ
2921 CCNaOKNJn_Oz0YhdHbXTeWO5AoyspDWJbN5w_7bdWDxgpD-y6jnD1u9YhBOCWObNPFvpkTM
2922 8LC7SdXGRKx2k8Me2r_GssYlyRpqvpBlY5-ejCywKRBfctRcnhTTGNztbbDBUyDSWmFMVCH
2923 e5mXT4cL0BwrZC6S-uu-LAx06aKwQOPwYOGOslK8WPm1yGdkaA1uF_FpS6LS63WYPHi_Ap2
2924 B7_8Wbw4ttzbMS_doJvuDagW8A1Ip3fXFAHtRAcKw7rdI4_Xln66hJxFekpdfWdiPQddQ6Y
2925 1cK2U3obvUg7w"
2926 }
2927 }
2928 }
2930 [[ Editor's note: this method requires duplication of the key in the
2931 header and the request body, which is redundant and potentially
2932 awkward. The signature also doesn't protect the body of the request.
2933 ]]
2935 8.5. HTTP Signing
2937 This method is indicated by "httpsig" in the "proof" field. The RC
2938 creates an HTTP Signature header as described in
2939 [I-D.ietf-httpbis-message-signatures] section 4. The RC MUST
2940 calculate and present the Digest header as defined in [RFC3230] and
2941 include this header in the signature.
2943 POST /tx HTTP/1.1
2944 Host: server.example.com
2945 Content-Type: application/json
2946 Content-Length: 716
2947 Signature: keyId="xyz-client", algorithm="rsa-sha256",
2948 headers="(request-target) digest content-length",
2949 signature="TkehmgK7GD/z4jGkmcHS67cjVRgm3zVQNlNrrXW32Wv7d
2950 u0VNEIVI/dMhe0WlHC93NP3ms91i2WOW5r5B6qow6TNx/82/6W84p5jqF
2951 YuYfTkKYZ69GbfqXkYV9gaT++dl5kvZQjVk+KZT1dzpAzv8hdk9nO87Xi
2952 rj7qe2mdAGE1LLc3YvXwNxuCQh82sa5rXHqtNT1077fiDvSVYeced0UEm
2953 rWwErVgr7sijtbTohC4FJLuJ0nG/KJUcIG/FTchW9rd6dHoBnY43+3Dzj
2954 CIthXpdH5u4VX3TBe6GJDO6Mkzc6vB+67OWzPwhYTplUiFFV6UZCsDEeu
2955 Sa/Ue1yLEAMg=="]}
2956 Digest: SHA=oZz2O3kg5SEFAhmr0xEBbc4jEfo=
2958 {
2959 "display": {
2960 "name": "My Client Display Name",
2961 "uri": "https://example.net/client"
2962 },
2963 "resources": [
2964 "dolphin-metadata"
2965 ],
2966 "interact": {
2967 "redirect": true,
2968 "callback": {
2969 "method": "push",
2970 "uri": "https://client.foo",
2971 "nonce": "VJLO6A4CAYLBXHTR0KRO"
2973 }
2974 },
2975 "key": {
2976 "proof": "httpsig",
2977 "jwk": {
2978 "kty": "RSA",
2979 "e": "AQAB",
2980 "kid": "xyz-1",
2981 "alg": "RS256",
2982 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_J
2983 tffXyaSx8xYJCCNaOKNJn_Oz0YhdHbXTeWO5AoyspDWJbN5w_7bdWDxgpD-
2984 y6jnD1u9YhBOCWObNPFvpkTM8LC7SdXGRKx2k8Me2r_GssYlyRpqvpBlY5-
2985 ejCywKRBfctRcnhTTGNztbbDBUyDSWmFMVCHe5mXT4cL0BwrZC6S-uu-LAx
2986 06aKwQOPwYOGOslK8WPm1yGdkaA1uF_FpS6LS63WYPHi_Ap2B7_8Wbw4ttz
2987 bMS_doJvuDagW8A1Ip3fXFAHtRAcKw7rdI4_Xln66hJxFekpdfWdiPQddQ6
2988 Y1cK2U3obvUg7w"
2989 }
2990 }
2991 }
2993 When used to present an access token as in Section 7, the
2994 Authorization header MUST be included in the signature.
2996 8.6. OAuth PoP
2998 This method is indicated by "oauthpop" in the "proof" field. The RC
2999 creates an HTTP Authorization PoP header as described in
3000 [I-D.ietf-oauth-signed-http-request] section 4, with the following
3001 additional requirements:
3003 * The at (access token) field MUST be omitted unless this method is
3004 being used in conjunction with an access token as in Section 7.
3005 [[ Editor's note: this is in contradiction to the referenced spec
3006 which makes this field mandatory. ]]
3008 * The b (body hash) field MUST be calculated and supplied
3010 * All components of the URL MUST be calculated and supplied
3012 * The m (method) field MUST be supplied
3014 POST /tx HTTP/1.1
3015 Host: server.example.com
3016 Content-Type: application/json
3017 PoP: eyJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJlIjoi
3018 QVFBQiIsImtpZCI6Inh5ei1jbGllbnQiLCJhbGciOiJSUzI1NiIsIm4iO
3019 iJ6d0NUXzNieC1nbGJiSHJoZVlwWXBSV2lZOUktbkVhTVJwWm5ScklqQ3
3020 M2Yl9lbXlUa0JrRERFalN5c2kzOE9DNzNoajEtV2d4Y1BkS05HWnlJb0g
3021 zUVplbjFNS3l5aFFwTEpHMS1vTE5McW03cFhYdGRZelNkQzlPMy1vaXl5
3022 OHlrTzRZVXlOWnJSUmZQY2loZFFDYk9fT0M4UXVnbWc5cmdORE9TcXBwZ
3023 GFOZWFzMW92OVB4WXZ4cXJ6MS04SGE3Z2tEMDBZRUNYSGFCMDV1TWFVYW
3024 RIcS1PX1dJdllYaWNnNkk1ajZTNDRWTlU2NVZCd3UtQWx5blR4UWRNQVd
3025 QM2JZeFZWeTZwMy03ZVRKb2t2allURnFnRFZEWjhsVVhicjV5Q1RuUmhu
3026 aEpndmYzVmpEX21hbE5lOC10T3FLNU9TRGxIVHk2Z0Q5TnFkR0NtLVBtM
3027 1EifX0.eyJwIjoiXC9hcGlcL2FzXC90cmFuc2FjdGlvbiIsImIiOiJxa0
3028 lPYkdOeERhZVBTZnc3NnFjamtqSXNFRmxDb3g5bTU5NFM0M0RkU0xBIiw
3029 idSI6Imhvc3QuZG9ja2VyLmludGVybmFsIiwiaCI6W1siQWNjZXB0Iiwi
3030 Q29udGVudC1UeXBlIiwiQ29udGVudC1MZW5ndGgiXSwiVjQ2OUhFWGx6S
3031 k9kQTZmQU5oMmpKdFhTd3pjSGRqMUloOGk5M0h3bEVHYyJdLCJtIjoiUE
3032 9TVCIsInRzIjoxNTcyNjQyNjEwfQ.xyQ47qy8bu4fyK1T3Ru1Sway8wp6
3033 5rfAKnTQQU92AUUU07I2iKoBL2tipBcNCC5zLH5j_WUyjlN15oi_lLHym
3034 fPdzihtt8_Jibjfjib5J15UlifakjQ0rHX04tPal9PvcjwnyZHFcKn-So
3035 Y3wsARn-gGwxpzbsPhiKQP70d2eG0CYQMA6rTLslT7GgdQheelhVFW29i
3036 27NcvqtkJmiAG6Swrq4uUgCY3zRotROkJ13qo86t2DXklV-eES4-2dCxf
3037 cWFkzBAr6oC4Qp7HnY_5UT6IWkRJt3efwYprWcYouOVjtRan3kEtWkaWr
3038 G0J4bPVnTI5St9hJYvvh7FE8JirIg
3040 {
3041 "display": {
3042 "name": "My Client Display Name",
3043 "uri": "https://example.net/client"
3044 },
3045 "resources": [
3046 "dolphin-metadata"
3047 ],
3048 "interact": {
3049 "redirect": true,
3050 "callback": {
3051 "method": "redirect",
3052 "uri": "https://client.foo",
3053 "nonce": "VJLO6A4CAYLBXHTR0KRO"
3054 }
3055 },
3056 "key": {
3057 "proof": "oauthpop",
3058 "jwk": {
3059 "kty": "RSA",
3060 "e": "AQAB",
3061 "kid": "xyz-1",
3062 "alg": "RS256",
3063 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_J
3064 tffXyaSx8xYJCCNaOKNJn_Oz0YhdHbXTeWO5AoyspDWJbN5w_7bdWDxgpD-
3065 y6jnD1u9YhBOCWObNPFvpkTM8LC7SdXGRKx2k8Me2r_GssYlyRpqvpBlY5-
3066 ejCywKRBfctRcnhTTGNztbbDBUyDSWmFMVCHe5mXT4cL0BwrZC6S-uu-LAx
3067 06aKwQOPwYOGOslK8WPm1yGdkaA1uF_FpS6LS63WYPHi_Ap2B7_8Wbw4ttz
3068 bMS_doJvuDagW8A1Ip3fXFAHtRAcKw7rdI4_Xln66hJxFekpdfWdiPQddQ6
3069 Y1cK2U3obvUg7w"
3070 }
3071 }
3072 }
3074 [[ Editor's note: This is a stale draft from the OAuth working group,
3075 but it does at least provide some basic functionality for protecting
3076 HTTP messages with a signature. This work is likely to be subsumed
3077 by the general-purpose HTTP message signature mechanism in
3078 Section 8.5. ]]
3080 9. Discovery
3082 By design, the protocol minimizes the need for any pre-flight
3083 discovery. To begin a request, the RC only needs to know the
3084 endpoint of the AS and which keys it will use to sign the request.
3085 Everything else can be negotiated dynamically in the course of the
3086 protocol.
3088 However, the AS can have limits on its allowed functionality. If the
3089 RC wants to optimize its calls to the AS before making a request, it
3090 MAY send an HTTP OPTIONS request to the grant request endpoint to
3091 retrieve the server's discovery information. The AS MUST respond
3092 with a JSON document containing the following information:
3094 grant_request_endpoint REQUIRED. The full URL of the AS's grant
3095 request endpoint. This MUST match the URL the RC used to make the
3096 discovery request.
3098 capabilities OPTIONAL. A list of the AS's capabilities. The values
3099 of this result MAY be used by the RC in the capabilities section
3100 (Section 2.7) of the request.
3102 interaction_methods OPTIONAL. A list of the AS's interaction
3103 methods. The values of this list correspond to the possible
3104 fields in the interaction section (Section 2.5) of the request.
3106 key_proofs OPTIONAL. A list of the AS's supported key proofing
3107 mechanisms. The values of this list correspond to possible values
3108 of the "proof" field of the key section (Section 2.3) of the
3109 request.
3111 sub_ids OPTIONAL. A list of the AS's supported identifiers. The
3112 values of this list correspond to possible values of the subject
3113 identifier section (Section 2.2) of the request.
3115 assertions OPTIONAL. A list of the AS's supported assertion
3116 formats. The values of this list correspond to possible values of
3117 the subject assertion section (Section 2.2) of the request.
3119 The information returned from this method is for optimization
3120 purposes only. The AS MAY deny any request, or any portion of a
3121 request, even if it lists a capability as supported. For example, a
3122 given RC can be registered with the "mtls" key proofing mechanism,
3123 but the AS also returns other proofing methods, then the AS will deny
3124 a request from that RC using a different proofing mechanism.
3126 10. Resource Servers
3128 In some deployments, a resource server will need to be able to call
3129 the AS for a number of functions.
3131 [[ Editor's note: This section is for discussion of possible advanced
3132 functionality. It seems like it should be a separate document or set
3133 of documents, and it's not even close to being well-baked. This also
3134 adds additional endpoints to the AS, as this is separate from the
3135 token request process, and therefore would require RS-facing
3136 discovery or configuration information to make it work. Also-also,
3137 it does presume the RS can sign requests in the same way that a
3138 client does, but hopefully we can be more consistent with this than
3139 RFC7662 was able to do. ]]
3141 10.1. Introspecting a Token
3143 When the RS receives an access token, it can call the introspection
3144 endpoint at the AS to get token information. [[ Editor's note: this
3145 isn't super different from the token management URIs, but the RS has
3146 no way to get that URI, and it's bound to the RS's keys instead of
3147 the RC's or token's keys. ]]
3149 +------+ +------+ +------+
3150 | RC |--(1)->| RS | | AS |
3151 | | | |--(2)->| |
3152 | | | |<-(3)--| |
3153 | | | | +------+
3154 | |<-(4)--| |
3155 +------+ +------+
3157 1. The RC calls the RS with its access token.
3159 2. The RS introspects the access token value at the AS. The RS
3160 signs the request with its own key (not the RC's key or the
3161 token's key).
3163 3. The AS validates the token value and the RC's request and returns
3164 the introspection response for the token.
3166 4. The RS fulfills the request from the RC.
3168 The RS signs the request with its own key and sends the access token
3169 as the body of the request.
3171 POST /introspect HTTP/1.1
3172 Host: server.example.com
3173 Content-type: application/json
3174 Detached-JWS: ejy0...
3176 {
3177 "access_token": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
3178 }
3180 The AS responds with a data structure describing the token's current
3181 state and any information the RS would need to validate the token's
3182 presentation, such as its intended proofing mechanism and key
3183 material.
3185 Content-type: application/json
3187 {
3188 "active": true,
3189 "resources": [
3190 "dolphin-metadata", "some other thing"
3191 ],
3192 "proof": "httpsig",
3193 "key": {
3194 "jwk": {
3195 "kty": "RSA",
3196 "e": "AQAB",
3197 "kid": "xyz-1",
3198 "alg": "RS256",
3199 "n": "kOB5rR4Jv0GMeL...."
3200 }
3201 }
3202 }
3204 10.2. Deriving a downstream token
3206 Some architectures require an RS to act as an RC and request a
3207 derived access token for a secondary RS. This internal token is
3208 issued in the context of the incoming access token.
3210 +------+ +-------+ +------+ +-------+
3211 | RC |--(1)->| RS1 | | AS | | RS2 |
3212 | | | |--(2)->| | | |
3213 | | | |<-(3)--| | | |
3214 | | | | +------+ | |
3215 | | | | | |
3216 | | | |-----------(4)------->| |
3217 | | | |<----------(5)--------| |
3218 | |<-(6)--| | | |
3219 +------+ +-------+ +-------+
3221 1. The RC calls RS1 with an access token.
3223 2. RS1 presents that token to the AS to get a derived token for use
3224 at RS2. RS1 indicates that it has no ability to interact with
3225 the RO. RS1 signs its request with its own key, not the token's
3226 key or the RC's key.
3228 3. The AS returns a derived token to RS1 for use at RS2.
3230 4. RS1 calls RS2 with the token from (3).
3232 5. RS2 fulfills the call from RS1.
3234 6. RS1 fulfills the call from RC.
3236 If the RS needs to derive a token from one presented to it, it can
3237 request one from the AS by making a token request as described in
3238 Section 2 and presenting the existing access token's value in the
3239 "existing_access_token" field.
3241 The RS MUST identify itself with its own key and sign the request.
3243 [[ Editor's note: this is similar to Section 2.8 but based on the
3244 access token and not the grant. We might be able to re-use that
3245 function: the fact that the keys presented are not the ones used for
3246 the access token should indicate that it's a different party and a
3247 different kind of request, but there might be some subtle security
3248 issues there. ]]
3250 POST /tx HTTP/1.1
3251 Host: server.example.com
3252 Content-type: application/json
3253 Detached-JWS: ejy0...
3255 {
3256 "resources": [
3257 {
3258 "actions": [
3259 "read",
3260 "write",
3261 "dolphin"
3262 ],
3263 "locations": [
3264 "https://server.example.net/",
3265 "https://resource.local/other"
3266 ],
3267 "datatypes": [
3268 "metadata",
3269 "images"
3270 ]
3271 },
3272 "dolphin-metadata"
3273 ],
3274 "key": "7C7C4AZ9KHRS6X63AJAO",
3275 "existing_access_token": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0"
3276 }
3278 The AS responds with a token as described in Section 3.
3280 10.3. Registering a Resource Handle
3282 If the RS needs to, it can post a set of resources as described in
3283 Section 2.1.1 to the AS's resource registration endpoint.
3285 The RS MUST identify itself with its own key and sign the request.
3287 POST /resource HTTP/1.1
3288 Host: server.example.com
3289 Content-type: application/json
3290 Detached-JWS: ejy0...
3292 {
3293 "resources": [
3294 {
3295 "actions": [
3296 "read",
3297 "write",
3298 "dolphin"
3299 ],
3300 "locations": [
3301 "https://server.example.net/",
3302 "https://resource.local/other"
3303 ],
3304 "datatypes": [
3305 "metadata",
3306 "images"
3307 ]
3308 },
3309 "dolphin-metadata"
3310 ],
3311 "key": "7C7C4AZ9KHRS6X63AJAO"
3313 }
3315 The AS responds with a handle appropriate to represent the resources
3316 list that the RS presented.
3318 Content-type: application/json
3320 {
3321 "resource_handle": "FWWIKYBQ6U56NL1"
3322 }
3324 The RS MAY make this handle available as part of a response
3325 (Section 10.4) or as documentation to developers.
3327 [[ Editor's note: It's not an exact match here because the
3328 "resource_handle" returned now represents a collection of objects
3329 instead of a single one. Perhaps we should let this return a list of
3330 strings instead? Or use a different syntax than the resource
3331 request? Also, this borrows heavily from UMA 2's "distributed
3332 authorization" model and, like UMA, might be better suited to an
3333 extension than the core protocol. ]]
3335 10.4. Requesting a Resources With Insufficient Access
3337 If the RC calls an RS without an access token, or with an invalid
3338 access token, the RS MAY respond to the RC with an authentication
3339 header indicating that GNAP. The address of the GNAP endpoint MUST
3340 be sent in the "as_uri" parameter. The RS MAY additionally return a
3341 resource reference that the RC MAY use in its resource request
3342 (Section 2.1). This resource reference handle SHOULD be sufficient
3343 for at least the action the RC was attempting to take at the RS. The
3344 RS MAY use the dynamic resource handle request (Section 10.3) to
3345 register a new resource handle, or use a handle that has been pre-
3346 configured to represent what the AS is protecting. The content of
3347 this handle is opaque to the RS and the RC.
3349 WWW-Authenticate: GNAP as_uri=http://server.example/tx,resource=FWWIKYBQ6U56NL1
3351 The RC then makes a call to the "as_uri" as described in Section 2,
3352 with the value of "resource" as one of the members of a "resources"
3353 array Section 2.1.1. The RC MAY request additional resources and
3354 other information, and MAY request multiple access tokens.
3356 [[ Editor's note: this borrows heavily from UMA 2's "distributed
3357 authorization" model and, like UMA, might be better suited to an
3358 extension than the core protocol. ]]
3360 11. Acknowledgements
3362 The author would like to thank the feedback of the following
3363 individuals for their reviews, implementations, and contributions:
3364 Aaron Parecki, Annabelle Backman, Dick Hardt, Dmitri Zagidulin,
3365 Dmitry Barinov, Fabien Imbault, Francis Pouatcha, George Fletcher,
3366 Haardik Haardik, Hamid Massaoud, Jacky Yuan, Joseph Heenan, Kathleen
3367 Moriarty, Mike Jones, Mike Varley, Nat Sakimura, Takahiko Kawasaki,
3368 Takahiro Tsuchiya.
3370 In particular, the author would like to thank Aaron Parecki and Mike
3371 Jones for insights into how to integrate identity and authentication
3372 systems into the core protocol, and to Dick Hardt for the use cases,
3373 diagrams, and insights provided in the XAuth proposal that have been
3374 incorporated here. The author would like to especially thank Mike
3375 Varley and the team at SecureKey for feedback and development of
3376 early versions of the XYZ protocol that fed into this standards work.
3378 12. IANA Considerations
3380 [[ TBD: There are a lot of items in the document that are expandable
3381 through the use of value registries. ]]
3383 13. Security Considerations
3385 [[ TBD: There are a lot of security considerations to add. ]]
3387 All requests have to be over TLS or equivalent as per [BCP195]. Many
3388 handles act as shared secrets, though they can be combined with a
3389 requirement to provide proof of a key as well.
3391 14. Privacy Considerations
3393 [[ TBD: There are a lot of privacy considerations to add. ]]
3395 Handles are passed between parties and therefore should not contain
3396 any private data.
3398 When user information is passed to the RC, the AS needs to make sure
3399 that it has the permission to do so.
3401 15. Normative References
3403 [BCP195] "Recommendations for Secure Use of Transport Layer
3404 Security (TLS) and Datagram Transport Layer Security
3405 (DTLS)", 2015, .
3407 [I-D.ietf-httpbis-message-signatures]
3408 Backman, A., Richer, J., and M. Sporny, "Signing HTTP
3409 Messages", Work in Progress, Internet-Draft, draft-ietf-
3410 httpbis-message-signatures-00, April 10, 2020,
3411 .
3414 [I-D.ietf-oauth-dpop]
3415 Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
3416 Jones, M., and D. Waite, "OAuth 2.0 Demonstration of
3417 Proof-of-Possession at the Application Layer (DPoP)", Work
3418 in Progress, Internet-Draft, draft-ietf-oauth-dpop-01, May
3419 1, 2020, .
3422 [I-D.ietf-oauth-signed-http-request]
3423 Richer, J., Bradley, J., and H. Tschofenig, "A Method for
3424 Signing HTTP Requests for OAuth", Work in Progress,
3425 Internet-Draft, draft-ietf-oauth-signed-http-request-03,
3426 August 8, 2016, .
3429 [I-D.ietf-secevent-subject-identifiers]
3430 Backman, A. and M. Scurtescu, "Subject Identifiers for
3431 Security Event Tokens", Work in Progress, Internet-Draft,
3432 draft-ietf-secevent-subject-identifiers-06, September 4,
3433 2020, .
3436 [OIDC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
3437 C. Mortimore, "OpenID Connect Core 1.0 incorporating
3438 errata set 1", November 2014,
3439 .
3441 [OIDC4IA] Lodderstedt, T. and D. Fett, "OpenID Connect for Identity
3442 Assurance 1.0", October 2019, .
3445 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
3446 Requirement Levels", BCP 14, RFC 2119,
3447 DOI 10.17487/RFC2119, March 1997,
3448 .
3450 [RFC3230] Mogul, J. and A. Van Hoff, "Instance Digests in HTTP",
3451 RFC 3230, DOI 10.17487/RFC3230, January 2002,
3452 .
3454 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
3455 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
3456 September 2009, .
3458 [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
3459 RFC 6749, DOI 10.17487/RFC6749, October 2012,
3460 .
3462 [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
3463 Framework: Bearer Token Usage", RFC 6750,
3464 DOI 10.17487/RFC6750, October 2012,
3465 .
3467 [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
3468 Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
3469 2015, .
3471 [RFC7797] Jones, M., "JSON Web Signature (JWS) Unencoded Payload
3472 Option", RFC 7797, DOI 10.17487/RFC7797, February 2016,
3473 .
3475 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
3476 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
3477 May 2017, .
3479 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
3480 Interchange Format", STD 90, RFC 8259,
3481 DOI 10.17487/RFC8259, December 2017,
3482 .
3484 [RFC8693] Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J.,
3485 and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693,
3486 DOI 10.17487/RFC8693, January 2020,
3487 .
3489 [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T.
3490 Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication
3491 and Certificate-Bound Access Tokens", RFC 8705,
3492 DOI 10.17487/RFC8705, February 2020,
3493 .
3495 Appendix A. Document History
3497 * -11
3499 - Updated based on Design Team feedback and reviews.
3501 - Removed oidc_ prefix from several values and used RFC8693
3502 assertion types.
3504 - Changed "client" to "RC" throughout.
3506 - Changed "user" to "RQ" or "RO" as appropriate.
3508 - Added expansions for request and response section
3509 introductions.
3511 - Added refresh examples.
3513 - Added diagrams to RS examples.
3515 - Added ui_locales hint to interaction block.
3517 - Added section on JSON polymorphism.
3519 - Added numerous editorial notes to describe why elements are in
3520 place.
3522 - Added discussion on composition of roles.
3524 - Added requirements for signature methods to cover all aspects
3525 of request and mechanisms to do so.
3527 * -10
3529 - Switched to xml2rfc v3 and markdown source.
3531 - Updated based on Design Team feedback and reviews.
3533 - Added acknowledgements list.
3535 - Added sequence diagrams and explanations.
3537 - Collapsed "short_redirect" into regular redirect request.
3539 - Separated pass-by-reference into subsections.
3541 - Collapsed "callback" and "pushback" into a single mode-switched
3542 method.
3544 - Add OIDC Claims request object example.
3546 * -09
3548 - Major document refactoring based on request and response
3549 capabilities.
3551 - Changed from "claims" language to "subject identifier"
3552 language.
3554 - Added "pushback" interaction capability.
3556 - Removed DIDCOMM interaction (better left to extensions).
3558 - Excised "transaction" language in favor of "Grant" where
3559 appropriate.
3561 - Added token management URLs.
3563 - Added separate continuation URL to use continuation handle
3564 with.
3566 - Added RS-focused functionality section.
3568 - Added notion of extending a grant request based on a previous
3569 grant.
3571 - Simplified returned handle structures.
3573 * -08
3575 - Added attached JWS signature method.
3577 - Added discovery methods.
3579 * -07
3581 - Marked sections as being controlled by a future registry TBD.
3583 * -06
3585 - Added multiple resource requests and multiple access token
3586 response.
3588 * -05
3590 - Added "claims" request and response for identity support.
3592 - Added "capabilities" request for inline discovery support.
3594 * -04
3596 - Added crypto agility for callback return hash.
3598 - Changed "interaction_handle" to "interaction_ref".
3600 * -03
3602 - Removed "state" in favor of "nonce".
3604 - Created signed return parameter for front channel return.
3606 - Changed "client" section to "display" section, as well as
3607 associated handle.
3609 - Changed "key" to "keys".
3611 - Separated key proofing from key presentation.
3613 - Separated interaction methods into booleans instead of "type"
3614 field.
3616 * -02
3618 - Minor editorial cleanups.
3620 * -01
3621 - Made JSON multimodal for handle requests.
3623 - Major updates to normative language and references throughout
3624 document.
3626 - Allowed interaction to split between how the user gets to the
3627 AS and how the user gets back.
3629 * -00
3631 - Initial submission.
3633 Appendix B. Component Data Models
3635 While different implementations of this protocol will have different
3636 realizations of all the components and artifacts enumerated here, the
3637 nature of the protocol implies some common structures and elements
3638 for certain components. This appendix seeks to enumerate those
3639 common elements.
3641 TBD: Client has keys, allowed requested resources, identifier(s),
3642 allowed requested subjects, allowed
3644 TBD: AS has "grant endpoint", interaction endpoints, store of trusted
3645 client keys, policies
3647 TBD: Token has RO, user, client, resource list, RS list,
3649 Appendix C. Example Protocol Flows
3651 The protocol defined in this specification provides a number of
3652 features that can be combined to solve many different kinds of
3653 authentication scenarios. This section seeks to show examples of how
3654 the protocol would be applied for different situations.
3656 Some longer fields, particularly cryptographic information, have been
3657 truncated for display purposes in these examples.
3659 C.1. Redirect-Based User Interaction
3661 In this scenario, the user is the RO and has access to a web browser,
3662 and the client can take front-channel callbacks on the same device as
3663 the user. This combination is analogous to the OAuth 2 Authorization
3664 Code grant type.
3666 The client initiates the request to the AS. Here the client
3667 identifies itself using its public key.
3669 POST /tx HTTP/1.1
3670 Host: server.example.com
3671 Content-type: application/json
3672 Detached-JWS: ejy0...
3674 {
3675 "resources": [
3676 {
3677 "actions": [
3678 "read",
3679 "write",
3680 "dolphin"
3681 ],
3682 "locations": [
3683 "https://server.example.net/",
3684 "https://resource.local/other"
3685 ],
3686 "datatypes": [
3687 "metadata",
3688 "images"
3689 ]
3690 }
3691 ],
3692 "key": {
3693 "proof": "jwsd",
3694 "jwk": {
3695 "kty": "RSA",
3696 "e": "AQAB",
3697 "kid": "xyz-1",
3698 "alg": "RS256",
3699 "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8xY..."
3700 }
3701 },
3702 "interact": {
3703 "redirect": true,
3704 "callback": {
3705 "method": "redirect",
3706 "uri": "https://client.example.net/return/123455",
3707 "nonce": "LKLTI25DK82FX4T4QFZC"
3708 }
3709 }
3710 }
3712 The AS processes the request and determines that the RO needs to
3713 interact. The AS returns the following response giving the client
3714 the information it needs to connect. The AS has also indicated to
3715 the client that it can use the given key handle to identify itself in
3716 future calls.
3718 Content-type: application/json
3720 {
3721 "interact": {
3722 "redirect": "https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ",
3723 "callback": "MBDOFXG4Y5CVJCX821LH"
3724 }
3725 "continue": {
3726 "handle": "80UPRY5NM33OMUKMKSKU",
3727 "uri": "https://server.example.com/continue"
3728 },
3729 "key_handle": "7C7C4AZ9KHRS6X63AJAO"
3730 }
3732 The client saves the response and redirects the user to the
3733 interaction_url by sending the following HTTP message to the user's
3734 browser.
3736 HTTP 302 Found
3737 Location: https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ
3739 The user's browser fetches the AS's interaction URL. The user logs
3740 in, is identified as the RO for the resource being requested, and
3741 approves the request. Since the AS has a callback parameter, the AS
3742 generates the interaction reference, calculates the hash, and
3743 redirects the user back to the client with these additional values
3744 added as query parameters.
3746 HTTP 302 Found
3747 Location: https://client.example.net/return/123455
3748 ?hash=p28jsq0Y2KK3WS__a42tavNC64ldGTBroywsWxT4md_jZQ1R2HZT8BOWYHcLmObM7XHPAdJzTZMtKBsaraJ64A
3749 &interact_ref=4IFWWIKYBC2PQ6U56NL1
3751 The client receives this request from the user's browser. The client
3752 ensures that this is the same user that was sent out by validating
3753 session information and retrieves the stored pending request. The
3754 client uses the values in this to validate the hash parameter. The
3755 client then calls the continuation URL and presents the handle and
3756 interaction reference in the request body. The client signs the
3757 request as above.
3759 POST /continue HTTP/1.1
3760 Host: server.example.com
3761 Content-type: application/json
3762 Detached-JWS: ejy0...
3764 {
3765 "handle": "80UPRY5NM33OMUKMKSKU",
3766 "interact_ref": "4IFWWIKYBC2PQ6U56NL1"
3767 }
3769 The AS retrieves the pending request based on the handle and issues a
3770 bearer access token and returns this to the client.
3772 Content-type: application/json
3774 {
3775 "access_token": {
3776 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
3777 "proof": "bearer",
3778 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
3779 "resources": [{
3780 "actions": [
3781 "read",
3782 "write",
3783 "dolphin"
3784 ],
3785 "locations": [
3786 "https://server.example.net/",
3787 "https://resource.local/other"
3788 ],
3789 "datatypes": [
3790 "metadata",
3791 "images"
3792 ]
3793 }]
3794 },
3795 "continue": {
3796 "handle": "80UPRY5NM33OMUKMKSKU",
3797 "uri": "https://server.example.com/continue"
3798 }
3799 }
3800 C.2. Secondary Device Interaction
3802 In this scenario, the user does not have access to a web browser on
3803 the device and must use a secondary device to interact with the AS.
3804 The client can display a user code or a printable QR code. The
3805 client prefers a short URL if one is available, with a maximum of 255
3806 characters in length. The is not able to accept callbacks from the
3807 AS and needs to poll for updates while waiting for the user to
3808 authorize the request.
3810 The client initiates the request to the AS.
3812 POST /tx HTTP/1.1
3813 Host: server.example.com
3814 Content-type: application/json
3815 Detached-JWS: ejy0...
3817 {
3818 "resources": [
3819 "dolphin-metadata", "some other thing"
3820 ],
3821 "key": "7C7C4AZ9KHRS6X63AJAO",
3822 "interact": {
3823 "redirect": 255,
3824 "user_code": true
3825 }
3826 }
3828 The AS processes this and determines that the RO needs to interact.
3829 The AS supports both long and short redirect URIs for interaction, so
3830 it includes both. Since there is no "callback" the AS does not
3831 include a nonce, but does include a "wait" parameter on the
3832 continuation section because it expects the client to poll for
3833 results.
3835 Content-type: application/json
3837 {
3838 "interact": {
3839 "redirect": "https://srv.ex/MXKHQ",
3840 "user_code": {
3841 "code": "A1BC-3DFF",
3842 "url": "https://srv.ex/device"
3843 }
3844 },
3845 "continue": {
3846 "handle": "80UPRY5NM33OMUKMKSKU",
3847 "uri": "https://server.example.com/continue",
3848 "wait": 60
3849 }
3850 }
3852 The client saves the response and displays the user code visually on
3853 its screen along with the static device URL. The client also
3854 displays the short interaction URL as a QR code to be scanned.
3856 If the user scans the code, they are taken to the interaction
3857 endpoint and the AS looks up the current pending request based on the
3858 incoming URL. If the user instead goes to the static page and enters
3859 the code manually, the AS looks up the current pending request based
3860 on the value of the user code. In both cases, the user logs in, is
3861 identified as the RO for the resource being requested, and approves
3862 the request. Once the request has been approved, the AS displays to
3863 the user a message to return to their device.
3865 Meanwhile, the client periodically polls the AS every 60 seconds at
3866 the continuation URL.
3868 POST /continue HTTP/1.1
3869 Host: server.example.com
3870 Content-type: application/json
3871 Detached-JWS: ejy0...
3873 {
3874 "handle": "80UPRY5NM33OMUKMKSKU"
3875 }
3877 The AS retrieves the pending request based on the handle and
3878 determines that it has not yet been authorized. The AS indicates to
3879 the client that no access token has yet been issued but it can
3880 continue to call after another 60 second timeout.
3882 Content-type: application/json
3884 {
3885 "continue": {
3886 "handle": "BI9QNW6V9W3XFJK4R02D",
3887 "uri": "https://server.example.com/continue",
3888 "wait": 60
3889 }
3890 }
3892 Note that the continuation handle has been rotated since it was used
3893 by the client to make this call. The client polls the continuation
3894 URL after a 60 second timeout using the new handle.
3896 POST /continue HTTP/1.1
3897 Host: server.example.com
3898 Content-type: application/json
3899 Detached-JWS: ejy0...
3901 {
3902 "handle": "BI9QNW6V9W3XFJK4R02D"
3903 }
3905 The AS retrieves the pending request based on the handle and
3906 determines that it has been approved and it issues an access token.
3908 Content-type: application/json
3910 {
3911 "access_token": {
3912 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
3913 "proof": "bearer",
3914 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
3915 "resources": [
3916 "dolphin-metadata", "some other thing"
3917 ]
3918 }
3919 }
3921 Appendix D. No User Involvement
3923 In this scenario, the client is requesting access on its own behalf,
3924 with no user to interact with.
3926 The client creates a request to the AS, identifying itself with its
3927 public key and using MTLS to make the request.
3929 POST /tx HTTP/1.1
3930 Host: server.example.com
3931 Content-type: application/json
3933 {
3934 "resources": [
3935 "backend service", "nightly-routine-3"
3936 ],
3937 "key": {
3938 "proof": "mtls",
3939 "cert#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
3940 }
3941 }
3943 The AS processes this and determines that the client can ask for the
3944 requested resources and issues an access token.
3946 Content-type: application/json
3948 {
3949 "access_token": {
3950 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
3951 "proof": "bearer",
3952 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
3953 "resources": [
3954 "backend service", "nightly-routine-3"
3955 ]
3956 }
3957 }
3959 D.1. Asynchronous Authorization
3961 In this scenario, the client is requesting on behalf of a specific
3962 RO, but has no way to interact with the user. The AS can
3963 asynchronously reach out to the RO for approval in this scenario.
3965 The client starts the request at the AS by requesting a set of
3966 resources. The client also identifies a particular user.
3968 POST /tx HTTP/1.1
3969 Host: server.example.com
3970 Content-type: application/json
3971 Detached-JWS: ejy0...
3973 {
3974 "resources": [
3975 {
3976 "type": "photo-api",
3977 "actions": [
3978 "read",
3979 "write",
3980 "dolphin"
3981 ],
3982 "locations": [
3983 "https://server.example.net/",
3984 "https://resource.local/other"
3985 ],
3986 "datatypes": [
3987 "metadata",
3988 "images"
3989 ]
3990 },
3991 "read", "dolphin-metadata",
3992 {
3993 "type": "financial-transaction",
3994 "actions": [
3995 "withdraw"
3996 ],
3997 "identifier": "account-14-32-32-3",
3998 "currency": "USD"
3999 },
4000 "some other thing"
4001 ],
4002 "key": "7C7C4AZ9KHRS6X63AJAO",
4003 "user": {
4004 "sub_ids": [ {
4005 "subject_type": "email",
4006 "email": "user@example.com"
4007 } ]
4008 }
4009 }
4011 The AS processes this and determines that the RO needs to interact.
4012 The AS determines that it can reach the identified user
4013 asynchronously and that the identified user does have the ability to
4014 approve this request. The AS indicates to the client that it can
4015 poll for continuation.
4017 Content-type: application/json
4019 {
4020 "continue": {
4021 "handle": "80UPRY5NM33OMUKMKSKU",
4022 "uri": "https://server.example.com/continue",
4023 "wait": 60
4024 }
4025 }
4027 The AS reaches out to the RO and prompts them for consent. In this
4028 example, the AS has an application that it can push notifications in
4029 to for the specified account.
4031 Meanwhile, the client periodically polls the AS every 60 seconds at
4032 the continuation URL.
4034 POST /continue HTTP/1.1
4035 Host: server.example.com
4036 Content-type: application/json
4037 Detached-JWS: ejy0...
4039 {
4040 "handle": "80UPRY5NM33OMUKMKSKU"
4041 }
4043 The AS retrieves the pending request based on the handle and
4044 determines that it has not yet been authorized. The AS indicates to
4045 the client that no access token has yet been issued but it can
4046 continue to call after another 60 second timeout.
4048 Content-type: application/json
4050 {
4051 "continue": {
4052 "handle": "BI9QNW6V9W3XFJK4R02D",
4053 "uri": "https://server.example.com/continue",
4054 "wait": 60
4055 }
4056 }
4058 Note that the continuation handle has been rotated since it was used
4059 by the client to make this call. The client polls the continuation
4060 URL after a 60 second timeout using the new handle.
4062 POST /continue HTTP/1.1
4063 Host: server.example.com
4064 Content-type: application/json
4065 Detached-JWS: ejy0...
4067 {
4068 "handle": "BI9QNW6V9W3XFJK4R02D"
4069 }
4071 The AS retrieves the pending request based on the handle and
4072 determines that it has been approved and it issues an access token.
4074 Content-type: application/json
4076 {
4077 "access_token": {
4078 "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
4079 "proof": "bearer",
4080 "manage": "https://server.example.com/token/PRY5NM33OM4TB8N6BW7OZB8CDFONP219RP1L",
4081 "resources": [
4082 "dolphin-metadata", "some other thing"
4083 ]
4084 }
4085 }
4087 D.2. Applying OAuth 2 Scopes and Client IDs
4089 While the GNAP protocol is not designed to be directly compatible
4090 with OAuth 2 [RFC6749], considerations have been made to enable the
4091 use of OAuth 2 concepts and constructs more smoothly within the GNAP
4092 protocol.
4094 In this scenario, the client developer has a "client_id" and set of
4095 "scope" values from their OAuth 2 system and wants to apply them to
4096 the new protocol. Traditionally, the OAuth 2 client developer would
4097 put their "client_id" and "scope" values as parameters into a
4098 redirect request to the authorization endpoint.
4100 HTTP 302 Found
4101 Location: https://server.example.com/authorize
4102 ?client_id=7C7C4AZ9KHRS6X63AJAO
4103 &scope=read%20write%20dolphin
4104 &redirect_uri=https://client.example.net/return
4105 &response_type=code
4106 &state=123455
4108 Now the developer wants to make an analogous request to the AS using
4109 the new protocol. To do so, the client makes an HTTP POST and places
4110 the OAuth 2 values in the appropriate places.
4112 POST /tx HTTP/1.1
4113 Host: server.example.com
4114 Content-type: application/json
4115 Detached-JWS: ejy0...
4117 {
4118 "resources": [
4119 "read", "write", "dolphin"
4120 ],
4121 "key": "7C7C4AZ9KHRS6X63AJAO",
4122 "interact": {
4123 "redirect": true,
4124 "callback": {
4125 "method": "redirect",
4126 "uri": "https://client.example.net/return?state=123455",
4127 "nonce": "LKLTI25DK82FX4T4QFZC"
4128 }
4129 }
4130 }
4132 The client_id can be used to identify the client's keys that it uses
4133 for authentication, the scopes represent resources that the client is
4134 requesting, and the "redirect_uri" and "state" value are pre-combined
4135 into a "callback" URI that can be unique per request. The client
4136 additionally creates a nonce to protect the callback, separate from
4137 the state parameter that it has added to its return URL.
4139 From here, the protocol continues as above.
4141 Appendix E. JSON Structures and Polymorphism
4143 The GNAP protocol makes use of polymorphism within the JSON [RFC8259]
4144 structures used for the protocol. Each element of this protocol is
4145 defined in terms of the JSON data type that its values can take,
4146 whether it's a string, object, array, boolean, or number. For some
4147 elements, different data types offer different descriptive
4148 capabilities and are used in different situations for the same
4149 element. Each data type provides a different syntax to express the
4150 same underlying semantic protocol element, which allows for
4151 optimization and simplification in many common cases.
4153 In JSON, the named members of an object have no type associated with
4154 them, and any data type can be used as the value for any member. In
4155 practice, each member has a semantic type that needs to make sense to
4156 the parties creating and consuming the object. Within this protocol,
4157 each object member is defined in terms of its semantic content, and
4158 this semantic content might have expressions in different concrete
4159 data types for different specific purposes. Since each object member
4160 has exactly one value in JSON, each data type for an object member
4161 field is naturally mutually exclusive with other data types within a
4162 single JSON object.
4164 For example, a resource request for a single access token is composed
4165 of an array of resource request descriptions while a request for
4166 multiple access tokens is composed of an object whose member values
4167 are all arrays. Both of these represent requests for access, but the
4168 difference in syntax allows the RC and AS to differentiate between
4169 the two request types in the same request.
4171 Another form of polymorphism in JSON comes from the fact that the
4172 values within JSON arrays need not all be of the same JSON data type.
4173 However, within this protocol, each element within the array needs to
4174 be of the same kind of semantic element for the collection to make
4175 sense.
4177 For example, each aspect of a resource request can be described using
4178 an object with multiple dimensional components, or the aspect can be
4179 requested using a string. In both cases, the resource request is
4180 being described in a way that the AS needs to interpret, but with
4181 different levels of specificity and complexity for the RC to deal
4182 with. An API designer can provide a set of common access scopes as
4183 simple strings but still allow RC developers to specify custom access
4184 when needed for more complex APIs.
4186 Extensions to this specification can use different data types for
4187 defined fields, but
4189 Author's Address
4191 Justin Richer (editor)
4192 Bespoke Engineering
4194 Email: ietf@justin.richer.org
4195 URI: https://bspk.io/