rfc9635.original | rfc9635.txt | |||
---|---|---|---|---|
GNAP J. Richer, Ed. | Internet Engineering Task Force (IETF) J. Richer, Ed. | |||
Internet-Draft Bespoke Engineering | Request for Comments: 9635 Bespoke Engineering | |||
Intended status: Standards Track F. Imbault | Category: Standards Track F. Imbault | |||
Expires: 10 September 2024 acert.io | ISSN: 2070-1721 acert.io | |||
9 March 2024 | September 2024 | |||
Grant Negotiation and Authorization Protocol | Grant Negotiation and Authorization Protocol (GNAP) | |||
draft-ietf-gnap-core-protocol-19 | ||||
Abstract | Abstract | |||
GNAP defines a mechanism for delegating authorization to a piece of | The Grant Negotiation and Authorization Protocol (GNAP) defines a | |||
software, and conveying the results and artifacts of that delegation | mechanism for delegating authorization to a piece of software and | |||
to the software. This delegation can include access to a set of APIs | conveying the results and artifacts of that delegation to the | |||
as well as subject information passed directly to the software. | software. This delegation can include access to a set of APIs as | |||
well as subject information passed directly to the software. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 10 September 2024. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9635. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 | 1. Introduction | |||
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 | 1.1. Terminology | |||
1.2. Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 1.2. Roles | |||
1.3. Elements . . . . . . . . . . . . . . . . . . . . . . . . 10 | 1.3. Elements | |||
1.4. Trust relationships . . . . . . . . . . . . . . . . . . . 11 | 1.4. Trust Relationships | |||
1.5. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 13 | 1.5. Protocol Flow | |||
1.6. Sequences . . . . . . . . . . . . . . . . . . . . . . . . 16 | 1.6. Sequences | |||
1.6.1. Overall Protocol Sequence . . . . . . . . . . . . . . 16 | 1.6.1. Overall Protocol Sequence | |||
1.6.2. Redirect-based Interaction . . . . . . . . . . . . . 19 | 1.6.2. Redirect-Based Interaction | |||
1.6.3. User-code Interaction . . . . . . . . . . . . . . . . 22 | 1.6.3. User Code Interaction | |||
1.6.4. Asynchronous Authorization . . . . . . . . . . . . . 25 | 1.6.4. Asynchronous Authorization | |||
1.6.5. Software-only Authorization . . . . . . . . . . . . . 27 | 1.6.5. Software-Only Authorization | |||
1.6.6. Refreshing an Expired Access Token . . . . . . . . . 28 | 1.6.6. Refreshing an Expired Access Token | |||
1.6.7. Requesting Subject Information Only . . . . . . . . . 30 | 1.6.7. Requesting Subject Information Only | |||
1.6.8. Cross-User Authentication . . . . . . . . . . . . . . 31 | 1.6.8. Cross-User Authentication | |||
2. Requesting Access . . . . . . . . . . . . . . . . . . . . . . 34 | 2. Requesting Access | |||
2.1. Requesting Access to Resources . . . . . . . . . . . . . 36 | 2.1. Requesting Access to Resources | |||
2.1.1. Requesting a Single Access Token . . . . . . . . . . 36 | 2.1.1. Requesting a Single Access Token | |||
2.1.2. Requesting Multiple Access Tokens . . . . . . . . . . 39 | 2.1.2. Requesting Multiple Access Tokens | |||
2.2. Requesting Subject Information . . . . . . . . . . . . . 41 | 2.2. Requesting Subject Information | |||
2.3. Identifying the Client Instance . . . . . . . . . . . . . 42 | 2.3. Identifying the Client Instance | |||
2.3.1. Identifying the Client Instance by Reference . . . . 44 | 2.3.1. Identifying the Client Instance by Reference | |||
2.3.2. Providing Displayable Client Instance Information . . 45 | 2.3.2. Providing Displayable Client Instance Information | |||
2.3.3. Authenticating the Client Instance . . . . . . . . . 45 | 2.3.3. Authenticating the Client Instance | |||
2.4. Identifying the User . . . . . . . . . . . . . . . . . . 46 | 2.4. Identifying the User | |||
2.4.1. Identifying the User by Reference . . . . . . . . . . 47 | 2.4.1. Identifying the User by Reference | |||
2.5. Interacting with the User . . . . . . . . . . . . . . . . 48 | 2.5. Interacting with the User | |||
2.5.1. Start Mode Definitions . . . . . . . . . . . . . . . 50 | 2.5.1. Start Mode Definitions | |||
2.5.2. Interaction Finish Methods . . . . . . . . . . . . . 52 | 2.5.2. Interaction Finish Methods | |||
2.5.3. Hints . . . . . . . . . . . . . . . . . . . . . . . . 55 | 2.5.3. Hints | |||
3. Grant Response . . . . . . . . . . . . . . . . . . . . . . . 56 | 3. Grant Response | |||
3.1. Request Continuation . . . . . . . . . . . . . . . . . . 58 | 3.1. Request Continuation | |||
3.2. Access Tokens . . . . . . . . . . . . . . . . . . . . . . 59 | 3.2. Access Tokens | |||
3.2.1. Single Access Token . . . . . . . . . . . . . . . . . 59 | 3.2.1. Single Access Token | |||
3.2.2. Multiple Access Tokens . . . . . . . . . . . . . . . 63 | 3.2.2. Multiple Access Tokens | |||
3.3. Interaction Modes . . . . . . . . . . . . . . . . . . . . 64 | 3.3. Interaction Modes | |||
3.3.1. Redirection to an arbitrary URI . . . . . . . . . . . 66 | 3.3.1. Redirection to an Arbitrary URI | |||
3.3.2. Launch of an application URI . . . . . . . . . . . . 66 | 3.3.2. Launch of an Application URI | |||
3.3.3. Display of a Short User Code . . . . . . . . . . . . 67 | 3.3.3. Display of a Short User Code | |||
3.3.4. Display of a Short User Code and URI . . . . . . . . 68 | 3.3.4. Display of a Short User Code and URI | |||
3.3.5. Interaction Finish . . . . . . . . . . . . . . . . . 69 | 3.3.5. Interaction Finish | |||
3.4. Returning Subject Information . . . . . . . . . . . . . . 69 | 3.4. Returning Subject Information | |||
3.4.1. Assertion Formats . . . . . . . . . . . . . . . . . . 71 | 3.4.1. Assertion Formats | |||
3.5. Returning a Dynamically-bound Client Instance | 3.5. Returning a Dynamically Bound Client Instance Identifier | |||
Identifier . . . . . . . . . . . . . . . . . . . . . . . 72 | 3.6. Error Response | |||
3.6. Error Response . . . . . . . . . . . . . . . . . . . . . 72 | 4. Determining Authorization and Consent | |||
4.1. Starting Interaction with the End User | ||||
4. Determining Authorization and Consent . . . . . . . . . . . . 74 | 4.1.1. Interaction at a Redirected URI | |||
4.1. Starting Interaction With the End User . . . . . . . . . 79 | 4.1.2. Interaction at the Static User Code URI | |||
4.1.1. Interaction at a Redirected URI . . . . . . . . . . . 79 | 4.1.3. Interaction at a Dynamic User Code URI | |||
4.1.2. Interaction at the Static User Code URI . . . . . . . 80 | 4.1.4. Interaction through an Application URI | |||
4.1.3. Interaction at a Dynamic User Code URI . . . . . . . 81 | 4.2. Post-Interaction Completion | |||
4.1.4. Interaction through an Application URI . . . . . . . 83 | ||||
4.2. Post-Interaction Completion . . . . . . . . . . . . . . . 83 | ||||
4.2.1. Completing Interaction with a Browser Redirect to the | 4.2.1. Completing Interaction with a Browser Redirect to the | |||
Callback URI . . . . . . . . . . . . . . . . . . . . 84 | Callback URI | |||
4.2.2. Completing Interaction with a Direct HTTP Request | 4.2.2. Completing Interaction with a Direct HTTP Request | |||
Callback . . . . . . . . . . . . . . . . . . . . . . 85 | Callback | |||
4.2.3. Calculating the interaction hash . . . . . . . . . . 86 | 4.2.3. Calculating the Interaction Hash | |||
5. Continuing a Grant Request . . . . . . . . . . . . . . . . . 87 | 5. Continuing a Grant Request | |||
5.1. Continuing After a Completed Interaction . . . . . . . . 90 | 5.1. Continuing after a Completed Interaction | |||
5.2. Continuing During Pending Interaction (Polling) . . . . . 92 | 5.2. Continuing during Pending Interaction (Polling) | |||
5.3. Modifying an Existing Request . . . . . . . . . . . . . . 94 | 5.3. Modifying an Existing Request | |||
5.4. Revoking a Grant Request . . . . . . . . . . . . . . . . 100 | 5.4. Revoking a Grant Request | |||
6. Token Management . . . . . . . . . . . . . . . . . . . . . . 101 | 6. Token Management | |||
6.1. Rotating the Access Token Value . . . . . . . . . . . . . 102 | 6.1. Rotating the Access Token Value | |||
6.1.1. Binding a New Key to the Rotated Access Token . . . . 104 | 6.1.1. Binding a New Key to the Rotated Access Token | |||
6.2. Revoking the Access Token . . . . . . . . . . . . . . . . 105 | 6.2. Revoking the Access Token | |||
7. Securing Requests from the Client Instance . . . . . . . . . 106 | 7. Securing Requests from the Client Instance | |||
7.1. Key Formats . . . . . . . . . . . . . . . . . . . . . . . 107 | 7.1. Key Formats | |||
7.1.1. Key References . . . . . . . . . . . . . . . . . . . 108 | 7.1.1. Key References | |||
7.1.2. Key Protection . . . . . . . . . . . . . . . . . . . 109 | 7.1.2. Key Protection | |||
7.2. Presenting Access Tokens . . . . . . . . . . . . . . . . 109 | 7.2. Presenting Access Tokens | |||
7.3. Proving Possession of a Key with a Request . . . . . . . 110 | 7.3. Proving Possession of a Key with a Request | |||
7.3.1. HTTP Message Signatures . . . . . . . . . . . . . . . 114 | 7.3.1. HTTP Message Signatures | |||
7.3.2. Mutual TLS . . . . . . . . . . . . . . . . . . . . . 121 | 7.3.2. Mutual TLS | |||
7.3.3. Detached JWS . . . . . . . . . . . . . . . . . . . . 124 | 7.3.3. Detached JWS | |||
7.3.4. Attached JWS . . . . . . . . . . . . . . . . . . . . 128 | 7.3.4. Attached JWS | |||
8. Resource Access Rights . . . . . . . . . . . . . . . . . . . 133 | 8. Resource Access Rights | |||
8.1. Requesting Resources By Reference . . . . . . . . . . . . 137 | 8.1. Requesting Resources by Reference | |||
9. Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 140 | 9. Discovery | |||
9.1. RS-first Method of AS Discovery . . . . . . . . . . . . . 141 | 9.1. RS-First Method of AS Discovery | |||
9.2. Dynamic grant endpoint discovery . . . . . . . . . . . . 143 | 9.2. Dynamic Grant Endpoint Discovery | |||
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 144 | 10. IANA Considerations | |||
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 144 | 10.1. HTTP Authentication Scheme Registration | |||
11.1. HTTP Authentication Scheme Registration . . . . . . . . 145 | 10.2. Media Type Registration | |||
11.2. Media Type Registration . . . . . . . . . . . . . . . . 145 | 10.2.1. application/gnap-binding-jwsd | |||
11.3. GNAP Grant Request Parameters . . . . . . . . . . . . . 149 | 10.2.2. application/gnap-binding-jws | |||
11.3.1. Registration Template . . . . . . . . . . . . . . . 149 | 10.2.3. application/gnap-binding-rotation-jwsd | |||
11.3.2. Initial Contents . . . . . . . . . . . . . . . . . . 149 | 10.2.4. application/gnap-binding-rotation-jws | |||
11.4. GNAP Access Token Flags . . . . . . . . . . . . . . . . 150 | 10.3. GNAP Grant Request Parameters | |||
11.4.1. Registration Template . . . . . . . . . . . . . . . 150 | 10.3.1. Registration Template | |||
11.4.2. Initial Contents . . . . . . . . . . . . . . . . . . 151 | 10.3.2. Initial Contents | |||
11.5. GNAP Subject Information Request Fields . . . . . . . . 151 | 10.4. GNAP Access Token Flags | |||
11.5.1. Registration Template . . . . . . . . . . . . . . . 151 | 10.4.1. Registration Template | |||
11.5.2. Initial Contents . . . . . . . . . . . . . . . . . . 152 | 10.4.2. Initial Contents | |||
11.6. GNAP Assertion Formats . . . . . . . . . . . . . . . . . 152 | 10.5. GNAP Subject Information Request Fields | |||
11.6.1. Registration Template . . . . . . . . . . . . . . . 152 | 10.5.1. Registration Template | |||
11.6.2. Initial Contents . . . . . . . . . . . . . . . . . . 152 | 10.5.2. Initial Contents | |||
11.7. GNAP Client Instance Fields . . . . . . . . . . . . . . 153 | 10.6. GNAP Assertion Formats | |||
11.7.1. Registration Template . . . . . . . . . . . . . . . 153 | 10.6.1. Registration Template | |||
11.7.2. Initial Contents . . . . . . . . . . . . . . . . . . 153 | 10.6.2. Initial Contents | |||
11.8. GNAP Client Instance Display Fields . . . . . . . . . . 154 | 10.7. GNAP Client Instance Fields | |||
11.8.1. Registration Template . . . . . . . . . . . . . . . 154 | 10.7.1. Registration Template | |||
11.8.2. Initial Contents . . . . . . . . . . . . . . . . . . 154 | 10.7.2. Initial Contents | |||
11.9. GNAP Interaction Start Modes . . . . . . . . . . . . . . 155 | 10.8. GNAP Client Instance Display Fields | |||
11.9.1. Registration Template . . . . . . . . . . . . . . . 155 | 10.8.1. Registration Template | |||
11.9.2. Initial Contents . . . . . . . . . . . . . . . . . . 156 | 10.8.2. Initial Contents | |||
11.10. GNAP Interaction Finish Methods . . . . . . . . . . . . 156 | 10.9. GNAP Interaction Start Modes | |||
11.10.1. Registration Template . . . . . . . . . . . . . . . 156 | 10.9.1. Registration Template | |||
11.10.2. Initial Contents . . . . . . . . . . . . . . . . . 157 | 10.9.2. Initial Contents | |||
11.11. GNAP Interaction Hints . . . . . . . . . . . . . . . . . 157 | 10.10. GNAP Interaction Finish Methods | |||
11.11.1. Registration Template . . . . . . . . . . . . . . . 157 | 10.10.1. Registration Template | |||
11.11.2. Initial Contents . . . . . . . . . . . . . . . . . 157 | 10.10.2. Initial Contents | |||
11.12. GNAP Grant Response Parameters . . . . . . . . . . . . . 158 | 10.11. GNAP Interaction Hints | |||
11.12.1. Registration Template . . . . . . . . . . . . . . . 158 | 10.11.1. Registration Template | |||
11.12.2. Initial Contents . . . . . . . . . . . . . . . . . 158 | 10.11.2. Initial Contents | |||
11.13. GNAP Interaction Mode Responses . . . . . . . . . . . . 159 | 10.12. GNAP Grant Response Parameters | |||
11.13.1. Registration Template . . . . . . . . . . . . . . . 159 | 10.12.1. Registration Template | |||
11.13.2. Initial Contents . . . . . . . . . . . . . . . . . 159 | 10.12.2. Initial Contents | |||
11.14. GNAP Subject Information Response Fields . . . . . . . . 160 | 10.13. GNAP Interaction Mode Responses | |||
11.14.1. Registration Template . . . . . . . . . . . . . . . 160 | 10.13.1. Registration Template | |||
11.14.2. Initial Contents . . . . . . . . . . . . . . . . . 160 | 10.13.2. Initial Contents | |||
11.15. GNAP Error Codes . . . . . . . . . . . . . . . . . . . . 161 | 10.14. GNAP Subject Information Response Fields | |||
11.15.1. Registration Template . . . . . . . . . . . . . . . 161 | 10.14.1. Registration Template | |||
11.15.2. Initial Contents . . . . . . . . . . . . . . . . . 161 | 10.14.2. Initial Contents | |||
11.16. GNAP Key Proofing Methods . . . . . . . . . . . . . . . 162 | 10.15. GNAP Error Codes | |||
11.16.1. Registration Template . . . . . . . . . . . . . . . 162 | 10.15.1. Registration Template | |||
11.16.2. Initial Contents . . . . . . . . . . . . . . . . . 163 | 10.15.2. Initial Contents | |||
11.17. GNAP Key Formats . . . . . . . . . . . . . . . . . . . . 163 | 10.16. GNAP Key Proofing Methods | |||
11.17.1. Registration Template . . . . . . . . . . . . . . . 163 | 10.16.1. Registration Template | |||
11.17.2. Initial Contents . . . . . . . . . . . . . . . . . 164 | 10.16.2. Initial Contents | |||
11.18. GNAP Authorization Server Discovery Fields . . . . . . . 164 | 10.17. GNAP Key Formats | |||
11.18.1. Registration Template . . . . . . . . . . . . . . . 164 | 10.17.1. Registration Template | |||
11.18.2. Initial Contents . . . . . . . . . . . . . . . . . 165 | 10.17.2. Initial Contents | |||
12. Implementation Status . . . . . . . . . . . . . . . . . . . . 165 | 10.18. GNAP Authorization Server Discovery Fields | |||
13. Security Considerations . . . . . . . . . . . . . . . . . . . 166 | 10.18.1. Registration Template | |||
13.1. TLS Protection in Transit . . . . . . . . . . . . . . . 166 | 10.18.2. Initial Contents | |||
13.2. Signing Requests from the Client Software . . . . . . . 167 | 11. Security Considerations | |||
13.3. MTLS Message Integrity . . . . . . . . . . . . . . . . . 169 | 11.1. TLS Protection in Transit | |||
13.4. MTLS Deployment Patterns . . . . . . . . . . . . . . . . 169 | 11.2. Signing Requests from the Client Software | |||
13.5. Protection of Client Instance Key Material . . . . . . . 170 | 11.3. MTLS Message Integrity | |||
13.6. Protection of Authorization Server . . . . . . . . . . . 171 | 11.4. MTLS Deployment Patterns | |||
13.7. Symmetric and Asymmetric Client Instance Keys . . . . . 172 | 11.5. Protection of Client Instance Key Material | |||
13.8. Generation of Access Tokens . . . . . . . . . . . . . . 173 | 11.6. Protection of Authorization Server | |||
13.9. Bearer Access Tokens . . . . . . . . . . . . . . . . . . 174 | 11.7. Symmetric and Asymmetric Client Instance Keys | |||
13.10. Key-Bound Access Tokens . . . . . . . . . . . . . . . . 175 | 11.8. Generation of Access Tokens | |||
13.11. Exposure of End-user Credentials to Client Instance . . 176 | 11.9. Bearer Access Tokens | |||
13.12. Mixing Up Authorization Servers . . . . . . . . . . . . 177 | 11.10. Key-Bound Access Tokens | |||
13.13. Processing of Client-Presented User Information . . . . 177 | 11.11. Exposure of End-User Credentials to Client Instance | |||
13.14. Client Instance Pre-registration . . . . . . . . . . . . 178 | 11.12. Mixing Up Authorization Servers | |||
13.15. Client Instance Impersonation . . . . . . . . . . . . . 180 | 11.13. Processing of Client-Presented User Information | |||
13.16. Client-Hosted Logo URI . . . . . . . . . . . . . . . . . 180 | 11.14. Client Instance Pre-registration | |||
13.17. Interception of Information in the Browser . . . . . . . 181 | 11.15. Client Instance Impersonation | |||
13.18. Callback URI Manipulation . . . . . . . . . . . . . . . 181 | 11.16. Client-Hosted Logo URI | |||
13.19. Redirection Status Codes . . . . . . . . . . . . . . . . 182 | 11.17. Interception of Information in the Browser | |||
13.20. Interception of Responses from the AS . . . . . . . . . 183 | 11.18. Callback URI Manipulation | |||
13.21. Key Distribution . . . . . . . . . . . . . . . . . . . . 183 | 11.19. Redirection Status Codes | |||
13.22. Key Rotation Policy . . . . . . . . . . . . . . . . . . 184 | 11.20. Interception of Responses from the AS | |||
13.23. Interaction Finish Modes and Polling . . . . . . . . . . 185 | 11.21. Key Distribution | |||
13.24. Session Management for Interaction Finish Methods . . . 185 | 11.22. Key Rotation Policy | |||
13.25. Calculating Interaction Hash . . . . . . . . . . . . . . 187 | 11.23. Interaction Finish Modes and Polling | |||
13.26. Storage of Information During Interaction and | 11.24. Session Management for Interaction Finish Methods | |||
Continuation . . . . . . . . . . . . . . . . . . . . . 189 | 11.25. Calculating Interaction Hash | |||
13.27. Denial of Service (DoS) through Grant Continuation . . . 190 | 11.26. Storage of Information during Interaction and Continuation | |||
13.28. Exhaustion of Random Value Space . . . . . . . . . . . . 191 | 11.27. Denial of Service (DoS) through Grant Continuation | |||
13.29. Front-channel URIs . . . . . . . . . . . . . . . . . . . 191 | 11.28. Exhaustion of Random Value Space | |||
13.30. Processing Assertions . . . . . . . . . . . . . . . . . 192 | 11.29. Front-Channel URIs | |||
13.31. Stolen Token Replay . . . . . . . . . . . . . . . . . . 193 | 11.30. Processing Assertions | |||
13.32. Self-contained Stateless Access Tokens . . . . . . . . . 194 | 11.31. Stolen Token Replay | |||
13.33. Network Problems and Token and Grant Management . . . . 195 | 11.32. Self-Contained Stateless Access Tokens | |||
13.34. Server-side Request Forgery (SSRF) . . . . . . . . . . . 196 | 11.33. Network Problems and Token and Grant Management | |||
13.35. Multiple Key Formats . . . . . . . . . . . . . . . . . . 197 | 11.34. Server-Side Request Forgery (SSRF) | |||
13.36. Asynchronous Interactions . . . . . . . . . . . . . . . 198 | 11.35. Multiple Key Formats | |||
13.37. Compromised RS . . . . . . . . . . . . . . . . . . . . . 199 | 11.36. Asynchronous Interactions | |||
13.38. AS-Provided Token Keys . . . . . . . . . . . . . . . . . 199 | 11.37. Compromised RS | |||
14. Privacy Considerations . . . . . . . . . . . . . . . . . . . 200 | 11.38. AS-Provided Token Keys | |||
14.1. Surveillance . . . . . . . . . . . . . . . . . . . . . . 200 | 12. Privacy Considerations | |||
14.1.1. Surveillance by the Client . . . . . . . . . . . . . 200 | 12.1. Surveillance | |||
14.1.2. Surveillance by the Authorization Server . . . . . . 201 | 12.1.1. Surveillance by the Client | |||
14.2. Stored Data . . . . . . . . . . . . . . . . . . . . . . 201 | 12.1.2. Surveillance by the Authorization Server | |||
14.3. Intrusion . . . . . . . . . . . . . . . . . . . . . . . 202 | 12.2. Stored Data | |||
14.4. Correlation . . . . . . . . . . . . . . . . . . . . . . 202 | 12.3. Intrusion | |||
14.4.1. Correlation by Clients . . . . . . . . . . . . . . . 202 | 12.4. Correlation | |||
14.4.2. Correlation by Resource Servers . . . . . . . . . . 203 | 12.4.1. Correlation by Clients | |||
14.4.3. Correlation by Authorization Servers . . . . . . . . 204 | 12.4.2. Correlation by Resource Servers | |||
14.5. Disclosure in Shared References . . . . . . . . . . . . 204 | 12.4.3. Correlation by Authorization Servers | |||
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 204 | 12.5. Disclosure in Shared References | |||
15.1. Normative References . . . . . . . . . . . . . . . . . . 204 | 13. References | |||
15.2. Informative References . . . . . . . . . . . . . . . . . 206 | 13.1. Normative References | |||
Appendix A. Document History . . . . . . . . . . . . . . . . . . 209 | 13.2. Informative References | |||
Appendix B. Compared to OAuth 2.0 . . . . . . . . . . . . . . . 215 | Appendix A. Comparison with OAuth 2.0 | |||
Appendix C. Example Protocol Flows . . . . . . . . . . . . . . . 217 | Appendix B. Example Protocol Flows | |||
C.1. Redirect-Based User Interaction . . . . . . . . . . . . . 218 | B.1. Redirect-Based User Interaction | |||
C.2. Secondary Device Interaction . . . . . . . . . . . . . . 221 | B.2. Secondary Device Interaction | |||
C.3. No User Involvement . . . . . . . . . . . . . . . . . . . 224 | B.3. No User Involvement | |||
C.4. Asynchronous Authorization . . . . . . . . . . . . . . . 225 | B.4. Asynchronous Authorization | |||
C.5. Applying OAuth 2.0 Scopes and Client IDs . . . . . . . . 229 | B.5. Applying OAuth 2.0 Scopes and Client IDs | |||
Appendix D. Interoperability Profiles . . . . . . . . . . . . . 230 | Appendix C. Interoperability Profiles | |||
D.1. Web-based Redirection . . . . . . . . . . . . . . . . . . 231 | C.1. Web-Based Redirection | |||
D.2. Secondary Device . . . . . . . . . . . . . . . . . . . . 231 | C.2. Secondary Device | |||
Appendix E. Guidance for Extensions . . . . . . . . . . . . . . 232 | Appendix D. Guidance for Extensions | |||
Appendix F. JSON Structures and Polymorphism . . . . . . . . . . 233 | Appendix E. JSON Structures and Polymorphism | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 234 | Acknowledgements | |||
Authors' Addresses | ||||
1. Introduction | 1. Introduction | |||
This protocol allows a piece of software, the client instance, to | GNAP allows a piece of software, the client instance, to request | |||
request delegated authorization to resource servers and subject | delegated authorization to resource servers and subject information. | |||
information. The delegated access to the resource server can be used | The delegated access to the resource server can be used by the client | |||
by the client instance to access resources and APIs on behalf a | instance to access resources and APIs on behalf a resource owner, and | |||
resource owner, and delegated access to subject information can in | delegated access to subject information can in turn be used by the | |||
turn be used by the client instance to make authentication decisions. | client instance to make authentication decisions. This delegation is | |||
This delegation is facilitated by an authorization server usually on | facilitated by an authorization server, usually on behalf of a | |||
behalf of a resource owner. The end user operating the software can | resource owner. The end user operating the software can interact | |||
interact with the authorization server to authenticate, provide | with the authorization server to authenticate, provide consent, and | |||
consent, and authorize the request as a resource owner. | authorize the request as a resource owner. | |||
The process by which the delegation happens is known as a grant, and | The process by which the delegation happens is known as a grant, and | |||
GNAP allows for the negotiation of the grant process over time by | GNAP allows for the negotiation of the grant process over time by | |||
multiple parties acting in distinct roles. | multiple parties acting in distinct roles. | |||
This specification focuses on the portions of the delegation process | This specification focuses on the portions of the delegation process | |||
facing the client instance. In particular, this specification | facing the client instance. In particular, this specification | |||
defines interoperable methods for a client instance to request, | defines interoperable methods for a client instance to request, | |||
negotiate, and receive access to information facilitated by the | negotiate, and receive access to information facilitated by the | |||
authorization server. This specification additionally defines | authorization server. This specification additionally defines | |||
methods for the client instance to access protected resources at a | methods for the client instance to access protected resources at a | |||
resource server. This specification also discusses discovery | resource server. This specification also discusses discovery | |||
mechanisms for the client instance to configure itself dynamically. | mechanisms for the client instance to configure itself dynamically. | |||
The means for an authorization server and resource server to | The means for an authorization server and resource server to | |||
interoperate are discussed in the companion document, | interoperate are discussed in the companion document [GNAP-RS]. | |||
[I-D.ietf-gnap-resource-servers]. | ||||
The focus of this protocol is to provide interoperability between the | The focus of this protocol is to provide interoperability between the | |||
different parties acting in each role, and is not to specify | different parties acting in each role, not to specify implementation | |||
implementation details of each. Where appropriate, GNAP may make | details of each. Where appropriate, GNAP may make recommendations | |||
recommendations about internal implementation details, but these | about internal implementation details, but these recommendations are | |||
recommendations are to ensure the security of the overall deployment | to ensure the security of the overall deployment rather than to be | |||
rather than to be prescriptive in the implementation. | prescriptive in the implementation. | |||
This protocol solves many of the same use cases as OAuth 2.0 | This protocol solves many of the same use cases as OAuth 2.0 | |||
[RFC6749], OpenID Connect [OIDC], and the family of protocols that | [RFC6749], OpenID Connect [OIDC], and the family of protocols that | |||
have grown up around that ecosystem. However, GNAP is not an | have grown up around that ecosystem. However, GNAP is not an | |||
extension of OAuth 2.0 and is not intended to be directly compatible | extension of OAuth 2.0 and is not intended to be directly compatible | |||
with OAuth 2.0. GNAP seeks to provide functionality and solve use | with OAuth 2.0. GNAP seeks to provide functionality and solve use | |||
cases that OAuth 2.0 cannot easily or cleanly address. Appendix B | cases that OAuth 2.0 cannot easily or cleanly address. Appendix A | |||
further details the protocol rationale compared to OAuth 2.0. GNAP | further details the protocol rationale compared to OAuth 2.0. GNAP | |||
and OAuth 2.0 will likely exist in parallel for many deployments, and | and OAuth 2.0 will likely exist in parallel for many deployments, and | |||
considerations have been taken to facilitate the mapping and | considerations have been taken to facilitate the mapping and | |||
transition from existing OAuth 2.0 systems to GNAP. Some examples of | transition from existing OAuth 2.0 systems to GNAP. Some examples of | |||
these can be found in Appendix C.5. | these can be found in Appendix B.5. | |||
1.1. Terminology | 1.1. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
This document contains non-normative examples of partial and complete | This document contains non-normative examples of partial and complete | |||
HTTP messages, JSON structures, URIs, query components, keys, and | HTTP messages, JSON structures, URIs, query components, keys, and | |||
other elements. Whenever possible, the document uses URI as a | other elements. Whenever possible, the document uses URI as a | |||
generic term, since it aligns with [RFC3986] recommendations and | generic term, since it aligns with the recommendations in [RFC3986] | |||
matches better with the intent that the identifier may be reachable | and better matches the intent that the identifier may be reachable | |||
through various/generic means (compared to URLs). Some examples use | through various/generic means (compared to URLs). Some examples use | |||
a single trailing backslash \ to indicate line wrapping for long | a single trailing backslash (\) to indicate line wrapping for long | |||
values, as per [RFC8792]. The \ character and leading spaces on | values, as per [RFC8792]. The \ character and leading spaces on | |||
wrapped lines are not part of the value. | wrapped lines are not part of the value. | |||
This document uses the term "mutual TLS" as defined by [RFC8705]. | This document uses the term "mutual TLS" as defined by [RFC8705]. | |||
The shortened form "MTLS" is used to mean the same thing. | The shortened form "MTLS" is used to mean the same thing. | |||
For brevity, the term "signature" on its own is used in this document | For brevity, the term "signature" on its own is used in this document | |||
to refer to both digital signatures (which use asymmetric | to refer to both digital signatures (which use asymmetric | |||
cryptography) and keyed MACs (which use symmetric cryptography). | cryptography) and keyed MACs (which use symmetric cryptography). | |||
Similarly, the verb "sign" refers to the generation of either a | Similarly, the verb "sign" refers to the generation of either a | |||
digital signature or keyed MAC over a given signature base. The | digital signature or a keyed MAC over a given signature base. The | |||
qualified term "digital signature" refers specifically to the output | qualified term "digital signature" refers specifically to the output | |||
of an asymmetric cryptographic signing operation. | of an asymmetric cryptographic signing operation. | |||
1.2. Roles | 1.2. Roles | |||
The parties in GNAP perform actions under different roles. Roles are | The parties in GNAP perform actions under different roles. Roles are | |||
defined by the actions taken and the expectations leveraged on the | defined by the actions taken and the expectations leveraged on the | |||
role by the overall protocol. | role by the overall protocol. | |||
+-------------+ +------------+ | +-------------+ +------------+ | |||
skipping to change at page 8, line 30 ¶ | skipping to change at line 354 ¶ | |||
â•‘ | Instance | | â•‘ | Instance | | |||
â•‘ +----+-----+ | â•‘ +----+-----+ | |||
â•‘ â•‘ | â•‘ â•‘ | |||
.----+----. â•‘ .----------. | .----+----. â•‘ .----------. | |||
| | +=====+ | | | | +=====+ | | |||
| Resource | | End | | | Resource | | End | | |||
| Owner | ~ ~ ~ ~ ~ ~ | User | | | Owner | ~ ~ ~ ~ ~ ~ | User | | |||
| | | | | | | | | | |||
`---------` `----------` | `---------` `----------` | |||
Legend | Legend: | |||
===== indicates interaction between a human and computer | ===== indicates interaction between a human and computer | |||
----- indicates interaction between two pieces of software | ----- indicates interaction between two pieces of software | |||
~ ~ ~ indicates a potential equivalence or out-of-band | ~ ~ ~ indicates a potential equivalence or out-of-band | |||
communication between roles | communication between roles | |||
Figure 1: Figure 1: Roles in GNAP | Figure 1: Roles in GNAP | |||
Authorization Server (AS): server that grants delegated privileges | Authorization Server (AS): Server that grants delegated privileges | |||
to a particular instance of client software in the form of access | to a particular instance of client software in the form of access | |||
tokens or other information (such as subject information). The AS | tokens or other information (such as subject information). The AS | |||
is uniquely defined by the _grant endpoint URI_, which is the | is uniquely defined by the _grant endpoint URI_, which is the | |||
absolute URI where grant requests are started by clients. | absolute URI where grant requests are started by clients. | |||
Client: application that consumes resources from one or several RSs, | Client: Application that consumes resources from one or several | |||
possibly requiring access privileges from one or several ASs. The | resource servers, possibly requiring access privileges from one or | |||
client is operated by the end user or it runs autonomously on | several ASes. The client is operated by the end user, or it runs | |||
behalf of a resource owner. | autonomously on behalf of a resource owner. | |||
Example: a client can be a mobile application, a web application, | For example, a client can be a mobile application, a web | |||
a back-end data processor, etc. | application, a back-end data processor, etc. | |||
Note: this specification differentiates between a specific | Note: This specification differentiates between a specific | |||
instance (the client instance, identified by its unique key) and | instance (the client instance, identified by its unique key) and | |||
the software running the instance (the client software). For some | the software running the instance (the client software). For some | |||
kinds of client software, there could be many instances of that | kinds of client software, there could be many instances of that | |||
software, each instance with a different key. | software, each instance with a different key. | |||
Resource Server (RS): server that provides an API on protected | Resource Server (RS): Server that provides an API on protected | |||
resources, where operations on the API require a valid access | resources, where operations on the API require a valid access | |||
token issued by a trusted AS. | token issued by a trusted AS. | |||
Resource Owner (RO): subject entity that may grant or deny | Resource Owner (RO): Subject entity that may grant or deny | |||
operations on resources it has authority upon. | operations on resources it has authority upon. | |||
Note: the act of granting or denying an operation may be manual | Note: The act of granting or denying an operation may be manual | |||
(i.e. through an interaction with a physical person) or automatic | (i.e., through an interaction with a physical person) or automatic | |||
(i.e. through predefined organizational rules). | (i.e., through predefined organizational rules). | |||
End user: natural person that operates a client instance. | End user: Natural person that operates a client instance. | |||
Note: that natural person may or may not be the same entity as the | Note: That natural person may or may not be the same entity as the | |||
RO. | RO. | |||
The design of GNAP does not assume any one deployment architecture, | The design of GNAP does not assume any one deployment architecture | |||
but instead attempts to define roles that can be fulfilled in a | but instead attempts to define roles that can be fulfilled in a | |||
number of different ways for different use cases. As long as a given | number of different ways for different use cases. As long as a given | |||
role fulfills all of its obligations and behaviors as defined by the | role fulfills all of its obligations and behaviors as defined by the | |||
protocol, GNAP does not make additional requirements on its structure | protocol, GNAP does not make additional requirements on its structure | |||
or setup. | or setup. | |||
Multiple roles can be fulfilled by the same party, and a given party | Multiple roles can be fulfilled by the same party, and a given party | |||
can switch roles in different instances of the protocol. For | can switch roles in different instances of the protocol. For | |||
example, the RO and end user in many instances are the same person, | example, in many instances, the RO and end user are the same person, | |||
where a user is authorizing the client instance to act on their own | where a user authorizes the client instance to act on their own | |||
behalf at the RS. In this case, one party fulfills both of the RO | behalf at the RS. In this case, one party fulfills the roles of both | |||
and end-user roles, but the roles themselves are still defined | RO and end user, but the roles themselves are still defined | |||
separately from each other to allow for other use cases where they | separately from each other to allow for other use cases where they | |||
are fulfilled by different parties. | are fulfilled by different parties. | |||
For another example, in some complex scenarios, an RS receiving | As another example, in some complex scenarios, an RS receiving | |||
requests from one client instance can act as a client instance for a | requests from one client instance can act as a client instance for a | |||
downstream secondary RS in order to fulfill the original request. In | downstream secondary RS in order to fulfill the original request. In | |||
this case, one piece of software is both an RS and a client instance | this case, one piece of software is both an RS and a client instance | |||
from different perspectives, and it fulfills these roles separately | from different perspectives, and it fulfills these roles separately | |||
as far as the overall protocol is concerned. | as far as the overall protocol is concerned. | |||
A single role need not be deployed as a monolithic service. For | A single role need not be deployed as a monolithic service. For | |||
example, a client instance could have front-end components that are | example, a client instance could have front-end components that are | |||
installed on the end user's device as well as a back-end system that | installed on the end user's device as well as a back-end system that | |||
the front-end communicates with. If both of these components | the front-end communicates with. If both of these components | |||
participate in the delegation protocol, they are both considered part | participate in the delegation protocol, they are both considered part | |||
of the client instance. If there are several copies of the client | of the client instance. If there are several copies of the client | |||
software that run separately but all share the same key material, | software that run separately but all share the same key material, | |||
such as a deployed cluster, then this cluster is considered a single | such as a deployed cluster, then this cluster is considered a single | |||
client instance. In these cases, the distinct components of what is | client instance. In these cases, the distinct components of what is | |||
considered a GNAP client instance may use any number of different | considered a GNAP client instance may use any number of different | |||
communication mechanisms between them, all of which would be | communication mechanisms between them, all of which would be | |||
considered an implementation detail of the client instances and out | considered an implementation detail of the client instances and out | |||
of scope of GNAP. | of scope of GNAP. | |||
For another example, an AS could likewise be built out of many | As another example, an AS could likewise be built out of many | |||
constituent components in a distributed architecture. The component | constituent components in a distributed architecture. The component | |||
that the client instance calls directly could be different from the | that the client instance calls directly could be different from the | |||
component that the RO interacts with to drive consent, since API | component that the RO interacts with to drive consent, since API | |||
calls and user interaction have different security considerations in | calls and user interaction have different security considerations in | |||
many environments. Furthermore, the AS could need to collect | many environments. Furthermore, the AS could need to collect | |||
identity claims about the RO from one system that deals with user | identity claims about the RO from one system that deals with user | |||
attributes while generating access tokens at another system that | attributes while generating access tokens at another system that | |||
deals with security rights. From the perspective of GNAP, all of | deals with security rights. From the perspective of GNAP, all of | |||
these are pieces of the AS and together fulfill the role of the AS as | these are pieces of the AS and together fulfill the role of the AS as | |||
defined by the protocol. These pieces may have their own internal | defined by the protocol. These pieces may have their own internal | |||
communications mechanisms which are considered out of scope of GNAP. | communications mechanisms, which are considered out of scope of GNAP. | |||
1.3. Elements | 1.3. Elements | |||
In addition to the roles above, the protocol also involves several | In addition to the roles above, the protocol also involves several | |||
elements that are acted upon by the roles throughout the process. | elements that are acted upon by the roles throughout the process. | |||
Access Token: a data artifact representing a set of rights and/or | Access Token: A data artifact representing a set of rights and/or | |||
attributes. | attributes. | |||
Note: an access token can be first issued to a client instance | Note: An access token can be first issued to a client instance | |||
(requiring authorization by the RO) and subsequently rotated. | (requiring authorization by the RO) and subsequently rotated. | |||
Grant: (verb): to permit an instance of client software to receive | Grant: (verb): To permit an instance of client software to receive | |||
some attributes at a specific time and valid for a specific | some attributes at a specific time and valid for a specific | |||
duration and/or to exercise some set of delegated rights to access | duration and/or to exercise some set of delegated rights to access | |||
a protected resource; | a protected resource. | |||
(noun): the act of granting permission to a client instance. | (noun): The act of granting permission to a client instance. | |||
Privilege: right or attribute associated with a subject. | Privilege: Right or attribute associated with a subject. | |||
Note: the RO defines and maintains the rights and attributes | Note: The RO defines and maintains the rights and attributes | |||
associated to the protected resource, and might temporarily | associated to the protected resource and might temporarily | |||
delegate some set of those privileges to an end user. This | delegate some set of those privileges to an end user. This | |||
process is refered to as privilege delegation. | process is referred to as "privilege delegation". | |||
Protected Resource: protected API (Application Programming | Protected Resource: Protected API that is served by an RS and that | |||
Interface) served by an RS and that can be accessed by a client, | can be accessed by a client, if and only if a valid and sufficient | |||
if and only if a valid and sufficient access token is provided. | access token is provided. | |||
Note: to avoid complex sentences, the specification document may | Note: To avoid complex sentences, the specification document may | |||
simply refer to "resource" instead of "protected resource". | simply refer to "resource" instead of "protected resource". | |||
Right: ability given to a subject to perform a given operation on a | Right: Ability given to a subject to perform a given operation on a | |||
resource under the control of an RS. | resource under the control of an RS. | |||
Subject: person or organization. The subject decides whether and | Subject: Person or organization. The subject decides whether and | |||
under which conditions its attributes can be disclosed to other | under which conditions its attributes can be disclosed to other | |||
parties. | parties. | |||
Subject Information: set of statements and attributes asserted by an | Subject Information: Set of statements and attributes asserted by an | |||
AS about a subject. These statements can be used by the client | AS about a subject. These statements can be used by the client | |||
instance as part of an authentication decision. | instance as part of an authentication decision. | |||
1.4. Trust relationships | 1.4. Trust Relationships | |||
GNAP defines its trust objective as: "the RO trusts the AS to ensure | GNAP defines its trust objective as: "the RO trusts the AS to ensure | |||
access validation and delegation of protected resources to end users, | access validation and delegation of protected resources to end users, | |||
through third party clients." | through third party clients." | |||
This trust objective can be decomposed into trust relationships | This trust objective can be decomposed into trust relationships | |||
between software elements and roles, especially the pairs end user/ | between software elements and roles, especially the pairs end user/ | |||
RO, end user/client, client/AS, RS/RO, AS/RO, AS/RS. Trust of an | RO, end user/client, client/AS, RS/RO, AS/RO, and AS/RS. Trust of an | |||
agent by its pair can exist if the pair is informed that the agent | agent by its pair can exist if the pair is informed that the agent | |||
has made a promise to follow the protocol in the past (e.g. pre- | has made a promise to follow the protocol in the past (e.g., pre- | |||
registration, uncompromised cryptographic components) or if the pair | registration and uncompromised cryptographic components) or if the | |||
is able to infer by indirect means that the agent has made such a | pair is able to infer by indirect means that the agent has made such | |||
promise (e.g. a compliant client request). Each agent defines its | a promise (e.g., a compliant client request). Each agent defines its | |||
own valuation function of promises given or received. Examples of | own valuation function of promises given or received. Examples of | |||
such valuations can be the benefits from interacting with other | such valuations can be the benefits from interacting with other | |||
agents (e.g. safety in client access, interoperability with identity | agents (e.g., safety in client access and interoperability with | |||
standards), the cost of following the protocol (including its | identity standards), the cost of following the protocol (including | |||
security and privacy requirements and recommendations), a ranking of | its security and privacy requirements and recommendations), a ranking | |||
promise importance (e.g. a policy decision made by the AS), the | of promise importance (e.g., a policy decision made by the AS), the | |||
assessment of one's vulnerability or risk of not being able to defend | assessment of one's vulnerability or risk of not being able to defend | |||
against threats, etc. Those valuations may depend on the context of | against threats, etc. Those valuations may depend on the context of | |||
the request. For instance, the AS may decide to either take into | the request. For instance, depending on the specific case in which | |||
account or discard hints provided by the client, the RS may refuse | GNAP is used, the AS may decide to either take into account or | |||
bearer tokens, etc. depending on the specific case in which GNAP is | discard hints provided by the client, or the RS may refuse bearer | |||
used. Some promises can be affected by previous interactions (e.g., | tokens. Some promises can be affected by previous interactions | |||
repeated requests). | (e.g., repeated requests). | |||
Looking back on each trust relationship: | Below are details of each trust relationship: | |||
* end user/RO: this relationship exists only when the end user and | end user/RO: This relationship exists only when the end user and the | |||
the RO are different, in which case the end user needs some out of | RO are different, in which case the end user needs some out-of- | |||
band mechanism of getting the RO consent (see Section 4). GNAP | band mechanism of getting the RO consent (see Section 4). GNAP | |||
generally assumes that humans can be authenticated thanks to | generally assumes that humans can be authenticated, thanks to | |||
identity protocols (for instance, through an id_token assertion in | identity protocols (for instance, through an id_token assertion as | |||
Section 2.2). | described in Section 2.2). | |||
* end user/client: the client acts as a user agent. Depending on | end user/client: The client acts as a user agent. Depending on the | |||
the technology used (browser, SPA, mobile application, IoT device, | technology used (browser, single-page application (SPA), mobile | |||
etc.), some interactions may or may not be possible (as described | application, Internet of Things (IoT) device, etc.), some | |||
in Section 2.5.1). Client developers implement requirements and | interactions may or may not be possible (as described in | |||
Section 2.5.1). Client developers implement requirements and | ||||
generally some recommendations or best practices, so that the end | generally some recommendations or best practices, so that the end | |||
users may confidently use their software. However, end users | users may confidently use their software. However, end users | |||
might also be facing an attacker's client software or a poorly- | might also face an attacker's client software or a poorly | |||
implemented client, without even realizing it. | implemented client without even realizing it. | |||
* end user/AS: when the client supports the interaction feature (see | end user/AS: When the client supports the interaction feature (see | |||
Section 3.3), the end user interacts with the AS through an AS- | Section 3.3), the end user interacts with the AS through an AS- | |||
provided interface. In many cases, this happens through a front- | provided interface. In many cases, this happens through a front- | |||
channel interaction through the end user's browser. See | channel interaction through the end user's browser. See | |||
Section 13.29 for some considerations in trusting these | Section 11.29 for some considerations in trusting these | |||
interactions. | interactions. | |||
* client/AS: An honest AS may be facing an attacker's client (as | client/AS: An honest AS may face an attacker's client (as discussed | |||
discussed just above), or the reverse, and GNAP aims at making | just above), or the reverse, and GNAP aims to make common attacks | |||
common attacks impractical. The core specification makes access | impractical. The core specification makes access tokens opaque to | |||
tokens opaque to the client and defines the request/response | the client and defines the request/response scheme in detail, | |||
scheme in detail, therefore avoiding extra trust hypotheses from | therefore avoiding extra trust hypotheses from this critical piece | |||
this critical piece of software. Yet the AS may further define | of software. Yet, the AS may further define cryptographic | |||
cryptographic attestations or optional rules to simplify the | attestations or optional rules to simplify the access of clients | |||
access of clients it already trusts, due to past behavior or | it already trusts, due to past behavior or organizational policies | |||
organizational policies (see Section 2.3). | (see Section 2.3). | |||
* RS/RO: the RS promises it protects its resources on behalf of the | RS/RO: On behalf of the RO, the RS promises to protect its resources | |||
RO from unauthorized access, and only accepts valid access tokens | from unauthorized access and only accepts valid access tokens | |||
issued by a trusted AS. In case tokens are key bound, proper | issued by a trusted AS. In case tokens are key bound, proper | |||
validation of the proof method is expected from the RS. | validation of the proof method is expected from the RS. | |||
* AS/RO: the AS is expected to follow the decisions made by the RO, | AS/RO: The AS is expected to follow the decisions made by the RO, | |||
either through interactive consent requests, repeated | through either interactive consent requests, repeated | |||
interactions, or automated rules (as described in Section 1.6). | interactions, or automated rules (as described in Section 1.6). | |||
Privacy considerations aim to reduce the risk of an honest but | Privacy considerations aim to reduce the risk of an honest but | |||
too-curious AS, or the consequences of an unexpected user data | too-curious AS or the consequences of an unexpected user data | |||
exposure. | exposure. | |||
* AS/RS: the AS promises to issue valid access tokens to legitimate | AS/RS: The AS promises to issue valid access tokens to legitimate | |||
client requests (i.e. after carrying out appropriate due | client requests (i.e., after carrying out appropriate due | |||
diligence, as defined in the GNAP protocol). Some optional | diligence, as defined in the GNAP protocol). Some optional | |||
configurations are covered by [I-D.ietf-gnap-resource-servers]. | configurations are covered by [GNAP-RS]. | |||
A global assumption made by GNAP is that authorization requests are | A global assumption made by GNAP is that authorization requests are | |||
security and privacy sensitive, and appropriate measures are | security and privacy sensitive, and appropriate measures are detailed | |||
respectively detailed in Section 13 and Section 14. | in Sections 11 and 12, respectively. | |||
A formal trust model is out of scope of this specification, but one | A formal trust model is out of scope of this specification, but one | |||
could be developed using techniques such as [promise-theory]. | could be developed using techniques such as [promise-theory]. | |||
1.5. Protocol Flow | 1.5. Protocol Flow | |||
GNAP is fundamentally designed to allow delegated access to APIs and | GNAP is fundamentally designed to allow delegated access to APIs and | |||
other information, such as subject information, using a multi-stage, | other information, such as subject information, using a multi-stage, | |||
stateful process. This process allows different parties to provide | stateful process. This process allows different parties to provide | |||
information into the system to alter and augment the state of the | information into the system to alter and augment the state of the | |||
delegated access and its artifacts. | delegated access and its artifacts. | |||
The underlying requested grant moves through several states as | The underlying requested grant moves through several states as | |||
different actions take place during the protocol: | different actions take place during the protocol, as shown in | |||
Figure 2. | ||||
.-----. | .-----. | |||
| | | | | | |||
+------+--+ | Continue | +------+--+ | Continue | |||
.---Need Interaction---->| | | | .---Need Interaction---->| | | | |||
/ | Pending |<--` | / | Pending |<--` | |||
/ .--Finish Interaction--+ | | / .--Finish Interaction--+ | | |||
/ / (approve/deny) +----+----+ | / / (approve/deny) +----+----+ | |||
/ / | | / / | | |||
/ / | Cancel | / / | Cancel | |||
skipping to change at page 14, line 5 ¶ | skipping to change at line 617 ¶ | |||
\ \ | Revoke or | \ \ | Revoke or | |||
\ \ | Finalize | \ \ | Finalize | |||
\ \ +-----+----+ | \ \ +-----+----+ | |||
\ `-----Update---------+ | | \ `-----Update---------+ | | |||
\ | Approved |<--. | \ | Approved |<--. | |||
`-----No Interaction--->| | | | `-----No Interaction--->| | | | |||
+-------+--+ | Continue | +-------+--+ | Continue | |||
| | | | | | |||
`-----` | `-----` | |||
Figure 2: Figure 2: State diagram of a grant request throughout GNAP | Figure 2: State Diagram of a Grant Request throughout GNAP | |||
The state of the grant request is defined and managed by the AS, | The state of the grant request is defined and managed by the AS, | |||
though the client instance also needs to manage its view of the grant | though the client instance also needs to manage its view of the grant | |||
request over time. The means by which these roles manage their state | request over time. The means by which these roles manage their state | |||
is outside the scope of this specification. | are outside the scope of this specification. | |||
_Processing_: When a request for access (Section 2) is received by | _Processing_: When a request for access (Section 2) is received by | |||
the AS, a new grant request is created and placed in the | the AS, a new grant request is created and placed in the | |||
_processing_ state by the AS. This state is also entered when an | _processing_ state by the AS. This state is also entered when an | |||
existing grant request is updated by the client instance and when | existing grant request is updated by the client instance and when | |||
interaction is completed. In this state, the AS processes the | interaction is completed. In this state, the AS processes the | |||
context of the grant request to determine whether interaction with | context of the grant request to determine whether interaction with | |||
the end user or RO is required for approval of the request. The | the end user or RO is required for approval of the request. The | |||
grant request has to exit this state before a response can be | grant request has to exit this state before a response can be | |||
returned to the client instance. If approval is required, the | returned to the client instance. If approval is required, the | |||
request moves to the _pending_ state and the AS returns a continue | request moves to the _pending_ state, and the AS returns a | |||
response (Section 3.1) along with any appropriate interaction | continue response (Section 3.1) along with any appropriate | |||
responses (Section 3.3). If no such approval is required, such as | interaction responses (Section 3.3). If no such approval is | |||
when the client instance is acting on its own behalf or the AS can | required, such as when the client instance is acting on its own | |||
determine that access has been fulfilled, the request moves to the | behalf or the AS can determine that access has been fulfilled, the | |||
_approved_ state where access tokens for API access (Section 3.2) | request moves to the _approved_ state where access tokens for API | |||
and subject information (Section 3.4) can be issued to the client | access (Section 3.2) and subject information (Section 3.4) can be | |||
instance. If the AS determines that no additional processing can | issued to the client instance. If the AS determines that no | |||
occur (such as a timeout or an unrecoverable error), the grant | additional processing can occur (such as a timeout or an | |||
request is moved to the _finalized_ state and is terminated. | unrecoverable error), the grant request is moved to the | |||
_finalized_ state and is terminated. | ||||
_Pending_: When a request needs to be approved by a RO, or | _Pending_: When a request needs to be approved by an RO, or | |||
interaction with the end user is required, the grant request | interaction with the end user is required, the grant request | |||
enters a state of _pending_. In this state, no access tokens can | enters a state of _pending_. In this state, no access tokens can | |||
be granted and no subject information can be released to the | be granted, and no subject information can be released to the | |||
client instance. While a grant request is in this state, the AS | client instance. While a grant request is in this state, the AS | |||
seeks to gather the required consent and authorization (Section 4) | seeks to gather the required consent and authorization (Section 4) | |||
for the requested access. A grant request in this state is always | for the requested access. A grant request in this state is always | |||
associated with a _continuation access token_ bound to the client | associated with a _continuation access token_ bound to the client | |||
instance's key (see Section 3.1 for details of the continuation | instance's key (see Section 3.1 for details of the continuation | |||
access token). If no interaction finish method (Section 2.5.2) is | access token). If no interaction finish method (Section 2.5.2) is | |||
associated with this request, the client instance can send a | associated with this request, the client instance can send a | |||
polling continue request (Section 5.2) to the AS. This returns a | polling continue request (Section 5.2) to the AS. This returns a | |||
continue response (Section 3.1) while the grant request remains in | continue response (Section 3.1) while the grant request remains in | |||
this state, allowing the client instance to continue to check the | this state, allowing the client instance to continue to check the | |||
skipping to change at page 15, line 9 ¶ | skipping to change at line 671 ¶ | |||
client instance can continue the request after interaction | client instance can continue the request after interaction | |||
(Section 5.1) to the AS to move this request to the _processing_ | (Section 5.1) to the AS to move this request to the _processing_ | |||
state to be re-evaluated by the AS. Note that this occurs whether | state to be re-evaluated by the AS. Note that this occurs whether | |||
the grant request has been approved or denied by the RO, since the | the grant request has been approved or denied by the RO, since the | |||
AS needs to take into account the full context of the request | AS needs to take into account the full context of the request | |||
before determining the next step for the grant request. When | before determining the next step for the grant request. When | |||
other information is made available in the context of the grant | other information is made available in the context of the grant | |||
request, such as through the asynchronous actions of the RO, the | request, such as through the asynchronous actions of the RO, the | |||
AS moves this request to the _processing_ state to be re- | AS moves this request to the _processing_ state to be re- | |||
evaluated. If the AS determines that no additional interaction | evaluated. If the AS determines that no additional interaction | |||
can occur, such as all the interaction methods have timed out or a | can occur, e.g., all the interaction methods have timed out or a | |||
revocation request (Section 5.4) is received from the client | revocation request (Section 5.4) is received from the client | |||
instance, the grant request can be moved to the _finalized_ state. | instance, the grant request can be moved to the _finalized_ state. | |||
_Approved_: When a request has been approved by an RO and no further | _Approved_: When a request has been approved by an RO and no further | |||
interaction with the end user is required, the grant request | interaction with the end user is required, the grant request | |||
enters a state of _approved_. In this state, responses to the | enters a state of _approved_. In this state, responses to the | |||
client instance can include access tokens for API access | client instance can include access tokens for API access | |||
(Section 3.2) and subject information (Section 3.4). If | (Section 3.2) and subject information (Section 3.4). If | |||
continuation and updates are allowed for this grant request, the | continuation and updates are allowed for this grant request, the | |||
AS can include the continuation response (Section 3.1). In this | AS can include the continuation response (Section 3.1). In this | |||
skipping to change at page 15, line 31 ¶ | skipping to change at line 693 ¶ | |||
not allowed and will result in an error, since all interaction is | not allowed and will result in an error, since all interaction is | |||
assumed to have been completed. If the client instance sends a | assumed to have been completed. If the client instance sends a | |||
polling continue request (Section 5.2) while the request is in | polling continue request (Section 5.2) while the request is in | |||
this state, new access tokens (Section 3.2) can be issued in the | this state, new access tokens (Section 3.2) can be issued in the | |||
response. Note that this always creates a new access token, but | response. Note that this always creates a new access token, but | |||
any existing access tokens could be rotated and revoked using the | any existing access tokens could be rotated and revoked using the | |||
token management API (Section 6). The client instance can send an | token management API (Section 6). The client instance can send an | |||
update continuation request (Section 5.3) to modify the requested | update continuation request (Section 5.3) to modify the requested | |||
access, causing the AS to move the request back to the | access, causing the AS to move the request back to the | |||
_processing_ state for re-evaluation. If the AS determines that | _processing_ state for re-evaluation. If the AS determines that | |||
no additional tokens can be issued, and that no additional updates | no additional tokens can be issued and that no additional updates | |||
are to be accepted (such as the continuation access tokens have | are to be accepted (e.g., the continuation access tokens have | |||
expired), the grant is moved to the _finalized_ state. | expired), the grant is moved to the _finalized_ state. | |||
_Finalized_: After the access tokens are issued, if the AS does not | _Finalized_: After the access tokens are issued, if the AS does not | |||
allow any additional updates on the grant request, the grant | allow any additional updates on the grant request, the grant | |||
request enters the _finalized_ state. This state is also entered | request enters the _finalized_ state. This state is also entered | |||
when an existing grant request is revoked by the client instance | when an existing grant request is revoked by the client instance | |||
(Section 5.4) or otherwise revoked by the AS (such as through out- | (Section 5.4) or otherwise revoked by the AS (such as through out- | |||
of-band action by the RO). This state can also be entered if the | of-band action by the RO). This state can also be entered if the | |||
AS determines that no additional processing is possible, for | AS determines that no additional processing is possible, for | |||
example if the RO has denied the requested access or if | example, if the RO has denied the requested access or if | |||
interaction is required but no compatible interaction methods are | interaction is required but no compatible interaction methods are | |||
available. Once in this state, no new access tokens can be | available. Once in this state, no new access tokens can be | |||
issued, no subject information can be returned, and no | issued, no subject information can be returned, and no | |||
interactions can take place. Once in this state, the grant | interactions can take place. Once in this state, the grant | |||
request is dead and cannot be revived. If future access is | request is dead and cannot be revived. If future access is | |||
desired by the client instance, a new grant request can be | desired by the client instance, a new grant request can be | |||
created, unrelated to this grant request. | created, unrelated to this grant request. | |||
While it is possible to deploy an AS in a stateless environment, GNAP | While it is possible to deploy an AS in a stateless environment, GNAP | |||
is a stateful protocol and such deployments will need a way to manage | is a stateful protocol, and such deployments will need a way to | |||
the current state of the grant request in a secure and deterministic | manage the current state of the grant request in a secure and | |||
fashion without relying on other components, such as the client | deterministic fashion without relying on other components, such as | |||
software, to keep track of the current state. | the client software, to keep track of the current state. | |||
1.6. Sequences | 1.6. Sequences | |||
GNAP can be used in a variety of ways to allow the core delegation | GNAP can be used in a variety of ways to allow the core delegation | |||
process to take place. Many portions of this process are | process to take place. Many portions of this process are | |||
conditionally present depending on the context of the deployments, | conditionally present depending on the context of the deployments, | |||
and not every step in this overview will happen in all circumstances. | and not every step in this overview will happen in all circumstances. | |||
Note that a connection between roles in this process does not | Note that a connection between roles in this process does not | |||
necessarily indicate that a specific protocol message is sent across | necessarily indicate that a specific protocol message is sent across | |||
the wire between the components fulfilling the roles in question, or | the wire between the components fulfilling the roles in question or | |||
that a particular step is required every time. For example, for a | that a particular step is required every time. For example, for a | |||
client instance interested in only getting subject information | client instance interested in only getting subject information | |||
directly, and not calling an RS, all steps involving the RS below do | directly and not calling an RS, all steps involving the RS below do | |||
not apply. | not apply. | |||
In some circumstances, the information needed at a given stage is | In some circumstances, the information needed at a given stage is | |||
communicated out of band or is preconfigured between the components | communicated out of band or is pre-configured between the components | |||
or entities performing the roles. For example, one entity can | or entities performing the roles. For example, one entity can | |||
fulfill multiple roles, and so explicit communication between the | fulfill multiple roles, so explicit communication between the roles | |||
roles is not necessary within the protocol flow. Additionally some | is not necessary within the protocol flow. Additionally, some | |||
components may not be involved in all use cases. For example, a | components may not be involved in all use cases. For example, a | |||
client instance could be calling the AS just to get direct user | client instance could be calling the AS just to get direct user | |||
information and have no need to get an access token to call an RS. | information and have no need to get an access token to call an RS. | |||
1.6.1. Overall Protocol Sequence | 1.6.1. Overall Protocol Sequence | |||
The following diagram provides a general overview of GNAP, including | The following diagram provides a general overview of GNAP, including | |||
many different optional phases and connections. The diagrams in the | many different optional phases and connections. The diagrams in the | |||
following sections provide views of GNAP under more specific | following sections provide views of GNAP under more specific | |||
circumstances. These additional diagrams use the same conventions as | circumstances. These additional diagrams use the same conventions as | |||
skipping to change at page 17, line 37 ¶ | skipping to change at line 783 ¶ | |||
| | | | | | | | | | | | | | |||
| +--(9)-->| | | | | | +--(9)-->| | | | | |||
| |<-(10)--+ | | | | | |<-(10)--+ | | | | |||
| | | | | | | | | | | | | | |||
| +---------------(11)------------>| | | | +---------------(11)------------>| | | |||
| | | | (12) | | | | | | | (12) | | | |||
| +--(13)->| | | | | | +--(13)->| | | | | |||
| | | | | | | | | | | | | | |||
+--------+ +---------------+ +------------+ | +--------+ +---------------+ +------------+ | |||
Legend | Legend: | |||
===== indicates a possible interaction with a human | ===== indicates a possible interaction with a human | |||
----- indicates an interaction between protocol roles | ----- indicates an interaction between protocol roles | |||
~ ~ ~ indicates a potential equivalence or out-of-band | ~ ~ ~ indicates a potential equivalence or out-of-band | |||
communication between roles | communication between roles | |||
Figure 3: Figure 3: Overall sequence of GNAP | Figure 3: Overall Sequence of GNAP | |||
* (A) The end user interacts with the client instance to indicate a | * (A) The end user interacts with the client instance to indicate a | |||
need for resources on behalf of the RO. This could identify the | need for resources on behalf of the RO. This could identify the | |||
RS the client instance needs to call, the resources needed, or the | RS that the client instance needs to call, the resources needed, | |||
RO that is needed to approve the request. Note that the RO and | or the RO that is needed to approve the request. Note that the RO | |||
end user are often the same entity in practice, but GNAP makes no | and end user are often the same entity in practice, but GNAP makes | |||
general assumption that they are. | no general assumption that they are. | |||
* (1) The client instance determines what access is needed and which | * (1) The client instance determines what access is needed and which | |||
AS to approach for access. Note that for most situations, the | AS to approach for access. Note that for most situations, the | |||
client instance is pre-configured with which AS to talk to and | client instance is pre-configured with which AS to talk to and | |||
which kinds of access it needs, but some more dynamic processes | which kinds of access it needs, but some more dynamic processes | |||
are discussed in Section 9.1. | are discussed in Section 9.1. | |||
* (2) The client instance requests access at the AS (Section 2). | * (2) The client instance requests access at the AS (Section 2). | |||
* (3) The AS processes the request and determines what is needed to | * (3) The AS processes the request and determines what is needed to | |||
fulfill the request (See Section 4). The AS sends its response to | fulfill the request (see Section 4). The AS sends its response to | |||
the client instance (Section 3). | the client instance (Section 3). | |||
* (B) If interaction is required, the AS interacts with the RO | * (B) If interaction is required, the AS interacts with the RO | |||
(Section 4) to gather authorization. The interactive component of | (Section 4) to gather authorization. The interactive component of | |||
the AS can function using a variety of possible mechanisms | the AS can function using a variety of possible mechanisms, | |||
including web page redirects, applications, challenge/response | including web page redirects, applications, challenge/response | |||
protocols, or other methods. The RO approves the request for the | protocols, or other methods. The RO approves the request for the | |||
client instance being operated by the end user. Note that the RO | client instance being operated by the end user. Note that the RO | |||
and end user are often the same entity in practice, and many of | and end user are often the same entity in practice, and many of | |||
GNAP's interaction methods allow the client instance to facilitate | GNAP's interaction methods allow the client instance to facilitate | |||
the end user interacting with the AS in order to fulfill the role | the end user interacting with the AS in order to fulfill the role | |||
of the RO. | of the RO. | |||
* (4) The client instance continues the grant at the AS (Section 5). | * (4) The client instance continues the grant at the AS (Section 5). | |||
This action could occur in response to receiving a signal that | This action could occur in response to receiving a signal that | |||
interaction has finished (Section 4.2) or through a periodic | interaction has finished (Section 4.2) or through a periodic | |||
polling mechanism, depending on the interaction capabilities of | polling mechanism, depending on the interaction capabilities of | |||
the client software and the options active in the grant request. | the client software and the options active in the grant request. | |||
* (5) If the AS determines that access can be granted, it returns a | * (5) If the AS determines that access can be granted, it returns a | |||
response to the client instance (Section 3) including an access | response to the client instance (Section 3), including an access | |||
token (Section 3.2) for calling the RS and any directly returned | token (Section 3.2) for calling the RS and any directly returned | |||
information (Section 3.4) about the RO. | information (Section 3.4) about the RO. | |||
* (6) The client instance uses the access token (Section 7.2) to | * (6) The client instance uses the access token (Section 7.2) to | |||
call the RS. | call the RS. | |||
* (7) The RS determines if the token is sufficient for the request | * (7) The RS determines if the token is sufficient for the request | |||
by examining the token. The means of the RS determining this | by examining the token. The means of the RS determining this | |||
access are out of scope of this specification, but some options | access are out of scope of this specification, but some options | |||
are discussed in [I-D.ietf-gnap-resource-servers]. | are discussed in [GNAP-RS]. | |||
* (8) The client instance calls the RS (Section 7.2) using the | * (8) The client instance calls the RS (Section 7.2) using the | |||
access token until the RS or client instance determine that the | access token until the RS or client instance determines that the | |||
token is no longer valid. | token is no longer valid. | |||
* (9) When the token no longer works, the client instance rotates | * (9) When the token no longer works, the client instance rotates | |||
the access token (Section 6.1). | the access token (Section 6.1). | |||
* (10) The AS issues a new access token (Section 3.2) to the client | * (10) The AS issues a new access token (Section 3.2) to the client | |||
instance with the same rights as the original access token | instance with the same rights as the original access token | |||
returned in (5). | returned in (5). | |||
* (11) The client instance uses the new access token (Section 7.2) | * (11) The client instance uses the new access token (Section 7.2) | |||
to call the RS. | to call the RS. | |||
* (12) The RS determines if the new token is sufficient for the | * (12) The RS determines if the new token is sufficient for the | |||
request, as in (7). | request, as in (7). | |||
* (13) The client instance disposes of the token (Section 6.2) once | * (13) The client instance disposes of the token (Section 6.2) once | |||
the client instance has completed its access of the RS and no | the client instance has completed its access of the RS and no | |||
longer needs the token. | longer needs the token. | |||
The following sections and Appendix C contain specific guidance on | The following sections and Appendix B contain specific guidance on | |||
how to use GNAP in different situations and deployments. For | how to use GNAP in different situations and deployments. For | |||
example, it is possible for the client instance to never request an | example, it is possible for the client instance to never request an | |||
access token and never call an RS, just as it is possible to have no | access token and never call an RS, just as it is possible to have no | |||
end user involved in the delegation process. | end user involved in the delegation process. | |||
1.6.2. Redirect-based Interaction | 1.6.2. Redirect-Based Interaction | |||
In this example flow, the client instance is a web application that | In this example flow, the client instance is a web application that | |||
wants access to resources on behalf of the current user, who acts as | wants access to resources on behalf of the current user, who acts as | |||
both the end user and the resource owner (RO). Since the client | both the end user and the resource owner (RO). Since the client | |||
instance is capable of directing the user to an arbitrary URI and | instance is capable of directing the user to an arbitrary URI and | |||
receiving responses from the user's browser, interaction here is | receiving responses from the user's browser, interaction here is | |||
handled through front-channel redirects using the user's browser. | handled through front-channel redirects using the user's browser. | |||
The redirection URI used for interaction is a service hosted by the | The redirection URI used for interaction is a service hosted by the | |||
AS in this example. The client instance uses a persistent session | AS in this example. The client instance uses a persistent session | |||
with the user to ensure the same user that is starting the | with the user to ensure the same user that is starting the | |||
skipping to change at page 20, line 35 ¶ | skipping to change at line 910 ¶ | |||
| | | | | | | | | | |||
| |<-(9)----- Grant Access ----------+ | | | |<-(9)----- Grant Access ----------+ | | |||
| | | | | | | | | | |||
| | | | +--------+ | | | | | +--------+ | |||
| +--(10)-- Access API ---------------------------->| RS | | | +--(10)-- Access API ---------------------------->| RS | | |||
| | | | | | | | | | | | | | |||
| |<-(11)-- API Response ---------------------------| | | | |<-(11)-- API Response ---------------------------| | | |||
| | | | +--------+ | | | | | +--------+ | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 4: Figure 4: Diagram of a redirect-based interaction | Figure 4: Diagram of a Redirect-Based Interaction | |||
1. The client instance establishes a session with the user, in the | 1. The client instance establishes a session with the user, in the | |||
role of the end user. | role of the end user. | |||
2. The client instance requests access to the resource (Section 2). | 2. The client instance requests access to the resource (Section 2). | |||
The client instance indicates that it can redirect to an | The client instance indicates that it can redirect to an | |||
arbitrary URI (Section 2.5.1.1) and receive a redirect from the | arbitrary URI (Section 2.5.1.1) and receive a redirect from the | |||
browser (Section 2.5.2.1). The client instance stores | browser (Section 2.5.2.1). The client instance stores | |||
verification information for its redirect in the session created | verification information for its redirect in the session created | |||
in (1). | in (1). | |||
skipping to change at page 21, line 45 ¶ | skipping to change at line 962 ¶ | |||
the hash validates. Note that the client instance needs to | the hash validates. Note that the client instance needs to | |||
ensure that the parameters for the incoming request match those | ensure that the parameters for the incoming request match those | |||
that it is expecting from the session created in (1). The | that it is expecting from the session created in (1). The | |||
client instance also needs to be prepared for the end user never | client instance also needs to be prepared for the end user never | |||
being returned to the client instance and handle timeouts | being returned to the client instance and handle timeouts | |||
appropriately. | appropriately. | |||
8. The client instance loads the continuation information from (3) | 8. The client instance loads the continuation information from (3) | |||
and sends the interaction reference from (7) in a request to | and sends the interaction reference from (7) in a request to | |||
continue the request (Section 5.1). The AS validates the | continue the request (Section 5.1). The AS validates the | |||
interaction reference ensuring that the reference is associated | interaction reference, ensuring that the reference is associated | |||
with the request being continued. | with the request being continued. | |||
9. If the request has been authorized, the AS grants access to the | 9. If the request has been authorized, the AS grants access to the | |||
information in the form of access tokens (Section 3.2) and | information in the form of access tokens (Section 3.2) and | |||
direct subject information (Section 3.4) to the client instance. | direct subject information (Section 3.4) to the client instance. | |||
10. The client instance uses the access token (Section 7.2) to call | 10. The client instance uses the access token (Section 7.2) to call | |||
the RS. | the RS. | |||
11. The RS validates the access token and returns an appropriate | 11. The RS validates the access token and returns an appropriate | |||
response for the API. | response for the API. | |||
An example set of protocol messages for this method can be found in | An example set of protocol messages for this method can be found in | |||
Appendix C.1. | Appendix B.1. | |||
1.6.3. User-code Interaction | 1.6.3. User Code Interaction | |||
In this example flow, the client instance is a device that is capable | In this example flow, the client instance is a device that is capable | |||
of presenting a short, human-readable code to the user and directing | of presenting a short, human-readable code to the user and directing | |||
the user to enter that code at a known URI. The user enters the code | the user to enter that code at a known URI. The user enters the code | |||
at a URI that is an interactive service hosted by the AS in this | at a URI that is an interactive service hosted by the AS in this | |||
example. The client instance is not capable of presenting an | example. The client instance is not capable of presenting an | |||
arbitrary URI to the user, nor is it capable of accepting incoming | arbitrary URI to the user, nor is it capable of accepting incoming | |||
HTTP requests from the user's browser. The client instance polls the | HTTP requests from the user's browser. The client instance polls the | |||
AS while it is waiting for the RO to authorize the request. The | AS while it is waiting for the RO to authorize the request. The | |||
user's interaction is assumed to occur on a secondary device. In | user's interaction is assumed to occur on a secondary device. In | |||
this example it is assumed that the user is both the end user and RO. | this example, it is assumed that the user is both the end user and | |||
Note that since the user is not assumed to be interacting with the | RO. Note that since the user is not assumed to be interacting with | |||
client instance through the same web browser used for interaction at | the client instance through the same web browser used for interaction | |||
the AS, the user is not shown as being connected to the client | at the AS, the user is not shown as being connected to the client | |||
instance in this diagram. | instance in this diagram. | |||
+--------+ +--------+ .----. | +--------+ +--------+ .----. | |||
| Client | | AS | | End | | | Client | | AS | | End | | |||
|Instance+--(1)--- Request Access --------->| | | User | | |Instance+--(1)--- Request Access --------->| | | User | | |||
| | | | | | | | | | | | | | |||
| |<-(2)-- Interaction Needed -------+ | | | | | |<-(2)-- Interaction Needed -------+ | | | | |||
| | | | | | | | | | | | | | |||
| +==(3)==== Display User Code ========================>| | | | +==(3)==== Display User Code ========================>| | | |||
| | | | | | | | | | | | | | |||
skipping to change at page 23, line 39 ¶ | skipping to change at line 1029 ¶ | |||
| | | | | User | | | | | | | User | | |||
| |<-(12)----- Grant Access ---------+ | `----` | | |<-(12)----- Grant Access ---------+ | `----` | |||
| | | | | | | | | | |||
| | | | +--------+ | | | | | +--------+ | |||
| +--(13)-- Access API ---------------------------->| RS | | | +--(13)-- Access API ---------------------------->| RS | | |||
| | | | | | | | | | | | | | |||
| |<-(14)-- API Response ---------------------------+ | | | |<-(14)-- API Response ---------------------------+ | | |||
| | | | +--------+ | | | | | +--------+ | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 5: Figure 5: Diagram of a user-code-based interaction | Figure 5: Diagram of a User-Code-Based Interaction | |||
1. The client instance requests access to the resource (Section 2). | 1. The client instance requests access to the resource (Section 2). | |||
The client instance indicates that it can display a user code | The client instance indicates that it can display a user code | |||
(Section 2.5.1.3). | (Section 2.5.1.3). | |||
2. The AS determines that interaction is needed and responds | 2. The AS determines that interaction is needed and responds | |||
(Section 3) with a user code to communicate to the user | (Section 3) with a user code to communicate to the user | |||
(Section 3.3.3). The AS also includes information the client | (Section 3.3.3). The AS also includes information the client | |||
instance will need to continue the request (Section 3.1) in (8) | instance will need to continue the request (Section 3.1) in (8) | |||
and (10). The AS associates this continuation information with | and (10). The AS associates this continuation information with | |||
skipping to change at page 25, line 12 ¶ | skipping to change at line 1097 ¶ | |||
information in the form of access tokens (Section 3.2) and | information in the form of access tokens (Section 3.2) and | |||
direct subject information (Section 3.4) to the client instance. | direct subject information (Section 3.4) to the client instance. | |||
13. The client instance uses the access token (Section 7.2) to call | 13. The client instance uses the access token (Section 7.2) to call | |||
the RS. | the RS. | |||
14. The RS validates the access token and returns an appropriate | 14. The RS validates the access token and returns an appropriate | |||
response for the API. | response for the API. | |||
An example set of protocol messages for this method can be found in | An example set of protocol messages for this method can be found in | |||
Appendix C.2. | Appendix B.2. | |||
1.6.4. Asynchronous Authorization | 1.6.4. Asynchronous Authorization | |||
In this example flow, the end user and RO roles are fulfilled by | In this example flow, the end user and RO roles are fulfilled by | |||
different parties, and the RO does not interact with the client | different parties, and the RO does not interact with the client | |||
instance. The AS reaches out asynchronously to the RO during the | instance. The AS reaches out asynchronously to the RO during the | |||
request process to gather the RO's authorization for the client | request process to gather the RO's authorization for the client | |||
instance's request. The client instance polls the AS while it is | instance's request. The client instance polls the AS while it is | |||
waiting for the RO to authorize the request. | waiting for the RO to authorize the request. | |||
skipping to change at page 25, line 48 ¶ | skipping to change at line 1133 ¶ | |||
| | | | | | | | | | |||
| |<-(9)------ Grant Access ---------+ | | | |<-(9)------ Grant Access ---------+ | | |||
| | | | | | | | | | |||
| | | | +--------+ | | | | | +--------+ | |||
| +--(10)-- Access API ---------------------------->| RS | | | +--(10)-- Access API ---------------------------->| RS | | |||
| | | | | | | | | | | | | | |||
| |<-(11)-- API Response ---------------------------+ | | | |<-(11)-- API Response ---------------------------+ | | |||
| | | | +--------+ | | | | | +--------+ | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 6: Figure 6: Diagram of an asynchronous authorization | Figure 6: Diagram of an Asynchronous Authorization Process, with | |||
process, with no end user interaction | No End-User Interaction | |||
1. The client instance requests access to the resource (Section 2). | 1. The client instance requests access to the resource (Section 2). | |||
The client instance does not send any interaction modes to the | The client instance does not send any interaction modes to the | |||
server, indicating that it does not expect to interact with the | server, indicating that it does not expect to interact with the | |||
RO. The client instance can also signal which RO it requires | RO. The client instance can also signal which RO it requires | |||
authorization from, if known, by using the subject request | authorization from, if known, by using the subject request | |||
(Section 2.2) and user request (Section 2.4) sections. It's | section (Section 2.2) and user request section (Section 2.4). | |||
also possible for the AS to determine which RO needs to be | It's also possible for the AS to determine which RO needs to be | |||
contacted by the nature of what access is being requested. | contacted by the nature of what access is being requested. | |||
2. The AS determines that interaction is needed, but the client | 2. The AS determines that interaction is needed, but the client | |||
instance cannot interact with the RO. The AS responds | instance cannot interact with the RO. The AS responds | |||
(Section 3) with the information the client instance will need | (Section 3) with the information the client instance will need | |||
to continue the request (Section 3.1) in (6) and (8), including | to continue the request (Section 3.1) in (6) and (8), including | |||
a signal that the client instance should wait before checking | a signal that the client instance should wait before checking | |||
the status of the request again. The AS associates this | the status of the request again. The AS associates this | |||
continuation information with an ongoing request that will be | continuation information with an ongoing request that will be | |||
referenced in (3), (4), (5), (6), and (8). | referenced in (3), (4), (5), (6), and (8). | |||
skipping to change at page 27, line 16 ¶ | skipping to change at line 1196 ¶ | |||
information in the form of access tokens (Section 3.2) and | information in the form of access tokens (Section 3.2) and | |||
direct subject information (Section 3.4) to the client instance. | direct subject information (Section 3.4) to the client instance. | |||
10. The client instance uses the access token (Section 7.2) to call | 10. The client instance uses the access token (Section 7.2) to call | |||
the RS. | the RS. | |||
11. The RS validates the access token and returns an appropriate | 11. The RS validates the access token and returns an appropriate | |||
response for the API. | response for the API. | |||
An example set of protocol messages for this method can be found in | An example set of protocol messages for this method can be found in | |||
Appendix C.4. | Appendix B.4. | |||
Additional considerations for asynchronous interactions like this are | Additional considerations for asynchronous interactions like this are | |||
discussed in Section 13.36. | discussed in Section 11.36. | |||
1.6.5. Software-only Authorization | 1.6.5. Software-Only Authorization | |||
In this example flow, the AS policy allows the client instance to | In this example flow, the AS policy allows the client instance to | |||
make a call on its own behalf, without the need for an RO to be | make a call on its own behalf, without the need for an RO to be | |||
involved at runtime to approve the decision. Since there is no | involved at runtime to approve the decision. Since there is no | |||
explicit RO, the client instance does not interact with an RO. | explicit RO, the client instance does not interact with an RO. | |||
+--------+ +--------+ | +--------+ +--------+ | |||
| Client | | AS | | | Client | | AS | | |||
|Instance+--(1)--- Request Access --->| | | |Instance+--(1)--- Request Access --->| | | |||
| | | | | | | | | | |||
| |<-(2)---- Grant Access -----+ | | | |<-(2)---- Grant Access -----+ | | |||
| | | | +--------+ | | | | | +--------+ | |||
| +--(3)--- Access API ------------------->| RS | | | +--(3)--- Access API ------------------->| RS | | |||
| | | | | | | | | | | | | | |||
| |<-(4)--- API Response ------------------+ | | | |<-(4)--- API Response ------------------+ | | |||
| | | | +--------+ | | | | | +--------+ | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 7: Figure 7: Diagram of a software-only authorization, | Figure 7: Diagram of a Software-Only Authorization, with No End | |||
with no end user or explicit resource owner | User or Explicit Resource Owner | |||
1. The client instance requests access to the resource (Section 2). | 1. The client instance requests access to the resource (Section 2). | |||
The client instance does not send any interaction modes to the | The client instance does not send any interaction modes to the | |||
server. | server. | |||
2. The AS determines that the request has been authorized based on | 2. The AS determines that the request has been authorized based on | |||
the identity of the client instance making the request and the | the identity of the client instance making the request and the | |||
access requested (Section 2.1). The AS grants access to the | access requested (Section 2.1). The AS grants access to the | |||
resource in the form of access tokens (Section 3.2) to the client | resource in the form of access tokens (Section 3.2) to the client | |||
instance. Note that direct subject information (Section 3.4) is | instance. Note that direct subject information (Section 3.4) is | |||
not generally applicable in this use case, as there is no user | not generally applicable in this use case, as there is no user | |||
involved. | involved. | |||
3. The client instance uses the access token (Section 7.2) to call | 3. The client instance uses the access token (Section 7.2) to call | |||
the RS. | the RS. | |||
4. The RS validates the access token and returns an appropriate | 4. The RS validates the access token and returns an appropriate | |||
response for the API. | response for the API. | |||
An example set of protocol messages for this method can be found in | An example set of protocol messages for this method can be found in | |||
Appendix C.3. | Appendix B.3. | |||
1.6.6. Refreshing an Expired Access Token | 1.6.6. Refreshing an Expired Access Token | |||
In this example flow, the client instance receives an access token to | In this example flow, the client instance receives an access token to | |||
access a resource server through some valid GNAP process. The client | access a resource server through some valid GNAP process. The client | |||
instance uses that token at the RS for some time, but eventually the | instance uses that token at the RS for some time, but eventually the | |||
access token expires. The client instance then gets a refreshed | access token expires. The client instance then gets a refreshed | |||
access token by rotating the expired access token's value at the AS | access token by rotating the expired access token's value at the AS | |||
using the token management API. | using the token management API. | |||
skipping to change at page 29, line 29 ¶ | skipping to change at line 1277 ¶ | |||
| | | | | | | | | | | | | | |||
| |<-(6)--- Error Response -----+ | | | | | |<-(6)--- Error Response -----+ | | | | |||
| | +--------+ | | | | | +--------+ | | | |||
| | | | | | | | | | |||
| +--(7)--- Rotate Token ------------------->| | | | +--(7)--- Rotate Token ------------------->| | | |||
| | | | | | | | | | |||
| |<-(8)--- Rotated Token -------------------+ | | | |<-(8)--- Rotated Token -------------------+ | | |||
| | | | | | | | | | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 8: Figure 8: Diagram of the process of refreshing an | Figure 8: Diagram of the Process of Refreshing an Access Token | |||
access token | ||||
1. The client instance requests access to the resource (Section 2). | 1. The client instance requests access to the resource (Section 2). | |||
2. The AS grants access to the resource (Section 3) with an access | 2. The AS grants access to the resource (Section 3) with an access | |||
token (Section 3.2) usable at the RS. The access token response | token (Section 3.2) usable at the RS. The access token response | |||
includes a token management URI. | includes a token management URI. | |||
3. The client instance uses the access token (Section 7.2) to call | 3. The client instance uses the access token (Section 7.2) to call | |||
the RS. | the RS. | |||
skipping to change at page 30, line 8 ¶ | skipping to change at line 1301 ¶ | |||
5. Time passes and the client instance uses the access token to call | 5. Time passes and the client instance uses the access token to call | |||
the RS again. | the RS again. | |||
6. The RS validates the access token and determines that the access | 6. The RS validates the access token and determines that the access | |||
token is expired. The RS responds to the client instance with an | token is expired. The RS responds to the client instance with an | |||
error. | error. | |||
7. The client instance calls the token management URI returned in | 7. The client instance calls the token management URI returned in | |||
(2) to rotate the access token (Section 6.1). The client | (2) to rotate the access token (Section 6.1). The client | |||
instance uses the access token (Section 7.2) in this call as well | instance uses the access token (Section 7.2) in this call as well | |||
as the appropriate key, see the token rotation section for | as the appropriate key; see the token rotation section for | |||
details. | details. | |||
8. The AS validates the rotation request including the signature and | 8. The AS validates the rotation request, including the signature | |||
keys presented in (7) and refreshes the access token | and keys presented in (7), and refreshes the access token | |||
(Section 3.2.1). The response includes a new version of the | (Section 3.2.1). The response includes a new version of the | |||
access token and can also include updated token management | access token and can also include updated token management | |||
information, which the client instance will store in place of the | information, which the client instance will store in place of the | |||
values returned in (2). | values returned in (2). | |||
1.6.7. Requesting Subject Information Only | 1.6.7. Requesting Subject Information Only | |||
In this scenario, the client instance does not call an RS and does | In this scenario, the client instance does not call an RS and does | |||
not request an access token. Instead, the client instance only | not request an access token. Instead, the client instance only | |||
requests and is returned direct subject information (Section 3.4). | requests and is returned direct subject information (Section 3.4). | |||
skipping to change at page 30, line 49 ¶ | skipping to change at line 1342 ¶ | |||
| | | | AuthZ +------+ | | | | | AuthZ +------+ | |||
| | | | | End | | | | | | | End | | |||
| |<=(6)== Signal Continuation =========================+ User | | | |<=(6)== Signal Continuation =========================+ User | | |||
| | | | `----` | | | | | `----` | |||
| +--(7)--- Continue Request ------->| | | | +--(7)--- Continue Request ------->| | | |||
| | | | | | | | | | |||
| |<-(8)----- Grant Access ----------+ | | | |<-(8)----- Grant Access ----------+ | | |||
| | | | | | | | | | |||
+--------+ +--------+ | +--------+ +--------+ | |||
Figure 9: Figure 9: Diagram of the process of requesting and | Figure 9: Diagram of the Process of Requesting and Releasing Subject | |||
releasing subject information apart from access tokens | Information apart from Access Tokens | |||
1. The client instance requests access to subject information | 1. The client instance requests access to subject information | |||
(Section 2). | (Section 2). | |||
2. The AS determines that interaction is needed and responds | 2. The AS determines that interaction is needed and responds | |||
(Section 3) with appropriate information for facilitating user | (Section 3) with appropriate information for facilitating user | |||
interaction (Section 3.3). | interaction (Section 3.3). | |||
3. The client instance facilitates the user interacting with the AS | 3. The client instance facilitates the user interacting with the AS | |||
(Section 4) as directed in (2). | (Section 4) as directed in (2). | |||
skipping to change at page 31, line 31 ¶ | skipping to change at line 1371 ¶ | |||
user to the client instance and signals continuation. | user to the client instance and signals continuation. | |||
7. The client instance loads the continuation information from (2) | 7. The client instance loads the continuation information from (2) | |||
and calls the AS to continue the request (Section 5). | and calls the AS to continue the request (Section 5). | |||
8. If the request has been authorized, the AS grants access to the | 8. If the request has been authorized, the AS grants access to the | |||
requested direct subject information (Section 3.4) to the client | requested direct subject information (Section 3.4) to the client | |||
instance. At this stage, the user is generally considered | instance. At this stage, the user is generally considered | |||
"logged in" to the client instance based on the identifiers and | "logged in" to the client instance based on the identifiers and | |||
assertions provided by the AS. Note that the AS can restrict the | assertions provided by the AS. Note that the AS can restrict the | |||
subject information returned and it might not match what the | subject information returned, and it might not match what the | |||
client instance requested, see the section on subject information | client instance requested; see the section on subject information | |||
for details. | for details. | |||
1.6.8. Cross-User Authentication | 1.6.8. Cross-User Authentication | |||
In this scenario, the end user and resource owner are two different | In this scenario, the end user and resource owner are two different | |||
people. Here, the client instance already knows who the end user is, | people. Here, the client instance already knows who the end user is, | |||
likely through a separate authentication process. The end user, | likely through a separate authentication process. The end user, | |||
operating the client instance, needs to get subject information about | operating the client instance, needs to get subject information about | |||
another person in the system, the RO. The RO is given an opportunity | another person in the system, the RO. The RO is given an opportunity | |||
to release this information using an asynchronous interaction method | to release this information using an asynchronous interaction method | |||
with the AS. This scenario would apply, for instance, when the end | with the AS. This scenario would apply, for instance, when the end | |||
user is an agent in a call-center and the resource owner is a | user is an agent in a call center and the resource owner is a | |||
customer authorizing the call center agent to access their account on | customer authorizing the call-center agent to access their account on | |||
their behalf. | their behalf. | |||
.----. .----. | .----. .----. | |||
| End | | RO | | | End | | RO | | |||
| User |<=================(1)== Identify RO ==================>| | | | User |<=================(1)== Identify RO ==================>| | | |||
| | | | | | | | | | |||
| | +--------+ +--------+ | | | | | +--------+ +--------+ | | | |||
| +==(2)==>| Client | | AS | | | | | +==(2)==>| Client | | AS | | | | |||
| | RO ID |Instance| | | | | | | | RO ID |Instance| | | | | | |||
| | | | | | | | | | | | | | | | | | |||
skipping to change at page 32, line 34 ¶ | skipping to change at line 1417 ¶ | |||
| | | | | | | | | | | | | | | | | | |||
| | | +--(9)--- Cont. -->| | | | | | | | +--(9)--- Cont. -->| | | | | |||
| | | | | | | | | | | | | | | | | | |||
| | | |<-(10)-- Subj. ---+ | | | | | | | |<-(10)-- Subj. ---+ | | | | |||
| |<=(11)==+ | Info | | | | | | |<=(11)==+ | Info | | | | | |||
| | Return | | | | | | | | | Return | | | | | | | |||
| | RO | | | | | | | | | RO | | | | | | | |||
| | Info | | | | | | | | | Info | | | | | | | |||
`----` +--------+ +--------+ `----` | `----` +--------+ +--------+ `----` | |||
Figure 10: Figure 10: Diagram of cross-user authorization, where | Figure 10: Diagram of Cross-User Authorization, Where the End | |||
the end user and RO are different | User and RO Are Different | |||
Precondition: The end user is authenticated to the client instance, | Precondition: The end user is authenticated to the client instance, | |||
and the client instance has an identifier representing the end user | and the client instance has an identifier representing the end user | |||
that it can present to the AS. This identifier should be unique to | that it can present to the AS. This identifier should be unique to | |||
the particular session with the client instance and the AS. The | the particular session with the client instance and the AS. The | |||
client instance is also known to the AS and allowed to access this | client instance is also known to the AS and allowed to access this | |||
advanced functionality where the information of someone other than | advanced functionality where the information of someone other than | |||
the end user is returned to the client instance. | the end user is returned to the client instance. | |||
1. The RO communicates a human-readable identifier to the end user, | 1. The RO communicates a human-readable identifier to the end user, | |||
such as an email address or account number. This communication | such as an email address or account number. This communication | |||
happens out of band from the protocol, such as over the phone | happens out of band from the protocol, such as over the phone | |||
between parties. Note that the RO is not interacting with the | between parties. Note that the RO is not interacting with the | |||
client instance. | client instance. | |||
2. The end user communicates the identifier to the client instance. | 2. The end user communicates the identifier to the client instance. | |||
The means by which the identifier is communicated to the client | The means by which the identifier is communicated to the client | |||
instance is out of scope for this specification. | instance are out of scope for this specification. | |||
3. The client instance requests access to subject information | 3. The client instance requests access to subject information | |||
(Section 2). The request includes the RO's identifier in the | (Section 2). The request includes the RO's identifier in the | |||
subject information request (Section 2.2) sub_ids field, and the | subject information request (Section 2.2) sub_ids field and the | |||
end user's identifier in the user information field | end user's identifier in the user information field | |||
(Section 2.4) of the request. The request includes no | (Section 2.4) of the request. The request includes no | |||
interaction start methods, since the end user is not expected to | interaction start methods, since the end user is not expected to | |||
be the one interacting with the AS. The request does include | be the one interacting with the AS. The request does include | |||
the push based interaction finish method (Section 2.5.2.2) to | the push-based interaction finish method (Section 2.5.2.2) to | |||
allow the AS to signal to the client instance when the | allow the AS to signal to the client instance when the | |||
interaction with the RO has concluded. | interaction with the RO has concluded. | |||
4. The AS sees that the identifier for the end user and subject | 4. The AS sees that the identifiers for the end user and subject | |||
being requested are different. The AS determines that it can | being requested are different. The AS determines that it can | |||
reach out to the RO asynchronously for approval. While it is | reach out to the RO asynchronously for approval. While it is | |||
doing so, the AS returns a continuation response (Section 3.1) | doing so, the AS returns a continuation response (Section 3.1) | |||
with a finish nonce to allow the client instance to continue the | with a finish nonce to allow the client instance to continue the | |||
grant request after interaction with the RO has concluded. | grant request after interaction with the RO has concluded. | |||
5. The AS contacts the RO and has them authenticate to the system. | 5. The AS contacts the RO and has them authenticate to the system. | |||
The means for doing this are outside the scope of this | The means for doing this are outside the scope of this | |||
specification, but the identity of the RO is known from the | specification, but the identity of the RO is known from the | |||
subject identifier sent in (3). | subject identifier sent in (3). | |||
skipping to change at page 34, line 12 ¶ | skipping to change at line 1488 ¶ | |||
10. The AS returns the RO's subject information (Section 3.4) to the | 10. The AS returns the RO's subject information (Section 3.4) to the | |||
client instance. | client instance. | |||
11. The client instance can display or otherwise utilize the RO's | 11. The client instance can display or otherwise utilize the RO's | |||
user information in its session with the end user. Note that | user information in its session with the end user. Note that | |||
since the client instance requested different sets of user | since the client instance requested different sets of user | |||
information in (3), the client instance does not conflate the | information in (3), the client instance does not conflate the | |||
end user with the RO. | end user with the RO. | |||
Additional considerations for asynchronous interactions like this are | Additional considerations for asynchronous interactions like this are | |||
discussed in Section 13.36. | discussed in Section 11.36. | |||
2. Requesting Access | 2. Requesting Access | |||
To start a request, the client instance sends an HTTP POST with a | To start a request, the client instance sends an HTTP POST with a | |||
JSON [RFC8259] document to the grant endpoint of the AS. The grant | JSON [RFC8259] document to the grant endpoint of the AS. The grant | |||
endpoint is a URI that uniquely identifies the AS to client instances | endpoint is a URI that uniquely identifies the AS to client instances | |||
and serves as the identifier for the AS. The document is a JSON | and serves as the identifier for the AS. The document is a JSON | |||
object where each field represents a different aspect of the client | object where each field represents a different aspect of the client | |||
instance's request. Each field is described in detail in a section | instance's request. Each field is described in detail in a | |||
below. | subsection below. | |||
access_token (object / array of objects): Describes the rights and | access_token (object / array of objects): Describes the rights and | |||
properties associated with the requested access token. REQUIRED | properties associated with the requested access token. REQUIRED | |||
if requesting an access token. See Section 2.1. | if requesting an access token. See Section 2.1. | |||
subject (object): Describes the information about the RO that the | subject (object): Describes the information about the RO that the | |||
client instance is requesting to be returned directly in the | client instance is requesting to be returned directly in the | |||
response from the AS. REQUIRED if requesting subject information. | response from the AS. REQUIRED if requesting subject information. | |||
See Section 2.2. | See Section 2.2. | |||
client (object / string): Describes the client instance that is | client (object / string): Describes the client instance that is | |||
making this request, including the key that the client instance | making this request, including the key that the client instance | |||
will use to protect this request and any continuation requests at | will use to protect this request, any continuation requests at the | |||
the AS and any user-facing information about the client instance | AS, and any user-facing information about the client instance used | |||
used in interactions. REQUIRED. See Section 2.3. | in interactions. REQUIRED. See Section 2.3. | |||
user (object / string): Identifies the end user to the AS in a | user (object / string): Identifies the end user to the AS in a | |||
manner that the AS can verify, either directly or by interacting | manner that the AS can verify, either directly or by interacting | |||
with the end user to determine their status as the RO. OPTIONAL. | with the end user to determine their status as the RO. OPTIONAL. | |||
See Section 2.4. | See Section 2.4. | |||
interact (object): Describes the modes that the client instance | interact (object): Describes the modes that the client instance | |||
supports for allowing the RO to interact with the AS and modes for | supports for allowing the RO to interact with the AS and modes for | |||
the client instance to receive updates when interaction is | the client instance to receive updates when interaction is | |||
complete. REQUIRED if interaction is supported. See Section 2.5. | complete. REQUIRED if interaction is supported. See Section 2.5. | |||
Additional members of this request object can be defined by | Additional members of this request object can be defined by | |||
extensions using the GNAP Grant Request Parameters Registry | extensions using the "GNAP Grant Request Parameters" registry | |||
(Section 11.3). | (Section 10.3). | |||
A non-normative example of a grant request is below: | A non-normative example of a grant request is below: | |||
{ | { | |||
"access_token": { | "access_token": { | |||
"access": [ | "access": [ | |||
{ | { | |||
"type": "photo-api", | "type": "photo-api", | |||
"actions": [ | "actions": [ | |||
"read", | "read", | |||
skipping to change at page 36, line 13 ¶ | skipping to change at line 1586 ¶ | |||
}, | }, | |||
"subject": { | "subject": { | |||
"sub_id_formats": ["iss_sub", "opaque"], | "sub_id_formats": ["iss_sub", "opaque"], | |||
"assertion_formats": ["id_token"] | "assertion_formats": ["id_token"] | |||
} | } | |||
} | } | |||
Sending a request to the grant endpoint creates a grant request in | Sending a request to the grant endpoint creates a grant request in | |||
the _processing_ state. The AS processes this request to determine | the _processing_ state. The AS processes this request to determine | |||
whether interaction or authorization are necessary (moving to the | whether interaction or authorization are necessary (moving to the | |||
_pending_ state), or if access can be granted immediately (moving to | _pending_ state) or if access can be granted immediately (moving to | |||
the _approved_ state). | the _approved_ state). | |||
The request MUST be sent as a JSON object in the content of the HTTP | The request MUST be sent as a JSON object in the content of the HTTP | |||
POST request with Content-Type application/json. A key proofing | POST request with Content-Type application/json. A key proofing | |||
mechanism MAY define an alternative content type, as long as the | mechanism MAY define an alternative content type, as long as the | |||
content is formed from the JSON object. For example, the attached | content is formed from the JSON object. For example, the attached | |||
JWS key proofing mechanism (see Section 7.3.4) places the JSON object | JSON Web Signature (JWS) key proofing mechanism (see Section 7.3.4) | |||
into the payload of a JWS wrapper, which is in turn sent as the | places the JSON object into the payload of a JWS wrapper, which is in | |||
message content. | turn sent as the message content. | |||
2.1. Requesting Access to Resources | 2.1. Requesting Access to Resources | |||
If the client instance is requesting one or more access tokens for | If the client instance is requesting one or more access tokens for | |||
the purpose of accessing an API, the client instance MUST include an | the purpose of accessing an API, the client instance MUST include an | |||
access_token field. This field MUST be an object (for a single | access_token field. This field MUST be an object (for a single | |||
access token (Section 2.1.1)) or an array of these objects (for | access token (Section 2.1.1)) or an array of these objects (for | |||
multiple access tokens (Section 2.1.2)), as described in the | multiple access tokens (Section 2.1.2)), as described in the | |||
following sections. | following subsections. | |||
2.1.1. Requesting a Single Access Token | 2.1.1. Requesting a Single Access Token | |||
To request a single access token, the client instance sends an | To request a single access token, the client instance sends an | |||
access_token object composed of the following fields. | access_token object composed of the following fields. | |||
access (array of objects/strings): Describes the rights that the | access (array of objects/strings): Describes the rights that the | |||
client instance is requesting for the access token to be used at | client instance is requesting for the access token to be used at | |||
the RS. REQUIRED. See Section 8. | the RS. REQUIRED. See Section 8. | |||
label (string): A unique name chosen by the client instance to refer | label (string): A unique name chosen by the client instance to refer | |||
to the resulting access token. The value of this field is opaque | to the resulting access token. The value of this field is opaque | |||
to the AS and is not intended to be exposed to or used by the end | to the AS and is not intended to be exposed to or used by the end | |||
user. If this field is included in the request, the AS MUST | user. If this field is included in the request, the AS MUST | |||
include the same label in the token response (Section 3.2). | include the same label in the token response (Section 3.2). | |||
REQUIRED if used as part of a multiple access token request | REQUIRED if used as part of a multiple access tokens request | |||
(Section 2.1.2), OPTIONAL otherwise. | (Section 2.1.2); OPTIONAL otherwise. | |||
flags (array of strings): A set of flags that indicate desired | flags (array of strings): A set of flags that indicate desired | |||
attributes or behavior to be attached to the access token by the | attributes or behavior to be attached to the access token by the | |||
AS. OPTIONAL. | AS. OPTIONAL. | |||
The values of the flags field defined by this specification are as | The values of the flags field defined by this specification are as | |||
follows: | follows: | |||
"bearer": If this flag is included, the access token being requested | "bearer": If this flag is included, the access token being requested | |||
is a bearer token. If this flag is omitted, the access token is | is a bearer token. If this flag is omitted, the access token is | |||
bound to the key used by the client instance in this request (or | bound to the key used by the client instance in this request (or | |||
that key's most recent rotation) and the access token MUST be | that key's most recent rotation), and the access token MUST be | |||
presented using the same key and proofing method. Methods for | presented using the same key and proofing method. Methods for | |||
presenting bound and bearer access tokens are described in | presenting bound and bearer access tokens are described in | |||
Section 7.2. See Section 13.9 for additional considerations on | Section 7.2. See Section 11.9 for additional considerations on | |||
the use of bearer tokens. | the use of bearer tokens. | |||
Flag values MUST NOT be included more than once. If the request | Flag values MUST NOT be included more than once. If the request | |||
includes a flag value multiple times, the AS MUST return an | includes a flag value multiple times, the AS MUST return an | |||
invalid_flag error defined in Section 3.6. | invalid_flag error defined in Section 3.6. | |||
Additional flags can be defined by extensions using the GNAP Access | Additional flags can be defined by extensions using the "GNAP Access | |||
Token Flags Registry (Section 11.4). | Token Flags" registry (Section 10.4). | |||
In the following non-normative example, the client instance is | In the following non-normative example, the client instance is | |||
requesting access to a complex resource described by a pair of access | requesting access to a complex resource described by a pair of access | |||
request object. | request object. | |||
"access_token": { | "access_token": { | |||
"access": [ | "access": [ | |||
{ | { | |||
"type": "photo-api", | "type": "photo-api", | |||
"actions": [ | "actions": [ | |||
skipping to change at page 39, line 7 ¶ | skipping to change at line 1695 ¶ | |||
} | } | |||
If access is approved, the resulting access token is valid for the | If access is approved, the resulting access token is valid for the | |||
described resource. Since the "bearer" flag is not provided in this | described resource. Since the "bearer" flag is not provided in this | |||
example, the token is bound to the client instance's key (or its most | example, the token is bound to the client instance's key (or its most | |||
recent rotation). The token is labeled "token1-23". The token | recent rotation). The token is labeled "token1-23". The token | |||
response structure is described in Section 3.2.1. | response structure is described in Section 3.2.1. | |||
2.1.2. Requesting Multiple Access Tokens | 2.1.2. Requesting Multiple Access Tokens | |||
To request multiple access tokens to be returned in a single | To request that multiple access tokens be returned in a single | |||
response, the client instance sends an array of objects as the value | response, the client instance sends an array of objects as the value | |||
of the access_token parameter. Each object MUST conform to the | of the access_token parameter. Each object MUST conform to the | |||
request format for a single access token request, as specified in | request format for a single access token request, as specified in | |||
requesting a single access token (Section 2.1.1). Additionally, each | Section 2.1.1. Additionally, each object in the array MUST include | |||
object in the array MUST include the label field, and all values of | the label field, and all values of these fields MUST be unique within | |||
these fields MUST be unique within the request. If the client | the request. If the client instance does not include a label value | |||
instance does not include a label value for any entry in the array, | for any entry in the array or the values of the label field are not | |||
or the values of the label field are not unique within the array, the | unique within the array, the AS MUST return an "invalid_request" | |||
AS MUST return an "invalid_request" error (Section 3.6). | error (Section 3.6). | |||
The following non-normative example shows a request for two separate | The following non-normative example shows a request for two separate | |||
access tokens, token1 and token2. | access tokens: token1 and token2. | |||
"access_token": [ | "access_token": [ | |||
{ | { | |||
"label": "token1", | "label": "token1", | |||
"access": [ | "access": [ | |||
{ | { | |||
"type": "photo-api", | "type": "photo-api", | |||
"actions": [ | "actions": [ | |||
"read", | "read", | |||
"write", | "write", | |||
skipping to change at page 41, line 4 ¶ | skipping to change at line 1754 ¶ | |||
"datatypes": [ | "datatypes": [ | |||
"data", | "data", | |||
"pictures", | "pictures", | |||
"walrus whiskers" | "walrus whiskers" | |||
] | ] | |||
} | } | |||
], | ], | |||
"flags": [ "bearer" ] | "flags": [ "bearer" ] | |||
} | } | |||
] | ] | |||
All approved access requests are returned in the multiple access | All approved access requests are returned in the multiple access | |||
token response (Section 3.2.2) structure using the values of the | tokens response structure (Section 3.2.2) using the values of the | |||
label fields in the request. | label fields in the request. | |||
2.2. Requesting Subject Information | 2.2. Requesting Subject Information | |||
If the client instance is requesting information about the RO from | If the client instance is requesting information about the RO from | |||
the AS, it sends a subject field as a JSON object. This object MAY | the AS, it sends a subject field as a JSON object. This object MAY | |||
contain the following fields. | contain the following fields. | |||
sub_id_formats (array of strings): An array of subject identifier | sub_id_formats (array of strings): An array of subject identifier | |||
subject formats requested for the RO, as defined by [RFC9493]. | subject formats requested for the RO, as defined by [RFC9493]. | |||
REQUIRED if subject identifiers are requested. | REQUIRED if subject identifiers are requested. | |||
assertion_formats (array of strings): An array of requested | assertion_formats (array of strings): An array of requested | |||
assertion formats. Possible values include id_token for an OpenID | assertion formats. Possible values include id_token for an OpenID | |||
Connect ID Token ([OIDC]) and saml2 for a SAML 2 assertion | Connect ID Token [OIDC] and saml2 for a Security Assertion Markup | |||
([SAML2]). Additional assertion formats are defined by the GNAP | Language (SAML) 2 assertion [SAML2]. Additional assertion formats | |||
Assertion Formats Registry (Section 11.6). REQUIRED if assertions | can be defined in the "GNAP Assertion Formats" registry | |||
are requested. | (Section 10.6). REQUIRED if assertions are requested. | |||
sub_ids (array of objects): An array of subject identifiers | sub_ids (array of objects): An array of subject identifiers | |||
representing the subject for which information is being requested. | representing the subject for which information is being requested. | |||
Each object is a subject identifier as defined by [RFC9493]. All | Each object is a subject identifier as defined by [RFC9493]. All | |||
identifiers in the sub_ids array MUST identify the same subject. | identifiers in the sub_ids array MUST identify the same subject. | |||
If omitted, the AS SHOULD assume that subject information requests | If omitted, the AS SHOULD assume that subject information requests | |||
are about the current user and SHOULD require direct interaction | are about the current user and SHOULD require direct interaction | |||
or proof of presence before releasing information. OPTIONAL. | or proof of presence before releasing information. OPTIONAL. | |||
Additional fields are defined in the GNAP Subject Information Request | Additional fields can be defined in the "GNAP Subject Information | |||
Fields Registry (Section 11.5). | Request Fields" registry (Section 10.5). | |||
"subject": { | "subject": { | |||
"sub_id_formats": [ "iss_sub", "opaque" ], | "sub_id_formats": [ "iss_sub", "opaque" ], | |||
"assertion_formats": [ "id_token", "saml2" ] | "assertion_formats": [ "id_token", "saml2" ] | |||
} | } | |||
The AS can determine the RO's identity and permission for releasing | The AS can determine the RO's identity and permission for releasing | |||
this information through interaction with the RO (Section 4), AS | this information through interaction with the RO (Section 4), AS | |||
policies, or assertions presented by the client instance | policies, or assertions presented by the client instance | |||
(Section 2.4). If this is determined positively, the AS MAY return | (Section 2.4). If this is determined positively, the AS MAY return | |||
the RO's information in its response (Section 3.4) as requested. | the RO's information in its response (Section 3.4) as requested. | |||
Subject identifier types requested by the client instance serve only | Subject identifier types requested by the client instance serve only | |||
to identify the RO in the context of the AS and can't be used as | to identify the RO in the context of the AS and can't be used as | |||
communication channels by the client instance, as discussed in | communication channels by the client instance, as discussed in | |||
Section 3.4. | Section 3.4. | |||
2.3. Identifying the Client Instance | 2.3. Identifying the Client Instance | |||
When sending new grant request to the AS, the client instance MUST | When sending a new grant request to the AS, the client instance MUST | |||
identify itself by including its client information in the client | identify itself by including its client information in the client | |||
field of the request and by signing the request with its unique key | field of the request and by signing the request with its unique key | |||
as described in Section 7.3. Note that once a grant has been created | as described in Section 7.3. Note that once a grant has been created | |||
and is in the _pending_ or _accepted_ states, the AS can determine | and is in either the _pending_ or the _accepted_ state, the AS can | |||
which client is associated with the grant by dereferencing the | determine which client is associated with the grant by dereferencing | |||
continuation access token sent in the continuation request | the continuation access token sent in the continuation request | |||
(Section 5). As a consequence, the client field is not sent or | (Section 5). As a consequence, the client field is not sent or | |||
accepted for continuation requests. | accepted for continuation requests. | |||
Client information is sent by value as an object or by reference as a | Client information is sent by value as an object or by reference as a | |||
string (see Section 2.3.1). | string (see Section 2.3.1). | |||
When client instance information is sent by value, the client field | When client instance information is sent by value, the client field | |||
of the request consists of a JSON object with the following fields. | of the request consists of a JSON object with the following fields. | |||
key (object / string): The public key of the client instance to be | key (object / string): The public key of the client instance to be | |||
used in this request as described in Section 7.1 or a reference to | used in this request as described in Section 7.1 or a reference to | |||
a key as described in Section 7.1.1. REQUIRED. | a key as described in Section 7.1.1. REQUIRED. | |||
class_id (string): An identifier string that the AS can use to | class_id (string): An identifier string that the AS can use to | |||
identify the client software comprising this client instance. The | identify the client software comprising this client instance. The | |||
contents and format of this field are up to the AS. OPTIONAL. | contents and format of this field are up to the AS. OPTIONAL. | |||
display (object): An object containing additional information that | display (object): An object containing additional information that | |||
the AS MAY display to the RO during interaction, authorization, | the AS MAY display to the RO during interaction, authorization, | |||
and management. OPTIONAL. (Section 2.3.2) | and management. OPTIONAL. See Section 2.3.2. | |||
"client": { | "client": { | |||
"key": { | "key": { | |||
"proof": "httpsig", | "proof": "httpsig", | |||
"jwk": { | "jwk": { | |||
"kty": "RSA", | "kty": "RSA", | |||
"e": "AQAB", | "e": "AQAB", | |||
"kid": "xyz-1", | "kid": "xyz-1", | |||
"alg": "RS256", | "alg": "RS256", | |||
"n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8..." | "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8..." | |||
} | } | |||
}, | }, | |||
"class_id": "web-server-1234", | "class_id": "web-server-1234", | |||
"display": { | "display": { | |||
"name": "My Client Display Name", | "name": "My Client Display Name", | |||
"uri": "https://example.net/client" | "uri": "https://example.net/client" | |||
} | } | |||
} | } | |||
Additional fields are defined in the GNAP Client Instance Fields | ||||
Registry (Section 11.7). | Additional fields can be defined in the "GNAP Client Instance Fields" | |||
registry (Section 10.7). | ||||
Absent additional attestations, profiles, or trust mechanisms, both | Absent additional attestations, profiles, or trust mechanisms, both | |||
the display and class_id fields are self-declarative, presented by | the display and class_id fields are self-declarative, presented by | |||
the client instance. The AS needs to exercise caution in their | the client instance. The AS needs to exercise caution in their | |||
interpretation, taking them as a hint but not as absolute truth. The | interpretation, taking them as a hint but not as absolute truth. The | |||
class_id field can be used in a variety of ways to help the AS make | class_id field can be used in a variety of ways to help the AS make | |||
sense of the particular context in which the client instance is | sense of the particular context in which the client instance is | |||
operating. In corporate environments, for example, different levels | operating. In corporate environments, for example, different levels | |||
of trust might apply depending on security policies. This field aims | of trust might apply depending on security policies. This field aims | |||
to help the AS adjust its own access decisions for different classes | to help the AS adjust its own access decisions for different classes | |||
of client software. It is possible to configure a set of values and | of client software. It is possible to configure a set of values and | |||
rules during a pre-registration, and then have the client instances | rules during a pre-registration and then have the client instances | |||
provide them later in runtime as a hint to the AS. In other cases, | provide them later in runtime as a hint to the AS. In other cases, | |||
the client runs with a specific AS in mind, so a single hardcoded | the client runs with a specific AS in mind, so a single hardcoded | |||
value would acceptable (for instance, a set top box with a class_id | value would be acceptable (for instance, a set-top box with a | |||
claiming to be "FooBarTV version 4"). While the client instance may | class_id claiming to be "FooBarTV version 4"). While the client | |||
not have contacted the AS yet, the value of this class_id field can | instance may not have contacted the AS yet, the value of this | |||
be evaluated by the AS according to a broader context of dynamic use, | class_id field can be evaluated by the AS according to a broader | |||
alongside other related information available elsewhere (for | context of dynamic use, alongside other related information available | |||
instance, corresponding fields in a certificate). If the AS is not | elsewhere (for instance, corresponding fields in a certificate). If | |||
able to interpret or validate the class_id field, it MUST either | the AS is not able to interpret or validate the class_id field, it | |||
return an invalid_client error (Section 3.6) or interpret the request | MUST either return an invalid_client error (Section 3.6) or interpret | |||
as if the class_id were not present. See additional discussion of | the request as if the class_id were not present. See additional | |||
client instance impersonation in Section 13.15. | discussion of client instance impersonation in Section 11.15. | |||
The client instance MUST prove possession of any presented key by the | The client instance MUST prove possession of any presented key by the | |||
proof mechanism associated with the key in the request. Key proofing | proof mechanism associated with the key in the request. Key proofing | |||
methods are defined in the GNAP Key Proofing Methods Registry | methods are defined in the "GNAP Key Proofing Methods" registry | |||
(Section 11.16) and an initial set of methods is described in | (Section 10.16), and an initial set of methods is described in | |||
Section 7.3. | Section 7.3. | |||
If the same public key is sent by value on different access requests, | If the same public key is sent by value on different access requests, | |||
the AS MUST treat these requests as coming from the same client | the AS MUST treat these requests as coming from the same client | |||
instance for purposes of identification, authentication, and policy | instance for purposes of identification, authentication, and policy | |||
application. | application. | |||
If the AS does not know the client instance's public key ahead of | If the AS does not know the client instance's public key ahead of | |||
time, the AS can choose how to process the unknown key. Common | time, the AS can choose how to process the unknown key. Common | |||
approaches include: | approaches include: | |||
skipping to change at page 44, line 11 ¶ | skipping to change at line 1905 ¶ | |||
* Limiting the client's requested access to only certain APIs and | * Limiting the client's requested access to only certain APIs and | |||
information | information | |||
* Denying the request entirely by returning an invalid_client error | * Denying the request entirely by returning an invalid_client error | |||
(Section 3.6) | (Section 3.6) | |||
The client instance MUST NOT send a symmetric key by value in the key | The client instance MUST NOT send a symmetric key by value in the key | |||
field of the request, as doing so would expose the key directly | field of the request, as doing so would expose the key directly | |||
instead of simply proving possession of it. See considerations on | instead of simply proving possession of it. See considerations on | |||
symmetric keys in Section 13.7. To use symmetric keys, the client | symmetric keys in Section 11.7. To use symmetric keys, the client | |||
instance can send the key by reference (Section 7.1.1) or send the | instance can send the key by reference (Section 7.1.1) or send the | |||
entire client identity by reference (Section 2.3.1). | entire client identity by reference (Section 2.3.1). | |||
The client instance's key can be pre-registered with the AS ahead of | The client instance's key can be pre-registered with the AS ahead of | |||
time and associated with a set of policies and allowable actions | time and associated with a set of policies and allowable actions | |||
pertaining to that client. If this pre-registration includes other | pertaining to that client. If this pre-registration includes other | |||
fields that can occur in the client request object described in this | fields that can occur in the client request object described in this | |||
section, such as class_id or display, the pre-registered values MUST | section, such as class_id or display, the pre-registered values MUST | |||
take precedence over any values given at runtime. Additional fields | take precedence over any values given at runtime. Additional fields | |||
sent during a request but not present in a pre-registered client | sent during a request but not present in a pre-registered client | |||
instance record at the AS SHOULD NOT be added to the client's pre- | instance record at the AS SHOULD NOT be added to the client's pre- | |||
registered record. See additional considerations regarding client | registered record. See additional considerations regarding client | |||
instance impersonation in Section 13.15. | instance impersonation in Section 11.15. | |||
A client instance that is capable of talking to multiple AS's SHOULD | A client instance that is capable of talking to multiple ASes SHOULD | |||
use a different key for each AS to prevent a class of mix-up attacks | use a different key for each AS to prevent a class of mix-up attacks | |||
as described in Section 13.31 unless other mechanisms can be used to | as described in Section 11.31, unless other mechanisms can be used to | |||
assure the identity of the AS for a given request. | assure the identity of the AS for a given request. | |||
2.3.1. Identifying the Client Instance by Reference | 2.3.1. Identifying the Client Instance by Reference | |||
If the client instance has an instance identifier that the AS can use | If the client instance has an instance identifier that the AS can use | |||
to determine appropriate key information, the client instance can | to determine appropriate key information, the client instance can | |||
send this instance identifier as a direct reference value in lieu of | send this instance identifier as a direct reference value in lieu of | |||
the client object. The instance identifier MAY be assigned to a | the client object. The instance identifier MAY be assigned to a | |||
client instance at runtime through a grant response (Section 3.5) or | client instance at runtime through a grant response (Section 3.5) or | |||
MAY be obtained in another fashion, such as a static registration | MAY be obtained in another fashion, such as a static registration | |||
skipping to change at page 45, line 17 ¶ | skipping to change at line 1956 ¶ | |||
If the client instance has additional information to display to the | If the client instance has additional information to display to the | |||
RO during any interactions at the AS, it MAY send that information in | RO during any interactions at the AS, it MAY send that information in | |||
the "display" field. This field is a JSON object that declares | the "display" field. This field is a JSON object that declares | |||
information to present to the RO during any interactive sequences. | information to present to the RO during any interactive sequences. | |||
name (string): Display name of the client software. RECOMMENDED. | name (string): Display name of the client software. RECOMMENDED. | |||
uri (string): User-facing information about the client software, | uri (string): User-facing information about the client software, | |||
such as a web page. This URI MUST be an absolute URI. OPTIONAL. | such as a web page. This URI MUST be an absolute URI. OPTIONAL. | |||
logo_uri (string) Display image to represent the client software. | logo_uri (string): Display image to represent the client software. | |||
This URI MUST be an absolute URI. The logo MAY be passed by value | This URI MUST be an absolute URI. The logo MAY be passed by value | |||
by using a data: URI [RFC2397] referencing an image mediatype. | by using a data: URI [RFC2397] referencing an image media type. | |||
OPTIONAL. | OPTIONAL. | |||
"display": { | "display": { | |||
"name": "My Client Display Name", | "name": "My Client Display Name", | |||
"uri": "https://example.net/client", | "uri": "https://example.net/client", | |||
"logo_uri": "data:image/png;base64,Eeww...=" | "logo_uri": "data:image/png;base64,Eeww...=" | |||
} | } | |||
Additional display fields are defined by the GNAP Client Instance | Additional display fields can be defined in the "GNAP Client Instance | |||
Display Fields Registry (Section 11.8). | Display Fields" registry (Section 10.8). | |||
The AS SHOULD use these values during interaction with the RO. The | The AS SHOULD use these values during interaction with the RO. The | |||
values are for informational purposes only and MUST NOT be taken as | values are for informational purposes only and MUST NOT be taken as | |||
authentic proof of the client instance's identity or source. The AS | authentic proof of the client instance's identity or source. The AS | |||
MAY restrict display values to specific client instances, as | MAY restrict display values to specific client instances, as | |||
identified by their keys in Section 2.3. See additional | identified by their keys in Section 2.3. See additional | |||
considerations for displayed client information in Section 13.15 and | considerations for displayed client information in Section 11.15 and | |||
for the logo_uri in particular in Section 13.16. | for the logo_uri in particular in Section 11.16. | |||
2.3.3. Authenticating the Client Instance | 2.3.3. Authenticating the Client Instance | |||
If the presented key is known to the AS and is associated with a | If the presented key is known to the AS and is associated with a | |||
single instance of the client software, the process of presenting a | single instance of the client software, the process of presenting a | |||
key and proving possession of that key is sufficient to authenticate | key and proving possession of that key is sufficient to authenticate | |||
the client instance to the AS. The AS MAY associate policies with | the client instance to the AS. The AS MAY associate policies with | |||
the client instance identified by this key, such as limiting which | the client instance identified by this key, such as limiting which | |||
resources can be requested and which interaction methods can be used. | resources can be requested and which interaction methods can be used. | |||
For example, only specific client instances with certain known keys | For example, only specific client instances with certain known keys | |||
might be trusted with access tokens without the AS interacting | might be trusted with access tokens without the AS interacting | |||
directly with the RO as in Appendix C.3. | directly with the RO, as in Appendix B.3. | |||
The presentation of a key allows the AS to strongly associate | The presentation of a key allows the AS to strongly associate | |||
multiple successive requests from the same client instance with each | multiple successive requests from the same client instance with each | |||
other. This is true when the AS knows the key ahead of time and can | other. This is true when the AS knows the key ahead of time and can | |||
use the key to authenticate the client instance, but also if the key | use the key to authenticate the client instance, but it is also true | |||
is ephemeral and created just for this series of requests. As such | if the key is ephemeral and created just for this series of requests. | |||
the AS MAY allow for client instances to make requests with unknown | As such, the AS MAY allow for client instances to make requests with | |||
keys. This pattern allows for ephemeral client instances, such as | unknown keys. This pattern allows for ephemeral client instances | |||
single-page applications, and client software with many individual | (such as single-page applications) and client software with many | |||
long-lived instances, such as mobile applications, to generate key | individual long-lived instances (such as mobile applications) to | |||
pairs per instance and use the keys within the protocol without | generate key pairs per instance and use the keys within the protocol | |||
having to go through a separate registration step. The AS MAY limit | without having to go through a separate registration step. The AS | |||
which capabilities are made available to client instances with | MAY limit which capabilities are made available to client instances | |||
unknown keys. For example, the AS could have a policy saying that | with unknown keys. For example, the AS could have a policy saying | |||
only previously-registered client instances can request particular | that only previously registered client instances can request | |||
resources, or that all client instances with unknown keys have to be | particular resources or that all client instances with unknown keys | |||
interactively approved by an RO. | have to be interactively approved by an RO. | |||
2.4. Identifying the User | 2.4. Identifying the User | |||
If the client instance knows the identity of the end user through one | If the client instance knows the identity of the end user through one | |||
or more identifiers or assertions, the client instance MAY send that | or more identifiers or assertions, the client instance MAY send that | |||
information to the AS in the "user" field. The client instance MAY | information to the AS in the "user" field. The client instance MAY | |||
pass this information by value or by reference (See Section 2.4.1). | pass this information by value or by reference (see Section 2.4.1). | |||
sub_ids (array of objects): An array of subject identifiers for the | sub_ids (array of objects): An array of subject identifiers for the | |||
end user, as defined by [RFC9493]. OPTIONAL. | end user, as defined by [RFC9493]. OPTIONAL. | |||
assertions (array of objects) An array containing assertions as | assertions (array of objects): An array containing assertions as | |||
objects each containing the assertion format and the assertion | objects, each containing the assertion format and the assertion | |||
value as the JSON string serialization of the assertion, as | value as the JSON string serialization of the assertion, as | |||
defined in Section 3.4. OPTIONAL. | defined in Section 3.4. OPTIONAL. | |||
"user": { | "user": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "J2G8G8O4AZ" | "id": "J2G8G8O4AZ" | |||
} ], | } ], | |||
"assertions": [ { | "assertions": [ { | |||
"format": "id_token", | "format": "id_token", | |||
skipping to change at page 47, line 17 ¶ | skipping to change at line 2049 ¶ | |||
of this specification, common validation steps include verifying the | of this specification, common validation steps include verifying the | |||
signature of the assertion against a trusted signing key, verifying | signature of the assertion against a trusted signing key, verifying | |||
the audience and issuer of the assertion map to expected values, and | the audience and issuer of the assertion map to expected values, and | |||
verifying the time window for the assertion itself. However, note | verifying the time window for the assertion itself. However, note | |||
that in many use cases, some of these common steps are relaxed. For | that in many use cases, some of these common steps are relaxed. For | |||
example, an AS acting as an identity provider (IdP) could expect that | example, an AS acting as an identity provider (IdP) could expect that | |||
assertions being presented using this mechanism were issued by the AS | assertions being presented using this mechanism were issued by the AS | |||
to the client software. The AS would verify that the AS is the | to the client software. The AS would verify that the AS is the | |||
issuer of the assertion, not the audience, and that the client | issuer of the assertion, not the audience, and that the client | |||
instance is instead the audience of the assertion. Similarly, an AS | instance is instead the audience of the assertion. Similarly, an AS | |||
might accept a recently-expired assertion in order to help bootstrap | might accept a recently expired assertion in order to help bootstrap | |||
a new session with a specific end user. | a new session with a specific end user. | |||
If the identified end user does not match the RO present at the AS | If the identified end user does not match the RO present at the AS | |||
during an interaction step, and the AS is not explicitly allowing a | during an interaction step and the AS is not explicitly allowing a | |||
cross-user authorization, the AS SHOULD reject the request with an | cross-user authorization, the AS SHOULD reject the request with an | |||
unknown_user error (Section 3.6). | unknown_user error (Section 3.6). | |||
If the AS trusts the client instance to present verifiable assertions | If the AS trusts the client instance to present verifiable assertions | |||
or known subject identifiers, such as an opaque identifier issued by | or known subject identifiers, such as an opaque identifier issued by | |||
the AS for this specific client instance, the AS MAY decide, based on | the AS for this specific client instance, the AS MAY decide, based on | |||
its policy, to skip interaction with the RO, even if the client | its policy, to skip interaction with the RO, even if the client | |||
instance provides one or more interaction modes in its request. | instance provides one or more interaction modes in its request. | |||
See Section 13.30 for considerations that the AS has to make when | See Section 11.30 for considerations for the AS when accepting and | |||
accepting and processing assertions from the client instance. | processing assertions from the client instance. | |||
2.4.1. Identifying the User by Reference | 2.4.1. Identifying the User by Reference | |||
The AS can identify the current end user to the client instance with | The AS can identify the current end user to the client instance with | |||
a reference which can be used by the client instance to refer to the | a reference that can be used by the client instance to refer to the | |||
end user across multiple requests. If the client instance has a | end user across multiple requests. If the client instance has a | |||
reference for the end user at this AS, the client instance MAY pass | reference for the end user at this AS, the client instance MAY pass | |||
that reference as a string. The format of this string is opaque to | that reference as a string. The format of this string is opaque to | |||
the client instance. | the client instance. | |||
"user": "XUT2MFM1XBIKJKSDU8QM" | "user": "XUT2MFM1XBIKJKSDU8QM" | |||
One means of dynamically obtaining such a user reference is from the | One means of dynamically obtaining such a user reference is from the | |||
AS returning an opaque subject identifier as described in | AS returning an opaque subject identifier as described in | |||
Section 3.4. Other means of configuring a client instance with a | Section 3.4. Other means of configuring a client instance with a | |||
user identifier are out of scope of this specification. The lifetime | user identifier are out of scope of this specification. The lifetime | |||
and validity of these user references is determined by the AS and | and validity of these user references are determined by the AS, and | |||
this lifetime is not exposed to the client instance in GNAP. As | this lifetime is not exposed to the client instance in GNAP. As | |||
such, a client instance using such a user reference is likely to keep | such, a client instance using such a user reference is likely to keep | |||
using that reference until such a time as it stops working. | using that reference until it stops working. | |||
User reference identifiers are not intended to be human-readable user | User reference identifiers are not intended to be human-readable user | |||
identifiers or structured assertions. For the client instance to | identifiers or structured assertions. For the client instance to | |||
send either of these, the client can use the full user request object | send either of these, the client can use the full user request object | |||
(Section 2.4) instead. | (Section 2.4) instead. | |||
If the AS does not recognize the user reference, it MUST return an | If the AS does not recognize the user reference, it MUST return an | |||
unknown_user error (Section 3.6). | unknown_user error (Section 3.6). | |||
2.5. Interacting with the User | 2.5. Interacting with the User | |||
Often, the AS will require interaction with the RO (Section 4) in | Often, the AS will require interaction with the RO (Section 4) in | |||
order to approve a requested delegation to the client instance for | order to approve a requested delegation to the client instance for | |||
both access to resources and direct subject information. Many times | both access to resources and direct subject information. Many times, | |||
the end user using the client instance is the same person as the RO, | the end user using the client instance is the same person as the RO, | |||
and the client instance can directly drive interaction with the end | and the client instance can directly drive interaction with the end | |||
user by facilitating the process through means such as redirection to | user by facilitating the process through means such as redirection to | |||
a URI or launching an application. Other times, the client instance | a URI or launching an application. Other times, the client instance | |||
can provide information to start the RO's interaction on a secondary | can provide information to start the RO's interaction on a secondary | |||
device, or the client instance will wait for the RO to approve the | device, or the client instance will wait for the RO to approve the | |||
request asynchronously. The client instance could also be signaled | request asynchronously. The client instance could also be signaled | |||
that interaction has concluded through a callback mechanism. | that interaction has concluded through a callback mechanism. | |||
The client instance declares the parameters for interaction methods | The client instance declares the parameters for interaction methods | |||
skipping to change at page 48, line 41 ¶ | skipping to change at line 2122 ¶ | |||
declare how the client can initiate and complete the request, as well | declare how the client can initiate and complete the request, as well | |||
as provide hints to the AS about user preferences such as locale. A | as provide hints to the AS about user preferences such as locale. A | |||
client instance MUST NOT declare an interaction mode it does not | client instance MUST NOT declare an interaction mode it does not | |||
support. The client instance MAY send multiple modes in the same | support. The client instance MAY send multiple modes in the same | |||
request. There is no preference order specified in this request. An | request. There is no preference order specified in this request. An | |||
AS MAY respond to any, all, or none of the presented interaction | AS MAY respond to any, all, or none of the presented interaction | |||
modes (Section 3.3) in a request, depending on its capabilities and | modes (Section 3.3) in a request, depending on its capabilities and | |||
what is allowed to fulfill the request. | what is allowed to fulfill the request. | |||
start (array of objects/strings): Indicates how the client instance | start (array of objects/strings): Indicates how the client instance | |||
can start an interaction. REQUIRED. (Section 2.5.1) | can start an interaction. REQUIRED. See Section 2.5.1. | |||
finish (object): Indicates how the client instance can receive an | finish (object): Indicates how the client instance can receive an | |||
indication that interaction has finished at the AS. OPTIONAL. | indication that interaction has finished at the AS. OPTIONAL. | |||
(Section 2.5.2) | See Section 2.5.2. | |||
hints (object): Provides additional information to inform the | hints (object): Provides additional information to inform the | |||
interaction process at the AS. OPTIONAL. (Section 2.5.3) | interaction process at the AS. OPTIONAL. See Section 2.5.3. | |||
In the following non-normative example, the client instance is | In the following non-normative example, the client instance is | |||
indicating that it can redirect (Section 2.5.1.1) the end user to an | indicating that it can redirect (Section 2.5.1.1) the end user to an | |||
arbitrary URI and can receive a redirect (Section 2.5.2.1) through a | arbitrary URI and can receive a redirect (Section 2.5.2.1) through a | |||
browser request. Note that the client instance does not accept a | browser request. Note that the client instance does not accept a | |||
push-style callback. The pattern of using a redirect for both | push-style callback. The pattern of using a redirect for both | |||
interaction start and finish is common for web-based client software. | interaction start and finish is common for web-based client software. | |||
"interact": { | "interact": { | |||
"start": ["redirect"], | "start": ["redirect"], | |||
skipping to change at page 49, line 21 ¶ | skipping to change at line 2151 ¶ | |||
"method": "redirect", | "method": "redirect", | |||
"uri": "https://client.example.net/return/123455", | "uri": "https://client.example.net/return/123455", | |||
"nonce": "LKLTI25DK82FX4T4QFZC" | "nonce": "LKLTI25DK82FX4T4QFZC" | |||
} | } | |||
} | } | |||
In the following non-normative example, the client instance is | In the following non-normative example, the client instance is | |||
indicating that it can display a user code (Section 2.5.1.3) and | indicating that it can display a user code (Section 2.5.1.3) and | |||
direct the end user to an arbitrary URI (Section 2.5.1.1), but it | direct the end user to an arbitrary URI (Section 2.5.1.1), but it | |||
cannot accept a redirect or push callback. This pattern is common | cannot accept a redirect or push callback. This pattern is common | |||
for devices with robust display capabilities but that expect the use | for devices that have robust display capabilities but expect the use | |||
of a secondary device to facilitate end-user interaction with the AS, | of a secondary device to facilitate end-user interaction with the AS, | |||
such as a set-top box capable of displaying an interaction URL as a | such as a set-top box capable of displaying an interaction URL as a | |||
QR code. | QR code. | |||
"interact": { | "interact": { | |||
"start": ["redirect", "user_code"] | "start": ["redirect", "user_code"] | |||
} | } | |||
In the following non-normative example, the client instance is | In the following non-normative example, the client instance is | |||
indicating that it can not start any interaction with the end-user, | indicating that it cannot start any interaction with the end user but | |||
but that the AS can push an interaction finish message | that the AS can push an interaction finish message (Section 2.5.2.2) | |||
(Section 2.5.2.2) when authorization from the RO is received | when authorization from the RO is received asynchronously. This | |||
asynchronously. This pattern is common for scenarios where a service | pattern is common for scenarios where a service needs to be | |||
needs to be authorized, but the RO is able to be contacted separately | authorized, but the RO is able to be contacted separately from the | |||
from the GNAP transaction itself, such as through a push notification | GNAP transaction itself, such as through a push notification or | |||
or existing interactive session on a secondary device. | existing interactive session on a secondary device. | |||
"interact": { | "interact": { | |||
"start": [], | "start": [], | |||
"finish": { | "finish": { | |||
"method": "push", | "method": "push", | |||
"uri": "https://client.example.net/return/123455", | "uri": "https://client.example.net/return/123455", | |||
"nonce": "LKLTI25DK82FX4T4QFZC" | "nonce": "LKLTI25DK82FX4T4QFZC" | |||
} | } | |||
} | } | |||
If the client instance does not provide a suitable interaction | If the client instance does not provide a suitable interaction | |||
mechanism, the AS cannot contact the RO asynchronously, and the AS | mechanism, the AS cannot contact the RO asynchronously, and the AS | |||
determines that interaction is required, then the AS MUST return an | determines that interaction is required, then the AS MUST return an | |||
invalid_interaction error (Section 3.6) since the client instance | invalid_interaction error (Section 3.6) since the client instance | |||
will be unable to complete the request without authorization. | will be unable to complete the request without authorization. | |||
2.5.1. Start Mode Definitions | 2.5.1. Start Mode Definitions | |||
If the client instance is capable of starting interaction with the | If the client instance is capable of starting interaction with the | |||
end user, the client instance indicates this by sending an array of | end user, the client instance indicates this by sending an array of | |||
start modes under the start key. Each interaction start modes has a | start modes under the start key. Each interaction start mode has a | |||
unique identifying name. Interaction start modes are specified in | unique identifying name. Interaction start modes are specified in | |||
the array either by a string, which consists of the start mode name | the array either by a string, which consists of the start mode name | |||
on its own, or by a JSON object with the required field mode: | on its own, or by a JSON object with the required field mode: | |||
mode: The interaction start mode. REQUIRED. | mode: The interaction start mode. REQUIRED. | |||
Interaction start modes defined as objects MAY define additional | Interaction start modes defined as objects MAY define additional | |||
parameters to be required in the object. | parameters to be required in the object. | |||
The start array can contain both string-type and object-type modes. | The start array can contain both string-type and object-type modes. | |||
This specification defines the following interaction start modes: | This specification defines the following interaction start modes: | |||
"redirect" (string): Indicates that the client instance can direct | "redirect" (string): Indicates that the client instance can direct | |||
the end user to an arbitrary URI for interaction. Section 2.5.1.1 | the end user to an arbitrary URI for interaction. See | |||
Section 2.5.1.1. | ||||
"app" (string): Indicates that the client instance can launch an | "app" (string): Indicates that the client instance can launch an | |||
application on the end user's device for interaction. | application on the end user's device for interaction. See | |||
Section 2.5.1.2 | Section 2.5.1.2. | |||
"user_code" (string): Indicates that the client instance can | "user_code" (string): Indicates that the client instance can | |||
communicate a human-readable short code to the end user for use | communicate a short, human-readable code to the end user for use | |||
with a stable URI. Section 2.5.1.3 | with a stable URI. See Section 2.5.1.3. | |||
"user_code_uri" (string): Indicates that the client instance can | "user_code_uri" (string): Indicates that the client instance can | |||
communicate a human-readable short code to the end user for use | communicate a short, human-readable code to the end user for use | |||
with a short, dynamic URI. Section 2.5.1.4 | with a short, dynamic URI. See Section 2.5.1.4. | |||
Additional start modes are defined in the GNAP Interaction Start | Additional start modes can be defined in the "GNAP Interaction Start | |||
Modes Registry (Section 11.9). | Modes" registry (Section 10.9). | |||
2.5.1.1. Redirect to an Arbitrary URI | 2.5.1.1. Redirect to an Arbitrary URI | |||
If the client instance is capable of directing the end user to a URI | If the client instance is capable of directing the end user to a URI | |||
defined by the AS at runtime, the client instance indicates this by | defined by the AS at runtime, the client instance indicates this by | |||
including redirect in the array under the start key. The means by | including redirect in the array under the start key. The means by | |||
which the client instance will activate this URI is out of scope of | which the client instance will activate this URI are out of scope of | |||
this specification, but common methods include an HTTP redirect, | this specification, but common methods include an HTTP redirect, | |||
launching a browser on the end user's device, providing a scannable | launching a browser on the end user's device, providing a scannable | |||
image encoding, and printing out a URI to an interactive console. | image encoding, and printing out a URI to an interactive console. | |||
While this URI is generally hosted at the AS, the client instance can | While this URI is generally hosted at the AS, the client instance can | |||
make no assumptions about its contents, composition, or relationship | make no assumptions about its contents, composition, or relationship | |||
to the grant endpoint URI. | to the grant endpoint URI. | |||
"interact": { | "interact": { | |||
"start": ["redirect"] | "start": ["redirect"] | |||
} | } | |||
If this interaction mode is supported for this client instance and | If this interaction mode is supported for this client instance and | |||
request, the AS returns a redirect interaction response | request, the AS returns a redirect interaction response | |||
Section 3.3.1. The client instance manages this interaction method | (Section 3.3.1). The client instance manages this interaction method | |||
as described in Section 4.1.1. | as described in Section 4.1.1. | |||
See Section 13.29 for more considerations regarding the use of front- | See Section 11.29 for more considerations regarding the use of front- | |||
channel communication techniques. | channel communication techniques. | |||
2.5.1.2. Open an Application-specific URI | 2.5.1.2. Open an Application-Specific URI | |||
If the client instance can open a URI associated with an application | If the client instance can open a URI associated with an application | |||
on the end user's device, the client instance indicates this by | on the end user's device, the client instance indicates this by | |||
including app in the array under the start key. The means by which | including app in the array under the start key. The means by which | |||
the client instance determines the application to open with this URI | the client instance determines the application to open with this URI | |||
are out of scope of this specification. | are out of scope of this specification. | |||
"interact": { | "interact": { | |||
"start": ["app"] | "start": ["app"] | |||
} | } | |||
skipping to change at page 52, line 12 ¶ | skipping to change at line 2270 ¶ | |||
payload (Section 3.3.2). The client instance manages this | payload (Section 3.3.2). The client instance manages this | |||
interaction method as described in Section 4.1.4. | interaction method as described in Section 4.1.4. | |||
2.5.1.3. Display a Short User Code | 2.5.1.3. Display a Short User Code | |||
If the client instance is capable of displaying or otherwise | If the client instance is capable of displaying or otherwise | |||
communicating a short, human-entered code to the RO, the client | communicating a short, human-entered code to the RO, the client | |||
instance indicates this by including user_code in the array under the | instance indicates this by including user_code in the array under the | |||
start key. This code is to be entered at a static URI that does not | start key. This code is to be entered at a static URI that does not | |||
change at runtime. The client instance has no reasonable means to | change at runtime. The client instance has no reasonable means to | |||
communicate a dynamic URI to the RO, and so this URI is usually | communicate a dynamic URI to the RO, so this URI is usually | |||
communicated out of band to the RO through documentation or other | communicated out of band to the RO through documentation or other | |||
messaging outside of GNAP. While this URI is generally hosted at the | messaging outside of GNAP. While this URI is generally hosted at the | |||
AS, the client instance can make no assumptions about its contents, | AS, the client instance can make no assumptions about its contents, | |||
composition, or relationship to the grant endpoint URI. | composition, or relationship to the grant endpoint URI. | |||
"interact": { | "interact": { | |||
"start": ["user_code"] | "start": ["user_code"] | |||
} | } | |||
If this interaction mode is supported for this client instance and | If this interaction mode is supported for this client instance and | |||
skipping to change at page 53, line 10 ¶ | skipping to change at line 2317 ¶ | |||
If the client instance is capable of receiving a message from the AS | If the client instance is capable of receiving a message from the AS | |||
indicating that the RO has completed their interaction, the client | indicating that the RO has completed their interaction, the client | |||
instance indicates this by sending the following members of an object | instance indicates this by sending the following members of an object | |||
under the finish key. | under the finish key. | |||
method (string): The callback method that the AS will use to contact | method (string): The callback method that the AS will use to contact | |||
the client instance. REQUIRED. | the client instance. REQUIRED. | |||
uri (string): Indicates the URI that the AS will either send the RO | uri (string): Indicates the URI that the AS will either send the RO | |||
to after interaction or send an HTTP POST request. This URI MAY | to after interaction or send an HTTP POST request. This URI MAY | |||
be unique per request and MUST be hosted by or accessible by the | be unique per request and MUST be hosted by or accessible to the | |||
client instance. This URI MUST be an absolute URI, and MUST NOT | client instance. This URI MUST be an absolute URI and MUST NOT | |||
contain any fragment component. If the client instance needs any | contain any fragment component. If the client instance needs any | |||
state information to tie to the front channel interaction | state information to tie to the front-channel interaction | |||
response, it MUST use a unique callback URI to link to that | response, it MUST use a unique callback URI to link to that | |||
ongoing state. The allowable URIs and URI patterns MAY be | ongoing state. The allowable URIs and URI patterns MAY be | |||
restricted by the AS based on the client instance's presented key | restricted by the AS based on the client instance's presented key | |||
information. The callback URI SHOULD be presented to the RO | information. The callback URI SHOULD be presented to the RO | |||
during the interaction phase before redirect. REQUIRED for | during the interaction phase before redirect. REQUIRED for | |||
redirect and push methods. | redirect and push methods. | |||
nonce (string): Unique ASCII string value to be used in the | nonce (string): Unique ASCII string value to be used in the | |||
calculation of the "hash" query parameter sent to the callback | calculation of the "hash" query parameter sent to the callback | |||
URI, must be sufficiently random to be unguessable by an attacker. | URI. It must be sufficiently random to be unguessable by an | |||
MUST be generated by the client instance as a unique value for | attacker. It MUST be generated by the client instance as a unique | |||
this request. REQUIRED. | value for this request. REQUIRED. | |||
hash_method (string): An identifier of a hash calculation mechanism | hash_method (string): An identifier of a hash calculation mechanism | |||
to be used for the callback hash in Section 4.2.3, as defined in | to be used for the callback hash in Section 4.2.3, as defined in | |||
the IANA Named Information Hash Algorithm Registry [HASH-ALG]. If | the IANA "Named Information Hash Algorithm Registry" [HASH-ALG]. | |||
absent, the default value is sha-256. OPTIONAL. | If absent, the default value is sha-256. OPTIONAL. | |||
This specification defines the following values for the method | This specification defines the following values for the method | |||
parameter, with other values defined by the GNAP Interaction Finish | parameter; additional values can be defined in the "GNAP Interaction | |||
Methods Registry (Section 11.10): | Finish Methods" registry (Section 10.10): | |||
"redirect": Indicates that the client instance can receive a | "redirect": Indicates that the client instance can receive a | |||
redirect from the end user's device after interaction with the RO | redirect from the end user's device after interaction with the RO | |||
has concluded. Section 2.5.2.1 | has concluded. See Section 2.5.2.1. | |||
"push": Indicates that the client instance can receive an HTTP POST | "push": Indicates that the client instance can receive an HTTP POST | |||
request from the AS after interaction with the RO has concluded. | request from the AS after interaction with the RO has concluded. | |||
Section 2.5.2.2 | See Section 2.5.2.2. | |||
If interaction finishing is supported for this client instance and | If interaction finishing is supported for this client instance and | |||
request, the AS will return a nonce (Section 3.3.5) used by the | request, the AS will return a nonce (Section 3.3.5) used by the | |||
client instance to validate the callback. All interaction finish | client instance to validate the callback. All interaction finish | |||
methods MUST use this nonce to allow the client to verify the | methods MUST use this nonce to allow the client to verify the | |||
connection between the pending interaction request and the callback. | connection between the pending interaction request and the callback. | |||
GNAP does this through the use of the interaction hash, defined in | GNAP does this through the use of the interaction hash, defined in | |||
Section 4.2.3. All requests to the callback URI MUST be processed as | Section 4.2.3. All requests to the callback URI MUST be processed as | |||
described in Section 4.2. | described in Section 4.2. | |||
All interaction finish methods MUST require presentation of an | All interaction finish methods MUST require presentation of an | |||
interaction reference for continuing this grant request. This means | interaction reference for continuing this grant request. This means | |||
that the interaction reference MUST be returned by the AS and MUST be | that the interaction reference MUST be returned by the AS and MUST be | |||
presented by the client as described in Section 5.1. The means by | presented by the client as described in Section 5.1. The means by | |||
which the interaction reference is returned to the client instance is | which the interaction reference is returned to the client instance | |||
specific to the interaction finish method. | are specific to the interaction finish method. | |||
2.5.2.1. Receive an HTTP Callback Through the Browser | 2.5.2.1. Receive an HTTP Callback through the Browser | |||
A finish method value of redirect indicates that the client instance | A finish method value of redirect indicates that the client instance | |||
will expect a request from the RO's browser using the HTTP method GET | will expect a request from the RO's browser using the HTTP method GET | |||
as described in Section 4.2.1. | as described in Section 4.2.1. | |||
The client instance's URI MUST be protected by HTTPS, be hosted on a | The client instance's URI MUST be protected by HTTPS, be hosted on a | |||
server local to the RO's browser ("localhost"), or use an | server local to the RO's browser ("localhost"), or use an | |||
application-specific URI scheme that is loaded on the end user's | application-specific URI scheme that is loaded on the end user's | |||
device. | device. | |||
skipping to change at page 54, line 36 ¶ | skipping to change at line 2391 ¶ | |||
"uri": "https://client.example.net/return/123455", | "uri": "https://client.example.net/return/123455", | |||
"nonce": "LKLTI25DK82FX4T4QFZC" | "nonce": "LKLTI25DK82FX4T4QFZC" | |||
} | } | |||
} | } | |||
Requests to the callback URI MUST be processed by the client instance | Requests to the callback URI MUST be processed by the client instance | |||
as described in Section 4.2.1. | as described in Section 4.2.1. | |||
Since the incoming request to the callback URI is from the RO's | Since the incoming request to the callback URI is from the RO's | |||
browser, this method is usually used when the RO and end user are the | browser, this method is usually used when the RO and end user are the | |||
same entity. See Section 13.24 for considerations on ensuring the | same entity. See Section 11.24 for considerations on ensuring the | |||
incoming HTTP message matches the expected context of the request. | incoming HTTP message matches the expected context of the request. | |||
See Section 13.29 for more considerations regarding the use of front- | See Section 11.29 for more considerations regarding the use of front- | |||
channel communication techniques. | channel communication techniques. | |||
2.5.2.2. Receive an HTTP Direct Callback | 2.5.2.2. Receive an HTTP Direct Callback | |||
A finish method value of push indicates that the client instance will | A finish method value of push indicates that the client instance will | |||
expect a request from the AS directly using the HTTP method POST as | expect a request from the AS directly using the HTTP method POST as | |||
described in Section 4.2.2. | described in Section 4.2.2. | |||
The client instance's URI MUST be protected by HTTPS, be hosted on a | The client instance's URI MUST be protected by HTTPS, be hosted on a | |||
server local to the RO's browser ("localhost"), or use an | server local to the RO's browser ("localhost"), or use an | |||
skipping to change at page 55, line 18 ¶ | skipping to change at line 2420 ¶ | |||
"uri": "https://client.example.net/return/123455", | "uri": "https://client.example.net/return/123455", | |||
"nonce": "LKLTI25DK82FX4T4QFZC" | "nonce": "LKLTI25DK82FX4T4QFZC" | |||
} | } | |||
} | } | |||
Requests to the callback URI MUST be processed by the client instance | Requests to the callback URI MUST be processed by the client instance | |||
as described in Section 4.2.2. | as described in Section 4.2.2. | |||
Since the incoming request to the callback URI is from the AS and not | Since the incoming request to the callback URI is from the AS and not | |||
from the RO's browser, this request is not expected to have any | from the RO's browser, this request is not expected to have any | |||
shared session information from the start method. See Section 13.24 | shared session information from the start method. See Sections 11.24 | |||
and Section 13.23 for more considerations regarding the use of back- | and 11.23 for more considerations regarding the use of back-channel | |||
channel and polling mechanisms like this. | and polling mechanisms like this. | |||
2.5.3. Hints | 2.5.3. Hints | |||
The hints key is an object describing one or more suggestions from | The hints key is an object describing one or more suggestions from | |||
the client instance that the AS can use to help drive user | the client instance that the AS can use to help drive user | |||
interaction. | interaction. | |||
This specification defines the following properties under the hints | This specification defines the following property under the hints | |||
key: | key: | |||
ui_locales (array of strings): Indicates the end user's preferred | ui_locales (array of strings): Indicates the end user's preferred | |||
locales that the AS can use during interaction, particularly | locales that the AS can use during interaction, particularly | |||
before the RO has authenticated. OPTIONAL. Section 2.5.3.1 | before the RO has authenticated. OPTIONAL. Section 2.5.3.1 | |||
The following sections detail requests for interaction hints. | The following subsection details requests for interaction hints. | |||
Additional interaction hints are defined in the GNAP Interaction | Additional interaction hints can be defined in the "GNAP Interaction | |||
Hints Registry (Section 11.11). | Hints" registry (Section 10.11). | |||
2.5.3.1. Indicate Desired Interaction Locales | 2.5.3.1. Indicate Desired Interaction Locales | |||
If the client instance knows the end user's locale and language | If the client instance knows the end user's locale and language | |||
preferences, the client instance can send this information to the AS | preferences, the client instance can send this information to the AS | |||
using the ui_locales field with an array of locale strings as defined | using the ui_locales field with an array of locale strings as defined | |||
by [RFC5646]. | by [RFC5646]. | |||
"interact": { | "interact": { | |||
"hints": { | "hints": { | |||
skipping to change at page 56, line 4 ¶ | skipping to change at line 2453 ¶ | |||
If the client instance knows the end user's locale and language | If the client instance knows the end user's locale and language | |||
preferences, the client instance can send this information to the AS | preferences, the client instance can send this information to the AS | |||
using the ui_locales field with an array of locale strings as defined | using the ui_locales field with an array of locale strings as defined | |||
by [RFC5646]. | by [RFC5646]. | |||
"interact": { | "interact": { | |||
"hints": { | "hints": { | |||
"ui_locales": ["en-US", "fr-CA"] | "ui_locales": ["en-US", "fr-CA"] | |||
} | } | |||
} | } | |||
If possible, the AS SHOULD use one of the locales in the array, with | If possible, the AS SHOULD use one of the locales in the array, with | |||
preference to the first item in the array supported by the AS. If | preference to the first item in the array supported by the AS. If | |||
none of the given locales are supported, the AS MAY use a default | none of the given locales are supported, the AS MAY use a default | |||
locale. | locale. | |||
3. Grant Response | 3. Grant Response | |||
In response to a client instance's request, the AS responds with a | In response to a client instance's request, the AS responds with a | |||
JSON object as the HTTP content. Each possible field is detailed in | JSON object as the HTTP content. Each possible field is detailed in | |||
the sections below. | the subsections below. | |||
continue (object): Indicates that the client instance can continue | continue (object): Indicates that the client instance can continue | |||
the request by making one or more continuation requests. REQUIRED | the request by making one or more continuation requests. REQUIRED | |||
if continuation calls are allowed for this client instance on this | if continuation calls are allowed for this client instance on this | |||
grant request. See Section 3.1. | grant request. See Section 3.1. | |||
access_token (object / array of objects): A single access token or | access_token (object / array of objects): A single access token or | |||
set of access tokens that the client instance can use to call the | set of access tokens that the client instance can use to call the | |||
RS on behalf of the RO. REQUIRED if an access token is included. | RS on behalf of the RO. REQUIRED if an access token is included. | |||
See Section 3.2. | See Section 3.2. | |||
skipping to change at page 56, line 41 ¶ | skipping to change at line 2491 ¶ | |||
Section 3.4. | Section 3.4. | |||
instance_id (string): An identifier this client instance can use to | instance_id (string): An identifier this client instance can use to | |||
identify itself when making future requests. OPTIONAL. See | identify itself when making future requests. OPTIONAL. See | |||
Section 3.5. | Section 3.5. | |||
error (object or string): An error code indicating that something | error (object or string): An error code indicating that something | |||
has gone wrong. REQUIRED for an error condition. See | has gone wrong. REQUIRED for an error condition. See | |||
Section 3.6. | Section 3.6. | |||
Additional fields can be defined by extensions to GNAP in the GNAP | Additional fields can be defined by extensions to GNAP in the "GNAP | |||
Grant Response Parameters Registry (Section 11.12). | Grant Response Parameters" registry (Section 10.12). | |||
In the following non-normative example, the AS is returning an | In the following non-normative example, the AS is returning an | |||
interaction URI (Section 3.3.1), a callback nonce (Section 3.3.5), | interaction URI (Section 3.3.1), a callback nonce (Section 3.3.5), | |||
and a continuation response (Section 3.1). | and a continuation response (Section 3.1). | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
{ | { | |||
"interact": { | "interact": { | |||
"redirect": "https://server.example.com/interact/4CF492ML\ | "redirect": "https://server.example.com/interact/4CF492ML\ | |||
skipping to change at page 57, line 44 ¶ | skipping to change at line 2537 ¶ | |||
} | } | |||
}, | }, | |||
"subject": { | "subject": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "J2G8G8O4AZ" | "id": "J2G8G8O4AZ" | |||
} ] | } ] | |||
} | } | |||
} | } | |||
In following non-normative example, the AS is returning set of | In the following non-normative example, the AS is returning set of | |||
subject identifiers (Section 3.4), simultaneously as an opaque | subject identifiers (Section 3.4), simultaneously as an opaque | |||
identifier, an email address, and a decentralized identifier (DID), | identifier, an email address, and a decentralized identifier (DID), | |||
formatted as a set of Subject Identifiers defined in [RFC9493]. | formatted as a set of Subject Identifiers as defined in [RFC9493]. | |||
{ | { | |||
"subject": { | "subject": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "J2G8G8O4AZ" | "id": "J2G8G8O4AZ" | |||
}, { | }, { | |||
"format": "email", | "format": "email", | |||
"email": "user@example.com" | "email": "user@example.com" | |||
}, { | }, { | |||
skipping to change at page 58, line 35 ¶ | skipping to change at line 2572 ¶ | |||
The authorization server MUST include the HTTP Cache-Control response | The authorization server MUST include the HTTP Cache-Control response | |||
header field [RFC9111] with a value set to "no-store". | header field [RFC9111] with a value set to "no-store". | |||
3.1. Request Continuation | 3.1. Request Continuation | |||
If the AS determines that the grant request can be continued by the | If the AS determines that the grant request can be continued by the | |||
client instance, the AS responds with the continue field. This field | client instance, the AS responds with the continue field. This field | |||
contains a JSON object with the following properties. | contains a JSON object with the following properties. | |||
uri (string): The URI at which the client instance can make | uri (string): The URI at which the client instance can make | |||
continuation requests. This URI MAY vary per request, or MAY be | continuation requests. This URI MAY vary per request or MAY be | |||
stable at the AS. This URI MUST be an absolute URI. The client | stable at the AS. This URI MUST be an absolute URI. The client | |||
instance MUST use this value exactly as given when making a | instance MUST use this value exactly as given when making a | |||
continuation request (Section 5). REQUIRED. | continuation request (Section 5). REQUIRED. | |||
wait (integer): The amount of time in integer seconds the client | wait (integer): The amount of time in integer seconds the client | |||
instance MUST wait after receiving this request continuation | instance MUST wait after receiving this request continuation | |||
response and calling the continuation URI. The value SHOULD NOT | response and calling the continuation URI. The value SHOULD NOT | |||
be less than five seconds, and omission of the value MUST be | be less than five seconds, and omission of the value MUST be | |||
interpreted as five seconds. RECOMMENDED. | interpreted as five seconds. RECOMMENDED. | |||
access_token (object): A unique access token for continuing the | access_token (object): A unique access token for continuing the | |||
request, called the "continuation access token". The value of | request, called the "continuation access token". The value of | |||
this property MUST be an object in the format specified in | this property MUST be an object in the format specified in | |||
Section 3.2.1. This access token MUST be bound to the client | Section 3.2.1. This access token MUST be bound to the client | |||
instance's key used in the request and MUST NOT be a bearer token. | instance's key used in the request and MUST NOT be a bearer token. | |||
As a consequence, the flags array of this access token MUST NOT | As a consequence, the flags array of this access token MUST NOT | |||
contain the string bearer and the key field MUST be omitted. This | contain the string bearer, and the key field MUST be omitted. | |||
access token MUST NOT have a manage field. The client instance | This access token MUST NOT have a manage field. The client | |||
MUST present the continuation access token in all requests to the | instance MUST present the continuation access token in all | |||
continuation URI as described in Section 7.2. REQUIRED. | requests to the continuation URI as described in Section 7.2. | |||
REQUIRED. | ||||
{ | { | |||
"continue": { | "continue": { | |||
"access_token": { | "access_token": { | |||
"value": "80UPRY5NM33OMUKMKSKU" | "value": "80UPRY5NM33OMUKMKSKU" | |||
}, | }, | |||
"uri": "https://server.example.com/continue", | "uri": "https://server.example.com/continue", | |||
"wait": 60 | "wait": 60 | |||
} | } | |||
} | } | |||
This field is REQUIRED if the grant request is in the _pending_ | This field is REQUIRED if the grant request is in the _pending_ | |||
state, as the field contains the information needed by the client | state, as the field contains the information needed by the client | |||
request to continue the request as described in Section 5. Note that | request to continue the request as described in Section 5. Note that | |||
the continuation access token is bound to the client instance's key, | the continuation access token is bound to the client instance's key; | |||
and therefore the client instance MUST sign all continuation requests | therefore, the client instance MUST sign all continuation requests | |||
with its key as described in Section 7.3 and MUST present the | with its key as described in Section 7.3 and MUST present the | |||
continuation access token in its continuation request. | continuation access token in its continuation request. | |||
3.2. Access Tokens | 3.2. Access Tokens | |||
If the AS has successfully granted one or more access tokens to the | If the AS has successfully granted one or more access tokens to the | |||
client instance, the AS responds with the access_token field. This | client instance, the AS responds with the access_token field. This | |||
field contains either a single access token as described in | field contains either a single access token as described in | |||
Section 3.2.1 or an array of access tokens as described in | Section 3.2.1 or an array of access tokens as described in | |||
Section 3.2.2. | Section 3.2.2. | |||
skipping to change at page 60, line 8 ¶ | skipping to change at line 2643 ¶ | |||
value (string): The value of the access token as a string. The | value (string): The value of the access token as a string. The | |||
value is opaque to the client instance. The value MUST be limited | value is opaque to the client instance. The value MUST be limited | |||
to the token68 character set defined in Section 11.2 of [HTTP] to | to the token68 character set defined in Section 11.2 of [HTTP] to | |||
facilitate transmission over HTTP headers and within other | facilitate transmission over HTTP headers and within other | |||
protocols without requiring additional encoding. REQUIRED. | protocols without requiring additional encoding. REQUIRED. | |||
label (string): The value of the label the client instance provided | label (string): The value of the label the client instance provided | |||
in the associated token request (Section 2.1), if present. | in the associated token request (Section 2.1), if present. | |||
REQUIRED for multiple access tokens or if a label was included in | REQUIRED for multiple access tokens or if a label was included in | |||
the single access token request, OPTIONAL for a single access | the single access token request; OPTIONAL for a single access | |||
token where no label was included in the request. | token where no label was included in the request. | |||
manage (object): Access information for the token management API for | manage (object): Access information for the token management API for | |||
this access token. The management URI for this access token. If | this access token. The management URI for this access token. If | |||
provided, the client instance MAY manage its access token as | provided, the client instance MAY manage its access token as | |||
described in Section 6. This management API is a function of the | described in Section 6. This management API is a function of the | |||
AS and is separate from the RS the client instance is requesting | AS and is separate from the RS the client instance is requesting | |||
access to. OPTIONAL. | access to. OPTIONAL. | |||
access (array of objects/strings): A description of the rights | access (array of objects/strings): A description of the rights | |||
skipping to change at page 60, line 36 ¶ | skipping to change at line 2671 ¶ | |||
this time. Note that the access token MAY be revoked by the AS or | this time. Note that the access token MAY be revoked by the AS or | |||
RS at any point prior to its expiration. OPTIONAL. | RS at any point prior to its expiration. OPTIONAL. | |||
key (object / string): The key that the token is bound to, if | key (object / string): The key that the token is bound to, if | |||
different from the client instance's presented key. The key MUST | different from the client instance's presented key. The key MUST | |||
be an object or string in a format described in Section 7.1. The | be an object or string in a format described in Section 7.1. The | |||
client instance MUST be able to dereference or process the key | client instance MUST be able to dereference or process the key | |||
information in order to be able to sign subsequent requests using | information in order to be able to sign subsequent requests using | |||
the access token (Section 7.2). When the key is provided by value | the access token (Section 7.2). When the key is provided by value | |||
from the AS, the token shares some security properties with bearer | from the AS, the token shares some security properties with bearer | |||
tokens as discussed in Section 13.38. It is RECOMMENDED that keys | tokens as discussed in Section 11.38. It is RECOMMENDED that keys | |||
returned for use with access tokens be key references as described | returned for use with access tokens be key references as described | |||
in Section 7.1.1 that the client instance can correlate to its | in Section 7.1.1 that the client instance can correlate to its | |||
known keys. OPTIONAL. | known keys. OPTIONAL. | |||
flags (array of strings): A set of flags that represent attributes | flags (array of strings): A set of flags that represent attributes | |||
or behaviors of the access token issued by the AS. OPTIONAL. | or behaviors of the access token issued by the AS. OPTIONAL. | |||
The value of the manage field is an object with the following | The value of the manage field is an object with the following | |||
properties: | properties: | |||
uri (string): The URI of the token management API for this access | uri (string): The URI of the token management API for this access | |||
token. This URI MUST be an absolute URI. This URI MUST NOT include | token. This URI MUST be an absolute URI. This URI MUST NOT | |||
the access token value and SHOULD be different for each access token | include the access token value, SHOULD be different for each | |||
issued in a request and MUST NOT include the value of the access | access token issued in a request, and MUST NOT include the value | |||
token being managed. REQUIRED. | of the access token being managed. REQUIRED. | |||
access_token (object): A unique access token for continuing the | access_token (object): A unique access token for continuing the | |||
request, called the "token management access token". The value of | request, called the "token management access token". The value of | |||
this property MUST be an object in the format specified in | this property MUST be an object in the format specified in | |||
Section 3.2.1. This access token MUST be bound to the client | Section 3.2.1. This access token MUST be bound to the client | |||
instance's key used in the request (or its most recent rotation) | instance's key used in the request (or its most recent rotation) | |||
and MUST NOT be a bearer token. As a consequence, the flags array | and MUST NOT be a bearer token. As a consequence, the flags array | |||
of this access token MUST NOT contain the string bearer and the | of this access token MUST NOT contain the string bearer, and the | |||
key field MUST be omitted. This access token MUST NOT have a | key field MUST be omitted. This access token MUST NOT have a | |||
manage field. This access token MUST NOT have the same value as | manage field. This access token MUST NOT have the same value as | |||
the token it is managing. The client instance MUST present the | the token it is managing. The client instance MUST present the | |||
continuation access token in all requests to the continuation URI | continuation access token in all requests to the continuation URI | |||
as described in Section 7.2. REQUIRED. | as described in Section 7.2. REQUIRED. | |||
The values of the flags field defined by this specification are as | The values of the flags field defined by this specification are as | |||
follows: | follows: | |||
"bearer": This flag indicates whether the token is a bearer token, | "bearer": Flag indicating whether the token is a bearer token, not | |||
not bound to a key and proofing mechanism. If the bearer flag is | bound to a key and proofing mechanism. If the bearer flag is | |||
present, the access token is a bearer token, and the key field in | present, the access token is a bearer token, and the key field in | |||
this response MUST be omitted. See Section 13.9 for additional | this response MUST be omitted. See Section 11.9 for additional | |||
considerations on the use of bearer tokens. | considerations on the use of bearer tokens. | |||
"durable": Flag indicating a hint of AS behavior on token rotation. | "durable": Flag indicating a hint of AS behavior on token rotation. | |||
If this flag is present, then the client instance can expect a | If this flag is present, then the client instance can expect a | |||
previously-issued access token to continue to work after it has | previously issued access token to continue to work after it has | |||
been rotated (Section 6.1) or the underlying grant request has | been rotated (Section 6.1) or the underlying grant request has | |||
been modified (Section 5.3), resulting in the issuance of new | been modified (Section 5.3), resulting in the issuance of new | |||
access tokens. If this flag is omitted, the client instance can | access tokens. If this flag is omitted, the client instance can | |||
anticipate a given access token could stop working after token | anticipate a given access token could stop working after token | |||
rotation or grant request modification. Note that a token flagged | rotation or grant request modification. Note that a token flagged | |||
as durable can still expire or be revoked through any normal | as durable can still expire or be revoked through any normal | |||
means. | means. | |||
Flag values MUST NOT be included more than once. | Flag values MUST NOT be included more than once. | |||
Additional flags can be defined by extensions using the GNAP Access | Additional flags can be defined by extensions using the "GNAP Access | |||
Token Fields Registry (Section 11.4). | Token Flags" registry (Section 10.4). | |||
If the bearer flag and the key field in this response are omitted, | If the bearer flag and the key field in this response are omitted, | |||
the token is bound the key used by the client instance (Section 2.3) | the token is bound to the key used by the client instance | |||
in its request for access. If the bearer flag is omitted, and the | (Section 2.3) in its request for access. If the bearer flag is | |||
key field is present, the token is bound to the key and proofing | omitted and the key field is present, the token is bound to the key | |||
mechanism indicated in the key field. The means by which the AS | and proofing mechanism indicated in the key field. The means by | |||
determines how to bind an access token to a key other than that | which the AS determines how to bind an access token to a key other | |||
presented by the client instance is out of scope for this | than that presented by the client instance are out of scope for this | |||
specification, but common practices include pre-registering specific | specification, but common practices include pre-registering specific | |||
keys in a static fashion. | keys in a static fashion. | |||
The client software MUST reject any access token where the flags | The client software MUST reject any access token where the flags | |||
field contains the bearer flag and the key field is present with any | field contains the bearer flag and the key field is present with any | |||
value. | value. | |||
The following non-normative example shows a single access token bound | The following non-normative example shows a single access token bound | |||
to the client instance's key used in the initial request, with a | to the client instance's key used in the initial request, with a | |||
management URI, and that has access to three described resources (one | management URI, and that has access to three described resources (one | |||
skipping to change at page 63, line 15 ¶ | skipping to change at line 2789 ¶ | |||
"access_token": { | "access_token": { | |||
"value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", | "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", | |||
"flags": ["bearer"], | "flags": ["bearer"], | |||
"access": [ | "access": [ | |||
"finance", "medical" | "finance", "medical" | |||
] | ] | |||
} | } | |||
If the client instance requested a single access token | If the client instance requested a single access token | |||
(Section 2.1.1), the AS MUST NOT respond with the multiple access | (Section 2.1.1), the AS MUST NOT respond with the multiple access | |||
token structure. | tokens structure. | |||
3.2.2. Multiple Access Tokens | 3.2.2. Multiple Access Tokens | |||
If the client instance has requested multiple access tokens and the | If the client instance has requested multiple access tokens and the | |||
AS has granted at least one of them, the AS responds with the | AS has granted at least one of them, the AS responds with the | |||
"access_token" field. The value of this field is a JSON array, the | "access_token" field. The value of this field is a JSON array, the | |||
members of which are distinct access tokens as described in | members of which are distinct access tokens as described in | |||
Section 3.2.1. Each object MUST have a unique label field, | Section 3.2.1. Each object MUST have a unique label field, | |||
corresponding to the token labels chosen by the client instance in | corresponding to the token labels chosen by the client instance in | |||
the multiple access token request (Section 2.1.2). | the multiple access tokens request (Section 2.1.2). | |||
In the following non-normative example, two tokens are issued under | In the following non-normative example, two tokens are issued under | |||
the names token1 and token2, and only the first token has a | the names token1 and token2, and only the first token has a | |||
management URI associated with it. | management URI associated with it. | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
"access_token": [ | "access_token": [ | |||
{ | { | |||
"label": "token1", | "label": "token1", | |||
skipping to change at page 64, line 4 ¶ | skipping to change at line 2825 ¶ | |||
} | } | |||
}, | }, | |||
"access": [ "finance" ] | "access": [ "finance" ] | |||
}, | }, | |||
{ | { | |||
"label": "token2", | "label": "token2", | |||
"value": "UFGLO2FDAFG7VGZZPJ3IZEMN21EVU71FHCARP4J1", | "value": "UFGLO2FDAFG7VGZZPJ3IZEMN21EVU71FHCARP4J1", | |||
"access": [ "medical" ] | "access": [ "medical" ] | |||
} | } | |||
} | } | |||
Each access token corresponds to one of the objects in the | Each access token corresponds to one of the objects in the | |||
access_token array of the client instance's request (Section 2.1.2). | access_token array of the client instance's request (Section 2.1.2). | |||
The AS MAY refuse to issue one or more of the requested access | The AS MAY refuse to issue one or more of the requested access tokens | |||
tokens, for any reason. In such cases the refused token is omitted | for any reason. In such cases, the refused token is omitted from the | |||
from the response and all of the other issued access tokens are | response, and all of the other issued access tokens are included in | |||
included in the response under their respective requested labels. If | the response under their respective requested labels. If the client | |||
the client instance requested multiple access tokens (Section 2.1.2), | instance requested multiple access tokens (Section 2.1.2), the AS | |||
the AS MUST NOT respond with a single access token structure, even if | MUST NOT respond with a single access token structure, even if only a | |||
only a single access token is granted. In such cases, the AS MUST | single access token is granted. In such cases, the AS MUST respond | |||
respond with a multiple access token structure containing one access | with a multiple access tokens structure containing one access token. | |||
token. | ||||
"access_token": [ | "access_token": [ | |||
{ | { | |||
"label": "token2", | "label": "token2", | |||
"value": "8N6BW7OZB8CDFONP219-OS9M2PMHKUR64TBRP1LT0", | "value": "8N6BW7OZB8CDFONP219-OS9M2PMHKUR64TBRP1LT0", | |||
"manage": { | "manage": { | |||
"uri": "https://server.example.com/token/PRY5NM33O", | "uri": "https://server.example.com/token/PRY5NM33O", | |||
"access_token": { | "access_token": { | |||
"value": "B8CDFONP21-4TB8N6.BW7ONM" | "value": "B8CDFONP21-4TB8N6.BW7ONM" | |||
} | } | |||
}, | }, | |||
"access": [ "fruits" ] | "access": [ "fruits" ] | |||
} | } | |||
] | ] | |||
The parameters of each access token are separate. For example, each | The parameters of each access token are separate. For example, each | |||
access token is expected to have a unique value and (if present) | access token is expected to have a unique value and (if present) | |||
label, and likely has different access rights associated with it. | label, and each access token likely has different access rights | |||
Each access token could also be bound to different keys with | associated with it. Each access token could also be bound to | |||
different proofing mechanisms. | different keys with different proofing mechanisms. | |||
3.3. Interaction Modes | 3.3. Interaction Modes | |||
If the client instance has indicated a capability to interact with | If the client instance has indicated a capability to interact with | |||
the RO in its request (Section 2.5), and the AS has determined that | the RO in its request (Section 2.5) and the AS has determined that | |||
interaction is both supported and necessary, the AS responds to the | interaction is both supported and necessary, the AS responds to the | |||
client instance with any of the following values in the interact | client instance with any of the following values in the interact | |||
field of the response. There is no preference order for interaction | field of the response. There is no preference order for interaction | |||
modes in the response, and it is up to the client instance to | modes in the response, and it is up to the client instance to | |||
determine which ones to use. All supported interaction methods are | determine which ones to use. All supported interaction methods are | |||
included in the same interact object. | included in the same interact object. | |||
redirect (string): Redirect to an arbitrary URI. REQUIRED if the | redirect (string): Redirect to an arbitrary URI. REQUIRED if the | |||
redirect interaction start mode is possible for this request. See | redirect interaction start mode is possible for this request. See | |||
Section 3.3.1. | Section 3.3.1. | |||
skipping to change at page 65, line 26 ¶ | skipping to change at line 2894 ¶ | |||
finish (string): A unique ASCII string value provided by the AS as a | finish (string): A unique ASCII string value provided by the AS as a | |||
nonce. This is used by the client instance to verify the callback | nonce. This is used by the client instance to verify the callback | |||
after interaction is completed. REQUIRED if the interaction | after interaction is completed. REQUIRED if the interaction | |||
finish method requested by the client instance is possible for | finish method requested by the client instance is possible for | |||
this request. See Section 3.3.5. | this request. See Section 3.3.5. | |||
expires_in (integer): The number of integer seconds after which this | expires_in (integer): The number of integer seconds after which this | |||
set of interaction responses will expire and no longer be usable | set of interaction responses will expire and no longer be usable | |||
by the client instance. If the interaction methods expire, the | by the client instance. If the interaction methods expire, the | |||
client MAY re-start the interaction process for this grant request | client MAY restart the interaction process for this grant request | |||
by sending an update (Section 5.3) with a new interaction request | by sending an update (Section 5.3) with a new interaction request | |||
(Section 2.5) section. OPTIONAL. If omitted, the interaction | section (Section 2.5). OPTIONAL. If omitted, the interaction | |||
response modes returned do not expire but MAY be invalidated by | response modes returned do not expire but MAY be invalidated by | |||
the AS at any time. | the AS at any time. | |||
Additional interaction mode responses can be defined in the GNAP | Additional interaction mode responses can be defined in the "GNAP | |||
Interaction Mode Responses Registry (Section 11.13). | Interaction Mode Responses" registry (Section 10.13). | |||
The AS MUST NOT respond with any interaction mode that the client | The AS MUST NOT respond with any interaction mode that the client | |||
instance did not indicate in its request. The AS MUST NOT respond | instance did not indicate in its request, and the AS MUST NOT respond | |||
with any interaction mode that the AS does not support. Since | with any interaction mode that the AS does not support. Since | |||
interaction responses include secret or unique information, the AS | interaction responses include secret or unique information, the AS | |||
SHOULD respond to each interaction mode only once in an ongoing | SHOULD respond to each interaction mode only once in an ongoing | |||
request, particularly if the client instance modifies its request | request, particularly if the client instance modifies its request | |||
(Section 5.3). | (Section 5.3). | |||
The grant request MUST be in the _pending_ state to include this | The grant request MUST be in the _pending_ state to include this | |||
field in the response. | field in the response. | |||
3.3.1. Redirection to an arbitrary URI | 3.3.1. Redirection to an Arbitrary URI | |||
If the client instance indicates that it can redirect to an arbitrary | If the client instance indicates that it can redirect to an arbitrary | |||
URI (Section 2.5.1.1) and the AS supports this mode for the client | URI (Section 2.5.1.1) and the AS supports this mode for the client | |||
instance's request, the AS responds with the "redirect" field, which | instance's request, the AS responds with the "redirect" field, which | |||
is a string containing the URI for the end user to visit. This URI | is a string containing the URI for the end user to visit. This URI | |||
MUST be unique for the request and MUST NOT contain any security- | MUST be unique for the request and MUST NOT contain any security- | |||
sensitive information such as user identifiers or access tokens. | sensitive information such as user identifiers or access tokens. | |||
"interact": { | "interact": { | |||
"redirect": "https://interact.example.com/4CF492MLVMSW9MKMXKHQ" | "redirect": "https://interact.example.com/4CF492MLVMSW9MKMXKHQ" | |||
} | } | |||
The URI returned is a function of the AS, but the URI itself MAY be | The URI returned is a function of the AS, but the URI itself MAY be | |||
completely distinct from the grant endpoint URI that the client | completely distinct from the grant endpoint URI that the client | |||
instance uses to request access (Section 2), allowing an AS to | instance uses to request access (Section 2), allowing an AS to | |||
separate its user-interactive functionality from its back-end | separate its user-interaction functionality from its back-end | |||
security functionality. The AS will need to dereference the specific | security functionality. The AS will need to dereference the specific | |||
grant request and its information from the URI alone. If the AS does | grant request and its information from the URI alone. If the AS does | |||
not directly host the functionality accessed through the redirect | not directly host the functionality accessed through the redirect | |||
URI, then the means for the interaction functionality to communicate | URI, then the means for the interaction functionality to communicate | |||
with the rest of the AS are out of scope for this specification. | with the rest of the AS are out of scope for this specification. | |||
The client instance sends the end user to the URI to interact with | The client instance sends the end user to the URI to interact with | |||
the AS. The client instance MUST NOT alter the URI in any way. The | the AS. The client instance MUST NOT alter the URI in any way. The | |||
means for the client instance to send the end user to this URI is out | means for the client instance to send the end user to this URI are | |||
of scope of this specification, but common methods include an HTTP | out of scope of this specification, but common methods include an | |||
redirect, launching the system browser, displaying a scannable code, | HTTP redirect, launching the system browser, displaying a scannable | |||
or printing out the URI in an interactive console. See details of | code, or printing out the URI in an interactive console. See details | |||
the interaction in Section 4.1.1. | of the interaction in Section 4.1.1. | |||
3.3.2. Launch of an application URI | 3.3.2. Launch of an Application URI | |||
If the client instance indicates that it can launch an application | If the client instance indicates that it can launch an application | |||
URI (Section 2.5.1.2) and the AS supports this mode for the client | URI (Section 2.5.1.2) and the AS supports this mode for the client | |||
instance's request, the AS responds with the "app" field, which is a | instance's request, the AS responds with the "app" field, which is a | |||
string containing the URI for the client instance to launch. This | string containing the URI for the client instance to launch. This | |||
URI MUST be unique for the request and MUST NOT contain any security- | URI MUST be unique for the request and MUST NOT contain any security- | |||
sensitive information such as user identifiers or access tokens. | sensitive information such as user identifiers or access tokens. | |||
"interact": { | "interact": { | |||
"app": "https://app.example.com/launch?tx=4CF492MLV" | "app": "https://app.example.com/launch?tx=4CF492MLV" | |||
} | } | |||
The means for the launched application to communicate with the AS are | The means for the launched application to communicate with the AS are | |||
out of scope for this specification. | out of scope for this specification. | |||
The client instance launches the URI as appropriate on its platform, | The client instance launches the URI as appropriate on its platform; | |||
and the means for the client instance to launch this URI is out of | the means for the client instance to launch this URI are out of scope | |||
scope of this specification. The client instance MUST NOT alter the | of this specification. The client instance MUST NOT alter the URI in | |||
URI in any way. The client instance MAY attempt to detect if an | any way. The client instance MAY attempt to detect if an installed | |||
installed application will service the URI being sent before | application will service the URI being sent before attempting to | |||
attempting to launch the application URI. See details of the | launch the application URI. See details of the interaction in | |||
interaction in Section 4.1.4. | Section 4.1.4. | |||
3.3.3. Display of a Short User Code | 3.3.3. Display of a Short User Code | |||
If the client instance indicates that it can display a short | If the client instance indicates that it can display a short, user- | |||
user-typeable code (Section 2.5.1.3) and the AS supports this mode | typeable code (Section 2.5.1.3) and the AS supports this mode for the | |||
for the client instance's request, the AS responds with a "user_code" | client instance's request, the AS responds with a "user_code" field. | |||
field. This field is string containing a unique short code that the | This field is string containing a unique short code that the user can | |||
user can type into a web page. To facilitate usability, this string | type into a web page. To facilitate usability, this string MUST | |||
MUST consist only of characters that can be easily typed by the end | consist only of characters that can be easily typed by the end user | |||
user (such as ASCII letters or numbers) and MUST be processed by the | (such as ASCII letters or numbers) and MUST be processed by the AS in | |||
AS in a case-insensitive manner (see Section 4.1.2). The string MUST | a case-insensitive manner (see Section 4.1.2). The string MUST be | |||
be randomly generated so as to be unguessable by an attacker within | randomly generated so as to be unguessable by an attacker within the | |||
the time it is accepted. The time in which this code will be | time it is accepted. The time in which this code will be accepted | |||
accepted SHOULD be short lived, such as several minutes. It is | SHOULD be short lived, such as several minutes. It is RECOMMENDED | |||
RECOMMENDED that this code be no more than eight characters in | that this code be between six and eight characters in length. | |||
length. | ||||
"interact": { | "interact": { | |||
"user_code": "A1BC3DFF" | "user_code": "A1BC3DFF" | |||
} | } | |||
The client instance MUST communicate the "user_code" value to the end | The client instance MUST communicate the "user_code" value to the end | |||
user in some fashion, such as displaying it on a screen or reading it | user in some fashion, such as displaying it on a screen or reading it | |||
out audibly. This code is used by the interaction component of the | out audibly. This code is used by the interaction component of the | |||
AS as a means of identifying the pending grant request and does not | AS as a means of identifying the pending grant request and does not | |||
function as an authentication factor for the RO. | function as an authentication factor for the RO. | |||
The URI that the end user is intended to enter the code into MUST be | The URI that the end user is intended to enter the code into MUST be | |||
stable, since the client instance is expected to have no means of | stable, since the client instance is expected to have no means of | |||
communicating a dynamic URI to the end user at runtime. | communicating a dynamic URI to the end user at runtime. | |||
As this interaction mode is designed to facilitate interaction via a | As this interaction mode is designed to facilitate interaction via a | |||
secondary device, it is not expected that the client instance | secondary device, it is not expected that the client instance | |||
redirect the end user to the URI where the code is entered. If the | redirect the end user to the URI where the code is entered. If the | |||
client instance is capable of communicating an short arbitrary URI to | client instance is capable of communicating a short arbitrary URI to | |||
the end user for use with the user code, the client instance SHOULD | the end user for use with the user code, the client instance SHOULD | |||
instead use the "user_code_uri" (Section 2.5.1.4) mode. If the | instead use the "user_code_uri" mode (Section 2.5.1.4). If the | |||
client instance is capable of communicating a long arbitrary URI to | client instance is capable of communicating a long arbitrary URI to | |||
the end user, such as through a scannable code, the client instance | the end user, such as through a scannable code, the client instance | |||
SHOULD use the "redirect" (Section 2.5.1.1) mode for this purpose | SHOULD use the "redirect" mode (Section 2.5.1.1) for this purpose, | |||
instead of or in addition to the user code mode. | instead of or in addition to the user code mode. | |||
See details of the interaction in Section 4.1.2. | See details of the interaction in Section 4.1.2. | |||
3.3.4. Display of a Short User Code and URI | 3.3.4. Display of a Short User Code and URI | |||
If the client instance indicates that it can display a short | If the client instance indicates that it can display a short, user- | |||
user-typeable code (Section 2.5.1.3) and the AS supports this mode | typeable code (Section 2.5.1.3) and the AS supports this mode for the | |||
for the client instance's request, the AS responds with a | client instance's request, the AS responds with a "user_code_uri" | |||
"user_code_uri" object that contains the following members. | object that contains the following members. | |||
code (string): A unique short code that the end user can type into a | code (string): A unique short code that the end user can type into a | |||
provided URI. To facilitate usability, this string MUST consist | provided URI. To facilitate usability, this string MUST consist | |||
only of characters that can be easily typed by the end user (such | only of characters that can be easily typed by the end user (such | |||
as ASCII letters or numbers) and MUST be processed by the AS in a | as ASCII letters or numbers) and MUST be processed by the AS in a | |||
case-insensitive manner (see Section 4.1.3). The string MUST be | case-insensitive manner (see Section 4.1.3). The string MUST be | |||
randomly generated so as to be unguessable by an attacker within | randomly generated so as to be unguessable by an attacker within | |||
the time it is accepted. The time in which this code will be | the time it is accepted. The time in which this code will be | |||
accepted SHOULD be short lived, such as several minutes. It is | accepted SHOULD be short lived, such as several minutes. It is | |||
RECOMMENDED that this code be no more than eight characters in | RECOMMENDED that this code be between six and eight characters in | |||
length. REQUIRED. | length. REQUIRED. | |||
uri (string): The interaction URI that the client instance will | uri (string): The interaction URI that the client instance will | |||
direct the RO to. This URI MUST be short enough to be | direct the RO to. This URI MUST be short enough to be | |||
communicated to the end user by the client instance. It is | communicated to the end user by the client instance. It is | |||
RECOMMENDED that this URI be short enough for an end user to type | RECOMMENDED that this URI be short enough for an end user to type | |||
in manually. The URI MUST NOT contain the code value. This URI | in manually. The URI MUST NOT contain the code value. This URI | |||
MUST be an absolute URI. REQUIRED. | MUST be an absolute URI. REQUIRED. | |||
"interact": { | "interact": { | |||
skipping to change at page 69, line 4 ¶ | skipping to change at line 3057 ¶ | |||
function as an authentication factor for the RO. | function as an authentication factor for the RO. | |||
The client instance MUST also communicate the URI to the end user. | The client instance MUST also communicate the URI to the end user. | |||
Since it is expected that the end user will continue interaction on a | Since it is expected that the end user will continue interaction on a | |||
secondary device, the URI needs to be short enough to allow the end | secondary device, the URI needs to be short enough to allow the end | |||
user to type or copy it to a secondary device without mistakes. | user to type or copy it to a secondary device without mistakes. | |||
The URI returned is a function of the AS, but the URI itself MAY be | The URI returned is a function of the AS, but the URI itself MAY be | |||
completely distinct from the grant endpoint URI that the client | completely distinct from the grant endpoint URI that the client | |||
instance uses to request access (Section 2), allowing an AS to | instance uses to request access (Section 2), allowing an AS to | |||
separate its user-interactive functionality from its back-end | separate its user-interaction functionality from its back-end | |||
security functionality. If the AS does not directly host the | security functionality. If the AS does not directly host the | |||
functionality accessed through the given URI, then the means for the | functionality accessed through the given URI, then the means for the | |||
interaction functionality to communicate with the rest of the AS are | interaction functionality to communicate with the rest of the AS are | |||
out of scope for this specification. | out of scope for this specification. | |||
See details of the interaction in Section 4.1.2. | See details of the interaction in Section 4.1.2. | |||
3.3.5. Interaction Finish | 3.3.5. Interaction Finish | |||
If the client instance indicates that it can receive a | If the client instance indicates that it can receive a post- | |||
post-interaction redirect or push at a URI (Section 2.5.2) and the AS | interaction redirect or push at a URI (Section 2.5.2) and the AS | |||
supports this mode for the client instance's request, the AS responds | supports this mode for the client instance's request, the AS responds | |||
with a finish field containing a nonce that the client instance will | with a finish field containing a nonce that the client instance will | |||
use in validating the callback as defined in Section 4.2. | use in validating the callback as defined in Section 4.2. | |||
"interact": { | "interact": { | |||
"finish": "MBDOFXG4Y5CVJCX821LH" | "finish": "MBDOFXG4Y5CVJCX821LH" | |||
} | } | |||
When the interaction is completed, the interaction component of the | When the interaction is completed, the interaction component of the | |||
AS MUST contact the client instance using the means defined by the | AS MUST contact the client instance using the means defined by the | |||
skipping to change at page 69, line 49 ¶ | skipping to change at line 3102 ¶ | |||
are the same party. This can be accomplished through some forms of | are the same party. This can be accomplished through some forms of | |||
interaction with the RO (Section 4). | interaction with the RO (Section 4). | |||
This field is an object with the following properties. | This field is an object with the following properties. | |||
sub_ids (array of objects): An array of subject identifiers for the | sub_ids (array of objects): An array of subject identifiers for the | |||
RO, as defined by [RFC9493]. REQUIRED if returning subject | RO, as defined by [RFC9493]. REQUIRED if returning subject | |||
identifiers. | identifiers. | |||
assertions (array of objects): An array containing assertions as | assertions (array of objects): An array containing assertions as | |||
objects each containing the assertion object described below. | objects, each containing the assertion object described below. | |||
REQUIRED if returning assertions. | REQUIRED if returning assertions. | |||
updated_at (string): Timestamp as an [RFC3339] date string, | updated_at (string): Timestamp as a date string as described in | |||
indicating when the identified account was last updated. The | [RFC3339], indicating when the identified account was last | |||
client instance MAY use this value to determine if it needs to | updated. The client instance MAY use this value to determine if | |||
request updated profile information through an identity API. The | it needs to request updated profile information through an | |||
definition of such an identity API is out of scope for this | identity API. The definition of such an identity API is out of | |||
specification. RECOMMENDED. | scope for this specification. RECOMMENDED. | |||
Assertion objects contain the following fields: | Assertion objects contain the following fields: | |||
format (string): The assertion format. Possible formats are listed | format (string): The assertion format. Possible formats are listed | |||
in Section 3.4.1. Additional assertion formats are defined by the | in Section 3.4.1. Additional assertion formats can be defined in | |||
GNAP Assertion Formats Registry (Section 11.6). REQUIRED. | the "GNAP Assertion Formats" registry (Section 10.6). REQUIRED. | |||
value (string): The assertion value as the JSON string serialization | value (string): The assertion value as the JSON string serialization | |||
of the assertion. REQUIRED. | of the assertion. REQUIRED. | |||
The following non-normative example contains an opaque identifier and | The following non-normative example contains an opaque identifier and | |||
an OpenID Connect ID Token: | an OpenID Connect ID Token: | |||
"subject": { | "subject": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "XUT2MFM1XBIKJKSDU8QM" | "id": "XUT2MFM1XBIKJKSDU8QM" | |||
} ], | } ], | |||
"assertions": [ { | "assertions": [ { | |||
"format": "id_token", | "format": "id_token", | |||
"value": "eyj..." | "value": "eyj..." | |||
} ] | } ] | |||
} | } | |||
Subject identifiers returned by the AS SHOULD uniquely identify the | Subject identifiers returned by the AS SHOULD uniquely identify the | |||
RO at the AS. Some forms of subject identifier are opaque to the | RO at the AS. Some forms of subject identifiers are opaque to the | |||
client instance (such as the subject of an issuer and subject pair), | client instance (such as the subject of an issuer and subject pair), | |||
while others forms (such as email address and phone number) are | while other forms (such as email address and phone number) are | |||
intended to allow the client instance to correlate the identifier | intended to allow the client instance to correlate the identifier | |||
with other account information at the client instance. The client | with other account information at the client instance. The client | |||
instance MUST NOT request or use any returned subject identifiers for | instance MUST NOT request or use any returned subject identifiers for | |||
communication purposes (see Section 2.2). That is, a subject | communication purposes (see Section 2.2). That is, a subject | |||
identifier returned in the format of an email address or a phone | identifier returned in the format of an email address or a phone | |||
number only identifies the RO to the AS and does not indicate that | number only identifies the RO to the AS and does not indicate that | |||
the AS has validated that the represented email address or phone | the AS has validated that the represented email address or phone | |||
number in the identifier is suitable for communication with the | number in the identifier is suitable for communication with the | |||
current user. To get such information, the client instance MUST use | current user. To get such information, the client instance MUST use | |||
an identity protocol to request and receive additional identity | an identity protocol to request and receive additional identity | |||
claims. The details of an identity protocol and associated schema | claims. The details of an identity protocol and associated schema | |||
are outside the scope of this specification. | are outside the scope of this specification. | |||
The AS MUST ensure that the returned subject information represents | The AS MUST ensure that the returned subject information represents | |||
the RO. In most cases, the AS will also ensure that the returned | the RO. In most cases, the AS will also ensure that the returned | |||
subject information represents the end user authenticated | subject information represents the end user authenticated | |||
interactively at the AS. The AS SHOULD NOT re-use subject | interactively at the AS. The AS SHOULD NOT reuse subject identifiers | |||
identifiers for multiple different ROs. | for multiple different ROs. | |||
The "sub_ids" and "assertions" response fields are independent of | The "sub_ids" and "assertions" response fields are independent of | |||
each other. That is, a returned assertion MAY use a different | each other. That is, a returned assertion MAY use a different | |||
subject identifier than other assertions and subject identifiers in | subject identifier than other assertions and subject identifiers in | |||
the response. However, all subject identifiers and assertions | the response. However, all subject identifiers and assertions | |||
returned MUST refer to the same party. | returned MUST refer to the same party. | |||
The client instance MUST interpret all subject information in the | The client instance MUST interpret all subject information in the | |||
context of the AS from which the subject information is received, as | context of the AS from which the subject information is received, as | |||
is discussed in Section 6 of [SP80063C]. For example, one AS could | is discussed in Section 6 of [SP80063C]. For example, one AS could | |||
return an email identifier of "user@example.com" for one RO, and a | return an email identifier of "user@example.com" for one RO, and a | |||
different AS could return that same email identifier of | different AS could return that same email identifier of | |||
"user@example.com" for a completely different RO. A client instance | "user@example.com" for a completely different RO. A client instance | |||
talking to both AS's needs to differentiate between these two | talking to both ASes needs to differentiate between these two | |||
accounts by accounting for the AS source of each identifier and not | accounts by accounting for the AS source of each identifier and not | |||
assuming that either has a canonical claim on the identifier without | assuming that either has a canonical claim on the identifier without | |||
additional configuration and trust agreements. Otherwise, a rogue AS | additional configuration and trust agreements. Otherwise, a rogue AS | |||
could exploit this to take over a targeted account asserted by a | could exploit this to take over a targeted account asserted by a | |||
different AS. | different AS. | |||
Extensions to this specification MAY define additional response | Extensions to this specification MAY define additional response | |||
properties in the GNAP Subject Information Response Fields Registry | properties in the "GNAP Subject Information Response Fields" registry | |||
(Section 11.14). | (Section 10.14). | |||
The grant request MUST be in the _approved_ state to return this | The grant request MUST be in the _approved_ state to return this | |||
field in the response. | field in the response. | |||
See Section 13.30 for considerations that the client instance has to | See Section 11.30 for considerations that the client instance has to | |||
make when accepting and processing assertions from the AS. | make when accepting and processing assertions from the AS. | |||
3.4.1. Assertion Formats | 3.4.1. Assertion Formats | |||
The following assertion formats are defined in this specification: | The following assertion formats are defined in this specification: | |||
id_token: An OpenID Connect ID Token ([OIDC]), in JWT compact format | id_token: An OpenID Connect ID Token [OIDC], in JSON Web Token (JWT) | |||
as a single string. | compact format as a single string. | |||
saml2: A SAML 2 assertion ([SAML2]), encoded as a single base64url | saml2: A SAML 2 assertion [SAML2], encoded as a single base64url | |||
string with no padding. | string with no padding. | |||
3.5. Returning a Dynamically-bound Client Instance Identifier | 3.5. Returning a Dynamically Bound Client Instance Identifier | |||
Many parts of the client instance's request can be passed as either a | Many parts of the client instance's request can be passed as either a | |||
value or a reference. The use of a reference in place of a value | value or a reference. The use of a reference in place of a value | |||
allows for a client instance to optimize requests to the AS. | allows for a client instance to optimize requests to the AS. | |||
Some references, such as for the client instance's identity | Some references, such as for the client instance's identity | |||
(Section 2.3.1) or the requested resources (Section 8.1), can be | (Section 2.3.1) or the requested resources (Section 8.1), can be | |||
managed statically through an admin console or developer portal | managed statically through an admin console or developer portal | |||
provided by the AS or RS. The developer of the client software can | provided by the AS or RS. The developer of the client software can | |||
include these values in their code for a more efficient and compact | include these values in their code for a more efficient and compact | |||
skipping to change at page 72, line 38 ¶ | skipping to change at line 3230 ¶ | |||
information that would compromise any party if revealed. Instance | information that would compromise any party if revealed. Instance | |||
identifier values are opaque to the client instance, and their | identifier values are opaque to the client instance, and their | |||
content is determined by the AS. The instance identifier MUST be | content is determined by the AS. The instance identifier MUST be | |||
unique per client instance at the AS. | unique per client instance at the AS. | |||
instance_id (string): A string value used to represent the | instance_id (string): A string value used to represent the | |||
information in the client object that the client instance can use | information in the client object that the client instance can use | |||
in a future request, as described in Section 2.3.1. OPTIONAL. | in a future request, as described in Section 2.3.1. OPTIONAL. | |||
The following non-normative example shows an instance identifier | The following non-normative example shows an instance identifier | |||
along side an issued access token. | alongside an issued access token. | |||
{ | { | |||
"instance_id": "7C7C4AZ9KHRS6X63AJAO", | "instance_id": "7C7C4AZ9KHRS6X63AJAO", | |||
"access_token": { | "access_token": { | |||
"value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0" | "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0" | |||
} | } | |||
} | } | |||
3.6. Error Response | 3.6. Error Response | |||
If the AS determines that the request cannot be completed for any | If the AS determines that the request cannot be completed for any | |||
reason, it responds to the client instance with an error field in the | reason, it responds to the client instance with an error field in the | |||
response message. This field is either an object or a string. | response message. This field is either an object or a string. | |||
When returned as an object, the object contains the following fields: | When returned as an object, the object contains the following fields: | |||
code (string): A single ASCII error code defining the error. The | code (string): A single ASCII error code defining the error. The | |||
value MUST be defined in the GNAP Error Codes Registry | value MUST be defined in the "GNAP Error Codes" registry | |||
(Section 11.15). REQUIRED. | (Section 10.15). REQUIRED. | |||
description (string): A human-readable string description of the | description (string): A human-readable string description of the | |||
error intended for the developer of the client. The value is | error intended for the developer of the client. The value is | |||
chosen by the implementation. OPTIONAL. | chosen by the implementation. OPTIONAL. | |||
This specification defines the following code values: | This specification defines the following code values: | |||
"invalid_request": The request is missing a required parameter, | "invalid_request": The request is missing a required parameter, | |||
includes an invalid parameter value or is otherwise malformed. | includes an invalid parameter value, or is otherwise malformed. | |||
"invalid_client": The request was made from a client that was not | "invalid_client": The request was made from a client that was not | |||
recognized or allowed by the AS, or the client's signature | recognized or allowed by the AS, or the client's signature | |||
validation failed. | validation failed. | |||
"invalid_interaction" The client instance has provided an | "invalid_interaction": The client instance has provided an | |||
interaction reference that is incorrect for this request or the | interaction reference that is incorrect for this request, or the | |||
interaction modes in use have expired. | interaction modes in use have expired. | |||
"invalid_flag" The flag configuration is not valid. | "invalid_flag": The flag configuration is not valid. | |||
"invalid_rotation" The token rotation request is not valid. | "invalid_rotation": The token rotation request is not valid. | |||
"key_rotation_not_supported" The AS does not allow rotation of this | "key_rotation_not_supported": The AS does not allow rotation of this | |||
access token's key. | access token's key. | |||
"invalid_continuation": The continuation of the referenced grant | "invalid_continuation": The continuation of the referenced grant | |||
could not be processed. | could not be processed. | |||
"user_denied": The RO denied the request. | "user_denied": The RO denied the request. | |||
"request_denied": The request was denied for an unspecified reason. | "request_denied": The request was denied for an unspecified reason. | |||
"unknown_user": The user presented in the request is not known to | "unknown_user": The user presented in the request is not known to | |||
skipping to change at page 74, line 7 ¶ | skipping to change at line 3295 ¶ | |||
"unknown_interaction": The interaction integrity could not be | "unknown_interaction": The interaction integrity could not be | |||
established. | established. | |||
"too_fast": The client instance did not respect the timeout in the | "too_fast": The client instance did not respect the timeout in the | |||
wait response before the next call. | wait response before the next call. | |||
"too_many_attempts": A limit has been reached in the total number of | "too_many_attempts": A limit has been reached in the total number of | |||
reasonable attempts. This number is either defined statically or | reasonable attempts. This number is either defined statically or | |||
adjusted based on runtime conditions by the AS. | adjusted based on runtime conditions by the AS. | |||
Additional error codes can be defined in the GNAP Error Codes | Additional error codes can be defined in the "GNAP Error Codes" | |||
Registry (Section 11.15). | registry (Section 10.15). | |||
For example, if the RO denied the request while interacting with the | For example, if the RO denied the request while interacting with the | |||
AS, the AS would return the following error when the client instance | AS, the AS would return the following error when the client instance | |||
tries to continue the grant request: | tries to continue the grant request: | |||
{ | { | |||
"error": { | "error": { | |||
"code": "user_denied", | "code": "user_denied", | |||
"description": "The RO denied the request" | "description": "The RO denied the request" | |||
} | } | |||
skipping to change at page 74, line 34 ¶ | skipping to change at line 3322 ¶ | |||
considered functionally equivalent to the previous example for the | considered functionally equivalent to the previous example for the | |||
purposes of the client software's understanding: | purposes of the client software's understanding: | |||
{ | { | |||
"error": "user_denied" | "error": "user_denied" | |||
} | } | |||
If an error state is reached but the grant is in the _pending_ state | If an error state is reached but the grant is in the _pending_ state | |||
(and therefore the client instance can continue), the AS MAY include | (and therefore the client instance can continue), the AS MAY include | |||
the continue field in the response along with the error, as defined | the continue field in the response along with the error, as defined | |||
Section 3.1. This allows the client instance to modify its request | in Section 3.1. This allows the client instance to modify its | |||
for access, potentially leading to prompting the RO again. Other | request for access, potentially leading to prompting the RO again. | |||
fields MUST NOT be included in the response. | Other fields MUST NOT be included in the response. | |||
4. Determining Authorization and Consent | 4. Determining Authorization and Consent | |||
When the client instance makes its initial request (Section 2) to the | When the client instance makes its initial request (Section 2) to the | |||
AS for delegated access, it is capable of asking for several | AS for delegated access, it is capable of asking for several | |||
different kinds of information in response: | different kinds of information in response: | |||
* the access being requested, in the access_token request parameter | * the access being requested, in the access_token request parameter | |||
* the subject information being requested, in the subject request | * the subject information being requested, in the subject request | |||
skipping to change at page 75, line 14 ¶ | skipping to change at line 3349 ¶ | |||
When the grant request is in the _processing_ state, the AS | When the grant request is in the _processing_ state, the AS | |||
determines what authorizations and consents are required to fulfill | determines what authorizations and consents are required to fulfill | |||
this requested delegation. The details of how the AS makes this | this requested delegation. The details of how the AS makes this | |||
determination are out of scope for this document. However, there are | determination are out of scope for this document. However, there are | |||
several common patterns defined and supported by GNAP for fulfilling | several common patterns defined and supported by GNAP for fulfilling | |||
these requirements, including information sent by the client | these requirements, including information sent by the client | |||
instance, information gathered through the interaction process, and | instance, information gathered through the interaction process, and | |||
information supplied by external parties. An individual AS can | information supplied by external parties. An individual AS can | |||
define its own policies and processes for deciding when and how to | define its own policies and processes for deciding when and how to | |||
gather the necessary authorizations and consent, and how those are | gather the necessary authorizations and consent and how those are | |||
applied to the grant request. | applied to the grant request. | |||
To facilitate the AS fulfilling this request, the client instance | To facilitate the AS fulfilling this request, the client instance | |||
sends information about the actions the client software can take, | sends information about the actions the client software can take, | |||
including: | including: | |||
* starting interaction with the end user, in the interact request | * starting interaction with the end user, in the interact request | |||
parameter | parameter | |||
* receiving notification that interaction with the RO has concluded, | * receiving notification that interaction with the RO has concluded, | |||
skipping to change at page 76, line 9 ¶ | skipping to change at line 3389 ¶ | |||
determines that the information presented in the initial request is | determines that the information presented in the initial request is | |||
sufficient for granting the requested access, the AS MAY move the | sufficient for granting the requested access, the AS MAY move the | |||
grant request to the _approved_ state and return results immediately | grant request to the _approved_ state and return results immediately | |||
in its response (Section 3) with access tokens and subject | in its response (Section 3) with access tokens and subject | |||
information. | information. | |||
If the AS determines that additional runtime authorization is | If the AS determines that additional runtime authorization is | |||
required, the AS can either deny the request outright (if there is no | required, the AS can either deny the request outright (if there is no | |||
possible recovery) or move the grant request to the _pending_ state | possible recovery) or move the grant request to the _pending_ state | |||
and use a number of means at its disposal to gather that | and use a number of means at its disposal to gather that | |||
authorization from the appropriate ROs, including for example: | authorization from the appropriate ROs, including: | |||
* starting interaction with the end user facilitated by the client | * starting interaction with the end user facilitated by the client | |||
software, such as a redirection or user code | software, such as a redirection or user code | |||
* challenging the client instance through a challenge-response | * challenging the client instance through a challenge-response | |||
mechanism | mechanism | |||
* requesting that the client instance present specific additional | * requesting that the client instance present specific additional | |||
information, such as a user's credential or an assertion | information, such as a user's credential or an assertion | |||
skipping to change at page 77, line 7 ¶ | skipping to change at line 3423 ¶ | |||
record, an identified subject, or a request requiring specific access | record, an identified subject, or a request requiring specific access | |||
such as approval by an administrator. In other cases, the request is | such as approval by an administrator. In other cases, the request is | |||
applied to whichever RO is present at the time of consent gathering. | applied to whichever RO is present at the time of consent gathering. | |||
This pattern is especially prevalent when the end user is sent to the | This pattern is especially prevalent when the end user is sent to the | |||
AS for an interactive session, during which the end user takes on the | AS for an interactive session, during which the end user takes on the | |||
role of the RO. In these cases, the end user is delegating their own | role of the RO. In these cases, the end user is delegating their own | |||
access as RO to the client instance. | access as RO to the client instance. | |||
The client instance can indicate that it is capable of facilitating | The client instance can indicate that it is capable of facilitating | |||
interaction with the end user, another party, or another piece of | interaction with the end user, another party, or another piece of | |||
software through its interaction start (Section 2.5.1) request. | software through its interaction start request (Section 2.5.1). | |||
Here, the AS usually needs to interact directly with the end user to | Here, the AS usually needs to interact directly with the end user to | |||
determine their identity, determine their status as an RO, and | determine their identity, determine their status as an RO, and | |||
collect their consent. If the AS has determined that authorization | collect their consent. If the AS has determined that authorization | |||
is required and the AS can support one or more of the requested | is required and the AS can support one or more of the requested | |||
interaction start methods, the AS returns the associated interaction | interaction start methods, the AS returns the associated interaction | |||
start responses (Section 3.3). The client instance SHOULD initiate | start responses (Section 3.3). The client instance SHOULD initiate | |||
one or more of these interaction methods (Section 4.1) in order to | one or more of these interaction methods (Section 4.1) in order to | |||
facilitate the granting of the request. If more than one interaction | facilitate the granting of the request. If more than one interaction | |||
start method is available, the means by which the client chooses | start method is available, the means by which the client chooses | |||
which methods to follow is out of scope of this specification. | which methods to follow are out of scope of this specification. | |||
After starting interaction, the client instance can then make a | After starting interaction, the client instance can then make a | |||
continuation request (Section 5) either in response to a signal | continuation request (Section 5) either in response to a signal | |||
indicating the finish of the interaction (Section 4.2), after a time- | indicating the finish of the interaction (Section 4.2), after a time- | |||
based polling, or through some other method defined by an extension | based polling, or through some other method defined by an extension | |||
of this specification through the GNAP Interaction Mode Responses | of this specification through the "GNAP Interaction Mode Responses" | |||
registry (Section 11.13). | registry (Section 10.13). | |||
If the grant request is not in the _approved_ state, the client | If the grant request is not in the _approved_ state, the client | |||
instance can repeat the interaction process by sending a grant update | instance can repeat the interaction process by sending a grant update | |||
request (Section 5.3) with new interaction (Section 2.5) methods. | request (Section 5.3) with new interaction methods (Section 2.5). | |||
The client instance MUST use each interaction method at most once, if | The client instance MUST use each interaction method once at most if | |||
a response can be detected. The AS MUST handle any interact request | a response can be detected. The AS MUST handle any interact request | |||
as a one-time-use mechanism and SHOULD apply suitable timeouts to any | as a one-time-use mechanism and SHOULD apply suitable timeouts to any | |||
interaction start methods provided, including user codes and | interaction start methods provided, including user codes and | |||
redirection URIs. The client instance SHOULD apply suitable timeouts | redirection URIs. The client instance SHOULD apply suitable timeouts | |||
to any interaction finish method. | to any interaction finish method. | |||
In order to support client software deployed in disadvantaged network | In order to support client software deployed in disadvantaged network | |||
conditions, the AS MAY allow for processing of the same interaction | conditions, the AS MAY allow for processing of the same interaction | |||
method multiple times if the AS can determine that the request is | method multiple times if the AS can determine that the request is | |||
from the same party and the results are idempotent. For example, if | from the same party and the results are idempotent. For example, if | |||
skipping to change at page 78, line 6 ¶ | skipping to change at line 3470 ¶ | |||
first place. However, if the AS in question receives both requests, | first place. However, if the AS in question receives both requests, | |||
it could mistakenly process them separately, creating an undefined | it could mistakenly process them separately, creating an undefined | |||
state for the client instance. If the AS can determine that both | state for the client instance. If the AS can determine that both | |||
requests come from the same origin or under the same session, and the | requests come from the same origin or under the same session, and the | |||
requests both came before any additional state change to the grant | requests both came before any additional state change to the grant | |||
occurs, the AS can reasonably conclude that the initial response was | occurs, the AS can reasonably conclude that the initial response was | |||
not received and the same response can be returned to the client | not received and the same response can be returned to the client | |||
instance. | instance. | |||
If the AS instead has a means of contacting the RO directly, it could | If the AS instead has a means of contacting the RO directly, it could | |||
do so without involving the client instance in its consent gathering | do so without involving the client instance in its consent-gathering | |||
process. For example, the AS could push a notification to a known RO | process. For example, the AS could push a notification to a known RO | |||
and have the RO approve the pending request asynchronously. These | and have the RO approve the pending request asynchronously. These | |||
interactions can be through an interface of the AS itself (such as a | interactions can be through an interface of the AS itself (such as a | |||
hosted web page), through another application (such as something | hosted web page), through another application (such as something | |||
installed on the RO's device), through a messaging fabric, or any | installed on the RO's device), through a messaging fabric, or any | |||
other means. | other means. | |||
When interacting with an RO, the AS can do anything it needs to | When interacting with an RO, the AS can do anything it needs to | |||
determine the authorization of the requested grant, including: | determine the authorization of the requested grant, including: | |||
* authenticate the RO, through a local account or some other means | * authenticate the RO through a local account or some other means, | |||
such as federated login | such as federated login | |||
* validate the RO through presentation of claims, attributes, or | * validate the RO through presentation of claims, attributes, or | |||
other information | other information | |||
* prompt the RO for consent for the requested delegation | * prompt the RO for consent for the requested delegation | |||
* describe to the RO what information is being released, to whom, | * describe to the RO what information is being released, to whom, | |||
and for what purpose | and for what purpose | |||
skipping to change at page 78, line 43 ¶ | skipping to change at line 3507 ¶ | |||
* provide the RO with artifacts such as receipts to facilitate an | * provide the RO with artifacts such as receipts to facilitate an | |||
audit trail of authorizations | audit trail of authorizations | |||
* allow the RO to deny the requested delegation | * allow the RO to deny the requested delegation | |||
The AS is also allowed to request authorization from more than one | The AS is also allowed to request authorization from more than one | |||
RO, if the AS deems fit. For example, a medical record might need to | RO, if the AS deems fit. For example, a medical record might need to | |||
be released by both an attending nurse and a physician, or both | be released by both an attending nurse and a physician, or both | |||
owners of a bank account need to sign off on a transfer request. | owners of a bank account need to sign off on a transfer request. | |||
Alternatively, the AS could require N of M possible RO's to approve a | Alternatively, the AS could require N of M possible ROs to approve a | |||
given request. In some circumstances, the AS could even determine | given request. In some circumstances, the AS could even determine | |||
that the end user present during the interaction is not the | that the end user present during the interaction is not the | |||
appropriate RO for a given request and reach out to the appropriate | appropriate RO for a given request and reach out to the appropriate | |||
RO asynchronously. | RO asynchronously. | |||
The RO is also allowed to define an automated policy at the AS to | The RO is also allowed to define an automated policy at the AS to | |||
determine which kind of end user can get access to the resource, and | determine which kind of end user can get access to the resource and | |||
under which condition. For instance, such a condition might require | under which conditions. For instance, such a condition might require | |||
the end user login and the acceptance of the RO's legal provisions. | the end user to log in and accept the RO's legal provisions. | |||
Alternatively, client software could be acting without an end user, | Alternatively, client software could be acting without an end user, | |||
and the RO's policy allows issuance of access tokens to specific | and the RO's policy allows issuance of access tokens to specific | |||
instances of that client software without human interaction. | instances of that client software without human interaction. | |||
While all of these cases are supported by GNAP, the details of their | While all of these cases are supported by GNAP, the details of their | |||
implementation, and for determining which RO's or related policies | implementation, and for determining which ROs or related policies are | |||
are required for a given request, are out of scope for this | required for a given request, are out of scope for this | |||
specification. | specification. | |||
4.1. Starting Interaction With the End User | 4.1. Starting Interaction with the End User | |||
When a grant request is in the _pending_ state, the interaction start | When a grant request is in the _pending_ state, the interaction start | |||
methods sent by the client instance can be used to facilitate | methods sent by the client instance can be used to facilitate | |||
interaction with the end user. To initiate an interaction start | interaction with the end user. To initiate an interaction start | |||
method indicated by the interaction start responses (Section 3.3) | method indicated by the interaction start responses (Section 3.3) | |||
from the AS, the client instance follows the steps defined by that | from the AS, the client instance follows the steps defined by that | |||
interaction start mode. The actions of the client instance required | interaction start mode. The actions of the client instance required | |||
for the interaction start modes defined in this specification are | for the interaction start modes defined in this specification are | |||
described in the following sections. Interaction start modes defined | described in the following subsections. Interaction start modes | |||
in extensions to this specification MUST define the expected actions | defined in extensions to this specification MUST define the expected | |||
of the client software when that interaction start mode is used. | actions of the client software when that interaction start mode is | |||
used. | ||||
If the client instance does not start an interaction start mode | If the client instance does not start an interaction start mode | |||
within an AS-determined amount of time, the AS MUST reject attempts | within an AS-determined amount of time, the AS MUST reject attempts | |||
to use the interaction start modes. If the client instance has | to use the interaction start modes. If the client instance has | |||
already begun one interaction start mode and the interaction has been | already begun one interaction start mode and the interaction has been | |||
successfully completed, the AS MUST reject attempts to use other | successfully completed, the AS MUST reject attempts to use other | |||
interaction start modes. For example, if a user code has been | interaction start modes. For example, if a user code has been | |||
successfully entered for a grant request, the AS will need to reject | successfully entered for a grant request, the AS will need to reject | |||
requests to an arbitrary redirect URI on the same grant request in | requests to an arbitrary redirect URI on the same grant request in | |||
order to prevent an attacker from capturing and altering an active | order to prevent an attacker from capturing and altering an active | |||
authorization process. | authorization process. | |||
4.1.1. Interaction at a Redirected URI | 4.1.1. Interaction at a Redirected URI | |||
When the end user is directed to an arbitrary URI through the | When the end user is directed to an arbitrary URI through the | |||
"redirect" (Section 3.3.1) mode, the client instance facilitates | "redirect" mode (Section 3.3.1), the client instance facilitates | |||
opening the URI through the end user's web browser. The client | opening the URI through the end user's web browser. The client | |||
instance could launch the URI through the system browser, provide a | instance could launch the URI through the system browser, provide a | |||
clickable link, redirect the user through HTTP response codes, or | clickable link, redirect the user through HTTP response codes, or | |||
display the URI in a form the end user can use to launch such as a | display the URI in a form the end user can use to launch, such as a | |||
multidimensional barcode. In all cases, the URI is accessed with an | multidimensional barcode. In all cases, the URI is accessed with an | |||
HTTP GET request, and the resulting page is assumed to allow direct | HTTP GET request, and the resulting page is assumed to allow direct | |||
interaction with the end user through an HTTP user agent. With this | interaction with the end user through an HTTP user agent. With this | |||
method, it is common (though not required) for the RO to be the same | method, it is common (though not required) for the RO to be the same | |||
party as the end user, since the client instance has to communicate | party as the end user, since the client instance has to communicate | |||
the redirection URI to the end user. | the redirection URI to the end user. | |||
In many cases, the URI indicates a web page hosted at the AS, | In many cases, the URI indicates a web page hosted at the AS, | |||
allowing the AS to authenticate the end user as the RO and | allowing the AS to authenticate the end user as the RO and | |||
interactively provide consent. The URI value is used to identify the | interactively provide consent. The URI value is used to identify the | |||
grant request being authorized. If the URI cannot be associated with | grant request being authorized. If the URI cannot be associated with | |||
a currently active request, the AS MUST display an error to the RO | a currently active request, the AS MUST display an error to the RO | |||
and MUST NOT attempt to redirect the RO back to any client instance | and MUST NOT attempt to redirect the RO back to any client instance, | |||
even if a redirect finish method is supplied (Section 2.5.2.1). If | even if a redirect finish method is supplied (Section 2.5.2.1). If | |||
the URI is not hosted by the AS directly, the means of communication | the URI is not hosted by the AS directly, the means of communication | |||
between the AS and the service provided by this URI are out of scope | between the AS and the service provided by this URI are out of scope | |||
for this specification. | for this specification. | |||
The client instance MUST NOT modify the URI when launching it, in | The client instance MUST NOT modify the URI when launching it; in | |||
particular the client instance MUST NOT add any parameters to the | particular, the client instance MUST NOT add any parameters to the | |||
URI. The URI MUST be reachable from the end user's browser, though | URI. The URI MUST be reachable from the end user's browser, though | |||
the URI MAY be opened on a separate device from the client instance | the URI MAY be opened on a separate device from the client instance | |||
itself. The URI MUST be accessible from an HTTP GET request and MUST | itself. The URI MUST be accessible from an HTTP GET request and MUST | |||
be protected by HTTPS, be hosted on a server local to the RO's | be protected by HTTPS, be hosted on a server local to the RO's | |||
browser ("localhost"), or use an application-specific URI scheme that | browser ("localhost"), or use an application-specific URI scheme that | |||
is loaded on the end user's device. | is loaded on the end user's device. | |||
4.1.2. Interaction at the Static User Code URI | 4.1.2. Interaction at the Static User Code URI | |||
When the end user is directed to enter a short code through the | When the end user is directed to enter a short code through the | |||
"user_code" (Section 3.3.3) mode, the client instance communicates | "user_code" mode (Section 3.3.3), the client instance communicates | |||
the user code to the end user and directs the end user to enter that | the user code to the end user and directs the end user to enter that | |||
code at an associated URI. The client instance MAY format the user | code at an associated URI. The client instance MAY format the user | |||
code in such a way as to facilitate memorability and transfer of the | code in such a way as to facilitate memorability and transfer of the | |||
code, so long as this formatting does not alter the value as accepted | code, so long as this formatting does not alter the value as accepted | |||
at the user code URI. For example, a client instance receiving the | at the user code URI. For example, a client instance receiving the | |||
user code "A1BC3DFF" could choose to display this to the user as | user code "A1BC3DFF" could choose to display this to the user as | |||
"A1BC 3DFF", breaking up the long string into two shorter strings. | "A1BC 3DFF", breaking up the long string into two shorter strings. | |||
When processing input codes, the AS MUST transform the input string | When processing input codes, the AS MUST transform the input string | |||
to remove invalid characters. In the above example, the space in | to remove invalid characters. In the above example, the space in | |||
between the two parts would be removed upon its entry into the | between the two parts would be removed upon its entry into the | |||
interactive form at the user code URI. Additionally, the AS MUST | interactive form at the user code URI. Additionally, the AS MUST | |||
treat user input as case insensitive. For example, if the user | treat user input as case insensitive. For example, if the user | |||
inputs the string "a1bc 3DFF", the AS will treat the input the same | inputs the string "a1bc 3DFF", the AS will treat the input the same | |||
as "A1BC3DFF". To facilitate this, it is RECOMMENDED that the AS use | as "A1BC3DFF". To facilitate this, it is RECOMMENDED that the AS use | |||
only ASCII letters and numbers as valid characters for the user code. | only ASCII letters and numbers as valid characters for the user code. | |||
It is RECOMMENDED that the AS choose from character values that are | It is RECOMMENDED that the AS choose from character values that are | |||
easily copied and typed without ambiguity. For example, some glyphs | easily copied and typed without ambiguity. For example, some glyphs | |||
have multiple Unicode code points for the same visual character, and | have multiple Unicode code points for the same visual character, and | |||
the end-user could potentially type a different character than what | the end user could potentially type a different character than what | |||
the AS has returned. For additional considerations of | the AS has returned. For additional considerations of | |||
internationalized character strings, see [RFC8264] | internationalized character strings, see [RFC8264]. | |||
This mode is designed to be used when the client instance is not able | This mode is designed to be used when the client instance is not able | |||
to communicate or facilitate launching an arbitrary URI. The | to communicate or facilitate launching an arbitrary URI. The | |||
associated URI could be statically configured with the client | associated URI could be statically configured with the client | |||
instance or in the client software's documentation. As a | instance or in the client software's documentation. As a | |||
consequence, these URIs SHOULD be short. The user code URI MUST be | consequence, these URIs SHOULD be short. The user code URI MUST be | |||
reachable from the end user's browser, though the URI is usually | reachable from the end user's browser, though the URI is usually | |||
opened on a separate device from the client instance itself. The URI | opened on a separate device from the client instance itself. The URI | |||
MUST be accessible from an HTTP GET request and MUST be protected by | MUST be accessible from an HTTP GET request and MUST be protected by | |||
HTTPS, be hosted on a server local to the RO's browser ("localhost"), | HTTPS, be hosted on a server local to the RO's browser ("localhost"), | |||
or use an application-specific URI scheme that is loaded on the end | or use an application-specific URI scheme that is loaded on the end | |||
user's device. | user's device. | |||
In many cases, the URI indicates a web page hosted at the AS, | In many cases, the URI indicates a web page hosted at the AS, | |||
allowing the AS to authenticate the end user as the RO and | allowing the AS to authenticate the end user as the RO and | |||
interactively provide consent. The value of the user code is used to | interactively provide consent. The value of the user code is used to | |||
identify the grant request being authorized. If the user code cannot | identify the grant request being authorized. If the user code cannot | |||
be associated with a currently active request, the AS MUST display an | be associated with a currently active request, the AS MUST display an | |||
error to the RO and MUST NOT attempt to redirect the RO back to any | error to the RO and MUST NOT attempt to redirect the RO back to any | |||
client instance even if a redirect finish method is supplied | client instance, even if a redirect finish method is supplied | |||
(Section 2.5.2.1). If the interaction component at the user code URI | (Section 2.5.2.1). If the interaction component at the user code URI | |||
is not hosted by the AS directly, the means of communication between | is not hosted by the AS directly, the means of communication between | |||
the AS and this URI, including communication of the user code itself, | the AS and this URI, including communication of the user code itself, | |||
are out of scope for this specification. | are out of scope for this specification. | |||
When the RO enters this code at the user code URI, the AS MUST | When the RO enters this code at the user code URI, the AS MUST | |||
uniquely identify the pending request that the code was associated | uniquely identify the pending request that the code was associated | |||
with. If the AS does not recognize the entered code, the interaction | with. If the AS does not recognize the entered code, the interaction | |||
component MUST display an error to the user. If the AS detects too | component MUST display an error to the user. If the AS detects too | |||
many unrecognized code enter attempts, the interaction component | many unrecognized code enter attempts, the interaction component | |||
SHOULD display an error to the user indicating too many attempts and | SHOULD display an error to the user indicating too many attempts and | |||
MAY take additional actions such as slowing down the input | MAY take additional actions such as slowing down the input | |||
interactions. The user should be warned as such an error state is | interactions. The user should be warned as such an error state is | |||
approached, if possible. | approached, if possible. | |||
4.1.3. Interaction at a Dynamic User Code URI | 4.1.3. Interaction at a Dynamic User Code URI | |||
When the end user is directed to enter a short code through the | When the end user is directed to enter a short code through the | |||
"user_code_uri" (Section 3.3.4) mode, the client instance | "user_code_uri" mode (Section 3.3.4), the client instance | |||
communicates the user code and associated URI to the end user and | communicates the user code and associated URI to the end user and | |||
directs the end user to enter that code at the URI. The client | directs the end user to enter that code at the URI. The client | |||
instance MAY format the user code in such a way as to facilitate | instance MAY format the user code in such a way as to facilitate | |||
memorability and transfer of the code, so long as this formatting | memorability and transfer of the code, so long as this formatting | |||
does not alter the value as accepted at the user code URI. For | does not alter the value as accepted at the user code URI. For | |||
example, a client instance receiving the user code "A1BC3DFF" could | example, a client instance receiving the user code "A1BC3DFF" could | |||
choose to display this to the user as "A1BC 3DFF", breaking up the | choose to display this to the user as "A1BC 3DFF", breaking up the | |||
long string into two shorter strings. | long string into two shorter strings. | |||
When processing input codes, the AS MUST transform the input string | When processing input codes, the AS MUST transform the input string | |||
skipping to change at page 82, line 34 ¶ | skipping to change at line 3690 ¶ | |||
and MUST be protected by HTTPS, be hosted on a server local to the | and MUST be protected by HTTPS, be hosted on a server local to the | |||
RO's browser ("localhost"), or use an application-specific URI scheme | RO's browser ("localhost"), or use an application-specific URI scheme | |||
that is loaded on the end user's device. | that is loaded on the end user's device. | |||
In many cases, the URI indicates a web page hosted at the AS, | In many cases, the URI indicates a web page hosted at the AS, | |||
allowing the AS to authenticate the end user as the RO and | allowing the AS to authenticate the end user as the RO and | |||
interactively provide consent. The value of the user code is used to | interactively provide consent. The value of the user code is used to | |||
identify the grant request being authorized. If the user code cannot | identify the grant request being authorized. If the user code cannot | |||
be associated with a currently active request, the AS MUST display an | be associated with a currently active request, the AS MUST display an | |||
error to the RO and MUST NOT attempt to redirect the RO back to any | error to the RO and MUST NOT attempt to redirect the RO back to any | |||
client instance even if a redirect finish method is supplied | client instance, even if a redirect finish method is supplied | |||
(Section 2.5.2.1). If the interaction component at the user code URI | (Section 2.5.2.1). If the interaction component at the user code URI | |||
is not hosted by the AS directly, the means of communication between | is not hosted by the AS directly, the means of communication between | |||
the AS and this URI, including communication of the user code itself, | the AS and this URI, including communication of the user code itself, | |||
are out of scope for this specification. | are out of scope for this specification. | |||
When the RO enters this code at the given URI, the AS MUST uniquely | When the RO enters this code at the given URI, the AS MUST uniquely | |||
identify the pending request that the code was associated with. If | identify the pending request that the code was associated with. If | |||
the AS does not recognize the entered code, the interaction component | the AS does not recognize the entered code, the interaction component | |||
MUST display an error to the user. If the AS detects too many | MUST display an error to the user. If the AS detects too many | |||
unrecognized code enter attempts, the interaction component SHOULD | unrecognized code enter attempts, the interaction component SHOULD | |||
display an error to the user indicating too many attempts and MAY | display an error to the user indicating too many attempts and MAY | |||
take additional actions such as slowing down the input interactions. | take additional actions such as slowing down the input interactions. | |||
The user should be warned as such an error state is approached, if | The user should be warned as such an error state is approached, if | |||
possible. | possible. | |||
4.1.4. Interaction through an Application URI | 4.1.4. Interaction through an Application URI | |||
When the client instance is directed to launch an application through | When the client instance is directed to launch an application through | |||
the "app" (Section 3.3.2) mode, the client launches the URI as | the "app" mode (Section 3.3.2), the client launches the URI as | |||
appropriate to the system, such as through a deep link or custom URI | appropriate to the system, such as through a deep link or custom URI | |||
scheme registered to a mobile application. The means by which the AS | scheme registered to a mobile application. The means by which the AS | |||
and the launched application communicate with each other and perform | and the launched application communicate with each other and perform | |||
any of the required actions are out of scope for this specification. | any of the required actions are out of scope for this specification. | |||
4.2. Post-Interaction Completion | 4.2. Post-Interaction Completion | |||
If an interaction "finish" (Section 3.3.5) method is associated with | If an interaction "finish" method (Section 3.3.5) is associated with | |||
the current request, the AS MUST follow the appropriate method upon | the current request, the AS MUST follow the appropriate method upon | |||
completion of interaction in order to signal the client instance to | completion of interaction in order to signal the client instance to | |||
continue, except for some limited error cases discussed below. If a | continue, except for some limited error cases discussed below. If a | |||
finish method is not available, the AS SHOULD instruct the RO to | finish method is not available, the AS SHOULD instruct the RO to | |||
return to the client instance upon completion. In such cases, it is | return to the client instance upon completion. In such cases, it is | |||
expected that the client instance will poll the continuation endpoint | expected that the client instance will poll the continuation endpoint | |||
as described in Section 5.2. | as described in Section 5.2. | |||
The AS MUST create an interaction reference and associate that | The AS MUST create an interaction reference and associate that | |||
reference with the current interaction and the underlying pending | reference with the current interaction and the underlying pending | |||
request. The interaction reference value is an ASCII string | request. The interaction reference value is an ASCII string | |||
consisting of only unreserved characters per Section 2.3 of | consisting of only unreserved characters per Section 2.3 of | |||
[RFC3986]. The interaction reference value MUST be sufficiently | [RFC3986]. The interaction reference value MUST be sufficiently | |||
random so as not to be guessable by an attacker. The interaction | random so as not to be guessable by an attacker. The interaction | |||
reference MUST be one-time-use to prevent interception and replay | reference MUST be one-time-use to prevent interception and replay | |||
attacks. | attacks. | |||
The AS MUST calculate a hash value based on the client instance and | The AS MUST calculate a hash value based on the client instance, AS | |||
AS nonces and the interaction reference, as described in | nonces, and the interaction reference, as described in Section 4.2.3. | |||
Section 4.2.3. The client instance will use this value to validate | The client instance will use this value to validate the "finish" | |||
the "finish" call. | call. | |||
All interaction finish methods MUST define a way to convey the hash | All interaction finish methods MUST define a way to convey the hash | |||
and interaction reference back to the client instance. When an | and interaction reference back to the client instance. When an | |||
interaction finish method is used, the client instance MUST present | interaction finish method is used, the client instance MUST present | |||
the interaction reference back to the AS as part of its continuation | the interaction reference back to the AS as part of its continuation | |||
request (Section 5.1). | request (Section 5.1). | |||
Note that in many error cases, such as when the RO has denied access, | Note that in many error cases, such as when the RO has denied access, | |||
the "finish" method is still enacted by the AS. This pattern allows | the "finish" method is still enacted by the AS. This pattern allows | |||
the client instance to potentially recover from the error state by | the client instance to potentially recover from the error state by | |||
modifying its request or providing additional information directly to | modifying its request or providing additional information directly to | |||
the AS in a continuation request. The AS MUST NOT follow the | the AS in a continuation request. The AS MUST NOT follow the | |||
"finish" method in the following circumstances: | "finish" method in the following circumstances: | |||
* The AS has determined that any URIs involved with the finish | * The AS has determined that any URIs involved with the finish | |||
method are dangerous or blocked. | method are dangerous or blocked. | |||
* The AS cannot determine which ongoing grant request is being | * The AS cannot determine which ongoing grant request is being | |||
referenced. | referenced. | |||
* The ongoing grant request has been cancelled or otherwise blocked. | * The ongoing grant request has been canceled or otherwise blocked. | |||
4.2.1. Completing Interaction with a Browser Redirect to the Callback | 4.2.1. Completing Interaction with a Browser Redirect to the Callback | |||
URI | URI | |||
When using the redirect interaction finish method defined in | When using the redirect interaction finish method defined in Sections | |||
Section 2.5.2.1 and Section 3.3.5, the AS signals to the client | 2.5.2.1 and 3.3.5, the AS signals to the client instance that | |||
instance that interaction is complete and the request can be | interaction is complete and the request can be continued by directing | |||
continued by directing the RO (in their browser) back to the client | the RO (in their browser) back to the client instance's redirect URI. | |||
instance's redirect URI. | ||||
The AS secures this redirect by adding the hash and interaction | The AS secures this redirect by adding the hash and interaction | |||
reference as query parameters to the client instance's redirect URI. | reference as query parameters to the client instance's redirect URI. | |||
hash: The interaction hash value as described in Section 4.2.3. | hash: The interaction hash value as described in Section 4.2.3. | |||
REQUIRED. | REQUIRED. | |||
interact_ref: The interaction reference generated for this | interact_ref: The interaction reference generated for this | |||
interaction. REQUIRED. | interaction. REQUIRED. | |||
The means of directing the RO to this URI are outside the scope of | The means of directing the RO to this URI are outside the scope of | |||
this specification, but common options include redirecting the RO | this specification, but common options include redirecting the RO | |||
from a web page and launching the system browser with the target URI. | from a web page and launching the system browser with the target URI. | |||
See Section 13.19 for considerations on which HTTP status code to use | See Section 11.19 for considerations on which HTTP status code to use | |||
when redirecting a request that potentially contains credentials. | when redirecting a request that potentially contains credentials. | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
https://client.example.net/return/123455\ | https://client.example.net/return/123455\ | |||
?hash=x-gguKWTj8rQf7d7i3w3UhzvuJ5bpOlKyAlVpLxBffY\ | ?hash=x-gguKWTj8rQf7d7i3w3UhzvuJ5bpOlKyAlVpLxBffY\ | |||
&interact_ref=4IFWWIKYBC2PQ6U56NL1 | &interact_ref=4IFWWIKYBC2PQ6U56NL1 | |||
The client instance MUST be able to process a request on the URI. If | The client instance MUST be able to process a request on the URI. If | |||
the URI is HTTP, the request MUST be an HTTP GET. | the URI is HTTP, the request MUST be an HTTP GET. | |||
When receiving the request, the client instance MUST parse the query | When receiving the request, the client instance MUST parse the query | |||
parameters to extract the hash and interaction reference values. The | parameters to extract the hash and interaction reference values. The | |||
client instance MUST calculate and validate the hash value as | client instance MUST calculate and validate the hash value as | |||
described in Section 4.2.3. If the hash validates, the client | described in Section 4.2.3. If the hash validates, the client | |||
instance sends a continuation request to the AS as described in | instance sends a continuation request to the AS as described in | |||
Section 5.1 using the interaction reference value received here. If | Section 5.1, using the interaction reference value received here. If | |||
the hash does not validate, the client instance MUST NOT send the | the hash does not validate, the client instance MUST NOT send the | |||
interaction reference to the AS. | interaction reference to the AS. | |||
4.2.2. Completing Interaction with a Direct HTTP Request Callback | 4.2.2. Completing Interaction with a Direct HTTP Request Callback | |||
When using the push interaction finish method defined in | When using the push interaction finish method defined in Sections | |||
Section 2.5.2.1 and Section 3.3.5, the AS signals to the client | 2.5.2.1 and 3.3.5, the AS signals to the client instance that | |||
instance that interaction is complete and the request can be | interaction is complete and the request can be continued by sending | |||
continued by sending an HTTP POST request to the client instance's | an HTTP POST request to the client instance's callback URI. | |||
callback URI. | ||||
The HTTP message content is a JSON object consisting of the following | The HTTP message content is a JSON object consisting of the following | |||
two fields: | two fields: | |||
hash (string): The interaction hash value as described in | hash (string): The interaction hash value as described in | |||
Section 4.2.3. REQUIRED. | Section 4.2.3. REQUIRED. | |||
interact_ref (string) The interaction reference generated for this | interact_ref (string): The interaction reference generated for this | |||
interaction. REQUIRED. | interaction. REQUIRED. | |||
POST /push/554321 HTTP/1.1 | POST /push/554321 HTTP/1.1 | |||
Host: client.example.net | Host: client.example.net | |||
Content-Type: application/json | Content-Type: application/json | |||
{ | { | |||
"hash": "pjdHcrti02HLCwGU3qhUZ3wZXt8IjrV_BtE3oUyOuKNk", | "hash": "pjdHcrti02HLCwGU3qhUZ3wZXt8IjrV_BtE3oUyOuKNk", | |||
"interact_ref": "4IFWWIKYBC2PQ6U56NL1" | "interact_ref": "4IFWWIKYBC2PQ6U56NL1" | |||
} | } | |||
Since the AS is making an outbound connection to a URI supplied by an | Since the AS is making an outbound connection to a URI supplied by an | |||
outside party (the client instance), the AS MUST protect itself | outside party (the client instance), the AS MUST protect itself | |||
against SSRF attacks when making this call as discussed in | against Server-Side Request Forgery (SSRF) attacks when making this | |||
Section 13.34. | call, as discussed in Section 11.34. | |||
When receiving the request, the client instance MUST parse the JSON | When receiving the request, the client instance MUST parse the JSON | |||
object and validate the hash value as described in Section 4.2.3. If | object and validate the hash value as described in Section 4.2.3. If | |||
either fails, the client instance MUST return an unknown_interaction | either fails, the client instance MUST return an unknown_interaction | |||
error (Section 3.6). If the hash validates, the client instance | error (Section 3.6). If the hash validates, the client instance | |||
sends a continuation request to the AS as described in Section 5.1 | sends a continuation request to the AS as described in Section 5.1, | |||
using the interaction reference value received here. | using the interaction reference value received here. | |||
4.2.3. Calculating the interaction hash | 4.2.3. Calculating the Interaction Hash | |||
The "hash" parameter in the request to the client instance's callback | The "hash" parameter in the request to the client instance's callback | |||
URI ties the front channel response to an ongoing request by using | URI ties the front-channel response to an ongoing request by using | |||
values known only to the parties involved. This security mechanism | values known only to the parties involved. This security mechanism | |||
allows the client instance to protect itself against several kinds of | allows the client instance to protect itself against several kinds of | |||
session fixation and injection attacks as discussed in Section 13.25 | session fixation and injection attacks as discussed in Section 11.25 | |||
and related sections. The AS MUST always provide this hash, and the | and related sections. The AS MUST always provide this hash, and the | |||
client instance MUST validate the hash when received. | client instance MUST validate the hash when received. | |||
To calculate the "hash" value, the party doing the calculation | To calculate the "hash" value, the party doing the calculation | |||
creates a hash base string by concatenating the following values in | creates a hash base string by concatenating the following values in | |||
the following order using a single newline (0x0A) character to | the following order using a single newline (0x0A) character to | |||
separate them: | separate them: | |||
* the "nonce" value sent by the client instance in the interaction | * the "nonce" value sent by the client instance in the interaction | |||
"finish" section of the initial request (Section 2.5.2) | "finish" section of the initial request (Section 2.5.2) | |||
* the AS's nonce value from the interaction finish response | * the AS's nonce value from the interaction finish response | |||
(Section 3.3.5) | (Section 3.3.5) | |||
* the "interact_ref" returned from the AS as part of the interaction | * the "interact_ref" returned from the AS as part of the interaction | |||
finish method (Section 4.2) | finish method (Section 4.2) | |||
* the grant endpoint URI the client instance used to make its | * the grant endpoint URI the client instance used to make its | |||
initial request (Section 2) | initial request (Section 2) | |||
There is no padding or whitespace before or after any of the lines, | There is no padding or whitespace before or after any of the lines | |||
and no trailing newline character. The following non-normative | and no trailing newline character. The following non-normative | |||
example shows a constructed hash base string consisting of these four | example shows a constructed hash base string consisting of these four | |||
elements. | elements. | |||
VJLO6A4CATR0KRO | VJLO6A4CATR0KRO | |||
MBDOFXG4Y5CVJCX821LH | MBDOFXG4Y5CVJCX821LH | |||
4IFWWIKYB2PQ6U56NL1 | 4IFWWIKYB2PQ6U56NL1 | |||
https://server.example.com/tx | https://server.example.com/tx | |||
The party then hashes the bytes of the ASCII encoding of this string | The party then hashes the bytes of the ASCII encoding of this string | |||
with the appropriate algorithm based on the "hash_method" parameter | with the appropriate algorithm based on the "hash_method" parameter | |||
under the "finish" key of the interaction finish request | under the "finish" key of the interaction finish request | |||
(Section 2.5.2). The resulting byte array from the hash function is | (Section 2.5.2). The resulting byte array from the hash function is | |||
then encoded using URL-Safe Base64 with no padding [RFC4648]. The | then encoded using URL-Safe Base64 with no padding [RFC4648]. The | |||
resulting string is the hash value. | resulting string is the hash value. | |||
If provided, the "hash_method" value MUST be one of the hash name | If provided, the "hash_method" value MUST be one of the hash name | |||
strings defined in the IANA Named Information Hash Algorithm Registry | strings defined in the IANA "Named Information Hash Algorithm | |||
[HASH-ALG]. If the "hash_method" value is not present in the client | Registry" [HASH-ALG]. If the "hash_method" value is not present in | |||
instance's request, the algorithm defaults to "sha-256". | the client instance's request, the algorithm defaults to "sha-256". | |||
For example, the "sha-256" hash method consists of hashing the input | For example, the "sha-256" hash method consists of hashing the input | |||
string with the 256-bit SHA2 algorithm. The following is the encoded | string with the 256-bit SHA2 algorithm. The following is the encoded | |||
"sha-256" hash of the above example hash base string. | "sha-256" hash of the hash base string in the example above. | |||
x-gguKWTj8rQf7d7i3w3UhzvuJ5bpOlKyAlVpLxBffY | x-gguKWTj8rQf7d7i3w3UhzvuJ5bpOlKyAlVpLxBffY | |||
For another example, the "sha3-512" hash method consists of hashing | As another example, the "sha3-512" hash method consists of hashing | |||
the input string with the 512-bit SHA3 algorithm. The following is | the input string with the 512-bit SHA3 algorithm. The following is | |||
the encoded "sha3-512" hash of the above example hash base string. | the encoded "sha3-512" hash of the hash base string in the example | |||
above. | ||||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
pyUkVJSmpqSJMaDYsk5G8WCvgY91l-agUPe1wgn-cc5rUtN69gPI2-S_s-Eswed8iB4\ | pyUkVJSmpqSJMaDYsk5G8WCvgY91l-agUPe1wgn-cc5rUtN69gPI2-S_s-Eswed8iB4\ | |||
PJ_a5Hg6DNi7qGgKwSQ | PJ_a5Hg6DNi7qGgKwSQ | |||
5. Continuing a Grant Request | 5. Continuing a Grant Request | |||
While it is possible for the AS to return an approved grant response | While it is possible for the AS to return an approved grant response | |||
(Section 3) with all the client instance's requested information | (Section 3) with all the client instance's requested information | |||
skipping to change at page 87, line 43 ¶ | skipping to change at line 3927 ¶ | |||
The ability to continue an already-started request allows the client | The ability to continue an already-started request allows the client | |||
instance to perform several important functions, including presenting | instance to perform several important functions, including presenting | |||
additional information from interaction, modifying the initial | additional information from interaction, modifying the initial | |||
request, and revoking a grant request in progress. | request, and revoking a grant request in progress. | |||
To enable this ongoing negotiation, the AS provides a continuation | To enable this ongoing negotiation, the AS provides a continuation | |||
API to the client software. The AS returns a continue field in the | API to the client software. The AS returns a continue field in the | |||
response (Section 3.1) that contains information the client instance | response (Section 3.1) that contains information the client instance | |||
needs to access this API, including a URI to access as well as a | needs to access this API, including a URI to access as well as a | |||
special access token to use during the requests, called the | special access token to use during the requests, called the | |||
_continuation access token_. | "continuation access token". | |||
All requests to the continuation API are protected by a bound | All requests to the continuation API are protected by a bound | |||
continuation access token. The continuation access token is bound to | continuation access token. The continuation access token is bound to | |||
the same key and method the client instance used to make the initial | the same key and method the client instance used to make the initial | |||
request (or its most recent rotation). As a consequence, when the | request (or its most recent rotation). As a consequence, when the | |||
client instance makes any calls to the continuation URI, the client | client instance makes any calls to the continuation URI, the client | |||
instance MUST present the continuation access token as described in | instance MUST present the continuation access token as described in | |||
Section 7.2 and present proof of the client instance's key (or its | Section 7.2 and present proof of the client instance's key (or its | |||
most recent rotation) by signing the request as described in | most recent rotation) by signing the request as described in | |||
Section 7.3. The AS MUST validate the signature and ensure that it | Section 7.3. The AS MUST validate the signature and ensure that it | |||
is bound to the appropriate key for the continuation access token. | is bound to the appropriate key for the continuation access token. | |||
Access tokens other than the continuation access tokens MUST NOT be | Access tokens other than the continuation access tokens MUST NOT be | |||
usable for continuation requests. Conversely, continuation access | usable for continuation requests. Conversely, continuation access | |||
tokens MUST NOT be usable to make authorized requests to RS's, even | tokens MUST NOT be usable to make authorized requests to RSs, even if | |||
if co-located within the AS. | co-located within the AS. | |||
In the following non-normative example, the client instance makes a | In the following non-normative example, the client instance makes a | |||
POST request to a unique URI and signs the request with HTTP Message | POST request to a unique URI and signs the request with HTTP Message | |||
Signatures: | Signatures: | |||
POST /continue/KSKUOMUKM HTTP/1.1 | POST /continue/KSKUOMUKM HTTP/1.1 | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
Host: server.example.com | Host: server.example.com | |||
Content-Length: 0 | Content-Length: 0 | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
skipping to change at page 89, line 17 ¶ | skipping to change at line 3980 ¶ | |||
Content-Type: application/json | Content-Type: application/json | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
Content-Digest: sha-256=... | Content-Digest: sha-256=... | |||
{ | { | |||
"interact_ref": "4IFWWIKYBC2PQ6U56NL1" | "interact_ref": "4IFWWIKYBC2PQ6U56NL1" | |||
} | } | |||
In following non-normative alternative example, the client instance | In the following non-normative alternative example, the client | |||
had been provided a continuation URI unique to this ongoing grant | instance had been provided a continuation URI unique to this ongoing | |||
request: | grant request: | |||
POST /tx/rxgIIEVMBV-BQUO7kxbsp HTTP/1.1 | POST /tx/rxgIIEVMBV-BQUO7kxbsp HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
Authorization: GNAP eyJhbGciOiJub25lIiwidHlwIjoiYmFkIn0 | Authorization: GNAP eyJhbGciOiJub25lIiwidHlwIjoiYmFkIn0 | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
Content-Digest: sha-256=... | Content-Digest: sha-256=... | |||
{ | { | |||
skipping to change at page 89, line 46 ¶ | skipping to change at line 4009 ¶ | |||
If a wait parameter was included in the continuation response | If a wait parameter was included in the continuation response | |||
(Section 3.1), the client instance MUST NOT call the continuation URI | (Section 3.1), the client instance MUST NOT call the continuation URI | |||
prior to waiting the number of seconds indicated. If no wait period | prior to waiting the number of seconds indicated. If no wait period | |||
is indicated, the client instance MUST NOT poll immediately and | is indicated, the client instance MUST NOT poll immediately and | |||
SHOULD wait at least 5 seconds. If the client instance does not | SHOULD wait at least 5 seconds. If the client instance does not | |||
respect the given wait period, the AS MUST return the too_fast error | respect the given wait period, the AS MUST return the too_fast error | |||
(Section 3.6). | (Section 3.6). | |||
The response from the AS is a JSON object of a grant response and MAY | The response from the AS is a JSON object of a grant response and MAY | |||
contain any of the fields described in Section 3, as described in | contain any of the fields described in Section 3, as described in | |||
more detail in the sections below. | more detail in the subsections below. | |||
If the AS determines that the client instance can make further | If the AS determines that the client instance can make further | |||
requests to the continuation API, the AS MUST include a new | requests to the continuation API, the AS MUST include a new | |||
"continue" response (Section 3.1). The new continue response MUST | "continue" response (Section 3.1). The new continue response MUST | |||
include a continuation access token as well, and this token SHOULD be | include a continuation access token as well, and this token SHOULD be | |||
a new access token, invalidating the previous access token. If the | a new access token, invalidating the previous access token. If the | |||
AS does not return a new continue response, the client instance MUST | AS does not return a new continue response, the client instance MUST | |||
NOT make an additional continuation request. If a client instance | NOT make an additional continuation request. If a client instance | |||
does so, the AS MUST return an invalid_continuation error | does so, the AS MUST return an invalid_continuation error | |||
(Section 3.6). | (Section 3.6). | |||
For continuation functions that require the client instance to send a | For continuation functions that require the client instance to send | |||
message content, the content MUST be a JSON object. | message content, the content MUST be a JSON object. | |||
For all requests to the grant continuation API, the AS MAY make use | For all requests to the grant continuation API, the AS MAY make use | |||
of long polling mechanisms such as discussed in [RFC6202]. That is | of long polling mechanisms such as those discussed in [RFC6202]. | |||
to say, instead of returning the current status immediately, the long | That is to say, instead of returning the current status immediately, | |||
polling technique allows the AS additional time to process and | the long polling technique allows the AS additional time to process | |||
fulfill the request before returning the HTTP response to the client | and fulfill the request before returning the HTTP response to the | |||
instance. For example, when the AS receives a continuation request | client instance. For example, when the AS receives a continuation | |||
but the grant request is in the _processing_ state, the AS could wait | request but the grant request is in the _processing_ state, the AS | |||
until the grant request has moved to the _pending_ or _approved_ | could wait until the grant request has moved to the _pending_ or | |||
state before returning the response message. | _approved_ state before returning the response message. | |||
5.1. Continuing After a Completed Interaction | 5.1. Continuing after a Completed Interaction | |||
When the AS responds to the client instance's finish method as in | When the AS responds to the client instance's finish method as in | |||
Section 4.2.1, this response includes an interaction reference. The | Section 4.2.1, this response includes an interaction reference. The | |||
client instance MUST include that value as the field interact_ref in | client instance MUST include that value as the field interact_ref in | |||
a POST request to the continuation URI. | a POST request to the continuation URI. | |||
POST /continue HTTP/1.1 | POST /continue HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
skipping to change at page 91, line 6 ¶ | skipping to change at line 4063 ¶ | |||
Since the interaction reference is a one-time-use value as described | Since the interaction reference is a one-time-use value as described | |||
in Section 4.2.1, if the client instance needs to make additional | in Section 4.2.1, if the client instance needs to make additional | |||
continuation calls after this request, the client instance MUST NOT | continuation calls after this request, the client instance MUST NOT | |||
include the interaction reference in subsequent calls. If the AS | include the interaction reference in subsequent calls. If the AS | |||
detects a client instance submitting an interaction reference when | detects a client instance submitting an interaction reference when | |||
the request is not in the _pending_ state, the AS MUST return a | the request is not in the _pending_ state, the AS MUST return a | |||
too_many_attempts error (Section 3.6) and SHOULD invalidate the | too_many_attempts error (Section 3.6) and SHOULD invalidate the | |||
ongoing request by moving it to the _finalized_ state. | ongoing request by moving it to the _finalized_ state. | |||
If the grant request is in the _approved_ state, the grant response | If the grant request is in the _approved_ state, the grant response | |||
(Section 3) MAY contain any newly-created access tokens (Section 3.2) | (Section 3) MAY contain any newly created access tokens (Section 3.2) | |||
or newly-released subject information (Section 3.4). The response | or newly released subject information (Section 3.4). The response | |||
MAY contain a new "continue" response (Section 3.1) as described | MAY contain a new "continue" response (Section 3.1) as described | |||
above. The response SHOULD NOT contain any interaction responses | above. The response SHOULD NOT contain any interaction responses | |||
(Section 3.3). | (Section 3.3). | |||
If the grant request is in the _pending_ state, the grant response | If the grant request is in the _pending_ state, the grant response | |||
(Section 3) MUST NOT contain access tokens or subject information, | (Section 3) MUST NOT contain access tokens or subject information and | |||
and MAY contain a new interaction responses (Section 3.3) to any | MAY contain a new interaction responses (Section 3.3) to any | |||
interaction methods that have not been exhausted at the AS. | interaction methods that have not been exhausted at the AS. | |||
For example, if the request is successful in causing the AS to issue | For example, if the request is successful in causing the AS to issue | |||
access tokens and release opaque subject claims, the response could | access tokens and release opaque subject claims, the response could | |||
look like this: | look like this: | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
{ | { | |||
"access_token": { | "access_token": { | |||
skipping to change at page 91, line 41 ¶ | skipping to change at line 4098 ¶ | |||
} | } | |||
}, | }, | |||
"subject": { | "subject": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "J2G8G8O4AZ" | "id": "J2G8G8O4AZ" | |||
} ] | } ] | |||
} | } | |||
} | } | |||
With the above example, the client instance can not make an | With the above example, the client instance cannot make an additional | |||
additional continuation request because a continue field is not | continuation request because a continue field is not included. | |||
included. | ||||
In the following non-normative example, the RO has denied the client | In the following non-normative example, the RO has denied the client | |||
instance's request and the AS responds with the following response: | instance's request, and the AS responds with the following response: | |||
{ | { | |||
"error": "user_denied", | "error": "user_denied", | |||
"continue": { | "continue": { | |||
"access_token": { | "access_token": { | |||
"value": "33OMUKMKSKU80UPRY5NM" | "value": "33OMUKMKSKU80UPRY5NM" | |||
}, | }, | |||
"uri": "https://server.example.com/continue", | "uri": "https://server.example.com/continue", | |||
"wait": 30 | "wait": 30 | |||
} | } | |||
} | } | |||
In the preceding example, the AS includes the continue field in the | In the preceding example, the AS includes the continue field in the | |||
response. Therefore, the client instance can continue the grant | response. Therefore, the client instance can continue the grant | |||
negotiation process, perhaps modifying the request as discussed in | negotiation process, perhaps modifying the request as discussed in | |||
Section 5.3. | Section 5.3. | |||
5.2. Continuing During Pending Interaction (Polling) | 5.2. Continuing during Pending Interaction (Polling) | |||
When the client instance does not include a finish parameter, the | When the client instance does not include a finish parameter, the | |||
client instance will often need to poll the AS until the RO has | client instance will often need to poll the AS until the RO has | |||
authorized the request. To do so, the client instance makes a POST | authorized the request. To do so, the client instance makes a POST | |||
request to the continuation URI as in Section 5.1, but does not | request to the continuation URI as in Section 5.1 but does not | |||
include message content. | include message content. | |||
POST /continue HTTP/1.1 | POST /continue HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
If the grant request is in the _approved_ state, the grant response | If the grant request is in the _approved_ state, the grant response | |||
(Section 3) MAY contain any newly-created access tokens (Section 3.2) | (Section 3) MAY contain any newly created access tokens (Section 3.2) | |||
or newly-released subject claims (Section 3.4). The response MAY | or newly released subject claims (Section 3.4). The response MAY | |||
contain a new "continue" response (Section 3.1) as described above. | contain a new "continue" response (Section 3.1) as described above. | |||
If a continue field is included, it SHOULD include a wait field to | If a continue field is included, it SHOULD include a wait field to | |||
facilitate a reasonable polling rate by the client instance. The | facilitate a reasonable polling rate by the client instance. The | |||
response SHOULD NOT contain interaction responses (Section 3.3). | response SHOULD NOT contain interaction responses (Section 3.3). | |||
If the grant request is in the _pending_ state, the grant response | If the grant request is in the _pending_ state, the grant response | |||
(Section 3) MUST NOT contain access tokens or subject information, | (Section 3) MUST NOT contain access tokens or subject information and | |||
and MAY contain a new interaction responses (Section 3.3) to any | MAY contain a new interaction responses (Section 3.3) to any | |||
interaction methods that have not been exhausted at the AS. | interaction methods that have not been exhausted at the AS. | |||
For example, if the request has not yet been authorized by the RO, | For example, if the request has not yet been authorized by the RO, | |||
the AS could respond by telling the client instance to make another | the AS could respond by telling the client instance to make another | |||
continuation request in the future. In the following non-normative | continuation request in the future. In the following non-normative | |||
example, a new, unique access token has been issued for the call, | example, a new, unique access token has been issued for the call, | |||
which the client instance will use in its next continuation request. | which the client instance will use in its next continuation request. | |||
{ | { | |||
"continue": { | "continue": { | |||
skipping to change at page 93, line 39 ¶ | skipping to change at line 4187 ¶ | |||
} | } | |||
}, | }, | |||
"subject": { | "subject": { | |||
"sub_ids": [ { | "sub_ids": [ { | |||
"format": "opaque", | "format": "opaque", | |||
"id": "J2G8G8O4AZ" | "id": "J2G8G8O4AZ" | |||
} ] | } ] | |||
} | } | |||
} | } | |||
See Section 13.23 for considerations on polling for continuation | See Section 11.23 for considerations on polling for continuation | |||
without an interaction finish method. | without an interaction finish method. | |||
In error conditions, the AS responds to the client instance with the | In error conditions, the AS responds to the client instance with an | |||
error code as discussed in Section 3.6. For example, if the client | error code as discussed in Section 3.6. For example, if the client | |||
instance has polled too many times before the RO has approved the | instance has polled too many times before the RO has approved the | |||
request, the AS would respond with a message like the following: | request, the AS would respond with a message like the following: | |||
{ | { | |||
"error": "too_many_attempts" | "error": "too_many_attempts" | |||
} | } | |||
Since this response does not include a continue section, the client | Since this response does not include a continue section, the client | |||
instance cannot continue to poll the AS for additional updates and | instance cannot continue to poll the AS for additional updates and | |||
the grant request is _finalized_. If the client instance still needs | the grant request is _finalized_. If the client instance still needs | |||
access to the resource, it will need to start with a new grant | access to the resource, it will need to start with a new grant | |||
request. | request. | |||
5.3. Modifying an Existing Request | 5.3. Modifying an Existing Request | |||
The client instance might need to modify an ongoing request, whether | The client instance might need to modify an ongoing request, | |||
or not tokens have already been issued or subject information has | depending on whether or not tokens have already been issued or | |||
already been released. In such cases, the client instance makes an | subject information has already been released. In such cases, the | |||
HTTP PATCH request to the continuation URI and includes any fields it | client instance makes an HTTP PATCH request to the continuation URI | |||
needs to modify. Fields that aren't included in the request are | and includes any fields it needs to modify. Fields that aren't | |||
considered unchanged from the original request. | included in the request are considered unchanged from the original | |||
request. | ||||
A grant request associated with a modification request MUST be in the | A grant request associated with a modification request MUST be in the | |||
_approved_ or _pending_ state. When the AS receives a valid | _approved_ or _pending_ state. When the AS receives a valid | |||
modification request, the AS MUST place the grant request into the | modification request, the AS MUST place the grant request into the | |||
_processing_ state and re-evaluate the authorization in the new | _processing_ state and re-evaluate the authorization in the new | |||
context created by the update request, since the extent and context | context created by the update request, since the extent and context | |||
of the request could have changed. | of the request could have changed. | |||
The client instance MAY include the access_token and subject fields | The client instance MAY include the access_token and subject fields | |||
as described in Section 2.1 and Section 2.2. Inclusion of these | as described in Sections 2.1 and 2.2. Inclusion of these fields | |||
fields override any values in the initial request, which MAY trigger | override any values in the initial request, which MAY trigger | |||
additional requirements and policies by the AS. For example, if the | additional requirements and policies by the AS. For example, if the | |||
client instance is asking for more access, the AS could require | client instance is asking for more access, the AS could require | |||
additional interaction with the RO to gather additional consent. If | additional interaction with the RO to gather additional consent. If | |||
the client instance is asking for more limited access, the AS could | the client instance is asking for more limited access, the AS could | |||
determine that sufficient authorization has been granted to the | determine that sufficient authorization has been granted to the | |||
client instance and return the more limited access rights | client instance and return the more limited access rights | |||
immediately. If the grant request was previously in the _approved_ | immediately. If the grant request was previously in the _approved_ | |||
state, the AS could decide to remember the larger scale of access | state, the AS could decide to remember the larger scale of access | |||
rights associated with the grant request, allowing the client | rights associated with the grant request, allowing the client | |||
instance to make subsequent requests of different subsets of granted | instance to make subsequent requests of different subsets of granted | |||
access. The details of this processing are out of scope for this | access. The details of this processing are out of scope for this | |||
specification, but a one possible approach is as follows: | specification, but a one possible approach is as follows: | |||
1. A client instance requests access to Foo, and is granted by the | 1. A client instance requests access to Foo, and this is granted by | |||
RO. This results in an access token, AT1. | the RO. This results in an access token: AT1. | |||
2. The client instance later modifies the grant request to include | 2. The client instance later modifies the grant request to include | |||
Foo and Bar together. Since the client instance was previously | Foo and Bar together. Since the client instance was previously | |||
granted Foo under this grant request, the RO is prompted to allow | granted Foo under this grant request, the RO is prompted to allow | |||
the client instance access to Foo and Bar together. This results | the client instance access to Foo and Bar together. This results | |||
in a new access token, AT2 This access token has access to both | in a new access token: AT2. This access token has access to both | |||
Foo and Bar. The rights of the original access token AT1 are not | Foo and Bar. The rights of the original access token AT1 are not | |||
modified. | modified. | |||
3. The client instance makes another grant modification to ask only | 3. The client instance makes another grant modification to ask only | |||
for Bar. Since the client instance was previously granted Foo and | for Bar. Since the client instance was previously granted Foo and | |||
Bar together under this grant request, the RO is not prompted and | Bar together under this grant request, the RO is not prompted, | |||
the access to Bar is granted in a new access token, AT3. This | and the access to Bar is granted in a new access token: AT3. | |||
new access token does not allow access to Foo. | This new access token does not allow access to Foo. | |||
4. The original access token AT1 expires and the client seeks a new | 4. The original access token AT1 expires, and the client seeks a new | |||
access token to replace it. The client instance makes another | access token to replace it. The client instance makes another | |||
grant modification to ask only for Foo. Since the client instance | grant modification to ask only for Foo. Since the client instance | |||
was previously granted Foo and Bar together under this grant | was previously granted Foo and Bar together under this grant | |||
request, the RO is not prompted and the access to Foo is granted | request, the RO is not prompted, and the access to Foo is granted | |||
in a new access token, AT4. This new access token does not allow | in a new access token: AT4. This new access token does not allow | |||
access to Bar. | access to Bar. | |||
All four access tokens are independent of each other and associated | All four access tokens are independent of each other and associated | |||
with the same underlying grant request. Each of these access tokens | with the same underlying grant request. Each of these access tokens | |||
could possibly also be rotated using token management, if available. | could possibly also be rotated using token management, if available. | |||
For example, instead of asking for a new token to replace AT1, the | For example, instead of asking for a new token to replace AT1, the | |||
client instance could ask for a refresh of AT1 using the rotation | client instance could ask for a refresh of AT1 using the rotation | |||
method of the token management API. This would result in a refreshed | method of the token management API. This would result in a refreshed | |||
AT1 with a different token value and expiration from the original AT1 | AT1 with a different token value and expiration from the original AT1 | |||
but with the same access rights of allowing only access to Foo. | but with the same access rights of allowing only access to Foo. | |||
skipping to change at page 95, line 48 ¶ | skipping to change at line 4292 ¶ | |||
consistent with any user information previously presented by the | consistent with any user information previously presented by the | |||
client instance or otherwise associated with this grant request. | client instance or otherwise associated with this grant request. | |||
The client instance MUST NOT include the client section of the | The client instance MUST NOT include the client section of the | |||
request, since the client instance is assumed not to have changed. | request, since the client instance is assumed not to have changed. | |||
Modification of client instance information, including rotation of | Modification of client instance information, including rotation of | |||
keys associated with the client instance, is outside the scope of | keys associated with the client instance, is outside the scope of | |||
this specification. | this specification. | |||
The client instance MUST NOT include post-interaction responses such | The client instance MUST NOT include post-interaction responses such | |||
as described in Section 5.1. | as those described in Section 5.1. | |||
Modification requests MUST NOT alter previously-issued access tokens. | Modification requests MUST NOT alter previously issued access tokens. | |||
Instead, any access tokens issued from a continuation are considered | Instead, any access tokens issued from a continuation are considered | |||
new, separate access tokens. The AS MAY revoke previously-issued | new, separate access tokens. The AS MAY revoke previously issued | |||
access tokens after a modification has occurred. | access tokens after a modification has occurred. | |||
If the modified request can be granted immediately by the AS (the | If the modified request can be granted immediately by the AS (the | |||
grant request is in the _approved_ state), the grant response | grant request is in the _approved_ state), the grant response | |||
(Section 3) MAY contain any newly-created access tokens (Section 3.2) | (Section 3) MAY contain any newly created access tokens (Section 3.2) | |||
or newly-released subject claims (Section 3.4). The response MAY | or newly released subject claims (Section 3.4). The response MAY | |||
contain a new "continue" response (Section 3.1) as described above. | contain a new "continue" response (Section 3.1) as described above. | |||
If interaction can occur, the response SHOULD contain interaction | If interaction can occur, the response SHOULD contain interaction | |||
responses (Section 3.3) as well. | responses (Section 3.3) as well. | |||
For example, a client instance initially requests a set of resources | For example, a client instance initially requests a set of resources | |||
using references: | using references: | |||
POST /tx HTTP/1.1 | POST /tx HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
skipping to change at page 97, line 45 ¶ | skipping to change at line 4378 ¶ | |||
{ | { | |||
"access_token": { | "access_token": { | |||
"access": [ | "access": [ | |||
"read" | "read" | |||
] | ] | |||
} | } | |||
... | ... | |||
} | } | |||
The AS replaces the previous access from the first request, allowing | The AS replaces the previous access from the first request, allowing | |||
the AS to determine if any previously-granted consent already | the AS to determine if any previously granted consent already | |||
applies. In this case, the AS would determine that reducing the | applies. In this case, the AS would determine that reducing the | |||
breadth of the requested access means that new access tokens can be | breadth of the requested access means that new access tokens can be | |||
issued to the client instance without additional interaction or | issued to the client instance without additional interaction or | |||
consent. The AS would likely revoke previously-issued access tokens | consent. The AS would likely revoke previously issued access tokens | |||
that had the greater access rights associated with them, unless they | that had the greater access rights associated with them, unless they | |||
had been issued with the durable flag. | had been issued with the durable flag. | |||
{ | { | |||
"continue": { | "continue": { | |||
"access_token": { | "access_token": { | |||
"value": "M33OMUK80UPRY5NMKSKU" | "value": "M33OMUK80UPRY5NMKSKU" | |||
}, | }, | |||
"uri": "https://server.example.com/continue", | "uri": "https://server.example.com/continue", | |||
"wait": 30 | "wait": 30 | |||
}, | }, | |||
"access_token": { | "access_token": { | |||
"value": "0EVKC7-2ZKwZM_6N760", | "value": "0EVKC7-2ZKwZM_6N760", | |||
"access": [ | "access": [ | |||
"read" | "read" | |||
] | ] | |||
} | } | |||
} | } | |||
For another example, the client instance initially requests read-only | As another example, the client instance initially requests read-only | |||
access but later needs to step up its access. The initial request | access but later needs to step up its access. The initial request | |||
could look like the following HTTP message. | could look like the following HTTP message: | |||
POST /tx HTTP/1.1 | POST /tx HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
Content-Digest: sha-256=... | Content-Digest: sha-256=... | |||
{ | { | |||
"access_token": { | "access_token": { | |||
skipping to change at page 99, line 28 ¶ | skipping to change at line 4456 ¶ | |||
} | } | |||
} | } | |||
This allows the client instance to make an eventual continuation | This allows the client instance to make an eventual continuation | |||
call. The client instance later realizes that it now needs "write" | call. The client instance later realizes that it now needs "write" | |||
access in addition to the "read" access. Since this is an expansion | access in addition to the "read" access. Since this is an expansion | |||
of what it asked for previously, the client instance also includes a | of what it asked for previously, the client instance also includes a | |||
new interaction section in case the AS needs to interact with the RO | new interaction section in case the AS needs to interact with the RO | |||
again to gather additional authorization. Note that the client | again to gather additional authorization. Note that the client | |||
instance's nonce and callback are different from the initial request. | instance's nonce and callback are different from the initial request. | |||
Since the original callback was already used in the initial exchange, | Since the original callback was already used in the initial exchange | |||
and the callback is intended for one-time-use, a new one needs to be | and the callback is intended for one-time use, a new one needs to be | |||
included in order to use the callback again. | included in order to use the callback again. | |||
PATCH /continue HTTP/1.1 | PATCH /continue HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
Content-Digest: sha-256=... | Content-Digest: sha-256=... | |||
skipping to change at page 101, line 5 ¶ | skipping to change at line 4507 ¶ | |||
place it into the _finalized_ state, the client instance makes an | place it into the _finalized_ state, the client instance makes an | |||
HTTP DELETE request to the continuation URI. | HTTP DELETE request to the continuation URI. | |||
DELETE /continue HTTP/1.1 | DELETE /continue HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
Authorization: GNAP 80UPRY5NM33OMUKMKSKU | Authorization: GNAP 80UPRY5NM33OMUKMKSKU | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
If the request is successfully revoked, the AS responds with status | If the request is successfully revoked, the AS responds with HTTP | |||
code HTTP 204 (No Content). The AS SHOULD revoke all associated | status code 204 (No Content). The AS SHOULD revoke all associated | |||
access tokens, if possible. The AS SHOULD disable all token rotation | access tokens, if possible. The AS SHOULD disable all token rotation | |||
and other token management functions on such access tokens, if | and other token management functions on such access tokens, if | |||
possible. Once the grant request is in the _finalized_ state, it | possible. Once the grant request is in the _finalized_ state, it | |||
MUST NOT be moved to any other state. | MUST NOT be moved to any other state. | |||
If the request is not revoked, the AS responds with an | If the request is not revoked, the AS responds with an | |||
invalid_continuation error (Section 3.6). | invalid_continuation error (Section 3.6). | |||
6. Token Management | 6. Token Management | |||
If an access token response includes the manage field as described in | If an access token response includes the manage field as described in | |||
Section 3.2.1, the client instance MAY call this URI to manage the | Section 3.2.1, the client instance MAY call this URI to manage the | |||
access token with the rotate and revoke actions defined in the | access token with the rotate and revoke actions defined in the | |||
following sections. Other actions are undefined by this | following subsections. Other actions are undefined by this | |||
specification. | specification. | |||
{ | { | |||
"access_token": { | "access_token": { | |||
"value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", | "value": "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", | |||
"flags": ["bearer"], | "flags": ["bearer"], | |||
"manage": { | "manage": { | |||
"uri": "https://server.example.com/token/PRY5NM33O", | "uri": "https://server.example.com/token/PRY5NM33O", | |||
"access_token": { | "access_token": { | |||
"value": "B8CDFONP21-4TB8N6.BW7ONM" | "value": "B8CDFONP21-4TB8N6.BW7ONM" | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
The token management access token issued under the manage field is | The token management access token issued under the manage field is | |||
used to protect all calls to the token management API. The client | used to protect all calls to the token management API. The client | |||
instance MUST present proof of the key associated with the token | instance MUST present proof of the key associated with the token | |||
along with the token management access token value. | along with the value of the token management access token. | |||
The AS MUST validate the proof and ensure that it is associated with | The AS MUST validate the proof and ensure that it is associated with | |||
the token management access token. | the token management access token. | |||
The AS MUST uniquely identify the token being managed from the token | The AS MUST uniquely identify the token being managed from the token | |||
management URI, the token management access token, or a combination | management URI, the token management access token, or a combination | |||
of both. | of both. | |||
6.1. Rotating the Access Token Value | 6.1. Rotating the Access Token Value | |||
skipping to change at page 102, line 26 ¶ | skipping to change at line 4571 ¶ | |||
token in the authorization header as described in Section 7.2 and | token in the authorization header as described in Section 7.2 and | |||
signing the request with the appropriate key. | signing the request with the appropriate key. | |||
POST /token/PRY5NM33O HTTP/1.1 | POST /token/PRY5NM33O HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
Content-Digest: sha-256=... | Content-Digest: sha-256=... | |||
The client instance can not request to alter the access rights | The client instance cannot request to alter the access rights | |||
associated with the access token during a rotation request. To get | associated with the access token during a rotation request. To get | |||
an access token with different access rights for this grant request, | an access token with different access rights for this grant request, | |||
the client instance has to call the continuation API's update | the client instance has to call the continuation API's update | |||
(Section 5.3) functionality to get a new access token. The client | functionality (Section 5.3) to get a new access token. The client | |||
instance can also create a new grant request with the required access | instance can also create a new grant request with the required access | |||
rights. | rights. | |||
The AS validates that the token management access token presented is | The AS validates that the token management access token presented is | |||
associated with the management URI, that the AS issued the token to | associated with the management URI, that the AS issued the token to | |||
the given client instance, and that the presented key is the correct | the given client instance, and that the presented key is the correct | |||
key for the token management access token. The AS determines which | key for the token management access token. The AS determines which | |||
access token is being rotated from the token management URI, the | access token is being rotated from the token management URI, the | |||
token management access token, or both. | token management access token, or both. | |||
If the token is validated and the key is appropriate for the request, | If the token is validated and the key is appropriate for the request, | |||
the AS MUST invalidate the current access token value associated with | the AS MUST invalidate the current access token value associated with | |||
this URI, if possible. Note that stateless access tokens can make | this URI, if possible. Note that stateless access tokens can make | |||
proactive revocation difficult within a system, see Section 13.32. | proactive revocation difficult within a system; see Section 11.32. | |||
For successful rotations, the AS responds with an HTTP 200 with a | For successful rotations, the AS responds with an HTTP 200 with JSON- | |||
JSON-formatted message content consisting of the rotated access token | formatted message content consisting of the rotated access token in | |||
in the access_token field described in Section 3.2.1. The value of | the access_token field described in Section 3.2.1. The value of the | |||
the access token MUST NOT be the same as the current value of the | access token MUST NOT be the same as the current value of the access | |||
access token used to access the management API. The response MUST | token used to access the management API. The response MUST include | |||
include an access token management URI, and the value of this URI MAY | an access token management URI, and the value of this URI MAY be | |||
be different from the URI used by the client instance to make the | different from the URI used by the client instance to make the | |||
rotation call. The client instance MUST use this new URI to manage | rotation call. The client instance MUST use this new URI to manage | |||
the rotated access token. | the rotated access token. | |||
The access rights in the access array for the rotated access token | The access rights in the access array for the rotated access token | |||
MUST be included in the response and MUST be the same as the token | MUST be included in the response and MUST be the same as the token | |||
before rotation. | before rotation. | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
{ | { | |||
skipping to change at page 104, line 4 ¶ | skipping to change at line 4638 ¶ | |||
], | ], | |||
"datatypes": [ | "datatypes": [ | |||
"metadata", | "metadata", | |||
"images" | "images" | |||
] | ] | |||
}, | }, | |||
"read", "dolphin-metadata" | "read", "dolphin-metadata" | |||
] | ] | |||
} | } | |||
} | } | |||
If the AS is unable or unwilling to rotate the value of the access | If the AS is unable or unwilling to rotate the value of the access | |||
token, the AS responds with an invalid_rotation error (Section 3.6). | token, the AS responds with an invalid_rotation error (Section 3.6). | |||
Upon receiving such an error, the client instance MUST consider the | Upon receiving such an error, the client instance MUST consider the | |||
access token to not have changed its state. | access token to not have changed its state. | |||
6.1.1. Binding a New Key to the Rotated Access Token | 6.1.1. Binding a New Key to the Rotated Access Token | |||
If the client instance wishes to bind a new presentation key to an | If the client instance wishes to bind a new presentation key to an | |||
access token, the client instance MUST present both the new key and | access token, the client instance MUST present both the new key and | |||
the proof of previous key material in the access token rotation | the proof of previous key material in the access token rotation | |||
request. The client instance makes an HTTP POST as a JSON object | request. The client instance makes an HTTP POST as a JSON object | |||
with the following field: | with the following field: | |||
key: The new key value or reference in the format described in | key: The new key value or reference in the format described in | |||
Section 7.1. Note that keys passed by value are always public | Section 7.1. Note that keys passed by value are always public | |||
keys. REQUIRED when doing key rotation. | keys. REQUIRED when doing key rotation. | |||
The proof method and parameters for the new key MUST be the same as | The proof method and parameters for the new key MUST be the same as | |||
those established for the previous key. | those established for the previous key. | |||
The client instance MUST prove possession of both the currently-bound | The client instance MUST prove possession of both the currently bound | |||
key and the newly-requested key simultaneously in the rotation | key and the newly requested key simultaneously in the rotation | |||
request. Specifically, the signature from the previous key MUST | request. Specifically, the signature from the previous key MUST | |||
cover the value or reference of the new key, and the signature of the | cover the value or reference of the new key, and the signature of the | |||
new key MUST cover the signature value of the old key. The means of | new key MUST cover the signature value of the old key. The means of | |||
doing so varies depending on the proofing method in use. For | doing so vary depending on the proofing method in use. For example, | |||
example, the HTTP Message Signatures proofing method uses multiple | the HTTP Message Signatures proofing method uses multiple signatures | |||
signatures in the request as described in Section 7.3.1.1, as shown | in the request as described in Section 7.3.1.1. This is shown in the | |||
in this example. | following example. | |||
POST /token/PRY5NM33O HTTP/1.1 | POST /token/PRY5NM33O HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | |||
Signature-Input: \ | Signature-Input: \ | |||
sig1=("@method" "@target-uri" "content-digest" \ | sig1=("@method" "@target-uri" "content-digest" \ | |||
"authorization"),\ | "authorization"),\ | |||
sig2=("@method" "@target-uri" "content-digest" \ | sig2=("@method" "@target-uri" "content-digest" \ | |||
"authorization" "signature";key="sig1" \ | "authorization" "signature";key="sig1" \ | |||
"signature-input";key="sig1") | "signature-input";key="sig1") | |||
skipping to change at page 106, line 17 ¶ | skipping to change at line 4730 ¶ | |||
with the appropriate key. | with the appropriate key. | |||
DELETE /token/PRY5NM33O HTTP/1.1 | DELETE /token/PRY5NM33O HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | Authorization: GNAP B8CDFONP21-4TB8N6.BW7ONM | |||
Signature-Input: sig1=... | Signature-Input: sig1=... | |||
Signature: sig1=... | Signature: sig1=... | |||
If the key presented is associated with the token (or the client | If the key presented is associated with the token (or the client | |||
instance, in the case of a bearer token), the AS MUST invalidate the | instance, in the case of a bearer token), the AS MUST invalidate the | |||
access token, if possible, and return an HTTP 204 response code. | access token, if possible, and return an HTTP response code 204. | |||
204 No Content | 204 No Content | |||
Though the AS MAY revoke an access token at any time for any reason, | Though the AS MAY revoke an access token at any time for any reason, | |||
the token management function is specifically for the client | the token management function is specifically for the client | |||
instance's use. If the access token has already expired or has been | instance's use. If the access token has already expired or has been | |||
revoked through other means, the AS SHOULD honor the revocation | revoked through other means, the AS SHOULD honor the revocation | |||
request to the token management URI as valid, since the end result is | request to the token management URI as valid, since the end result is | |||
still the token not being usable. | that the token is still not usable. | |||
7. Securing Requests from the Client Instance | 7. Securing Requests from the Client Instance | |||
In GNAP, the client instance secures its requests to an AS and RS by | In GNAP, the client instance secures its requests to an AS and RS by | |||
presenting an access token, presenting proof of a key that it | presenting an access token, proof of a key that it possesses (aka, a | |||
possesses (aka, a "key proof"), or both an access token and key proof | "key proof"), or both an access token and key proof together. | |||
together. | ||||
* When an access token is used with a key proof, this is a bound | * When an access token is used with a key proof, this is a bound | |||
token request. This type of request is used for calls to the RS | token request. This type of request is used for calls to the RS | |||
as well as the AS during grant negotiation. | as well as the AS during grant negotiation. | |||
* When a key proof is used with no access token, this is a non- | * When a key proof is used with no access token, this is a non- | |||
authorized signed request. This type of request is used for calls | authorized signed request. This type of request is used for calls | |||
to the AS to initiate a grant negotiation. | to the AS to initiate a grant negotiation. | |||
* When an access token is used with no key proof, this is a bearer | * When an access token is used with no key proof, this is a bearer | |||
token request. This type of request is used only for calls to the | token request. This type of request is used only for calls to the | |||
RS, and only with access tokens that are not bound to any key as | RS and only with access tokens that are not bound to any key as | |||
described in Section 3.2.1. | described in Section 3.2.1. | |||
* When neither an access token nor key proof are used, this is an | * When neither an access token nor key proof are used, this is an | |||
unsecured request. This type of request is used optionally for | unsecured request. This type of request is used optionally for | |||
calls to the RS as part of an RS-first discovery process as | calls to the RS as part of an RS-first discovery process as | |||
described in Section 9.1. | described in Section 9.1. | |||
7.1. Key Formats | 7.1. Key Formats | |||
Several different places in GNAP require the presentation of key | Several different places in GNAP require the presentation of key | |||
skipping to change at page 107, line 22 ¶ | skipping to change at line 4782 ¶ | |||
All keys are associated with a specific key proofing method. The | All keys are associated with a specific key proofing method. The | |||
proofing method associated with the key is indicated using the proof | proofing method associated with the key is indicated using the proof | |||
field of the key object. | field of the key object. | |||
proof (string or object): The form of proof that the client instance | proof (string or object): The form of proof that the client instance | |||
will use when presenting the key. The valid values of this field | will use when presenting the key. The valid values of this field | |||
and the processing requirements for each are detailed in | and the processing requirements for each are detailed in | |||
Section 7.3. REQUIRED. | Section 7.3. REQUIRED. | |||
A key presented by value MUST be a public key and MUST be presented | A key presented by value MUST be a public key and MUST be presented | |||
in one and only one supported format, as discussed in Section 13.35. | in only one supported format, as discussed in Section 11.35. Note | |||
Note that while most formats present the full value of the public | that while most formats present the full value of the public key, | |||
key, some formats present a value cryptographically derived from the | some formats present a value cryptographically derived from the | |||
public key. See additional discussion of the presentation of public | public key. See additional discussion of the presentation of public | |||
keys in Section 13.7. | keys in Section 11.7. | |||
jwk (object): The public key and its properties represented as a | jwk (object): The public key and its properties represented as a | |||
JSON Web Key [RFC7517]. A JWK MUST contain the alg (Algorithm) | JSON Web Key (JWK) [RFC7517]. A JWK MUST contain the alg | |||
and kid (Key ID) parameters. The alg parameter MUST NOT be | (Algorithm) and kid (Key ID) parameters. The alg parameter MUST | |||
"none". The x5c (X.509 Certificate Chain) parameter MAY be used | NOT be "none". The x5c (X.509 Certificate Chain) parameter MAY be | |||
to provide the X.509 representation of the provided public key. | used to provide the X.509 representation of the provided public | |||
OPTIONAL. | key. OPTIONAL. | |||
cert (string): PEM serialized value of the certificate used to sign | cert (string): The Privacy-Enhanced Mail (PEM) serialized value of | |||
the request, with optional internal whitespace per [RFC7468]. The | the certificate used to sign the request, with optional internal | |||
PEM header and footer are optionally removed. OPTIONAL. | whitespace per [RFC7468]. The PEM header and footer are | |||
optionally removed. OPTIONAL. | ||||
cert#S256 (string): The certificate thumbprint calculated as per | cert#S256 (string): The certificate thumbprint calculated as per | |||
OAuth-MTLS [RFC8705] in base64 URL encoding. Note that this | OAuth-MTLS [RFC8705] in base64 URL encoding. Note that this | |||
format does not include the full public key. OPTIONAL. | format does not include the full public key. OPTIONAL. | |||
Additional key formats are defined in the GNAP Key Formats Registry | Additional key formats can be defined in the "GNAP Key Formats" | |||
(Section 11.17). | registry (Section 10.17). | |||
The following non-normative example shows a single key presented in | The following non-normative example shows a single key presented in | |||
two different formats. The example key is intended to be used with | two different formats. The example key is intended to be used with | |||
the HTTP Message Signatures (Section 7.3.1) proofing mechanism, as | the HTTP Message Signatures proofing mechanism (Section 7.3.1), as | |||
indicated by the httpsig value of the proof field. | indicated by the httpsig value of the proof field. | |||
As a JSON Web Key: | As a JWK: | |||
"key": { | "key": { | |||
"proof": "httpsig", | "proof": "httpsig", | |||
"jwk": { | "jwk": { | |||
"kty": "RSA", | "kty": "RSA", | |||
"e": "AQAB", | "e": "AQAB", | |||
"kid": "xyz-1", | "kid": "xyz-1", | |||
"alg": "RS256", | "alg": "RS256", | |||
"n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8xY..." | "n": "kOB5rR4Jv0GMeLaY6_It_r3ORwdf8ci_JtffXyaSx8xY..." | |||
} | } | |||
skipping to change at page 108, line 25 ¶ | skipping to change at line 4834 ¶ | |||
As a certificate in PEM format: | As a certificate in PEM format: | |||
"key": { | "key": { | |||
"proof": "httpsig", | "proof": "httpsig", | |||
"cert": "MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQsFA..." | "cert": "MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQsFA..." | |||
} | } | |||
When the key is presented in GNAP, proof of this key material MUST be | When the key is presented in GNAP, proof of this key material MUST be | |||
used to bind the request, the nature of which varies with the | used to bind the request, the nature of which varies with the | |||
location in the protocol the key is used. For a key used as part of | location in the protocol where the key is used. For a key used as | |||
a client instance's initial request in Section 2.3, the key value | part of a client instance's initial request in Section 2.3, the key | |||
represents the client instance's public key, and proof of that key | value represents the client instance's public key, and proof of that | |||
MUST be presented in that request. For a key used as part of an | key MUST be presented in that request. For a key used as part of an | |||
access token response in Section 3.2.1, the proof of that key MUST be | access token response in Section 3.2.1, the proof of that key MUST be | |||
used when the client instance later presents the access token to the | used when the client instance later presents the access token to the | |||
RS. | RS. | |||
7.1.1. Key References | 7.1.1. Key References | |||
Keys in GNAP can also be passed by reference such that the party | Keys in GNAP can also be passed by reference such that the party | |||
receiving the reference will be able to determine the appropriate | receiving the reference will be able to determine the appropriate | |||
keying material for use in that part of the protocol. Key references | keying material for use in that part of the protocol. A key | |||
are a single opaque string. | reference is a single opaque string. | |||
"key": "S-P4XJQ_RYJCRTSU1.63N3E" | "key": "S-P4XJQ_RYJCRTSU1.63N3E" | |||
Keys referenced in this manner MAY be shared symmetric keys. See the | Keys referenced in this manner MAY be shared symmetric keys. See the | |||
additional considerations for symmetric keys in Section 13.7. The | additional considerations for symmetric keys in Section 11.7. The | |||
key reference MUST NOT contain any unencrypted private or shared | key reference MUST NOT contain any unencrypted private or shared | |||
symmetric key information. | symmetric key information. | |||
Keys referenced in this manner MUST be bound to a single proofing | Keys referenced in this manner MUST be bound to a single proofing | |||
mechanism. | mechanism. | |||
The means of dereferencing this reference to a key value and proofing | The means of dereferencing this reference to a key value and proofing | |||
mechanism are out of scope for this specification. Commonly, key | mechanism are out of scope for this specification. Commonly, key | |||
references are created by the AS and are not necessarily needed to be | references are created by the AS and do not necessarily need to be | |||
understood by the client. These types of key references are an | understood by the client. These types of key references are an | |||
internal reference to the AS, such as an identifier of a record in a | internal reference to the AS, such as an identifier of a record in a | |||
database. In other applications, it can be useful to use key | database. In other applications, it can be useful to use key | |||
references that are resolvable by both clients and AS, which could be | references that are resolvable by both clients and the AS, which | |||
accomplished by a client publishing a public key at a URI, for | could be accomplished by a client publishing a public key at a URI, | |||
example. For interoperability, this method could later be described | for example. For interoperability, this method could later be | |||
as an extension, but doing so is out of scope for this specification. | described as an extension, but doing so is out of scope for this | |||
specification. | ||||
7.1.2. Key Protection | 7.1.2. Key Protection | |||
The security of GNAP relies on the cryptographic security of the keys | The security of GNAP relies on the cryptographic security of the keys | |||
themselves. When symmetric keys are used in GNAP, a key management | themselves. When symmetric keys are used in GNAP, a key management | |||
system or secure key derivation mechanism MUST be used to supply the | system or secure key derivation mechanism MUST be used to supply the | |||
keys. Symmetric keys MUST NOT be a human memorable password or a | keys. Symmetric keys MUST NOT be a human-memorable password or a | |||
value derived from one. Symmetric keys MUST NOT be passed by value | value derived from one. Symmetric keys MUST NOT be passed by value | |||
from the client instance to the AS. | from the client instance to the AS. | |||
Additional security considerations apply when rotating keys | Additional security considerations apply when rotating keys (see | |||
(Section 13.22). | Section 11.22). | |||
7.2. Presenting Access Tokens | 7.2. Presenting Access Tokens | |||
Access tokens are issued to client instances in GNAP to allow the | Access tokens are issued to client instances in GNAP to allow the | |||
client instance to make an authorized call to an API. The method the | client instance to make an authorized call to an API. The method the | |||
client instance uses to send an access token depends on whether the | client instance uses to send an access token depends on whether the | |||
token is bound to a key, and if so which proofing method is | token is bound to a key and, if so, which proofing method is | |||
associated with the key. This information is conveyed by the key | associated with the key. This information is conveyed by the key | |||
parameter and the bearer flag in the access token response structure | parameter and the bearer flag in the access token response structure | |||
(Section 3.2.1). | (Section 3.2.1). | |||
If the flags field does not contain the bearer flag and the key is | If the flags field does not contain the bearer flag and the key is | |||
absent, the access token MUST be sent using the same key and proofing | absent, the access token MUST be sent using the same key and proofing | |||
mechanism that the client instance used in its initial request (or | mechanism that the client instance used in its initial request (or | |||
its most recent rotation). | its most recent rotation). | |||
If the flags field does not contain the bearer flag and the key value | If the flags field does not contain the bearer flag and the key value | |||
skipping to change at page 110, line 20 ¶ | skipping to change at line 4924 ¶ | |||
Signature-Input: sig1=("@method" "@target-uri" "authorization")\ | Signature-Input: sig1=("@method" "@target-uri" "authorization")\ | |||
;created=1618884473;keyid="gnap-rsa";nonce="NAOEJF12ER2";tag="gnap" | ;created=1618884473;keyid="gnap-rsa";nonce="NAOEJF12ER2";tag="gnap" | |||
Signature: sig1=:FQ+EjWqc38uLFByKa5y+c4WyYYwCTGUhidWKfr5L1Cha8FiPEw\ | Signature: sig1=:FQ+EjWqc38uLFByKa5y+c4WyYYwCTGUhidWKfr5L1Cha8FiPEw\ | |||
DxG7nWttpBLS/B6VLfkZJogPbclySs9MDIsAIJwHnzlcJjwXWR2lfvm2z3X7EkJHm\ | DxG7nWttpBLS/B6VLfkZJogPbclySs9MDIsAIJwHnzlcJjwXWR2lfvm2z3X7EkJHm\ | |||
Zp4SmyKOS34luAiKR1xwf32NYFolHmZf/SbHZJuWvQuS4U33C+BbsXz8MflFH1Dht\ | Zp4SmyKOS34luAiKR1xwf32NYFolHmZf/SbHZJuWvQuS4U33C+BbsXz8MflFH1Dht\ | |||
H/C1E5i244gSbdLCPxzABc/Q0NHVSLo1qaouYIvnxXB8OT3K7mwWjsLh1GC5vFThb\ | H/C1E5i244gSbdLCPxzABc/Q0NHVSLo1qaouYIvnxXB8OT3K7mwWjsLh1GC5vFThb\ | |||
3XQ363r6f0OPRa4qWHhubR/d/J/lNOjbBdjq9AJ69oqNJ+A2XT+ZCrVasEJE0OBvD\ | 3XQ363r6f0OPRa4qWHhubR/d/J/lNOjbBdjq9AJ69oqNJ+A2XT+ZCrVasEJE0OBvD\ | |||
auQoiywhb8BMB7+PEINsPk5/8UvaNxbw==: | auQoiywhb8BMB7+PEINsPk5/8UvaNxbw==: | |||
If the flags field contains the bearer flag, the access token is a | If the flags field contains the bearer flag, the access token is a | |||
bearer token that MUST be sent using the Authorization Request Header | bearer token that MUST be sent using the Authorization request header | |||
Field method defined in [RFC6750]. | field method defined in [RFC6750]. | |||
Authorization: Bearer OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0 | Authorization: Bearer OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0 | |||
The Form-Encoded Body Parameter and URI Query Parameter methods of | The Form-Encoded Body Parameter and URI Query Parameter methods of | |||
[RFC6750] MUST NOT be used for GNAP access tokens. | [RFC6750] MUST NOT be used for GNAP access tokens. | |||
7.3. Proving Possession of a Key with a Request | 7.3. Proving Possession of a Key with a Request | |||
Any keys presented by the client instance to the AS or RS MUST be | Any keys presented by the client instance to the AS or RS MUST be | |||
validated as part of the request in which they are presented. The | validated as part of the request in which they are presented. The | |||
skipping to change at page 110, line 44 ¶ | skipping to change at line 4948 ¶ | |||
string, which consists of the key proof method name on its own, or by | string, which consists of the key proof method name on its own, or by | |||
a JSON object with the required field method: | a JSON object with the required field method: | |||
method: The name of the key proofing method to be used. REQUIRED. | method: The name of the key proofing method to be used. REQUIRED. | |||
Individual methods defined as objects MAY define additional | Individual methods defined as objects MAY define additional | |||
parameters as members in this object. | parameters as members in this object. | |||
Values for the method defined by this specification are as follows: | Values for the method defined by this specification are as follows: | |||
"httpsig" (string or object): HTTP Signing signature headers. See | "httpsig" (string or object): HTTP signing signature headers. See | |||
Section 7.3.1. | Section 7.3.1. | |||
"mtls" (string): Mutual TLS certificate verification. See | "mtls" (string): Mutual TLS certificate verification. See | |||
Section 7.3.2. | Section 7.3.2. | |||
"jwsd" (string): A detached JWS signature header. See | "jwsd" (string): A detached JWS signature header. See | |||
Section 7.3.3. | Section 7.3.3. | |||
"jws" (string): Attached JWS payload. See Section 7.3.4. | "jws" (string): Attached JWS Payload. See Section 7.3.4. | |||
Additional proofing methods are defined by the GNAP Key Proofing | Additional proofing methods can be defined in the "GNAP Key Proofing | |||
Methods Registry (Section 11.16). | Methods" registry (Section 10.16). | |||
Proof methods MAY be defined as both an object and a string. For | Proof methods MAY be defined as both an object and a string. For | |||
example, the httpsig method can be specified as an object with its | example, the httpsig method can be specified as an object with its | |||
parameters explicitly declared, such as: | parameters explicitly declared, such as: | |||
{ | { | |||
"proof": { | "proof": { | |||
"method": "httpsig", | "method": "httpsig", | |||
"alg": "ecdsa-p384-sha384", | "alg": "ecdsa-p384-sha384", | |||
"content-digest-alg": "sha-256" | "content-digest-alg": "sha-256" | |||
skipping to change at page 111, line 40 ¶ | skipping to change at line 4992 ¶ | |||
} | } | |||
All key binding methods used by this specification MUST cover all | All key binding methods used by this specification MUST cover all | |||
relevant portions of the request, including anything that would | relevant portions of the request, including anything that would | |||
change the nature of the request, to allow for secure validation of | change the nature of the request, to allow for secure validation of | |||
the request. Relevant aspects include the URI being called, the HTTP | the request. Relevant aspects include the URI being called, the HTTP | |||
method being used, any relevant HTTP headers and values, and the HTTP | method being used, any relevant HTTP headers and values, and the HTTP | |||
message content itself. The verifier of the signed message MUST | message content itself. The verifier of the signed message MUST | |||
validate all components of the signed message to ensure that nothing | validate all components of the signed message to ensure that nothing | |||
has been tampered with or substituted in a way that would change the | has been tampered with or substituted in a way that would change the | |||
nature of the request. Key binding method definitions MUST enumerate | nature of the request. Definitions of key binding methods MUST | |||
how these requirements are fulfilled. | enumerate how these requirements are fulfilled. | |||
When a key proofing mechanism is bound to an access token, the key | When a key proofing mechanism is bound to an access token, the key | |||
being presented MUST be the key associated with the access token and | being presented MUST be the key associated with the access token, and | |||
the access token MUST be covered by the signature method of the | the access token MUST be covered by the signature method of the | |||
proofing mechanism. | proofing mechanism. | |||
The key binding methods in this section MAY be used by other | The key binding methods in this section MAY be used by other | |||
components making calls as part of GNAP, such as the extensions | components making calls as part of GNAP, such as the extensions | |||
allowing the RS to make calls to the AS defined in | allowing the RS to make calls to the AS defined in [GNAP-RS]. To | |||
[I-D.ietf-gnap-resource-servers]. To facilitate this extended use, | facilitate this extended use, the sections below are defined in | |||
the sections below are defined in generic terms of the "signer" and | generic terms of the "signer" and "verifier" of the HTTP message. In | |||
"verifier" of the HTTP message. In the core functions of GNAP | the core functions of GNAP specified in this document, the "signer" | |||
specified in this document, the "signer" is the client instance and | is the client instance, and the "verifier" is the AS (for grant | |||
the "verifier" is the AS (for grant requests) or RS (for resource | requests) or RS (for resource requests), as appropriate. | |||
requests), as appropriate. | ||||
When used for delegation in GNAP, these key binding mechanisms allow | When used for delegation in GNAP, these key binding mechanisms allow | |||
the AS to ensure that the keys presented by the client instance in | the AS to ensure that the keys presented by the client instance in | |||
the initial request are in control of the party calling any follow-up | the initial request are in control of the party calling any follow-up | |||
or continuation requests. To facilitate this requirement, the | or continuation requests. To facilitate this requirement, the | |||
continuation response (Section 3.1) includes an access token bound to | continuation response (Section 3.1) includes an access token bound to | |||
the client instance's key (Section 2.3), and that key (or its most | the client instance's key (Section 2.3), and that key (or its most | |||
recent rotation) MUST be proved in all continuation requests | recent rotation) MUST be proved in all continuation requests | |||
(Section 5). Token management requests (Section 6) are similarly | (Section 5). Token management requests (Section 6) are similarly | |||
bound to either the access token's own key or, in the case of bearer | bound to either the access token's own key or, in the case of bearer | |||
tokens, the client instance's key. | tokens, the client instance's key. | |||
In the following sections, unless otherwise noted, the RS256 JOSE | In the following subsections, unless otherwise noted, the RS256 JSON | |||
Signature Algorithm (defined in Section 3.3 of [RFC7518]) is applied | Object Signing and Encryption (JOSE) signature algorithm (defined in | |||
using the following RSA key (presented here in JWK format): | Section 3.3 of [RFC7518]) is applied using the following RSA key | |||
(presented here in JWK format): | ||||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
{ | { | |||
"kid": "gnap-rsa", | "kid": "gnap-rsa", | |||
"p": "xS4-YbQ0SgrsmcA7xDzZKuVNxJe3pCYwdAe6efSy4hdDgF9-vhC5gjaRk\ | "p": "xS4-YbQ0SgrsmcA7xDzZKuVNxJe3pCYwdAe6efSy4hdDgF9-vhC5gjaRk\ | |||
i1wWuERSMW4Tv44l5HNrL-Bbj_nCJxr_HAOaesDiPn2PnywwEfg3Nv95Nn-\ | i1wWuERSMW4Tv44l5HNrL-Bbj_nCJxr_HAOaesDiPn2PnywwEfg3Nv95Nn-\ | |||
eilhqXRaW-tJKEMjDHu_fmJBeemHNZI412gBnXdGzDVo22dvYoxd6GM", | eilhqXRaW-tJKEMjDHu_fmJBeemHNZI412gBnXdGzDVo22dvYoxd6GM", | |||
"kty": "RSA", | "kty": "RSA", | |||
"q": "rVdcT_uy-CD0GKVLGpEGRR7k4JO6Tktc8MEHkC6NIFXihk_6vAIOCzCD6\ | "q": "rVdcT_uy-CD0GKVLGpEGRR7k4JO6Tktc8MEHkC6NIFXihk_6vAIOCzCD6\ | |||
skipping to change at page 113, line 48 ¶ | skipping to change at line 5068 ¶ | |||
zywzwPTuq-cVQDyEN7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ" | zywzwPTuq-cVQDyEN7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ" | |||
} | } | |||
Key proofing methods SHOULD define a mechanism to allow the rotation | Key proofing methods SHOULD define a mechanism to allow the rotation | |||
of keys discussed in Section 6.1.1. Key rotation mechanisms MUST | of keys discussed in Section 6.1.1. Key rotation mechanisms MUST | |||
define a way for presenting proof of two keys simultaneously with the | define a way for presenting proof of two keys simultaneously with the | |||
following attributes: | following attributes: | |||
* The value of or reference to the new key material MUST be signed | * The value of or reference to the new key material MUST be signed | |||
by the existing key. Generally speaking, this amounts to using | by the existing key. Generally speaking, this amounts to using | |||
the existing key to sign the content of the message which contains | the existing key to sign the content of the message that contains | |||
the new key. | the new key. | |||
* The signature of the old key MUST be signed by the new key. | * The signature of the old key MUST be signed by the new key. | |||
Generally speaking, this means including the signature value of | Generally speaking, this means including the signature value of | |||
the old key under the coverage of the new key. | the old key under the coverage of the new key. | |||
7.3.1. HTTP Message Signatures | 7.3.1. HTTP Message Signatures | |||
This method is indicated by the method value httpsig and can be | This method is indicated by the method value httpsig and can be | |||
declared in either object form or string form. | declared in either object form or string form. | |||
When the proof method is specified in object form, the following | When the proof method is specified in object form, the following | |||
parameters are defined: | parameters are defined: | |||
alg: The HTTP signature algorithm, from the HTTP Signature Algorithm | alg: The HTTP signature algorithm, from the "HTTP Signature | |||
registry. REQUIRED. | Algorithms" registry. REQUIRED. | |||
content-digest-alg: The algorithm used for the Content-Digest field, | content-digest-alg: The algorithm used for the Content-Digest field, | |||
used to protect the content when present in the message. | used to protect the content when present in the message. | |||
REQUIRED. | REQUIRED. | |||
This example uses the ECDSA signing algorithm over the P384 curve and | This example uses the Elliptic Curve Digital Signature Algorithm | |||
the SHA-512 hashing algorithm for the content digest. | (ECDSA) signing algorithm over the P384 curve and the SHA-512 hashing | |||
algorithm for the content digest. | ||||
{ | { | |||
"proof": { | "proof": { | |||
"method": "httpsig", | "method": "httpsig", | |||
"alg": "ecdsa-p384-sha384", | "alg": "ecdsa-p384-sha384", | |||
"content-digest-alg": "sha-512" | "content-digest-alg": "sha-512" | |||
} | } | |||
} | } | |||
When the proof method is specified in string form, the signing | When the proof method is specified in string form, the signing | |||
skipping to change at page 115, line 34 ¶ | skipping to change at line 5148 ¶ | |||
this value. The signer MUST include the created signature parameter | this value. The signer MUST include the created signature parameter | |||
with a timestamp of when the signature was created, and the verifier | with a timestamp of when the signature was created, and the verifier | |||
MUST ensure that the creation timestamp is sufficiently close to the | MUST ensure that the creation timestamp is sufficiently close to the | |||
current time given expected network delay and clock skew. The signer | current time given expected network delay and clock skew. The signer | |||
SHOULD include the nonce parameter with a unique and unguessable | SHOULD include the nonce parameter with a unique and unguessable | |||
value. When included, the verifier MUST determine that the nonce | value. When included, the verifier MUST determine that the nonce | |||
value is unique within a reasonably short time period such as several | value is unique within a reasonably short time period such as several | |||
minutes. | minutes. | |||
If the signer's key presented is a JWK, the keyid parameter of the | If the signer's key presented is a JWK, the keyid parameter of the | |||
signature MUST be set to the kid value of the JWK, the signing | signature MUST be set to the kid value of the JWK, and the signing | |||
algorithm used MUST be the JWS algorithm denoted by the key's alg | algorithm used MUST be the JWS algorithm denoted by the key's alg | |||
field of the JWK. | field of the JWK. | |||
The explicit alg signature parameter MUST NOT be included in the | The explicit alg signature parameter MUST NOT be included in the | |||
signature, since the algorithm will be derived either from the key | signature, since the algorithm will be derived from either the key | |||
material or from the proof value. | material or the proof value. | |||
In the following non-normative example, the message content is the | In the following non-normative example, the message content is a JSON | |||
following JSON object: | object: | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
{ | { | |||
"access_token": { | "access_token": { | |||
"access": [ | "access": [ | |||
"dolphin-metadata" | "dolphin-metadata" | |||
] | ] | |||
}, | }, | |||
"interact": { | "interact": { | |||
skipping to change at page 118, line 33 ¶ | skipping to change at line 5283 ¶ | |||
} | } | |||
The verifier MUST ensure that the signature covers all required | The verifier MUST ensure that the signature covers all required | |||
message components. If the HTTP Message includes content, the | message components. If the HTTP Message includes content, the | |||
verifier MUST calculate and verify the value of the Content-Digest | verifier MUST calculate and verify the value of the Content-Digest | |||
header. The verifier MUST validate the signature against the | header. The verifier MUST validate the signature against the | |||
expected key of the signer. | expected key of the signer. | |||
A received message MAY include multiple signatures, each with its own | A received message MAY include multiple signatures, each with its own | |||
label. The verifier MUST examine all included signatures until it | label. The verifier MUST examine all included signatures until it | |||
finds (at least) one that's acceptable according to its policy and | finds (at least) one that is acceptable according to its policy and | |||
meets the requirements in this section. | meets the requirements in this section. | |||
7.3.1.1. Key Rotation using HTTP Message Signatures | 7.3.1.1. Key Rotation Using HTTP Message Signatures | |||
When rotating a key using HTTP Message Signatures, the message, which | When rotating a key using HTTP Message Signatures, the message, which | |||
includes the new public key value or reference, is first signed with | includes the new public key value or reference, is first signed with | |||
the old key following all of the requirements in Section 7.3.1. The | the old key following all of the requirements in Section 7.3.1. The | |||
message is then signed again with the new key by following all of the | message is then signed again with the new key by following all of the | |||
requirements in Section 7.3.1 again with the following additional | requirements in Section 7.3.1 again, with the following additional | |||
requirements: | requirements: | |||
* The covered components MUST include the Signature and Signature- | * The covered components MUST include the Signature and Signature- | |||
Input values from the signature generated with the old key | Input values from the signature generated with the old key. | |||
* The tag value MUST be gnap-rotate. | ||||
* The tag value MUST be gnap-rotate | ||||
For example, the following request to the token management endpoint | For example, the following request to the token management endpoint | |||
for rotating a token value contains the new key in the request. The | for rotating a token value contains the new key in the request. The | |||
message is first signed using the old key and the resulting signature | message is first signed using the old key, and the resulting | |||
is placed in "old-key": | signature is placed in "old-key": | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
POST /token/PRY5NM33 HTTP/1.1 | POST /token/PRY5NM33 HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Authorization: GNAP 4398.34-12-asvDa.a | Authorization: GNAP 4398.34-12-asvDa.a | |||
Content-Digest: sha-512=:Fb/A5vnawhuuJ5xk2RjGrbbxr6cvinZqd4+JPY85u/\ | Content-Digest: sha-512=:Fb/A5vnawhuuJ5xk2RjGrbbxr6cvinZqd4+JPY85u/\ | |||
JNyTlmRmCOtyVhZ1Oz/cSS4tsYen6fzpCwizy6UQxNBQ==: | JNyTlmRmCOtyVhZ1Oz/cSS4tsYen6fzpCwizy6UQxNBQ==: | |||
Signature-Input: old-key=("@method" "@target-uri" "content-digest" \ | Signature-Input: old-key=("@method" "@target-uri" "content-digest" \ | |||
"authorization");created=1618884475;keyid="test-key-ecc-p256"\ | "authorization");created=1618884475;keyid="test-key-ecc-p256"\ | |||
skipping to change at page 123, line 40 ¶ | skipping to change at line 5483 ¶ | |||
The verifier compares the TLS client certificate presented during | The verifier compares the TLS client certificate presented during | |||
mutual TLS negotiation to the expected key of the signer. Since the | mutual TLS negotiation to the expected key of the signer. Since the | |||
TLS connection covers the entire message, there are no additional | TLS connection covers the entire message, there are no additional | |||
requirements to check. | requirements to check. | |||
Note that in many instances, the verifier will not do a full | Note that in many instances, the verifier will not do a full | |||
certificate chain validation of the presented TLS client certificate, | certificate chain validation of the presented TLS client certificate, | |||
as the means of trust for this certificate could be in something | as the means of trust for this certificate could be in something | |||
other than a PKI system, such as a static registration or trust-on- | other than a PKI system, such as a static registration or trust-on- | |||
first-use. See Section 13.3 and Section 13.4 for some additional | first-use. See Sections 11.3 and 11.4 for some additional | |||
considerations for this key proofing method. | considerations for this key proofing method. | |||
7.3.2.1. Key Rotation using MTLS | 7.3.2.1. Key Rotation Using MTLS | |||
Since it is not possible to present two client authenticated | Since it is not possible to present two client authenticated | |||
certificates to a mutual TLS connection simultaneously, dynamic key | certificates to a mutual TLS connection simultaneously, dynamic key | |||
rotation for this proofing method is not defined. Instead, key | rotation for this proofing method is not defined. Instead, key | |||
rotation for MTLS-based client instances is expected to be managed | rotation for MTLS-based client instances is expected to be managed | |||
through deployment practices, as discussed in Section 13.4. | through deployment practices, as discussed in Section 11.4. | |||
7.3.3. Detached JWS | 7.3.3. Detached JWS | |||
This method is indicated by the method value jwsd in string form. | This method is indicated by the method value jwsd in string form. | |||
{ | { | |||
"proof": "jwsd" | "proof": "jwsd" | |||
} | } | |||
The signer creates a JSON Web Signature (JWS) [RFC7515] object as | The signer creates a JSON Web Signature (JWS) [RFC7515] object as | |||
follows: | follows. | |||
To protect the request, the JOSE header of the signature contains the | To protect the request, the JOSE header of the signature contains the | |||
following claims: | following claims: | |||
kid (string): The key identifier. REQUIRED if the key is presented | kid (string): The key identifier. REQUIRED if the key is presented | |||
in JWK format, this MUST be the value of the kid field of the key. | in JWK format, this MUST be the value of the kid field of the key. | |||
alg (string): The algorithm used to sign the request. MUST be | alg (string): The algorithm used to sign the request. MUST be | |||
appropriate to the key presented. If the key is presented as a | appropriate to the key presented. If the key is presented as a | |||
JWK, this MUST be equal to the alg parameter of the key. MUST NOT | JWK, this MUST be equal to the alg parameter of the key. MUST NOT | |||
be none. REQUIRED. | be none. REQUIRED. | |||
typ (string): The type header, value "gnap-binding-jwsd". REQUIRED. | typ (string): The type header, value "gnap-binding-jwsd". REQUIRED. | |||
htm (string): The HTTP Method used to make this request, as a case- | htm (string): The HTTP method used to make this request, as a case- | |||
sensitive ASCII string. Note that most public HTTP methods are in | sensitive ASCII string. Note that most public HTTP methods are in | |||
uppercase ASCII by convention. REQUIRED. | uppercase ASCII by convention. REQUIRED. | |||
uri (string): The HTTP URI used for this request. This value MUST | uri (string): The HTTP URI used for this request. This value MUST | |||
be an absolute URI, including all path and query components and no | be an absolute URI, including all path and query components and no | |||
fragment component. REQUIRED. | fragment components. REQUIRED. | |||
created (integer): A timestamp of when the signature was created, in | created (integer): A timestamp of when the signature was created, in | |||
integer seconds since UNIX Epoch. REQUIRED. | integer seconds since UNIX Epoch. REQUIRED. | |||
When the request is bound to an access token, the JOSE header MUST | When the request is bound to an access token, the JOSE header MUST | |||
also include the following: | also include the following: | |||
ath (string): The hash of the access token. The value MUST be the | ath (string): The hash of the access token. The value MUST be the | |||
result of Base64url encoding (with no padding) the SHA-256 digest | result of Base64url encoding (with no padding) the SHA-256 digest | |||
of the ASCII encoding of the associated access token's value. | of the ASCII encoding of the associated access token's value. | |||
REQUIRED. | REQUIRED. | |||
If the HTTP request has content, such as an HTTP POST or PUT method, | If the HTTP request has content (such as an HTTP POST or PUT method), | |||
the payload of the JWS object is the Base64url encoding (without | the payload of the JWS object is the Base64url encoding (without | |||
padding) of the SHA256 digest of the bytes of the content. If the | padding) of the SHA256 digest of the bytes of the content. If the | |||
request being made does not have content, such as an HTTP GET, | request being made does not have content (such as an HTTP GET, | |||
OPTIONS, or DELETE method, the JWS signature is calculated over an | OPTIONS, or DELETE method), the JWS signature is calculated over an | |||
empty payload. | empty payload. | |||
The signer presents the signed object in compact form [RFC7515] in | The signer presents the signed object in compact form [RFC7515] in | |||
the Detached-JWS HTTP Header field. | the Detached-JWS header field. | |||
In the following non-normative example, the JOSE Header contains the | In the following non-normative example, the JOSE header contains the | |||
following parameters: | following parameters: | |||
{ | { | |||
"alg": "RS256", | "alg": "RS256", | |||
"kid": "gnap-rsa", | "kid": "gnap-rsa", | |||
"uri": "https://server.example.com/gnap", | "uri": "https://server.example.com/gnap", | |||
"htm": "POST", | "htm": "POST", | |||
"typ": "gnap-binding-jwsd", | "typ": "gnap-binding-jwsd", | |||
"created": 1618884475 | "created": 1618884475 | |||
} | } | |||
skipping to change at page 126, line 44 ¶ | skipping to change at line 5600 ¶ | |||
N7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ" | N7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ" | |||
} | } | |||
} | } | |||
"display": { | "display": { | |||
"name": "My Client Display Name", | "name": "My Client Display Name", | |||
"uri": "https://client.foo/" | "uri": "https://client.foo/" | |||
}, | }, | |||
} | } | |||
} | } | |||
This is hashed to the following Base64 encoded value: | This is hashed to the following Base64-encoded value: | |||
PGiVuOZUcN1tRtUS6tx2b4cBgw9mPgXG3IPB3wY7ctc | PGiVuOZUcN1tRtUS6tx2b4cBgw9mPgXG3IPB3wY7ctc | |||
This leads to the following full HTTP request message: | This leads to the following full HTTP request message: | |||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
POST /gnap HTTP/1.1 | POST /gnap HTTP/1.1 | |||
Host: server.example.com | Host: server.example.com | |||
Content-Type: application/json | Content-Type: application/json | |||
skipping to change at page 128, line 15 ¶ | skipping to change at line 5664 ¶ | |||
"uri": "https://client.foo/" | "uri": "https://client.foo/" | |||
}, | }, | |||
} | } | |||
} | } | |||
When the verifier receives the Detached-JWS header, it MUST parse and | When the verifier receives the Detached-JWS header, it MUST parse and | |||
validate the JWS object. The signature MUST be validated against the | validate the JWS object. The signature MUST be validated against the | |||
expected key of the signer. If the HTTP message request contains | expected key of the signer. If the HTTP message request contains | |||
content, the verifier MUST calculate the hash of the content just as | content, the verifier MUST calculate the hash of the content just as | |||
the signer does, with no normalization or transformation of the | the signer does, with no normalization or transformation of the | |||
request. All required fields MUST be present and their values MUST | request. All required fields MUST be present, and their values MUST | |||
be valid. All fields MUST match the corresponding portions of the | be valid. All fields MUST match the corresponding portions of the | |||
HTTP message. For example, the htm field of the JWS header has to be | HTTP message. For example, the htm field of the JWS header has to be | |||
the same as the HTTP verb used in the request. | the same as the HTTP verb used in the request. | |||
Note that this proof method depends on a specific cryptographic | Note that this proof method depends on a specific cryptographic | |||
algorithm, SHA-256, in two ways: the ath hash algorithm is hardcoded, | algorithm, SHA-256, in two ways: the ath hash algorithm is hardcoded, | |||
and computing the payload of the detached/attached signature also | and computing the payload of the detached/attached signature also | |||
uses a hardcoded hash. A future version of this document may address | uses a hardcoded hash. A future version of this document may address | |||
crypto-agility for both these uses by replacing ath with a new header | crypto-agility for both these uses by replacing ath with a new header | |||
that upgrades the algorithm, and possibly defining a new JWS header | that upgrades the algorithm and possibly defining a new JWS header | |||
that indicates the HTTP content's hash method. | that indicates the HTTP content's hash method. | |||
7.3.3.1. Key Rotation using Detached JWS | 7.3.3.1. Key Rotation Using Detached JWS | |||
When rotating a key using Detached JWS, the message, which includes | When rotating a key using Detached JWS, the message, which includes | |||
the new public key value or reference, is first signed with the old | the new public key value or reference, is first signed with the old | |||
key as described above using a JWS object with typ header value | key as described above using a JWS object with typ header value | |||
"gnap-binding-rotation-jwsd". The value of the JWS object is then | "gnap-binding-rotation-jwsd". The value of the JWS object is then | |||
taken as the payload of a new JWS object, to be signed by the new key | taken as the payload of a new JWS object, to be signed by the new key | |||
using the parameters above. | using the parameters above. | |||
The value of the new JWS object is sent in the Detached-JWS header. | The value of the new JWS object is sent in the Detached-JWS header. | |||
7.3.4. Attached JWS | 7.3.4. Attached JWS | |||
This method is indicated by the method value jws in string form. | This method is indicated by the method value jws in string form. | |||
{ | { | |||
"proof": "jws" | "proof": "jws" | |||
} | } | |||
The signer creates a JWS [RFC7515] object as follows: | The signer creates a JWS [RFC7515] object as follows. | |||
To protect the request, the JWS header contains the following claims. | To protect the request, the JWS header contains the following claims: | |||
kid (string): The key identifier. REQUIRED if the key is presented | kid (string): The key identifier. REQUIRED if the key is presented | |||
in JWK format, this MUST be the value of the kid field of the key. | in JWK format, this MUST be the value of the kid field of the key. | |||
alg (string): The algorithm used to sign the request. MUST be | alg (string): The algorithm used to sign the request. MUST be | |||
appropriate to the key presented. If the key is presented as a | appropriate to the key presented. If the key is presented as a | |||
JWK, this MUST be equal to the alg parameter of the key. MUST NOT | JWK, this MUST be equal to the alg parameter of the key. MUST NOT | |||
be none. REQUIRED. | be none. REQUIRED. | |||
typ (string): The type header, value "gnap-binding-jws". REQUIRED. | typ (string): The type header, value "gnap-binding-jws". REQUIRED. | |||
htm (string): The HTTP Method used to make this request, as a case- | htm (string): The HTTP method used to make this request, as a case- | |||
sensitive ASCII string. (Note that most public HTTP methods are | sensitive ASCII string. (Note that most public HTTP methods are | |||
in uppercase.) REQUIRED. | in uppercase.) REQUIRED. | |||
uri (string): The HTTP URI used for this request, including all path | uri (string): The HTTP URI used for this request, including all path | |||
and query components and no fragment component. REQUIRED. | and query components and no fragment components. REQUIRED. | |||
created (integer): A timestamp of when the signature was created, in | created (integer): A timestamp of when the signature was created, in | |||
integer seconds since UNIX Epoch. REQUIRED. | integer seconds since UNIX Epoch. REQUIRED. | |||
When the request is bound to an access token, the JOSE header MUST | When the request is bound to an access token, the JOSE header MUST | |||
also include the following: | also include the following: | |||
ath (string): The hash of the access token. The value MUST be the | ath (string): The hash of the access token. The value MUST be the | |||
result of Base64url encoding (with no padding) the SHA-256 digest | result of Base64url encoding (with no padding) the SHA-256 digest | |||
of the ASCII encoding of the associated access token's value. | of the ASCII encoding of the associated access token's value. | |||
REQUIRED. | REQUIRED. | |||
If the HTTP request has content, such as an HTTP POST or PUT method, | If the HTTP request has content (such as an HTTP POST or PUT method), | |||
the payload of the JWS object is the JSON serialized content of the | the payload of the JWS object is the JSON serialized content of the | |||
request, and the object is signed according to JWS and serialized | request, and the object is signed according to JWS and serialized | |||
into compact form [RFC7515]. The signer presents the JWS as the | into compact form [RFC7515]. The signer presents the JWS as the | |||
content of the request along with a content type of application/jose. | content of the request along with a content type of application/jose. | |||
The verifier MUST extract the payload of the JWS and treat it as the | The verifier MUST extract the payload of the JWS and treat it as the | |||
request content for further processing. | request content for further processing. | |||
If the request being made does not have content, such as an HTTP GET, | If the request being made does not have content (such as an HTTP GET, | |||
OPTIONS, or DELETE method, the JWS signature is calculated over an | OPTIONS, or DELETE method), the JWS signature is calculated over an | |||
empty payload and passed in the Detached-JWS header as described in | empty payload and passed in the Detached-JWS header as described in | |||
Section 7.3.3. | Section 7.3.3. | |||
In the following non-normative example, the JOSE header contains the | In the following non-normative example, the JOSE header contains the | |||
following parameters: | following parameters: | |||
{ | { | |||
"alg": "RS256", | "alg": "RS256", | |||
"kid": "gnap-rsa", | "kid": "gnap-rsa", | |||
"uri": "https://server.example.com/gnap", | "uri": "https://server.example.com/gnap", | |||
skipping to change at page 132, line 44 ¶ | skipping to change at line 5839 ¶ | |||
AogICAgfSwKICAgICJzdWJqZWN0IjogewogICAgICAgICJmb3JtYXRzIjogWyJpc3Nf\ | AogICAgfSwKICAgICJzdWJqZWN0IjogewogICAgICAgICJmb3JtYXRzIjogWyJpc3Nf\ | |||
c3ViIiwgIm9wYXF1ZSJdCiAgICB9Cn0K.MwNoVMQp5hVxI0mCs9LlOUdFtkDXaA1_eT\ | c3ViIiwgIm9wYXF1ZSJdCiAgICB9Cn0K.MwNoVMQp5hVxI0mCs9LlOUdFtkDXaA1_eT\ | |||
vOXq7DOGrtDKH7q4vP2xUq3fH2jRAZqnobo0WdPP3eM3NH5QUjW8pa6_QpwdIWkK7r-\ | vOXq7DOGrtDKH7q4vP2xUq3fH2jRAZqnobo0WdPP3eM3NH5QUjW8pa6_QpwdIWkK7r-\ | |||
u_52puE0lPBp7J4U2w4l9gIbg8iknsmWmXeY5F6wiGT8ptfuEYGgmloAJd9LIeNvD3U\ | u_52puE0lPBp7J4U2w4l9gIbg8iknsmWmXeY5F6wiGT8ptfuEYGgmloAJd9LIeNvD3U\ | |||
LW2h2dz1Pn2eDnbyvgB0Ugae0BoZB4f69fKWj8Z9wvTIjk1LZJN1PcL7_zT8Lrlic9a\ | LW2h2dz1Pn2eDnbyvgB0Ugae0BoZB4f69fKWj8Z9wvTIjk1LZJN1PcL7_zT8Lrlic9a\ | |||
PyzT7Q9ovkd1s-4whE7TrnGUzFc5mgWUn_gsOpsP5mIIljoEEv-FqOW2RyNYulOZl0Q\ | PyzT7Q9ovkd1s-4whE7TrnGUzFc5mgWUn_gsOpsP5mIIljoEEv-FqOW2RyNYulOZl0Q\ | |||
8EnnDHV_vPzrHlUarbGg4YffgtwkQhdK72-JOxYQ | 8EnnDHV_vPzrHlUarbGg4YffgtwkQhdK72-JOxYQ | |||
When the verifier receives an attached JWS request, it MUST parse and | When the verifier receives an attached JWS request, it MUST parse and | |||
validate the JWS object. The signature MUST be validated against the | validate the JWS object. The signature MUST be validated against the | |||
expected key of the signer. All required fields MUST be present and | expected key of the signer. All required fields MUST be present, and | |||
their values MUST be valid. All fields MUST match the corresponding | their values MUST be valid. All fields MUST match the corresponding | |||
portions of the HTTP message. For example, the htm field of the JWS | portions of the HTTP message. For example, the htm field of the JWS | |||
header has to be the same as the HTTP verb used in the request. | header has to be the same as the HTTP verb used in the request. | |||
Note that this proof method depends on a specific cryptographic | Note that this proof method depends on a specific cryptographic | |||
algorithm, SHA-256, in two ways: the ath hash algorithm is hardcoded, | algorithm, SHA-256, in two ways: the ath hash algorithm is hardcoded, | |||
and computing the payload of the detached/attached signature also | and computing the payload of the detached/attached signature also | |||
uses a hardcoded hash. A future version of this document may address | uses a hardcoded hash. A future version of this document may address | |||
crypto-agility for both these uses by replacing ath with a new header | crypto-agility for both these uses by replacing ath with a new header | |||
that upgrades the algorithm, and possibly defining a new header that | that upgrades the algorithm and possibly defining a new header that | |||
indicates the HTTP content's hash method. | indicates the HTTP content's hash method. | |||
7.3.4.1. Key Rotation using Attached JWS | 7.3.4.1. Key Rotation Using Attached JWS | |||
When rotating a key using Attached JWS, the message, which includes | When rotating a key using Attached JWS, the message, which includes | |||
the new public key value or reference, is first signed with the old | the new public key value or reference, is first signed with the old | |||
key using a JWS object with typ header value "gnap-binding-rotation- | key using a JWS object with typ header value "gnap-binding-rotation- | |||
jws". The value of the JWS object is then taken as the payload of a | jws". The value of the JWS object is then taken as the payload of a | |||
new JWS object, to be signed by the new key. | new JWS object, to be signed by the new key. | |||
8. Resource Access Rights | 8. Resource Access Rights | |||
GNAP provides a rich structure for describing the protected resources | GNAP provides a rich structure for describing the protected resources | |||
hosted by RSs and accessed by client software. This structure is | hosted by RSs and accessed by client software. This structure is | |||
used when the client instance requests an access token (Section 2.1) | used when the client instance requests an access token (Section 2.1) | |||
and when an access token is returned (Section 3.2). GNAP's structure | and when an access token is returned (Section 3.2). GNAP's structure | |||
is designed to be analogous to the OAuth 2.0 Rich Authorization | is designed to be analogous to the OAuth 2.0 Rich Authorization | |||
Request data structure defined in [RFC9396]. | Requests data structure defined in [RFC9396]. | |||
The root of this structure is a JSON array. The elements of the JSON | The root of this structure is a JSON array. The elements of the JSON | |||
array represent rights of access that are associated with the access | array represent rights of access that are associated with the access | |||
token. Individual rights of access can be defined by the RS as | token. Individual rights of access can be defined by the RS as | |||
either an object or a string. The resulting access is the union of | either an object or a string. The resulting access is the union of | |||
all elements within the array. | all elements within the array. | |||
The access associated with the access token is described using | The access associated with the access token is described using | |||
objects that each contain multiple dimensions of access. Each object | objects that each contain multiple dimensions of access. Each object | |||
contains a REQUIRED type property that determines the type of API | contains a REQUIRED type property that determines the type of API | |||
skipping to change at page 134, line 15 ¶ | skipping to change at line 5905 ¶ | |||
While it is expected that many APIs will have their own properties, | While it is expected that many APIs will have their own properties, | |||
this specification defines a set of common data fields that are | this specification defines a set of common data fields that are | |||
designed to be usable across different types of APIs. This | designed to be usable across different types of APIs. This | |||
specification does not require the use of these common fields by an | specification does not require the use of these common fields by an | |||
API definition but, instead, provides th |