Internet Engineering Task Force 107, 23 Mar 2020

Previous Meeting

⏯

youtube image

►

From YouTube: IETF107-TXAUTH-20200323-1950

Description

TXAUTH meeting session at IETF 107
2020/03/23 1950

https://datatracker.ietf.org/meeting/107/proceedings

A

All right, I guess we can start then.

A

So welcome everyone. This is the first session of the first ever fully virtual IDF and the wonder it's taking us a little bit of time to be to ramp up it. Please have your video off in most importantly, please be muted unless you're speaking also, if you'd like to to speak. If you'd like to be on my queue and there's a just a chat feature to WebEx, please say plus q and you will. We will note your name and we will call you to the mic.

A

Others in etherpad at the bottom of the etherpad, is the blue sheet. I see many many names already and just as a quick public service announcement. If you own.

B

A

Might very well be unable to reach usurper because of the port is using and if you are unable to note your name, please just send us a email directly and we will add you later and like slide. Please.

A

If the note1 applies today, just as it applies to any physical or virtual IDF meeting a next slide.

A

Boom- maybe it's a good time to say that I'm around Chester and dick.

A

I'm, the only one speaking stuff.

C

You start I needed to give way back to my screen to share screen.

A

Well, apparently, you already ceiling.

C

Yeah, okay, I'm.

A

C

A

So I was saying that day I'm around sofa coach of the axilla and you are Oh.

C

Dick heart, I'm co-chair of TX off and I authored the X off paper.

A

Okay next slide, please.

A

Next slide that.

C

Is the last of those slides.

A

Okay, this should have been one more thing and exosphere status.

A

Oh wait: you were sharing okay, I, wasn't sharing that okay, so now we conceal screen but different. Okay. This is better.

A

Okay! Thank you. So let me quickly go to the agenda.

D

A

Please let us know if you have any comments on the agenda, we'll start with just not, then we will have a shorter discussion. We realize that there are still open points that people want to discuss about the shelter, so we might go over 20 minutes, but at some point we will need to cut this discussion in order to discuss the to a possible starting points that we have for the 3x or protocol which are X Y Z.

A

That Justin will present and EXO that dick will present following that and depending on how much time remains, we will talk about the differences between the protocols and the.

E

A

The next steps for this service.

A

A

So a few words about where we are right now and we just completed I believe two days ago, a.

B

A

Call for the creation of the Texas, a working group, and we had over 20 people in favor and one person who was opposed to the creation of the working group. But still I would like to take to take part if an if and when it is created. A given.

B

A

A this, a reaction on the mailing.

B

A

The next step is for is three to make a decision on whether a working group will be created based on what we've seen on the mailing list, as well as this discussion today it to answer your question: yes, dick is responsible for the queue.

A

You so, let's open it up for agenda bashing.

C

There's someone.

C

A

So who leave the SKU animals.

F

A

I'm better, so let me do it for dick Annabelle. Can you pay Samuel to pick up? Yes,.

G

Hi Annabelle Backman Amazon we're doing a bit agenda. Bashing right, I, know we're past the agenda slide. So, okay, yeah I, want to kind of reiterate what I asked for on the mailing list, which I really think we need to add a little more structure than just 20 minutes for charter discussion because seems like there's a handful of key items for debate, and it would be helpful, I think for us to make sure we get a chance to talk about all of them.

G

I could easily see some of you know like, for example, the question of to what extent identities included in the Charter is just taking up like 40 minutes of our time.

A

And I could respond to that with we decided to to keep it open for now. If we realize that we're rattling on anything and in specific, we will ask to to cut the line at that point. They could you like to add anything.

C

Nope I might show my video I hope.

B

H

You are, yes, you are Emily, you.

G

C

This is not one of the easier pieces of software to use Oh.

C

uh No, we thought that we would, if the Charter discussion continued darn, we would let that run and for 40 minutes and take the time off the end of the discussion of the protocols.

G

I think my my question, or my concerns more around as it is. The Charter discussion is just sort of this big, unstructured block of time. I guess I'm, hoping the chairs are going to be ordering that or orchestrating that, so that we can actually try and, like maybe close out on on topics and not just kind of jump around or keep jumping back to the same topics. Just a little concerning since, like it's not assigned to anybody to lead that discussion or anything on that on the agenda. So, hopefully there's some organization plans there.

G

C

C

We will climb boxing, so they don't over run, run too long.

A

So specifically, you mentioned the you honorable mention their identity. I think we should start there. This seems to be the the most important subject that people brought up. So if people have an opinion in favor of including identity in the charter against or something in between, please add yourself to the queue and let's get to get going on identity.

C

Go ahead, Annabel.

G

So um Annabelle back on Amazon again up before that, I want to just quickly preface all of this discussion with the way I see it. The Charter should be about you know just outlining the problems, we're trying to solve and I think a lot of the suggestions on the discussions and debates that are coming up on the mailing list stem from people trying to put.

G

Trying to define in the Charter the solution to the problem we are solving rather than the proc describing the problem itself and I think the solution part is really where we need to get to have those discussions in the working group and decide at you know when we're designing the protocol what's going in it.

G

So just maybe other people don't see it that way, but if that makes sense to use and just try and keep that in the back of your mind as you as we discuss this on identity I think there a again specifically as there's a lot of room for us to go into to to to get clearer about what it is we're talking about and what problems we're trying to solve. When we say, oh we're going to put identity in the Charter, does that mean we're? You know communicating claims about a subject.

G

Does that mean we are solving? You know session management between the and an authentication, server and a client. Does that mean something else in between there?

G

It's different people are having coming to this with their own ideas about what that word means. So, let's try to be very specific about that.

G

A

Quick procedural note: please don't use the WebEx chat for anything other than adding yourself to the queue.

A

C

I

C

Mike is in the queue next Mike.

D

Sure and put the discussions on the list, I think it would be fairly important to understand what are the uses cases we're trying to solve before we would decide to rule identity in and, as Annabelle just said, identities a lot of things. Sometimes it just claims when you dedicate so sometimes it's session management.

D

Sometimes it has a whole lot more and I would like to see a scope, this small enough that it's actually achievable and adding unique value and just reusing identity stuff, that's already defined, where possible, but again I think we should be starting with use cases and or architecture, as not said, rather than starting with drafts.

C

Thanks Mike, the queue looks empty to me.

C

A

I

Hi I just wanted to follow up on what you had said Mike. What would you be looking for relative to the current charter language, which makes some references to the use cases.

D

um I would actually want some use cases written down like what are we trying to solve, what are the likely roles and of the participants?

D

Why is a unique solution needed for some of these things and to the identity question? What aspects of identity are needed by these use cases and what are we ruling out and what are we were using right now, it's just sort of a grab bag I do appreciate the new language that Justin and dick came up with a few days ago. I think on Saturday I proposed to tweak to it and try to skip that to something achievable, but I'd like to see much more focus on reuse and writing the use cases.

C

Up there kargh here in the queue the.

C

Sort of open, ID connect and Olaf is sort of being something that covers. Those use cases is that that sounds fairly clear to me. I think the myself I was interested in identity because open eggie connect uses OAuth and have it thinking about the identity.

C

Use cases would open, ie, connect, solves and making sure that those are all solved in TX off, as opposed to a group tacking it Arn and having to deal with whatever came out of TX off for what they're doing an identity made more sense to solve it holistically, as opposed to separately.

D

Other again, identity, as many things just releasing claims on medication time. It's easy! Are you, including the log out parts of open, ID, Connect and the session management parts I mean that's, what's needed for end and solution, there's more of identity for aggregated and distributed claims, there's verified claims, there's a whole bunch and the Charter is not at all clear whether you're talking about releasing claims- and you know have a nice day or whether you're building an end-to-end identity system and I think the latter is hard. Having done it.

C

C

I think the open, ID, Connect features and I think also that reuse is the key thing right. I, don't think we need to reinvent anything, but we don't want to have people that are building identity stuff, having to figure out how to go and chew horn it into TX aw Annabel's next, in the queue yeah so.

G

I'm glad we're talking about use cases start without putting a couple out there.

G

I I think the most obvious use case is kind of the one that Mike I, think you're getting at with just the a little bit is all right, an end dick, as well as just the ability to support.

G

And a authentication protocol like open ID connect over TX author / /. Whatever protocol we come up with, you know, open ID connect had to invent a bunch of stuff on top of OAuth 2 I think the goal here. One of the goals for us ought to be to.

G

Make that unnecessary, not necessarily to doesn't necessarily mean reinventing everything, but whatever protocol we come up with, it should be clear and obvious how you do a full-fledged identity system on top of that, and maybe that means maybe all that means is, we have a way of you know talking about claims and Borla part, maybe we're lifting that from OID C.

G

And then you know once once you get your your tokens, your just doing everything that's been built on to IDC from there I don't know, but it might be helpful to kind of to put the Charter language. In those terms, you can put it less about just we're going to do identity and more about we're going to enable identity to work over this thing.

G

Another use case I want to throw in here because it's a little decoupled from IDC is the ability to communicate to the authorization server the identities that you are that these that the client is expecting one of the problems off to has, especially if you're trying to do incremental authorization, is there's no real good way for the client to tell the oauth2 authorization server who they expect or who they require, the subject to be, and so, if you're doing, incremental op C, it's entirely possible that the subject is a resource owner for the tokens you get back in this incremental authorization is different from the ones you started with before.

G

So, if you're trying to do an incremental, so you get access to you've got access to resources a now you need access to resource, be in that same resource owner account, it's possible. What you end up with is access to resource, be in a totally different account, and you don't really just with us. You don't really have any good way of determining that's the case, and that can lead to some really weird broken experiences.

G

um So that's something that I would like to I think it's squarely you know needed with just within the authorization domain, even if you're not doing any sort of like authentication into the client using that or any sort of like shared session management, or anything like that. um That's something that's missing an auth that I would like to see here.

G

The last point I'll add on this talking about reuse and talking about claims.

G

One thing that I would like to steer clear of is having multiple structured languages for talking about, like you know, one structured language for talking about resources that I'm asking for authorization for and another structured language for talking about claims, and so, if we're keeping those as two separate things, I think there's a risk of that. So I think that would just be unnecessarily complex, unnecessarily confusing. So, yes, we talk about reused. Think about things like that.

G

E

Okay, so I had two points, one of which is real, quick, just to remind everyone that, when we're writing the charter text, the Charter needs to be understandable by people who are not conversant with the details of open ID connect. And so, if we're talking about doing identity in terms of the functionality that Open ID Connect does we should describe that a little bit more when we start to put that into Charter text.

E

So we don't have to expect people to go, read up on an ID connect and then my second point, which is a little bit more detailed, is that coming into today, based on what I had read, which is incomplete of the mailing list, my understanding was that when we talked about identity, we could perhaps say that TX off wants to be able to convey.

E

You know some information or claims from the S to the RS, and it just so happens that some of those claims or information might relate to the identity of the user, saying so that it's just sort of calling that out as a particular type of information that we would want to be transacting. As opposed to being necessarily a fundamentally different thing, having now just listens to what Annabel was saying, though I'm no longer sure that's the case.

E

So it would help me personally to have a little bit more clarity about whether my initial understanding was correct, that we were just having identity information as a class of claim that we are conveying, but it is not sort of privileged in some other sense.

C

: is next in the queue so dicks answer that the the use cases were they like the the oauth2 and the open ID connect, use cases, sort of sort of surprised me and I'm wondering if anyone can speak to what are the use cases that we want to solve with this working group that aren't already covered by one of those existing are well by open, I need connect. Basically, could somebody talk about that and get those into the charter bit more.

A

A question Cullen.

A

I understand the shuttle does actually mentioned the motivation, hey. What exactly is.

B

A

In the initial part of the Charter text, for you.

C

The way I read the Charter and I threat, the mailing will track the other stuff on here. It almost seemed to me like Oh, ought to would would solve most of the things that I tore sit there. So if there were specific use, cases that ought to does not meet, it would be great to at least have a better understanding of them for this group of people here right now, and maybe that would result in update of the Charter as well.

C

But if the use case is purely.

I

C

I

Redo the use cases.

C

That go off to MIT does in another standards organization, I'm in write that down go for it and you know, but let's be fair about which of the two. It is.

C

I'll just respond to that someone to help provide some clarity, the use cases of OAuth, 2 and open ID connect arm.

C

You can kind of view those fairly broadly and so there's a number of things that don't work today with OAuth 2 and open ID Connect, which is what's driving this new work. And while you can solve a fair amount of identity, things with open ID connect the concern and why I wanted to have identity and the TX off charter. Is that someone's going to go and deploy TX off?

C

Not only are they going to want autism but they're also going to want to identity, because that's a common pattern, and so, while somebody might be able to solve the identity with just open ID connect on top of OAuth, they wouldn't be able to solve it when they're using TX, unless they also have the same features that open ID Connect offers within TX off.

C

Does that clarify things on that does yeah? Okay? Next, in the queue is Justin yeah.

F

Really just seconding that that we wanted to really bring into the fold some of the core identity capabilities of Open ID connect and I really see that and as I try to reflect in the latest version of the Charter tax. As you know, releasing a couple of identifiers.

F

You know really basic claims about the user being able to release a set of assertion from the AAS and to Annabel's point being able to present identity information on the request and beyond, just a notion of who the user might be. But if I'm using a you know, verifiable credential proofs I can actually prove that you know the user really did authenticate to me as a piece of software cryptographically. There are other protocols that allow me to do that and txl should be able to convey that information as well.

F

We are not looking at least it was never my intent for us to define a whole end-to-end identity ecosystem here, but I think that it would behoove us to have the basic hooks in the right place so that we don't end up in a space where, like dick was saying, people take T, X off and just kind of build something on it, which, as great as open ID Connect, is that's kind of where the internet is today with OAuth 2, because we've got a lot lot lot of WAP 2 based identity protocols that are not open, ID connect out there, and so by having at least the basics of identity and authenticating to the client as part of the protocol and whether that's in the core document or second document.

F

That's a different discussion. But having that defined here in this group and to Anabelle's point, you know extensions on where you can kind of it make it obvious and where you would build all of this other stuff, whether the you know- and that should probably happen in another group, then I think it's that's really the best direction that we can go now, whether we pull those bits and pieces from Open, ID, Connect or from skim or from Facebook or from verifiable credentials or wherever. That's something that the working group needs to decide.

F

What makes the most sense right. We are not presuming. We and the Charter cannot presume an existing answer to those questions, but it can provide the right framework for those questions.

F

So that's why, if you look at the current charter text, it says you know, including asserted: identity claims and approval of AF attestation to identity claims, and it really is in those specific terms that I think the details lie.

C

Oh knees next in the queue yeah.

J

So, along with everybody else, identity is quite large, I think just a state, as it's currently stated in the Charter and yet there's no connection at all with authentication and how binding would happen with the authentic reject, with an authentication mechanism to actually obtain identity, so I'm still missing why identity would be in there and an authentication wouldn't necessarily begin in the scope of the Charter I'm, not suggesting that it should be, but I don't see how you can have either of them without the binding between the two I think it's too much to take on in this particular charter.

J

You know the world of identity. It's quite large, you know goes from proofing. You know all the way to validation and things like that. So there's a lot of other groups doing multitude of work in this space. I, don't think it's worth time wasting it in this group to to rehash some of that stuff.

J

C

And Tony, but you know once again I think the goal of the Charter is to make sure that people aren't having to tax that barn to TX off and so go.

J

C

Interesting things not reinventing anything right.

J

And so I think that's where it can be a lot clearer, because it's not currently just saying it's, it's there to absorb existing frameworks or existing technologies that are out there. It's Atlanta g12 believe it's reinventing identity in some in some particular case. So.

E

Just to jump in as the ad this is been Caidic Tony. You want the clarification to be about sort of the way that we plan to use existing authentication stuff and have that tie into the identity information that we are conveying yeah.

J

Both identity, you know how, how existing authentication and existing identity and play into TX off. Okay.

E

C

Next NICU is Mike. If somebody's got the text of the Charter handy, they want to paste it into jabber. Just so.

F

The other people.

C

Have it all available or is it somewhere yeah.

F

So uh so I can do that I'm not on the jabber Channel I could put it on the ether pad, but I know not everybody's on there either. Once.

C

You post it into the chat and WebEx I've got the queue already: we've cut the queue. Okay I'll do that so.

D

This is Mike Jones at Microsoft.

D

If, as Justin describes it all that's being included, is releasing some identity claims at authorization time you're, guaranteeing that you're going to have to build some additional layers which, for instance, the session management, the logout, you don't just login, you have to decide when to logout, you have to contact the logged in relying parties, you have to get them logged out. You have to do the cookie management underneath, etc, and I would rather there be a clean layering.

D

We're sure we think about the experience we've learned from sam'l and connect and Facebook Connect and what-have-you and think about where to do the cut for the layering. But you know to towards its point on the list. Entities identity is a really big topic. I think we will be much more likely to succeed in refactoring authorization. If that's what we do and we leave the hooks there. For instance, you could build an open ID connect profile for TX off. Just like you have an open, ID connect profile for different response types.

D

Iv TX off is primarily creating a different kind of response type with different messages, but all the identity stuff should layer the same.

D

And the Charter I'll close by saying this, the Charter is completely a US about whether session management is in or out at a minimum. For the ad comments, it has to be clear whether that's in scope or not, because just saying identity is wildly ambiguous.

D

C

A Carson's next, we still don't whole charter in Peru yeah go ahead towards them. I.

H

Think just that we'll manage that cost, Motor City s have come hi everybody um yeah identity is a broad topic and I personally think it's all first of all, focus on on defining a new authorization protocol. Although there are some elements of identity that I think belong to the core of this of the new authorization protocol.

H

Anabelle just mentioned the incremental authorization. I fully agree, that's a use case, that's purely soft or even not solved in the off two and open and econnect space. Today, I, even don't think it's really an identity use case, because I would like to see a solution that are tries to not really expose an identity to allow R'lyeh clients to to to upgrade an existing authorization with the same user. So we have done some work in that in that regard, in the grant management protocol for two, so I think.

H

That's that's a very really reasonable in this case that I'm supporting second use case is are providing identity and the at the AAS to RS interface as I as I said under on the on the mailing list. This is today and off to this is a no-man's land, so everybody is doing it differently and I think that's that's a viable use case, because we need to somehow specify this interface in order to come up with interim bold solutions between a SS and our SS, and it brings me to my last two topics.

H

First of all and I think we already agreed on the list to to make that part of the Charter intro bility of all the three interfaces. Client to AF, AF, 2, RS and client to RS must be in scope for that shorter I even went one step further and um asked for testability, so the goal my goal would be to have intro bility, really on the on the on the on the wire level.

H

And last but not least, we have discussed that over the course of the last week intensively. I would like to see support in the new protocol for a great number of different designs for ways to manage tokens from single single access. Token designs to multiple for LSM access. Token designs I've got some extensive conversations with the with the editors of their proposals that we have right now and I feel that, with we came up with a common understanding that this is covered by the current charter.

H

The current total text, as far as SC doesn't have the text recording intro, bility and testability. Yes,.

H

Right, y'all right.

A

That's correct: the chart detects that I'm linking it here is the Charter texted that we had for their consensus call there are you a few changes that we agreed on on the mailing list following the consensus code and that Justin posted is so we will consolidate all of them and in post them, but not they're, not yet available in all.

B

A

One place: okay,.

F

Thank you right if I can just follow up with that, there are there's a small handful changes, one first, as I mentioned, requests versus requested response from part of it. As a fine clarification. There was a note about interoperability.

F

There's a couple of things like that that had not been incorporated and publicized yet, but then you know, I've got it on my screen to add that stuff.

C

Thanks Justin last person, the queue is George Fletcher.

B

I yep George Fletcher rise in media, so in listening to this conversation, I feel like we're not trying to solve identity at all we're trying to provide some standardization around identifiers and communication of claims, and maybe, if we framed it in that those kinds of terms, it would make this easier.

B

I think that for adoption, we're going to have to hook into a bunch of existing identity infrastructures right when we start talking about the kinds of things that might talked about- and you know in identity management, we're doing all sorts of full life-cycle kinds of things, only a small piece of those cut and authorization flow. So if the core element of what we're talking about is how do we represent an identifier? What are some core elements of identifiers, some standardization around?

B

How those you know core attributes, get communicated, or maybe even some sort of scheme, as it allows you to specify here's the the here's the the way I'm talking about these things and multiple can get slotted in I. Think for me, that's a lot clearer right and effectively. The aspects like Tony was talking about of authentication or Mike. Was talking about session management? Those things are left out of scope from a TX off perspective and we're just talking about where the intersection happens, as it relates to authorization.

C

C

Q ah round you wanna yeah.

A

Before we move on to XYZ, if there's anybody who feels that they have something essential that an essential comment to make to the Charter, that's now squirrely in the identity, what kind of identity or how do we deal with identity?

A

If there's anybody who still needs to make a comment to the Charter up to three people, please add yourself to the queue. Otherwise, let's move on.

A

D

Yeah I think it's essential that we somehow do the equivalent of a hum about whether session management, part of identity and identity proofing or in or out of scope and or whether we do layering to allow them and I sure hope it comes out layering.

D

But you know in any event the Charter has to say right now. It's just ambiguous.

I

So this is Roman jumping it as the idea I think it's going to be very tricky to do. The humming we're gonna have to take just to the mountain list. I think we have a fairly fairly long list of items, we're going to need to sort out and what I be interested in and kind of. The chairs kind of help me out here is I'm, going to read a list, and if someone feels like this is not a bigger topic that we need discussion on or you I'm sorry you need to add.

I

You know add something too. Unless you please kind of speak up, so you know going backwards. Mike. You just mentioned session management. We have multiple folks, tell us that we need to have more precision on on kind of what is the definition of identity. We talked a little bit about. We need precision on. Are you inventing new stuff or are you going to be referencing other stuff, and then we have some feedback from multiple parties around? You know clarity and use cases.

I

Given you know, given the current text, if there's someone else that wants to jump into queue to say that they're, there kind of feedback is not captured by those larger bullets.

I

I

All right, okay, seen anyone jump in early.

A

Go ahead, Roman no.

I

I was just saying over the year urine.

A

So just one more procedure at a point: we simply don't have a solution for humming at virtual meetings, so everything will need to go to the mailing list exclusively and we will be discussing the points that were raised here. Hey next on the agenda is just in on XYZ Oh.

F

C

F

For yeah, just a quick procedural bit would it be helpful if I tried to do a revision of the Charter. Based on the comments that we've had over the last week and a couple of comments here like what George was just saying and put that out, because there's a couple of things that it seems clear, we need to change so I'm asking. Should we do a revision first and then consensus on that.

A

A discussion on the list obviously includes I mean a total checked proposal is a very valid way of driving this discussion. So yes, Kane, okay,.

F

I will I will know to myself to do that.

C

Coordinate with us on that separately, yes, okay, are.

F

K

C

F

C

F

Plus ones in the church.

C

This is, there was a couple people in the queue over there, I thought.

F

I won in the cute sorry.

C

No, no and when you took over my window, disappeared, I've lost my cue window. Oh that's.

F

Best really that's.

C

F

You should you should still have WebEx it. Just will be in a different window. Yeah, it's not the best UI. It really isn't. It's.

C

Pretty and like my my chat window is suddenly gone, can anybody else see the chat? Oh.

E

C

E

They are plus ones, not plus cues, so I think that was just a an intent.

B

E

B

F

E

F

E

Jabiru and now transit man, okay, yeah.

F

Too many chats, okay.

F

Okay, so I'm going to do my best to be quick here and talk about the XYZ project, which is something that I started almost a year and a half ago now to make a concrete set of suggestions to address things that I was seeing in the wild. You know, including avoiding using the front channel to pass security information, assuming everybody had web browsers and making a lot of assumptions about how clients and keying and everything works really just based on.

F

You know the last decade of experience with how a walk to works and where it is falling short today. So the goals of the project are to take care advantage of what we can do on the web today and kind of how deployments work, including things like being able to post JSON to an API who would have thought but to enable things like rich resource requests, different kinds of interaction, modes, different kinds of key presentation and a key point through the XYZ project was to allow choose, use cases.

F

But not necessarily repeat it exactly always questioned why something was put in a wall and take a step back from that. One of the technologies that we make use of in designing the protocol is polymorphic JSON, which just very quickly means that if you've got a JSON object, the same field name could have a string value or a boolean value or really any kind of JSON value. In different circumstances. This doesn't mean that it's untyped. It means that each of those types has a very specific semantics associated with it.

F

The philosophy was, you know, borrowed from the very successful philosophy of open, ID Connect is to keep simple things simple and make the complex things possible as long as they don't mess up the simply keeping the simple things simple, which meant that every extension point needed to be very clearly defined and described all of the elements needed to be very clearly modeled and represented in the underlying systems, which for us was HTTP and JSON, and we also took a philosophy of only putting things in the spec if we were able to you at least have a have a toy implementation on it.

F

So there's a lot of ideas and XYZ that aren't in the spec speaking of implementations, we've got several in Java, no js' from multiple teams, and we run you know point-to-point interoperability. With these things, for both clients and server side, different signing and proofing mechanisms, there is an ID in the data tracker for a more full write-up, for the entire project is on the website. Althought XYZ.

F

The reason for this is that it's a lot easier to describe things on a website where you can have you know full diagrams and interactive bits and links to videos and stuff like.

B

That, then, you can in.

F

Specification text so there's a lot more information there, so that I'm going to dive straight into the protocol and I am going to be going fast and skimming over the tops of things so that you fill out a little bit of time for questions. Everything in Xyz starts with a the client starting a transaction at the AAS or the client tells bas. Here's who I am what I want that looks like a JSON object and all of these different fields in the JSON object need different means, specific things.

F

So, for example, as a delegation protocol, we want to know what we're delegating access to and we've got a rich description, language saying what I want where I want it. What I want to do that kind of stuff here, and if this reminds you of offer each authorization request is very very good reason, for that is that rar is basically kind of a the content abroad was kind of a backcourt of what we have done in Xyz is that that's intentional I think that that should continue.

F

Clay needs to be able to have you know some user facing fields. That's not that interesting, what's more interesting as the client needs to be able to identify itself and instead of identifying itself with an abstract, client identifier, we identify clients using the keying material that they use to prove that they also prove with the presentation of the request. In this case it's a jwk and one of the places where we thought it was really important to have.

F

Flexibility was in the key proving mechanisms, so there's a way that you can do this XYZ by using detached jws signatures again we're using stuff, that's out there and just signing the JSON of the HTTP message body. This is you know, fragile, but functional. In some cases you could also use HTTP message signatures, which was a community draft that Annabel and I are actually just just now, as it's supposed to be this week, bringing it into the HTTP working group. So that's going to be doing work going forward as well.

F

That I think we should be able to leverage here. It's also MPLS, even deep on style, header signatures, there's a lot of things that different deployments of clients should be able to do here. So at this point, the a s can look at that incoming request and decide. Well, maybe I've got all of the information. I need and I can just easily even access to it because we're starting in the back channel. We can actually do that. This covers client credentials.

F

The assertion flows a lot of other stuff in the OAuth, the wider ecosystem that doesn't necessarily have a user involved interactively but, of course, there's a lot of stuff that does have a use for involved, because the AAS can say you know what, for what you're asking for I need to talk to a user, so I need to interact with them and XYZ.

F

We signal that by allowing the client to say to the authorization server, here's all of the ways that I am able to interact, because ultimately it's the client software that decides how it is able to interact with the user. It knows whether it's a web browser or an SP a or a light switch. It knows what it can do, so it sends all of that information over not going to go over all of the combinatoric here, but I'm going to cover a couple of common combinations.

F

The first is effectively the authorization code flow from OAuth 2, where the client says I can redirect the user to an arbitrary URL that you give me not knowing what it is ahead of time and I can take callbacks as the result of that interaction on this specific URL and by the way I'm going to give you a nonce to help secure that we'll get into where that comes in in just a minute.

F

The server is going to return and say yes, send the user to this URL, which I've just created in response to this request and by the way since you're, using a call, here's mine owns that we're going to also use to secure that call back and the next time you come talk to me. Here's a handle you can use to to reference all the stuff that we've been doing so far. So the client say it's a web browser sort of web server based client. It can just redirect her over or it can open heads.

F

You know the protocol doesn't actually matter as long as the user gets there. The user interacts with the server logs in authorizes, whatever all they need to do, and then we called call back of the clients, and that has two bits of information, not sure if my mouse is coming through, but this interact reference down at the bottom plays the role of the authorization code from aloft to, and the OAuth verifier from one, and this hash right here is that security component.

F

That I was talking about before, because what it is, is we hash together the nonce that the client sent in its first request, the non set, the server returned in its response and the interaction handle that just came back in the front channel, so we've tied together the front channel in the back channel with a simple hash that the client can validate to make sure that that interact, reference that is getting is tied to a specific request that it had made before.

F

The client then takes that reference, along with the handle that it got back and sends those back to the server in order to go, hopefully get its access to it and stop at this point. The client here also has to prove possession of the same key that it used to start the transaction so that the server knows that it's the same piece of software. That's coming and doing this follow up this pattern right here already closes tons of potential attack vectors that existing off to today.

F

If the client can't redirect, but can only maybe trip out a user code, we allow them to say that this is the only interaction method that I can do and the server come back with. Oh for the thing that you're asking for sure, that's fine send the user to this static URL, which maybe you can't even display, so you know put it on your packaging or something. But this is this is not going to bury but tell them this user code. That will be very.

F

This is the device flow from OAuth 2, while the user is sent off to go to that. The question is going to be pulling with its transaction handle and the server, incidentally, can come and say you know hold up. You know, wait another 30 seconds before you call me again and here's another handle they used to to keep updating this, because we have an opportunity to rotate that a lot of people when they see this ask you know what about being able to combine these two. Well, we realized in Xyz.

F

We didn't actually need a separate modes. Do that because it turns out that really what you're saying is I can get the user to an arbitrary URL or show them a code. But I can't have a I, don't have a callback, you know, I, don't have a front channel callback, so we can reuse that same mechanism, because we've decoupled the various parts of the interaction and the server comes back and says here's an interaction URL, which we can then render it as a QR code.

F

Here's a user code that the user can type in and then the rest of the protocol falls out exactly the same as it did before. Access tokens on the surface. There's nothing really new here we can do a bearer token, just like in but syntactically since this is coming back as a substructure of the response. We now have an opportunity to hang additional information on it. So all of the questions that we're having about how do we bind you know keys to tokens whether it's embedded in the token or not, or you know not where?

F

How does the client get that material or even a reference to that material?

F

We can now do that because we have the opportunity to hang that type of stuff on top of the access token, for all proof of possession type of tokens which could be an MPLS certificate, hash or thumbprint, or any number of things as well, I've posted on the list about how I would propose and how we built a way to do multiple, unnamed access tokens and how to get back multiple native access tokens not going to go into those details here, I've been having a lot of great discussion with folks on the list and I had a call with Torsten.

F

Earlier today. We both agree that this is. This is a really interesting space where, where we can do something that oh well really can't do it's just not set up to do now.

F

You may be thinking that there's a lot of stuff happening in this protocol, where the client is sending all of these giant objects. You know why should we force a client to do that? Can't I just register all of my information and send something else.

F

Instead, that's where this notion of a handle comes in, and this is really where the polymorphic JSON starts to shine, because using the exact same fields that we had before with the keys and the display and the resources field we can now, instead of sending that giant object, we can send a string that the authorization server has created in order to reference the object that the client would otherwise be sending by value and I want to zoom in a little bit on that resources component, because this is the type of this is the type of string which we would call a resource handle.

F

Then an API designer in working with their authorization. Server would say you know, there's this common set of dimensions that people are asking for so say they want. You know, email addresses from the user info endpoint or the current user. I can bundle that up and say that is now the string email.

F

In other words, this is the OAuth 2 scope mechanism and we can use it alongside of the rich authorization request, type objects, the multi-dimensional objects and these sort of predefined scopes, because the semantics of how these combine is exactly the same as how the multiple bits of those fully specified objects combine. So it's reusing components, but in a way that allows them to be extended a lot more.

F

Additionally, we can get these handles back, not just from a static registration but the first time the client goes and talks to the a s. The a s can come back and say: oh hey, that key that you sent me again, not sure if my mouse cursor is pointing up at that key that you sent me uh instead of sending the key object, send this key handle as the fourth field down here so and I will know what that means. You know. Maybe this is going to be a thumbprint of a key.

F

Maybe it's not because it could ultimately be kind of like the kind of like a client ID in that case, and we can tie the the rights of other stuff to that. So this gives us dynamic and Static registration and fully walk-up non registered client interaction all using the same structure into me. That's really really powerful. So how do I think identity fits into it and how does it fit into XYZ?

F

As I said on the list, I said earlier on the call you really should be querying what I like what George said, really just kind of identifiers and assertions about the current user. I call them claims again to try and reuse what was what was already out there and other protocols to just say that hey here's stuff that that I know about I. This is stuff that I want to know about. The current user and I get that back from the authorization server I.

F

Would, additionally, an XYZ I, don't have it in the example, but you can get signed assertions like an open, ID, Connect, ID token or verified a credential from the authorization server as part of this requested response as well any notions of session management and other stuff.

F

Like that, that's you know: I think that is outside of the scope of what we're after and not what I was intending when I wrote the Charter text, but anyway, all of this comes just like Open ID Connect right alongside the access token in the same JSON structure and Aaron pranky did a great blog post kind of laying out sort of the. Why and how that it makes sense.

F

I also think it's incredibly important, as Annabelle mentioned earlier, for the client to be able to push information to the authorization server as part of its request, but not just an identifier who it thinks the user is I also need the client to be able to say, I know who the user is and I can prove it, and I can prove that the user was verified to be using me and that they're here, using you know an ID token or a verifiable claim, prove that's tied to the client's key, a lot of really good things that we can do here, because at that point the a/s might be able to say, I know what you're asking for I know who the user is I might be able to.

F

Just you know, bypass the all of the interaction stuff because we don't need it. This is really important for us and X Y Z to map things on to OAuth 2, even though we're not necessarily using the we're, definitely not using the same syntax and we're not using all the same structures.

F

What we're doing instead is taking these concepts like a client ID and putting them into a space where, instead of still calling it a client ID we're saying it we're tying it in to the overall architecture in ways that actually is consistent with other things same with all the proofing mechanisms, we can do that consistently across the things. I showed you how scopes work.

F

We can do refresh tokens even advanced stuff, like persistent claims, tokens and ID tokens um those concepts inside of XYZ, which means that from a developer's perspective, you can sit them down and say: hey here's, these arbitrary values that make your program do what it's supposed to do, put them into this JSON object and send it to the server and it's going to work for you. This client simplicity is absolutely important here and there's a lot of stuff.

F

That's been going on in the oauth2 world as well, making a lot of these concepts available to the oauth2 world. What we try to do with XYZ is really kind of collect this stuff and, in some cases, invent this stuff in a way that wasn't a that wasn't tied down to the assumptions and background of oauth2.

F

That's all I've got the details of the protocol, including links to the spec and other talks. I've given are on the website.

A

F

A

Yeah with just some time now so we will not be taking questions. Let's spin once to raise the point as an ad I should still have five minutes for questions.

F

I believe no okay, I'm, not sure where that five minutes, one done. Okay, yeah.

A

So we will do questions in the discussion section after Dick's presentation now.

I

No, this is Roman speaking. Let's just move on. Okay.

C

And where did Justin go so I can get the ball.

F

So you should actually need it. I didn't have it before. I was just able to share, but you have it now: okay,.

C

Your foo are not doing. This is definitely better than mine.

C

Okay, am I sharing now? Yes, you are okay,.

C

So very excited when I saw Justin's XYZ work I really liked the ideas of being it.

C

You know the client authenticates directly to the AAF and you'll have a much richer interaction between the clients and the AF than trying to ram everything over in a redirect, and you know if we'd have thought of that back when you're doing a lot too, we might have done that, but there's a few things where I thought I had some different ideas around some pieces, I looked at trying to go and add those into Justin's draft, but it just didn't seem to work so I wrote in another draft to go and sort of capture all of my ideas.

C

My goal of that was really. You know to expand the marketplace ideas or what are the different things we could be doing so the goals one want to make sure it was extensible in a number of different dimensions. To me, I think it's really important that it's easy to migrate from bought to an open, ID Connect that we're just you know. People can very easily understand how they drop that in and work with it. Also. Let's reuse, what we've already got before?

C

Let's not, we don't need to reinvent everything scalable having worked in AWS for a while I have a much bigger appreciation for how decomposable, and you know how you want different security parameters and similar to Justin. You know simple things are simple and hard. Things are possible, something that I learned from Larry wall back in my Perl days. So here's a party's the same parties that Justin talked about, except that I call it a grant server instead of an authorizer server which I'll go into in more detail later. Our key terms claims.

C

You know this is information about the user provider by the GS when I think of identity. This is essentially I'm scoping it around to claims that are being moved around I. Don't think that session management is in there to answer Mike's question authorization. Is you know what has? What does the client have is access to the resource server? The grant is a collection of authorizations and claims, and so the grant is what the client is asking the grant server for and so I renamed it to grant server to encompass both authorizations and claims.

C

So that's the G F which, if you're familiar with OAuth and OpenID Connect, turns it to AAS and the O key, and then the interaction you know is as Justin defined. You know how the user is interacting with the GS. You know, how does how does the client needs to get the user over to the GS.

C

And yeah, so here's the general sequence, the besides, once a create a grant. The GS says: okay, I need to interact with user, so something interaction, response use the client redirects user over to the GS, the user is authenticated. N Achatz at the GS then authorizes what the client asks for the GS redirection user back to the client and the client reads a grant, and then it gets a grant response.

C

So I'll go into detail on each of those steps, so the creating the grant it's an HD post to the GS URI, which is the endpoint, includes information as the client ID. The things in red I'll go into more detail later aren't about, and it says what kind of interaction is going to be now go to more detail about that interaction. Response, then, is the GS.

C

You know creates a grant URI and a redirect URI, and so the grants are represented by a URI and so you'll see that as being the URI and we'll pop that up later on, when you see things and then the redirect URI is where the user is going to get redirected to what Justin are called interaction. Uri. It's all these things in red. You know this is pretty much the same way as have an ID connect.

C

Work usually gets redirected, stuff happens, bounces back, not really it's part of the protocol, but isn't part of the API. It was kept to the 7 which is reading the grant, and so here the client is doing a gift of the grant URI and then the response is going to be the grant, and you know so, there's some stuff on top and then you know the key thing from the response with the authorization and the claims.

C

So the request, client objects, you've got the two types of clients, I, sort of view, there's like the registered clients that have an ID and for this corrupt and from being the same ID that you have an open, ID connect and in a lost deployment. So the existing deployments don't have to come up with some new identifiers for their client and then for a dynamic client itself declares what it is and the self the dynamic client is.

C

You know creating its own key pair, signing that sending it over and then using that same key for all the subsequent requests.

C

Quest's are going to be on the grant URI the.

C

Gs knows which plan to expect to be calling on that particular grant URI and so knows what key to be used.

C

The interaction object, so I sort of a little bit similar to Justin, but a little more coarsely grained. The plan can either get a redirect or not and think those are that that's the key interaction mechanism, because if you can redirect back to the client you can deal and with such an fixation. But if you can't redirect back to the client, then you know if you've got a scannable, you are code or something like that. An attacker could take that and try to trick some.

C

You know a victim into clicking on that and granting access and the victim won't know that they're just granted access to an attacker using a client, so I split it like that. And then you provide different information so that the completion URI is where the a GS would redirected use when it's done and information URI is also where the if there is where the GS would redirect a user when that's done, but that would not be to the client.

C

That's essentially an information page that the client wants to show the once the user to see as so sort of what are the next steps and then, of course, you know this, there's also an accession point here for new interaction types.

C

The authorization object in the request, so you can just have a to scope type and so in the authorization you can say it's a type of scope and then PAP scope, but it also can support other authorization types. You know rar or XYZ cell, which are similar to each other, but it also from an accessibility point of view. People might have other languages and other places or other ways of describing authorizations, and so by having a type you can go and have different types of authorizations. You want to request authorization z' in the current spec.

C

I have it as an array, and so you either have authorization or authorization in the request, and so we have the GS. I would imagine many GS s initially will only support what they're already doing in coop, so they would only support authorization, but if they can support multiple, then the client can ask for multiple authorizations, which I've currently got as a array of objects, or it could be a dictionary of objects summer to the model that is in Xyz now or you can do authorizations with polymorphism Utz number of different choices.

C

I think it's a good discussion point to figure out. What do we think is going to be easier for people to understand and then the claims object? You have claims, there's number of different claims types, so you can request, though ID see, you know an ID token or information and user info, and you have other claim types like the open, ID connect for identity at cessation. That's coming out or verified credentials that a w3c d-did and then you can extend and ask for other types of claims in here as well.

C

So now we're moving over into the response as to what comes back so coming back in the authorization is your is in that authorization object, and so, if there's only one of those, it's either a URI that you then use to go and get the access token, or if it's a single-use or limited time authorizations lose no management that you know you can't renew it or anything. Then you actually get the token and the metadata about that and then in the authorization object.

C

You know the JSON itself, you say the mechanism, and so here and the bottom one we've got bearer, but it could be other mechanisms like was a or something like that.

C

The response and the claims objects. You can see here that you know we requested open ID Kinect until we've got an ID token and we've got user info coming back.

C

And so now one of the things you got back then was the authorization or AG URI, and so, if you do a get on that, then you get back the you know the URI that you're called let you know that you've got what you asked for and all that authorization JSON, and so when you want to refresh a token it's just another, get to that same a Z URI end point.

C

Also added discovery, and so if you do an options, call to the GS URI you get back. Essentially, what is the grant server support for you if it's an authenticated call, if it's an unsent educator call, then potentially the grant server might only return back the types of authentication that it supports.

C

So here's a list of all the API, so I only covered sort of some of the ones, but as you can see, it's very much of a URI resource with an HTTP verb for the different types of requests. Now, so you create a grant with a post to the GS URI and then you can verify a grant. Read a grant, update, bolita graph, all with different birds.

C

On the authorization URI, you can read, it updated, delete it and the options. Kanji s is your main discovery point. But since we have options, you could go and find out what verbs are supported on a grant your I or what verbs are supported on an authorization, a URI.

C

So summary of the different your eyes I've got the GS URI you can see sort of, in example the structure, so the grant and AZ URI start with the GS URI, and so another feature of that is that if you've got a, you know GGO a URI of a grant or a authorization. You know which grant server came from as opposed to just a random string like a Tokyo that usually you get with a token that's like well.

C

Where did I get that token from and then the redirect URI is the one that, if you're going to be able to redirect back the short your eye. I call that because I think when you have a scannable, Col call expandable code you're trying to scan something you need it to be shorter.

C

It also is going to be in a different context as far as the GS concerned, because it knows that it isn't going to be able to redirect back and then the completion URI is the your ID that the geo sends the and the user back and the information your eyes what gets shown if they just want to show the information.

C

So some other features that I didn't go into. You know that if GF isn't ready to respond, it could say wait, and so that could map into a mile of where the GS needs actually go and maybe get authorization from some other place, and so it says tilt it to wait until it's all done before the client should call back. You have a bunch of different mechons.

C

You can do on a grant you an update, verify deleted, update and delete an authorization in the flow I've got a flow in there, where you can have a GF initiated grant creation so that the sort of a open ID. You know the idea of a provider, and you see a login to an application. So you could start off at the GS click. A button and the user could pop over into the app and the app would be able to use the grant URI to make a call to go and get information about which user.

C

It is reciprocal delegation, which is where the client and the GS are essentially a party a and party B and each party is, has both roles, and so how does each of them get authorization to the other ones, resources and then a couple of other features instead of our for more advanced use cases? One of them is, you know, similar to Justin, there's an idea of being able to identify which user you think it is in making the call, and so with this the client could say: I've got a user.

C

They gave me this email address and I want to know.

C

If you've got somebody with that email address and the GS would respond says yes, I have somebody with that email address, and so then that would enable the client to decide that they actually will surface some experience to the user to use that particular GS, as opposed to you, know, they're sending somebody over to a GS without knowing whether or not that GS has that user or not, and they interaction keep, was an idea that, since we've got a back-channel going between the client and the GS is that you could actually have multiple steps of the GS asking for different releases of claims, and/or authorizations.

C

So it's multi step, and so the client would be able to get each chunk along the way. And so you can envision a more advanced scenarios where, depending on the country, the users in.

B

C

The client may need to ask for different kinds of claims, the different kinds of authorizations, and so it can update the grant as the user moves through and add different things that then the user is prompted for, while still in the experience at the GAF and then get sent back to the GS. So a number of these advanced ones, I did sequence diagrams in the document sort of helped them out. So it looks like a lot of sequence diagrams, but they're, really just using the same API is in a few different ways.

C

One of the other things that I did is I included a authentication mechanism in the draft to simplify for people, picking it up that they're not having to go and look at some other thing for how to do it. You know it could be broken out into a separate document and one of the great pieces of feedback Dustin gave me early and some earlier drafts was to factor how authentication happens out of the rest of the protocol, and so now it's all in one section and it's independent of everything else.

C

So it's easy easier for someone to use MPLS or a she be signing as opposed to Jose.

C

My opinion is I think that the Jose is a simple mechanism that can be used most places things like MPLS and you should be signing map into some environments much better than Jose might so when the client is making a call to that should say actually Jose GF, client authentication set up a s.

C

If it's a get bleeped or options method, then it just puts it in the header. That's the payload! You can see an example of get endpoint, you know, which is a grant call, and it's including it as author as a Jose type in an authorization header and if it's a post, put or patch you take all the JSON and that's the payload, and you sign that and you send that Jose token over as the payload to the endpoint.

C

And then you can use that same Jose mechanism when the client is calling an RF. So for all of the verbs you know, here's a header and the payload, and once again you can see at the bottom that is used an authorization, header type Jose and then that's the example Jose token being sent over, and so that allows you to have proof of possession API calls to an RF using where the client is able to use the same key that it used for calling the GS six two minutes you'll probably want to skip them.

C

Yep I've got three slides, so reviewing the goals, the first one is extensible, so I think we're extending on all these different points. In the request and in the response and authentication mechanism from a migration you know here is the what the request would look like from a client I. Can you drop in your existing client, ID os copes and which claims you want to have and reuse reusing, an awful lot of existing things and scalable on the grant server, because you've got different methods and different your eyes.

C

You can go and do routing to different services that are doing different types of things and break apart your thing, as opposed to one big monolith, the sign body and and header in the calls to the GS, enable those to be passed down so that each of the components in your server can independently verify it. You know proof of possession is so much better as a technician. The shared secret. Now each of the components can verify who call without, of course, having the secret to verify it.

C

The client, you have a certificate chain of proof of possession versus shared secret for the client, and so that enables different instances of the client to have their own private key in the resource server. In the proof of possession mechanism, you could have a certificate on the GS, a delegates, a client ID, so that the RS knows. Okay, you are the client that was talking to my D s.

C

I can feel that that fine, sleep oka, my god, simple and flexible I, think so, and questions and I think that's the end of my time as well.

A

Thank You dick so before we move to the next section, a pic and Justin will show the mic. They prepared a few slides to focus. The discussion are different on a specific differences between the tool proposed protocols.

A

However, please also use this section to ask Laurie clarification, questions about either or both of the protocols and with that yes, stick.

C

The fir-tree Justin I did some back-channel discussion on the differences between our two documents and we came up with sort of five major areas.

C

We stood each of these out to the mailing list and then I've got a slide for each of those I'm. Also trying to find my.

C

A chat window to figure out.

A

C

A

C

A

Bothered to to count the number of people on the blue sea, and so if you have a gets on the blue sheet, please do so now and thank you. Robot.

F

All right so dick, how did you want to run this section? Do you want us to just make a quick statement on on each bit as we go through and then field questions or what.

C

Because I'm trying to find my chat window again.

C

You go ahead while I'm doing that.

F

If we lose the connection, no he's still here, I'm.

K

F

C

I

Was audio? Can people hear.

J

I

F

E

You just indica Seng. You should go ahead. I can't.

F

F

You, okay, okay, so people people can hear me I'm, not sure what happened to dick so I'll just start this bid and until we get back so basically in X Y Z, the client says these are all of the things that I can do, including separating whether or not I can get a user out to you versus whether I can get a user back. Those are two separate fields in X, Y Z.

F

So that's for the same reasons that call splits out the authentication type and the a s responds to all of the capabilities in that list that it can actually support and that match what the client is asking for, because different policies might say that it can do different things. X off uses a type based system where the client states, as per the current version, really only whether or not it can do a redirection, so either you can redirect or you can't, but with the type field.

F

That's intended to be extensible to other other kinds of things. So either you respond with that or you or you throw an error.

F

Still, all right so dick is unmuted. Oh I can hello. There we go I got my little window, I will say for from my part here on the XYZ project. We actually started with a type based system like X auth has and after we implemented it, realize we didn't like it and then we once we had decoupled the different parts of the interaction request. We found that that drastically simplified our code, especially on the authorization server side. Honestly didn't change things that much for the client, because the client was always fairly simple.

F

It's just each client is probably going to send the same thing every single time anyway, but that that was our experience with the interaction Oh still they'll hear anything from dick, but animals on the cue yarn, ok would be running queue well, we'll go run audio issues.

A

And no problem that dick is so.

F

Exciting at all, I'm sorry, if you've been talking this whole time, I am.

C

Talking you don't hear me.

A

C

A

C

A

Justin cannot tell you that's funny. Annabel Annabel go ahead.

G

Are we doing Q&A in the middle I figured you're going to do the Q at the end of velocities? Okay, we.

C

G

C

We don't do Q&A on each on each topic and a scope. Each topic that.

G

Makes good sense are L on the interaction note then I guess is. We talked about this on the list back and forth a bit, but to me it's it's very important for the client to be able to request multiple capabilities, because it is there a variety of scenarios where the client may not exactly know until it tries whether or not it can successfully redirect and also may not necessarily know which mechanism the end user is going to prefer to do.

G

There's situations where, where it might be capable of technically opening but might technically be capable of opening a URL, but the end user won't actually want it to do that in the whatever environment. It's in whatever environment the client is running and it would prefer to do a indirect flow instead, so yeah I'm very much in favor of the client being able to request multiple interaction mechanisms and either decide or or give the end user the option of choosing which one to move forward with.

C

I agree that the I mean the client knows what it can do and.

C

To me that the key thing, which was the security point of view, which was, can the can the GS get the user back to the client or not was sort of a key pivot point, and so in X auth, the you know, if it's an indirect interaction than the GS ends, you know a short URL and sends a display URL in a code to the client, and it can decide what it wants to do and show it to the user which them you know if the client is able to do both of those and the user gets to choose.

C

F

And in X Y Z, we signal the exact same thing by whether or not the client includes the callback as part of its interaction, because the the redirect flag and the callback flag are separate from each other. For exactly that same reason, because the security properties are very different.

G

But dig I was looking at next month. The current draft I it looked to me like the the client, was choosing one or the other in direct or redirect is that is that.

C

Not the case so when you say redirect, that can mean two things: can the right redirect, okay, when I say redirect it means? Can the GS redirect the user back to the client? Aha.

G

C

Right, yes, because I the client is choosing between those two things, because the client knows whether it can get the weather did. Jesus was able to get it back to it or not.

G

Whether or not the GS can get it back, get back to the client depend on which interaction method, the end user, chooses, for example, I, could, as a native app open a URL in my environment and also fire up a web server. That's listening on localhost, and so that means, if the end user goes in through the direct route. Basically on that device, they'll be able to get back to me, but if they were to, you know open that URL on another device or if they were to opt for the indirect route.

G

Instead, um they're not going to be able to redirect. You know the GS. At that point, it's not gonna be able to redirect back to me because they're going to be on a different device that I'm, not you know, doesn't have my web server listening on it. The the scenario for this would be if, if an app is running in an environment, that technically is capable opening a browser, but not one where the customer actually wants it to. For example, if it's a a.

G

Cli program running in a server on a headless service or a server right.

C

Maybe walk through there if the, if there's a intersection where both of them could happen but as I thought about it, I thought that you either are in one or the other, but.

C

A

C

Out an idea because to me the time you can come back or not it's important, because the the GS may say I am NOT, going to interact with clients that are indirect. I am only going to go and hand this hour or there's only certain types of information when a hand to a client if it's indirect, yep, yeah.

G

I I agree in the because and I think you mention it either in the slides in Ex off doc. The you know the issue fundamentally being about whether you can have that session fixation or whether you can confirm that you're in the same session, um when, when you come back to the client and that's an important security property and I, think we want to make sure that GS is have have an ability to understand whether or not that capable capability is in play.

G

I, don't think it's necessary to couple sort of the redirect the ability to redirect to the GS and the ability to redirect back to the the client in order to do that right.

F

And I will say it is exactly that decoupling that drove us to current structure in Xyz. It was figuring out that we we could decouple it and get both the behavior that a type based interaction system, gifts and additional kinds of stuff and additional kinds of flexibility that we really wanted. So we've got a case where users might be able to go to a web page or might be able to send a message to an agent that's installed on their device. You know we don't know necessarily ahead of time.

F

What is going to be the right answer, it's kind of up to what the users doing in the client and what they're asking for what that's going to be so the client basically says I can send you to a web. I can send someone to a web page or I can relay a message that you might have to their agent. What would you like, and the off server can come back with I can do I can do both of those.

F

So you know new you you now get to pick, and that is, as Annabella saying, also still separate from how the user gets back to the client because of the session fixation thing which, which is what the whole hashing thing is for.

C

Now that says,.

F

C

Our ATS signaling, we should probably move on to the next thing. um You know, and then we should mean take this onto the list. The to me. It was important that the GS knows or am I going to be able to redirect the user back or not, and that's a better signal that the client can't choose which one it wants to do afterwards. So I'm going to go to the next slide. Everybody see you see that Dustin. Yes, yes,.

F

I can I can I can hear you now I just have to restart WebEx, so we're good. Okay.

C

And then, just from my time check, we've got seven minutes left sorry.

A

Go ahead, dick okay.

F

So TL DR version on XYZ. There is a single URL that the client always talks to and it gets identifiers that it uses to reference things in between requests. And you know that's, that's. That's the whole API.

C

And in Excel I factored it off, so you had. Each type of thing was a resource and you use different methods depending on what you were trying to do against it.

F

Maybe sang yeah, and so I will say here that what's specified in X, auth is in the direction of what we had talked about at one point and X Y Z, but never never went down to implementing and in all honesty, I think that the right answer is somewhere in between these two I. Don't know exactly what that looks like I have to actually thing, um but uh you know I, don't think that there's a lot of I, don't think that there's a lot of contention here.

F

Especially if we're going to be going in the direction of multiple access tokens, which again we you know, we just implemented like what last Thursday or whatever then I want to. It makes sense to start to separate management of individual access tokens as opposed to the transaction overall or what Excel calls Monroe's overall.

C

And not seeing anybody in the queue just and why don't we move to them? Let's move on there, okay.

F

um Yeah client authentication, there's there's actually a fair amount of overlap between the two drafts. Now because, fundamentally it's about you know, presenting JSON in the biggest question is kind of you know what the signalling discovery and mandatory to implement mechanisms are in Xyz, at least as we've written it.

F

There is no MTI, because you know it's a small project and we just kind of do things for a specification. I think that that's something the working group needs to need to answer.

C

Now so and then an X off wanted it to be easy to go and factor another ones, but that the idea would be that Jose would be MTI and that you be able to, as opposed to having detached signatures I'm in favor. That the the posted message is.

C

A token, and so that then inside of machinery within a GS that token MIT can move around as opposed to having to move two pieces around of the the Jason that maybe gets munched up or something like that and then no longer matches the detached signature, see Annabelle's in the queue all right. Good.

G

So X sauce Jose authentication mechanism, it seems like X auth- is basically rolling a new author's Altana client authentication mechanism here and then wondering why, and certainly I do not think that this protocol document is the right place for us to be doing that, in particular with our regarding our s, calls I think a dedication mechanism that requires that forces changes on the API itself by changing the body is a non-starter for a lot of use cases right.

C

And there's no change on the body. Well, yeah! The body is now a jose object and the body is only a jose odd cake in the GS api calls. It's always a header in an RS call.

G

Okay, I've done joking, that I thought you were changing the body for RS as well. No.

B

G

C

That no, since.

G

C

The gos didn't exist. You.

G

C

G

C

G

I'll retract the RS side of the issue, but I still maintain that this is not the right place for us to be rolling a new authentication mechanism, particularly given that ones exist right.

F

And I just wanted to make a one additional point based on what dick was saying that, if your, if your architecture can keep the bytes of the Jose object intact, when passing things around, it can keep the bytes of the JSON intact as well. So I honestly find that to be a bit of a red herring.

C

Know your mileage may vary. I've. Definitely seen people blow that one up, but.

F

But only when it have been required to do it and yeah now ed slide sign doesn't just live any heart yep. So what we tried to do with XYZ was to map concepts into a structure that was internally consistent instead of just applying things that existed before. Just because we had taken one solution in OAuth, 2 did not mean that we would take that same solution in XYZ, and so what that basically means is that there's a lot of translation between the two worlds, that that makes sense.

F

So you know there's a there's a key handle if you've got a registered client and you don't want to pass the public key itself, but that always represents the key which is used for dynamic clients. And you know little little things like that in order to simplify the overall the overall protocol structure and to make things easier to understand both from a developer and from a conceptual perspective,.

C

And in excess I went with much more of a let's take those values and find a place for them within the request, so that it's that the friction aren't somebody knowing where and what to do is lower and that's easy for them to understand, and also that there's likely going to be different ways of requesting claims in different ways of requesting authorizations and so typing those as opposed to defining a new language in it and I see no one in the queue. Let's move to our last slide because we're.

F

Right, so, if you don't mind, I'll, just summarize that in Xyz we've got an inline discovery mechanism, X all uses options, I really. You know and I've said this on the list. I think our eventual solution will have some mix of both I think that it makes sense to do some preflight on on one XYZ. You would call the transaction endpoint I I'm, not convinced on the others, but I understand that. That's you know.

F

That's part of the idea of X off, but I also think that being able to do things fully dynamically without a discovery step beyond knowing just the transaction. Endpoint is a really really really powerful thing that that clients can do so. I think, eventually we're probably going to have some expose Nick, your house.

C

Well, I think, there's always you know here's what I'd like to get and you get back with what happened. Some negotiation, but I did think it was important to have I would like to know what you can do before I start doing things and have an API for that. So the options call and since we've got your eyes for each different thing, then you can go and you know new options on each of them right.

F

And to me and I think that this is this is true for both of the protocols. Something that's really important for XYZ was that the client has one piece of information to start off and that's the transaction endpoint. There are a lot of attacks against oo-ahh, because the authorization endpoint in token endpoint and discovery endpoint key endpoint, all this other stuff.

F

Our difference and the discovery document now becomes an attack surface because it's up to the client to correctly piece all of those together, um you know, there's a substitution attack that makes em attack all this other stuff and.

C

I'm and I'm fully aligned on that because you know effectively. X auth works like that. You have the GS URI and all the other endpoints are ones that you got from, calling that and they're all you know dynamic and specific to the client. The client doesn't know them until it gets them right in many ways.

C

It's sort of you know packing the identifiers and the you know the TX endpoint of the the XYZ endpoint and the same thing, but just making that a URI, so it's kind of like a handle plus a URI, was Mali, but then, when I realize I was doing that I thought. Oh, if I'm doing that, then I can just have different methods on it, because it's a URI I, don't see anybody in the queue we're almost out of time. Was there something else you wanted to conclude with Justin, otherwise I'm going to.

F

Go ahead, we can. We can follow up on the list. Others there's been good discussion. Okay,.

C

Mike Mike's just joined the queue okay.

K

D

Yeah, this is a very old comment that I was going to make on Justin's XYZ, but it also pertains to X off that the XYZ claimed slide showed some claims, some of which came from the JSON web token claims registries such as email and few others, but it also invented some and it didn't say where that invention was occurring. This to me as an example of.

D

De facto inventing a new identity schema without trying to reuse the others, whereas X auth presentation showed explicitly that it was reusing cleans already in our existing registries, which is part of what makes me much more in favor. If we have a starting draft of starting with X off XYZ, because it's not trying to reinvent identity schema.

F

And I mean I repeat what I've said during the Charter discussion is that there are a lot of different identity schemas out there open ID Connect is one of them and for the types of information that that we want to get back, I mean I, don't think we want to adopt all of open, ID connect or or jot inside that response. I, don't think we want to encourage people to put all of that information in there.

F

I do think it should be limited and I'm never explains whether those claims that we use come from open, ID or from skim or from some schema.org thing. I think is a working group decision and I. Don't think that that should really be input to to which is the starting draft. I think that that's a syntactical bike shedding question our.

A

Most rigorous about so guys, that's it. We have five minutes and we need to wrap the discussion.

A

And a thank you to everyone for lots of good inputs. We need to do some more work and on the Charter, and we would continue doing that on the mailing list. We've had really good discussion over the last week and so I expect more that in the coming days, we will discuss with the ad whether we need to have a discussion specifically on the deltas from the Charter that was previously published or whether we want to have a repeat consensus called a once.

A

We have a new version of the Charter and tick and I think you'd like to add, if allowed over the wrong one I'm.

C

Ready to hand it over to Roman, besides thanking everybody for all the great feedback and showing up yeah, we've got a large group here and I appreciate everyone's patience as we're trying to manage a virtual meeting.

I

Hi yeah: this is Robin wrapping up yeah I, second, that thank you, everyone for your flexibility of patience with this all virtual format. Given this unprecedented these unprecedented circumstances and to you taking your on as well you uh you ran kind of this first meeting of the week for us and that's kind of tricky, and hopefully we'll also learn how to iron outs of the details for the rest of the week for this bhave.

I

What really excites me is, you know we're talking about solutions, we're talking about running code, but I would really urge us not to get ahead of ourselves. I mean we need to refine the scope. The discussion here enumerated a number of places where, where we need to get that clarity, we're of course going to have to take that back to the list and I think in the absence of that scope and that clarity, it's going to be difficult to really top them. Talk too quickly about implementations.

I

So, as was just mentioned, I mean the next step. Is we need to take this feedback? We just got here back to the manual list, see how that see. How that relates to the Charter text, we have and cut it from there figure out kind of the plan, so the chairs and I will chat about how how we can do that with an incremental tip or whether we're going to reissue consensus, but again kind of thank you for all that feedback and for those all online.

I

Please do you know, please do kind of watch the mail list for discussions and, as one last call administrative ly, you'll please fill out the blue sheets before you exit. There is a noticeable death between the number of participants in WebEx and in on the virtual blue sheet place. So please do who, in there so again kind of thanks everyone out.

A

Thank You Roman now.

C

I'm going to post a link to the blue sheet, if I can find it in the chat.

C

You or somebody else has now there we go.

C

We'll hang out, we've got another two minutes left one minute left.

C

If I think, when we close it off, the chat goes away and everybody loses the link. You.

I

We should have spoken more slowly.

C

So next steps we don't know I think it might.

K

Be going through the Charter and tuning that all up close the chat.

F

Alright, so um as as I mentioned earlier, I will take an action to propose a gift to the the original charter. Just like I did the other day I'm going to dip from the original one that Yaron made the consensus call on not the latest one, so it'll be a it'll, be a complete diff, incorporating the MV pack from the secondary one, and also from some of the discussion.

F

Today's I think there were a few clarifying terms that I picked up today, especially on the identity side of things that that will hopefully, hopefully nail things down better and I will get that out to the list, probably tomorrow. At this point,.

A

They can Justin, please go through the minutes. I really don't feel like going back to the recording, but we might, if you feel better thing for covered appropriately. Please take a look all.

F

Right. Thank you.

I

Okay, that's time, everyone thank you.

F

All right, thank you all very much. Your.

A