| rfc9635v4.txt | rfc9635.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) J. Richer, Ed. | Internet Engineering Task Force (IETF) J. Richer, Ed. | |||
| Request for Comments: 9635 Bespoke Engineering | Request for Comments: 9635 Bespoke Engineering | |||
| Category: Standards Track F. Imbault | Category: Standards Track F. Imbault | |||
| ISSN: 2070-1721 acert.io | ISSN: 2070-1721 acert.io | |||
| September 2024 | October 2024 | |||
| Grant Negotiation and Authorization Protocol (GNAP) | Grant Negotiation and Authorization Protocol (GNAP) | |||
| Abstract | Abstract | |||
| The Grant Negotiation and Authorization Protocol (GNAP) defines a | The Grant Negotiation and Authorization Protocol (GNAP) defines a | |||
| mechanism for delegating authorization to a piece of software and | mechanism for delegating authorization to a piece of software and | |||
| conveying the results and artifacts of that delegation to the | conveying the results and artifacts of that delegation to the | |||
| software. This delegation can include access to a set of APIs as | software. This delegation can include access to a set of APIs as | |||
| well as subject information passed directly to the software. | well as subject information passed directly to the software. | |||
| skipping to change at line 7011 ¶ | skipping to change at line 7011 ¶ | |||
| The JSON type allowed for the value. | The JSON type allowed for the value. | |||
| Reference: | Reference: | |||
| Reference to one or more documents that specify the value, | Reference to one or more documents that specify the value, | |||
| preferably including a URI that can be used to retrieve a copy of | preferably including a URI that can be used to retrieve a copy of | |||
| the document(s). An indication of the relevant sections may also | the document(s). An indication of the relevant sections may also | |||
| be included but is not required. | be included but is not required. | |||
| 10.12.2. Initial Contents | 10.12.2. Initial Contents | |||
| +=============+==================+===========================+ | +==============+==================+===========================+ | |||
| | Name | Type | Reference | | | Name | Type | Reference | | |||
| +=============+==================+===========================+ | +==============+==================+===========================+ | |||
| | continue | object | Section 3.1 of RFC 9635 | | | continue | object | Section 3.1 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | acces_token | object | Section 3.2.1 of RFC 9635 | | | access_token | object | Section 3.2.1 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | acces_token | array of objects | Section 3.2.2 of RFC 9635 | | | access_token | array of objects | Section 3.2.2 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | interact | object | Section 3.3 of RFC 9635 | | | interact | object | Section 3.3 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | subject | object | Section 3.4 of RFC 9635 | | | subject | object | Section 3.4 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | instance_id | string | Section 3.5 of RFC 9635 | | | instance_id | string | Section 3.5 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| | error | object | Section 3.6 of RFC 9635 | | | error | object | Section 3.6 of RFC 9635 | | |||
| +-------------+------------------+---------------------------+ | +--------------+------------------+---------------------------+ | |||
| Table 10 | Table 10 | |||
| 10.13. GNAP Interaction Mode Responses | 10.13. GNAP Interaction Mode Responses | |||
| This document defines a means for the AS to provide the client | This document defines a means for the AS to provide the client | |||
| instance with information that is required to complete a particular | instance with information that is required to complete a particular | |||
| interaction mode, for which IANA has created and maintains a new | interaction mode, for which IANA has created and maintains a new | |||
| registry titled "GNAP Interaction Mode Responses". Initial values | registry titled "GNAP Interaction Mode Responses". Initial values | |||
| for this registry are given in Section 10.13.2. Future assignments | for this registry are given in Section 10.13.2. Future assignments | |||
| and modifications to existing assignments are to be made through the | and modifications to existing assignments are to be made through the | |||
| Specification Required registration policy [RFC8126]. | Specification Required registration policy [RFC8126]. | |||
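Review bot: the spelling fix in Table 10 (acces_token to access_token) leaves two rows with the identical Name "access_token" that differ only in Type (object, Section 3.2.1; array of objects, Section 3.2.2). Since the registry template defines Type as "The JSON type allowed for the value", the registration policy text just above should make clear that a registry entry is keyed on Name plus Type, so that future registrations and implementers validating a response shape do not treat the name alone as unique.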
| skipping to change at line 7933 ¶ | skipping to change at line 7933 ¶ | |||
| Furthermore, it is the case that any clients using symmetric | Furthermore, it is the case that any clients using symmetric | |||
| cryptography for key proofing mechanisms need to have their keys pre- | cryptography for key proofing mechanisms need to have their keys pre- | |||
| registered. The registration should also include any information | registered. The registration should also include any information | |||
| that would aid in the authorization process, such as a display name | that would aid in the authorization process, such as a display name | |||
| and logo. The registration record can also limit a given client to | and logo. The registration record can also limit a given client to | |||
| ask for certain kinds of information or use specific interaction | ask for certain kinds of information or use specific interaction | |||
| mechanisms at runtime. | mechanisms at runtime. | |||
| It also is sensible to pre-register client instances when the | It also is sensible to pre-register client instances when the | |||
| software is acting autonomously, without the need for a runtime | software is acting autonomously, without the need for a runtime | |||
| approval by a RO or any interaction with an end user. In these | approval by an RO or any interaction with an end user. In these | |||
| cases, an AS needs to rely on the trust decisions that have been | cases, an AS needs to rely on the trust decisions that have been | |||
| determined prior to runtime to determine what rights and tokens to | determined prior to runtime to determine what rights and tokens to | |||
| grant to a given client instance. | grant to a given client instance. | |||
| However, it does not make sense to pre-register many types of | However, it does not make sense to pre-register many types of | |||
| clients. Single-page applications (SPAs) and mobile/desktop | clients. Single-page applications (SPAs) and mobile/desktop | |||
| applications in particular present problems with pre-registration. | applications in particular present problems with pre-registration. | |||
| For SPAs, the instances are ephemeral in nature, and long-term | For SPAs, the instances are ephemeral in nature, and long-term | |||
| registration of a single instance leads to significant storage and | registration of a single instance leads to significant storage and | |||
| management overhead at the AS. For mobile applications, each | management overhead at the AS. For mobile applications, each | |||
| skipping to change at line 9189 ¶ | skipping to change at line 9189 ¶ | |||
| and Engineering, Chalmers University of Technology and | and Engineering, Chalmers University of Technology and | |||
| University of Gothenburg, 2021, | University of Gothenburg, 2021, | |||
| <https://hdl.handle.net/20.500.12380/304105>. | <https://hdl.handle.net/20.500.12380/304105>. | |||
| [GNAP-REG] IANA, "Grant Negotiation and Authorization Protocol | [GNAP-REG] IANA, "Grant Negotiation and Authorization Protocol | |||
| (GNAP)", <https://www.iana.org/assignments/gnap>. | (GNAP)", <https://www.iana.org/assignments/gnap>. | |||
| [GNAP-RS] Richer, J., Ed. and F. Imbault, "Grant Negotiation and | [GNAP-RS] Richer, J., Ed. and F. Imbault, "Grant Negotiation and | |||
| Authorization Protocol Resource Server Connections", Work | Authorization Protocol Resource Server Connections", Work | |||
| in Progress, Internet-Draft, draft-ietf-gnap-resource- | in Progress, Internet-Draft, draft-ietf-gnap-resource- | |||
| servers-08, 9 August 2024, | servers-09, 23 September 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-gnap- | <https://datatracker.ietf.org/doc/html/draft-ietf-gnap- | |||
| resource-servers-08>. | resource-servers-09>. | |||
| [HELMSCHMIDT2022] | [HELMSCHMIDT2022] | |||
| Helmschmidt, F., "Security Analysis of the Grant | Helmschmidt, F., "Security Analysis of the Grant | |||
| Negotiation and Authorization Protocol", Master's thesis, | Negotiation and Authorization Protocol", Master's thesis, | |||
| Institute of Information Security, University of Stuggart, | Institute of Information Security, University of Stuggart, | |||
| DOI 10.18419/opus-12203, 2022, | DOI 10.18419/opus-12203, 2022, | |||
| <http://dx.doi.org/10.18419/opus-12203>. | <http://dx.doi.org/10.18419/opus-12203>. | |||
| [MediaTypes] | [MediaTypes] | |||
| IANA, "Media Types", | IANA, "Media Types", | |||
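Review bot: the [HELMSCHMIDT2022] entry still reads "University of Stuggart" in both columns; the institution name is Stuttgart and this typo should be corrected alongside the [GNAP-RS] draft version bump to -09 in this block.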
| End of changes. 6 change blocks. | ||||
| 22 lines changed or deleted | 22 lines changed or added | |||
This html diff was produced by rfcdiff 1.48.