Ensure that GNAP can be an Authorization protocol extension #181
Comments
|
We need to define more concrete language in the specification that covers authorization mechanisms such as GNAP, OAuth2, etc... or say nothing at all. The next step here is to write a PR with more concrete language than exists in the current specification related to any authorization mechanism that a proposer would like to see in the VC API specification. |
|
I was considering a PR for this item in light of the discussion on issue #279 ; particularly the range of techniques to authenticate/authorize calls to this API. I believe there is a range; and perhaps the spec should define those ranges and recommendations. If the group agrees with the approach I can word smith a PR, but something along the lines of: API Authorization The VC API is meant to be a generic API that can be useful in many scenarios that require the issuance, holding, presenting and verifying Verifiable Credentials. As such there are the following classifications of use cases that the implementor should consider. Public. A Public API is one that can be called with no authorization. Examples include an open witness or timestamp service (a trusted service that can digitally sign a message with a timestamp for an audit trail purpose), or an open retail coupon endpoint ("15% off cheeseburgers"). Public verifiers may exist as well, acting as a agnostic third party to a trust scenario. Permissioned: Permissionsed authorization requires the entity making the API call to have an access control token issued from a mutually trusted source (like an authorization service in OAuth 2.0 Client Credential grant scenarios). These permissions grant access to the API but make no assumptions about credential subjects, previous interactions, or the like. Permissioned access is particularly useful in service-to-service based workflows, where credential subjects are not directly involved. The VC API test suite operates in a Permissioned mode, and all implementations acting on the test suite MUST support the OAuth 2.0 Client Credentials Grant. Bound. Bound authorization involves scenarios where the API calls are tightly coupled, linked, or bound to another out-of-band process that has authenticated the holder/subject to the API interaction. These use cases include but are not limited to, for example, issuance of subject specific identity claims directly to the subject in question, or verification of credentials to qualify the holder for service at the verifier. Examples of methods to bind activity on one channel to a VC API call include CHAPI, OpenID Connect, and Grant Negotiation Authorization protocol. Developers implementing bound authorization will need to take steps to ensure the appropriate level of assurance is achieved in the flow to properly protect the binding. The VC API provides methods for increasing the level of assurance within an (then maybe we have an example of methods / best practices on how to achieve a bound level of API authorization). Thoughts on the above approach? It still keeps specific OAuth/ CHAPI/ GNAP/ ZCAP protocol details out of scope; but I believe it provides implementors some level of guidance on how to approach protecting the API. It also clearly states the expectations of the test suite for interoperability and compliance testing. Thoughts? |
In general, I personally agree with the approach and really like most of the language provided above. There are at least three things I'm concerned that we're going to get push back from the group on are:
All that said, it would be great to have some variation of the text above in the spec @mavarley ... I believe it's an appropriate mental model for thinking about the VC API... and we can fine tune it later as we get more clarity. My suggestion would be to avoid the "If you're using OAuth, then you MUST" language for now as that's the stuff that got hackles up the last time. I acknowledge that avoid that is not going to address this specific issue, so we'll still need a PR for the more specific language that @jricher and others are asking for. The trick there might be to agree to define at least 3 simultaneously -- OAuth2, GNAP, ZCAPs. Thoughts? |
I believe the OAuth terminology may be "public/confidential/delegated" but terms may have deeper implications on the security profiles of the clients -- dunno if we want to go there. Agree with the other points as well. I also agree that concrete specs for interoperability (and recommended best practices) are important. (You'll notice I totally hand-waved the 'make sure it's secure enough for your use case, eh? good' above :) ). |
All the verbs should agree with each other... How about —
— or —
(ETA — I'll save other wordsmithing for the PR. Comments are a terrible place for collaborative editing.) |
|
The group discussed this on the 2023-12-05 call: @msporny noted that the API is authz mechanism agnostic. @mavarley's comment above was noted as a good direction. There were no objections for stating that the API is authz-mechanisms agnostic. The proposal was to start from @mavarley 's text and update it to match the current understanding in the group. |
The group should define how GNAP can be utilized for performing authorization and delegation through an Authorization protocol extension. The discussion thread that led to the raising of this issue can be found here:
https://lists.w3.org/Archives/Public/public-credentials/2021May/0002.html
The suggestion is that the specification should 1) have a section that discusses authorization and delegation mechanisms and extensibility, and 2) ensure that (through extension) GNAP is one of the authorization and delegation options.
The text was updated successfully, but these errors were encountered: