A new RFC Published: The GNAP Core Protocol

The GNAP Core protocol has just been published as RFC 9635. The protocol has been in the works for 5 years, four of them within the GNAP Working Group of the IETF, which I co-chaired with Leif Johansson. I am very proud of the final product.

The GNAP RFC establishes a flexible framework for managing access rights between different parties. It streamlines the process of requesting, granting, and managing authorization, enabling greater adaptability and control in diverse environments. By introducing standardized interactions and data structures, GNAP facilitates seamless communication between clients seeking access and authorization servers responsible for granting it. This versatile protocol supports various authorization models and grant types, offering the flexibility to accommodate a wide range of use cases and security requirements.

While OAuth remains deeply entrenched in the authorization ecosystem, GNAP offers several key advantages, some of which have been subsequently adopted by OAuth. These advantages include:

I extend my gratitude to the authors, Justin Richer and Fabian Imbault, my co-chair Leif Johansson, and the former and current Area Directors, Roman Danyliw and Deb Cooley, for their invaluable contributions.

With the GNAP Resource Server protocol nearing publication, the working group will soon conclude its activities. While GNAP’s adoption has been gradual, it has already influenced OAuth and inspired several implementations. As often happens with emerging technologies, GNAP may yet find its niche within the diverse landscape of identity and access management.

 
12
Kudos
 
12
Kudos

Now read this

HTTP Message Signatures in Go, by the Book

There are many good reasons to sign HTTP messages, to ensure authenticity and integrity of HTTP service calls (a.k.a. REST APIs). Now that RFC 9421 is finally published, we can expect many people to migrate from provisional and... Continue →