A new RFC Published: The GNAP Core Protocol
The GNAP Core protocol has just been published as RFC 9635. The protocol has been in the works for 5 years, four of them within the GNAP Working Group of the IETF, which I co-chaired with Leif Johansson. I am very proud of the final product.
The GNAP RFC defines how a client instance asks an authorization server (AS) for access, how the AS interacts with the resource owner to obtain consent, and how the client continues the grant until it receives access tokens, subject information, or a denial. The request and response are JSON structures with standardized fields, so a client can describe the access it wants, prove possession of its key, and negotiate an interaction method in a single request; the AS answers with the same vocabulary. This lets one protocol cover browser redirects, native apps, user-code entry on a separate device, and machine-to-machine grants without a separate grant type for each, while keeping the security properties (key binding, nonce-bound interaction) the same across all of them.
While OAuth remains deeply entrenched in the authorization ecosystem, GNAP offers several key advantages, some of which have been subsequently adopted by OAuth. These advantages include:
- Flexibility: GNAP does not hard-code grant types. The client states what it wants (access rights, subject information, interaction methods) and the AS responds with what it is willing to do, so new deployment patterns are expressed as combinations of existing fields rather than as new protocol extensions.
- Fine-grained Access Control: GNAP describes requested and granted access as an array of "access rights" objects (type, actions, locations, datatypes, and so on) rather than as OAuth 2.0's space-separated scope string. This pattern was later carried into OAuth 2.0 as Rich Authorization Requests (RFC 9396).
- Enhanced Client Identification: a GNAP client instance is identified by its key and every request to the AS is bound to that key (for example with HTTP Message Signatures, mutual TLS, or a detached JWS), so there is no shared client secret to leak and a stolen token or continuation reference is useless without the key. OAuth 2.0 has since added comparable sender-constrained mechanisms (mTLS in RFC 8705, DPoP in RFC 9449), but as optional extensions rather than the default.
- Versatile Interaction Models: the client advertises which interaction start modes it supports (redirect, app, user_code, user_code_uri) and how it wants to be told the interaction finished (redirect or push), and the AS picks from that list. After the interaction, the client continues the grant at a continuation endpoint using a dedicated continuation access token; the same continuation mechanism supports polling, modifying, and revoking a grant, which OAuth 2.0's predefined grant types do not cover.
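To make the list above concrete, here is an added example (my own illustration, not code from RFC 9635 or from any GNAP implementation) that models one redirect-based grant offline: the client's grant request with an access-rights array and a key-identified client, the AS response with interaction and continuation details, the resource owner's approval, the callback hash check from RFC 9635 Section 4.2.3, and the continuation request. All hostnames, URLs, the "photo-api" type and the nonces are constructed for the example, the client JWK is a placeholder, and the HTTP-level key proofing (httpsig) is left out to keep the flow readable.

```python
"""Added example, not from RFC 9635 or the post: an offline model of a GNAP
redirect-based interaction. All URLs, names and nonces are constructed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

GRANT_ENDPOINT = "https://as.example.com/tx"  # assumed AS grant endpoint URL


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def interaction_hash(client_nonce, as_nonce, interact_ref, grant_endpoint, hash_method="sha-256"):
    """RFC 9635 Section 4.2.3: join the four values with a newline (no trailing
    newline), hash with the negotiated method (default sha-256), base64url-encode
    without padding. Only two registry names are mapped in this example."""
    algo = {"sha-256": "sha256", "sha-512": "sha512"}[hash_method]
    data = "\n".join([client_nonce, as_nonce, interact_ref, grant_endpoint]).encode("utf-8")
    return b64url(hashlib.new(algo, data).digest())


def build_grant_request(client_nonce, client_jwk):
    """Client -> AS. Access is an array of rights objects rather than a scope
    string, and the client is identified by its key, not a client_id/secret."""
    return {
        "access_token": {"access": [{
            "type": "photo-api",  # hypothetical API type, constructed for the example
            "actions": ["read", "write"],
            "locations": ["https://rs.example.com/photos/"],
            "datatypes": ["metadata", "images"],
        }]},
        "client": {"key": {"proof": "httpsig", "jwk": client_jwk}},
        "interact": {
            "start": ["redirect"],
            "finish": {"method": "redirect",
                       "uri": "https://client.example.net/return",
                       "nonce": client_nonce},
        },
    }


class ToyAS:
    """AS side: pending grants keyed by their continuation access token."""
    def __init__(self):
        self.grants = {}

    def handle_grant(self, req):
        as_nonce = secrets.token_urlsafe(16)
        cont_token = secrets.token_urlsafe(24)
        self.grants[cont_token] = {"request": req, "as_nonce": as_nonce,
                                   "interact_ref": secrets.token_urlsafe(16), "approved": False}
        return {
            "interact": {"redirect": "https://as.example.com/interact/" + secrets.token_urlsafe(12),
                         "finish": as_nonce},
            "continue": {"access_token": {"value": cont_token},
                         "uri": "https://as.example.com/continue", "wait": 30},
        }

    def user_approves(self, cont_token):
        """Resource owner consents; AS redirects to the client's finish URI with
        interact_ref and a hash binding that reference to this grant request."""
        g = self.grants[cont_token]
        g["approved"] = True
        fin = g["request"]["interact"]["finish"]
        h = interaction_hash(fin["nonce"], g["as_nonce"], g["interact_ref"], GRANT_ENDPOINT)
        return fin["uri"] + "?" + urlencode({"hash": h, "interact_ref": g["interact_ref"]})

    def handle_continue(self, authorization, body):
        scheme, _, token = authorization.partition(" ")
        g = self.grants.pop(token, None)  # continuation token is single use in this toy AS
        if scheme != "GNAP" or g is None or not g["approved"]:
            raise PermissionError("bad continuation request")
        if not hmac.compare_digest(g["interact_ref"], body.get("interact_ref", "")):
            raise PermissionError("interact_ref does not belong to this grant")
        return {"access_token": {"value": secrets.token_urlsafe(24),
                                 "access": g["request"]["access_token"]["access"]}}


def client_finish(callback_url, client_nonce, as_nonce):
    """Client side of the redirect finish: verify the hash before trusting the
    interact_ref, so a reference from another grant cannot be spliced in."""
    q = parse_qs(urlsplit(callback_url).query)
    interact_ref = q["interact_ref"][0]
    expected = interaction_hash(client_nonce, as_nonce, interact_ref, GRANT_ENDPOINT)
    if not hmac.compare_digest(expected, q["hash"][0]):
        raise ValueError("interaction hash mismatch; callback not bound to this request")
    return interact_ref


def run_flow(tamper=False):
    """Drive one grant end to end and return the AS's final access token response."""
    client_nonce = secrets.token_urlsafe(16)
    client_jwk = {"kty": "OKP", "crv": "Ed25519", "x": b64url(secrets.token_bytes(32))}  # placeholder
    as_ = ToyAS()
    resp = as_.handle_grant(build_grant_request(client_nonce, client_jwk))
    cont = resp["continue"]["access_token"]["value"]
    callback = as_.user_approves(cont)
    if tamper:  # simulate an injected interact_ref from a different grant
        callback = callback.split("interact_ref=")[0] + "interact_ref=" + secrets.token_urlsafe(16)
    ref = client_finish(callback, client_nonce, resp["interact"]["finish"])
    return as_.handle_continue("GNAP " + cont, {"interact_ref": ref})


def flow_rejects_tampering():
    try:
        run_flow(tamper=True)
    except ValueError:
        return True
    return False
```

The point to take from the flow is where the binding lives: the client's nonce goes out in the grant request, the AS's nonce comes back in the interaction response, and the callback is only accepted if the hash over both nonces, the interaction reference and the grant endpoint URL checks out. In a real deployment the grant and continuation requests would also be signed with the client key named in the `client.key` field, which is what makes the continuation access token useless to anyone who merely observes it.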
I extend my gratitude to the authors, Justin Richer and Fabian Imbault, my co-chair Leif Johansson, and the former and current Area Directors, Roman Danyliw and Deb Cooley, for their invaluable contributions.
With the GNAP Resource Server protocol nearing publication, the working group will soon conclude its activities. While GNAP’s adoption has been gradual, it has already influenced OAuth and inspired several implementations. As often happens with emerging technologies, GNAP may yet find its niche within the diverse landscape of identity and access management.