A Crash Course in the Grant Negotiation and Authorization Protocol (GNAP)
<p>This article is aimed at those looking for an overview of the <a href="https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol" rel="noopener ugc nofollow" target="_blank">draft IETF GNAP core protocol</a>.</p>
<p>It’s going to be very broad brushstrokes, but hopefully enough to give you a flavour of what GNAP is, and specifically how it differs to OAuth2.0.</p>
<p>The reason that the piece is written through a comparative lens is that the authorization paradigm most engineers (myself included) are familiar with is OAuth2.0. Therefore it can provide the base we build from.</p>
<p>This means you’ll need a fairly solid understanding of OAuth2.0, luckily this can be gleaned from an excellent article <a href="https://medium.com/@jc1175/a-crash-course-in-oauth-c4c00e418db0" rel="noopener">here</a>. We’ll also be referencing some of its extensions, but won’t refer to them as separate entities.</p>
<h2>Why GNAP?</h2>
<p><a href="https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#name-introduction" rel="noopener ugc nofollow" target="_blank">GNAP was introduced to solve the same problems as OAuth2.0 and OIDC</a>, and does so in a similar way. It still requests delegated authorization from a resource owner via a grant, and still utilises an authorization server.</p>
<p>I can immediately hear you asking ‘why do we need it then?’ which is incredibly fair. However, <a href="https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#appendix-B-2.1.1" rel="noopener ugc nofollow" target="_blank">GNAP does address some important concerns</a>, which we’ll explore next.</p>
<p><a href="https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#appendix-B-2.1.1" rel="noopener ugc nofollow" target="_blank"><strong>Consent and authorization flexibility</strong></a></p>
<p>In OAuth2.0 we generally assume we have access to a web-browser. Additionally how our flow works is dictated by the grant type at the start. For example when we start the <a href="https://datatracker.ietf.org/doc/html/rfc8628" rel="noopener ugc nofollow" target="_blank">device authorisation grant</a> for limited input devices (e.g. smart TVs) we make a request to a certain endpoint. Once we’ve begun this grant we can’t swap to another.</p>
<p><a href="https://jc1175.medium.com/a-crash-course-in-the-grant-negotiation-and-authorization-protocol-gnap-9cc30ed21ce5">Read More</a></p>