Concepts

GNAP Protocol

Understanding the Grant Negotiation and Authorization Protocol (RFC 9635)

Overview

The Grant Negotiation and Authorization Protocol (GNAP) is an authorization framework standardized in RFC 9635. It is a successor to OAuth 2.0 rather than an extension of it (GNAP is not backwards compatible with OAuth 2.0): a single, negotiable grant request replaces OAuth's fixed grant flows, access tokens are bound to a client key by default instead of being bearer tokens, and clients can present their key in the request instead of being pre-registered.

Key Concepts

Grant Negotiation

Unlike OAuth's fixed grant flows, GNAP uses a single grant request that both sides refine:

  • The client describes the access it wants and the interaction methods it can support
  • The authorization server (AS) decides what to grant (all, part or none of it), whether user interaction is needed, and how the client may continue the grant
  • The client continues the grant, and may modify its request, until the AS issues tokens or denies the grant

Cryptographic Binding

GNAP access tokens are bound to the client's key by default:

  • A bearer token is issued only when the client asks for one (the "bearer" flag) and the AS agrees
  • Using a bound token means proving possession of the key on every request, so a stolen token is useless without the private key; the created timestamp and nonce in the proof limit replay
  • Four proof methods are defined: HTTP Message Signatures (httpsig), mutual TLS (mtls), detached JWS (jwsd) and attached JWS (jws)

No Pre-Registration

GNAP does not require a client to be registered before its first request:

  • The client presents its public key by value (a JWK or a certificate) in the grant request
  • There is no client secret to provision or store; the key is the credential
  • The AS still applies its own policy to unknown keys, and a known client can identify itself by a short instance identifier instead of sending its key

Protocol Flow

1. Grant Request

The client initiates authorization by sending a signed grant request. Because the key is sent by value, the signature is what proves the requester actually holds the key it is asking the AS to bind tokens to:

POST /grant HTTP/1.1
Host: as.example.com
Content-Type: application/json
Content-Digest: sha-256=:...:
Signature-Input: sig1=("@method" "@target-uri" "content-digest");created=1618884473;keyid="test-key";nonce="...";tag="gnap"
Signature: sig1=:...:

{
  "access_token": {
    "access": [
      {
        "type": "api",
        "actions": ["read", "write"],
        "locations": ["https://api.example.com/resources"]
      }
    ]
  },
  "client": {
    "key": {
      "proof": "httpsig",
      "jwk": {
        "kty": "RSA",
        "n": "...",
        "e": "AQAB"
      }
    }
  },
  "interact": {
    "start": ["redirect"],
    "finish": {
      "method": "redirect",
      "uri": "https://client.example.com/callback",
      "nonce": "LKLTI25DK82FX4T4QFZC"
    }
  }
}

2. Authorization Server Response

The AS evaluates the request and responds:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "continue": {
    "access_token": {
      "value": "80UPRY5NM33OMUKMKSKU"
    },
    "uri": "https://as.example.com/continue/XQHWJ7IOPTMZ"
  },
  "interact": {
    "redirect": "https://as.example.com/interact/4CF492ML",
    "finish": "WDJKL8S7N4BF9VKQ"
  }
}

3. User Interaction

If interaction is required, the client sends the user to the redirect URI from the response:

https://as.example.com/interact/4CF492ML

When the user has authenticated and consented, the AS redirects the browser to the client's finish URI with two query parameters:

https://client.example.com/callback?hash=...&interact_ref=4IFWWIKYBC2PQ6U56NL1

Before using interact_ref, the client recomputes hash as the base64url-encoded SHA-256 (the default hash_method) of the client nonce, the AS nonce, the interact_ref and the grant endpoint URI, joined by single newline characters, and compares it with the received value. A mismatch means the callback was not produced for this grant (for example a mix-up between authorization servers or an injected reference) and the client must not continue.

4. Grant Continuation

After the interaction, the client continues the grant at the continuation URI, presenting the continuation access token and signing the request with the same key it used for the grant request:

POST /continue/XQHWJ7IOPTMZ HTTP/1.1
Host: as.example.com
Authorization: GNAP 80UPRY5NM33OMUKMKSKU
Content-Type: application/json
Content-Digest: sha-256=:...:
Signature-Input: sig1=("@method" "@target-uri" "content-digest" "authorization");created=1618884473;keyid="test-key";nonce="...";tag="gnap"
Signature: sig1=:...:

{
  "interact_ref": "4IFWWIKYBC2PQ6U56NL1"
}

5. Access Token Response

The AS issues the access token. The response carries no "bearer" flag and no "key" field, so the token is bound to the key the client presented in the grant request and must be accompanied by a key proof on every use; expires_in gives its lifetime in seconds:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": {
    "value": "OS9M2PMH2T7T2K5",
    "expires_in": 3600,
    "access": [
      {
        "type": "api",
        "actions": ["read", "write"],
        "locations": ["https://api.example.com/resources"]
      }
    ]
  }
}
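The five steps above as one runnable walkthrough, an added example that is not code from this page or from RFC 9635: the client and a minimal authorization server run in the same process, the endpoint URIs are the ones from the messages above, and all tokens, nonces and references are generated at run time. The part worth studying is the callback check in step 3: the client recomputes the hash from RFC 9635 section 4.2.3 and refuses to send the continuation request when it does not match.

```python
# Added example (not from RFC 9635 or the page): in-memory simulation of the redirect
# flow. URIs are the page's example values; tokens, nonces and references are generated.
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

GRANT_ENDPOINT = "https://as.example.com/grant"
CLIENT_FINISH_URI = "https://client.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 9635 uses for the callback hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def interaction_hash(client_nonce: str, as_nonce: str, interact_ref: str,
                     grant_endpoint: str, hash_method: str = "sha-256") -> str:
    """RFC 9635 4.2.3: hash the four values joined by single newlines, no trailing newline."""
    algorithms = {"sha-256": hashlib.sha256, "sha3-512": hashlib.sha3_512}
    if hash_method not in algorithms:
        raise ValueError(f"unsupported hash_method {hash_method!r}")
    material = "\n".join([client_nonce, as_nonce, interact_ref, grant_endpoint]).encode("utf-8")
    return b64url(algorithms[hash_method](material).digest())


class AuthorizationServer:
    """Just enough AS state to answer the grant, the callback and the continuation."""

    def __init__(self) -> None:
        self.grants = {}  # continuation access token -> grant state

    def grant(self, request: dict) -> dict:
        """Step 2: record the grant, hand back continuation info and the AS nonce."""
        cont_token = secrets.token_urlsafe(16)
        self.grants[cont_token] = {
            "access": request["access_token"]["access"],
            "client_nonce": request["interact"]["finish"]["nonce"],
            "as_nonce": secrets.token_urlsafe(12),
            "interact_ref": None,
        }
        return {
            "continue": {"access_token": {"value": cont_token},
                         "uri": "https://as.example.com/continue/" + secrets.token_urlsafe(8)},
            "interact": {"redirect": "https://as.example.com/interact/" + secrets.token_urlsafe(6),
                         "finish": self.grants[cont_token]["as_nonce"]},
        }

    def user_finished(self, cont_token: str) -> str:
        """Step 3: the user consented; build the redirect back to the client's finish URI."""
        g = self.grants[cont_token]
        g["interact_ref"] = secrets.token_urlsafe(15)
        h = interaction_hash(g["client_nonce"], g["as_nonce"], g["interact_ref"], GRANT_ENDPOINT)
        return CLIENT_FINISH_URI + "?" + urlencode({"hash": h, "interact_ref": g["interact_ref"]})

    def continue_grant(self, cont_token: str, body: dict) -> dict:
        """Steps 4 and 5: issue the token only for the matching, unused interact_ref."""
        g = self.grants.get(cont_token)
        if g is None or g["interact_ref"] is None or body.get("interact_ref") != g["interact_ref"]:
            return {"error": {"code": "invalid_interaction"}}
        g["interact_ref"] = None  # an interaction reference is single use
        return {"access_token": {"value": secrets.token_urlsafe(12), "expires_in": 3600,
                                 "access": g["access"]}}


def client_verify_callback(callback_url: str, client_nonce: str, as_nonce: str,
                           grant_endpoint: str) -> Optional[str]:
    """Client side of step 3: return interact_ref only if the hash ties it to this grant."""
    q = parse_qs(urlparse(callback_url).query)
    interact_ref, received = q["interact_ref"][0], q["hash"][0]
    expected = interaction_hash(client_nonce, as_nonce, interact_ref, grant_endpoint)
    return interact_ref if secrets.compare_digest(expected, received) else None


def run_flow(tamper: bool = False) -> dict:
    """Drive steps 1 to 5. With tamper=True the callback carries a foreign interact_ref."""
    as_ = AuthorizationServer()
    client_nonce = secrets.token_urlsafe(15)
    request = {  # same shape as the grant request shown in step 1
        "access_token": {"access": [{"type": "api", "actions": ["read", "write"],
                                     "locations": ["https://api.example.com/resources"]}]},
        "client": {"key": {"proof": "httpsig", "jwk": {"kty": "RSA", "n": "...", "e": "AQAB"}}},
        "interact": {"start": ["redirect"],
                     "finish": {"method": "redirect", "uri": CLIENT_FINISH_URI, "nonce": client_nonce}},
    }
    response = as_.grant(request)
    cont_token, as_nonce = response["continue"]["access_token"]["value"], response["interact"]["finish"]
    callback = as_.user_finished(cont_token)
    if tamper:  # someone replaces interact_ref in the URL; the hash no longer matches
        parts = urlparse(callback)
        q = parse_qs(parts.query)
        q["interact_ref"] = ["ATTACKER-REF"]
        callback = parts._replace(query=urlencode(q, doseq=True)).geturl()
    interact_ref = client_verify_callback(callback, client_nonce, as_nonce, GRANT_ENDPOINT)
    if interact_ref is None:
        return {"error": {"code": "callback_hash_mismatch"}}  # never send the continuation
    return as_.continue_grant(cont_token, {"interact_ref": interact_ref})
```

run_flow() returns the step 5 response; run_flow(tamper=True) stops at the client's hash check and never spends the continuation token. The grant endpoint URI is part of the hashed material on purpose: a client that talks to more than one AS cannot be tricked into finishing a grant at the wrong one, because the hash computed with its own endpoint will not match.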

Proof Methods

The method is fixed by the "proof" field of the key the client presented in the grant request, and the same method must be used for the continuation request and for every resource request made with a bound token. RFC 9635 defines four methods; DPoP is not one of them.

HTTP Message Signatures (httpsig)

Uses HTTP Message Signatures (RFC 9421). The covered components must include @method and @target-uri, content-digest whenever the request has a body, and authorization whenever a bound token is presented, so that neither the body nor the token can be transplanted into a different signed request. The created timestamp and nonce let the verifier reject stale or replayed signatures, and tag="gnap" marks the signature as a GNAP key proof:

POST /api/resource HTTP/1.1
Host: api.example.com
Authorization: GNAP OS9M2PMH2T7T2K5
Content-Type: application/json
Content-Digest: sha-256=:...:
Signature-Input: sig1=("@method" "@target-uri" "content-digest" "authorization");created=1618884473;keyid="test-key";nonce="...";tag="gnap"
Signature: sig1=:KuhJjsOKCiISnFZBJWLJidD...:

Mutual TLS (mtls)

The client presents its certificate in the TLS handshake, and the key in the grant request is given as a certificate ("cert") or a certificate thumbprint ("cert#S256"). No extra header is needed; the resource server checks that the certificate used for the connection matches the key the token is bound to:

POST /api/resource HTTP/1.1
Host: api.example.com
Authorization: GNAP OS9M2PMH2T7T2K5

Detached JWS (jwsd)

The client signs a JWS whose protected header carries the HTTP method, the target URI, a creation timestamp and, when a token is presented, a hash of that token, with the request body as the payload. The JWS is sent in detached form (payload removed) in the Detached-JWS header:

POST /api/resource HTTP/1.1
Host: api.example.com
Authorization: GNAP OS9M2PMH2T7T2K5
Detached-JWS: eyJ0eXAiOiJq...

Attached JWS (jws)

As for jwsd, but the JWS replaces the request body and is sent with the application/jose content type.
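The httpsig method above, as an added example (not code from RFC 9635 or from this page) covering both the client that signs a resource request and the resource server that verifies it. The target URI, token and key id are the ones in the signed message above; the shared HMAC key is a made-up stand-in for the client's asymmetric key so that the block runs with the standard library alone, and the checks are the same whichever signature algorithm is used.

```python
# Added example (not code from RFC 9635 or this page): the httpsig proof on a resource
# request, client side and resource-server side. HMAC-SHA256 (an RFC 9421 algorithm) is
# a stand-in for the client's asymmetric key so the block runs with the standard library;
# the URI, token and key id are the page's example values, the shared key is made up.
import base64
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, List, Optional

REQUIRED = {"@method", "@target-uri", "authorization"}  # RFC 9635 7.3.1 for a bound token


def content_digest(body: bytes) -> str:
    """Content-Digest field value (RFC 9530): SHA-256 of the body, standard base64."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def signature_base(method: str, target_uri: str, headers: Dict[str, str],
                   components: List[str], params: str) -> str:
    """RFC 9421 2.5: one '"name": value' line per covered component, then the params line."""
    derived = {"@method": method, "@target-uri": target_uri}
    lines = [f'"{c}": {derived[c] if c.startswith("@") else headers[c]}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign_request(key: bytes, method: str, target_uri: str, headers: Dict[str, str],
                 body: bytes, keyid: str, components: Optional[List[str]] = None,
                 created: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: add Content-Digest, Signature-Input and Signature to the request."""
    headers = {k.lower(): v for k, v in headers.items()}
    if body:
        headers["content-digest"] = content_digest(body)
    if components is None:  # default coverage is exactly what RFC 9635 requires
        components = ["@method", "@target-uri"]
        components += ["content-digest"] if body else []
        components += ["authorization"] if "authorization" in headers else []
    inner = " ".join(f'"{c}"' for c in components)
    params = (f'({inner});created={created or int(time.time())};keyid="{keyid}";'
              f'nonce="{nonce or secrets.token_urlsafe(8)}";tag="gnap"')
    base = signature_base(method, target_uri, headers, components, params)
    sig = hmac.new(key, base.encode(), hashlib.sha256).digest()  # stand-in for the client key
    headers["signature-input"] = "sig1=" + params
    headers["signature"] = "sig1=:" + base64.b64encode(sig).decode() + ":"
    return headers


def verify_request(key: bytes, method: str, target_uri: str, headers: Dict[str, str],
                   body: bytes, max_age: int = 300, now: Optional[int] = None) -> bool:
    """Resource-server side: check coverage and freshness, then recompute the signature."""
    headers = {k.lower(): v for k, v in headers.items()}
    try:
        params = headers["signature-input"].split("=", 1)[1]
        components = [c.strip('"') for c in params[1:params.index(")")].split()]
        created = int(re.search(r"created=(\d+)", params).group(1))
        sig = base64.b64decode(headers["signature"].split("=", 1)[1].strip(":"), validate=True)
        base = signature_base(method, target_uri, headers, components, params)
    except (KeyError, ValueError, AttributeError):
        return False  # malformed, or a covered header is missing from the message
    needed = REQUIRED | ({"content-digest"} if body else set())
    if not needed <= set(components) or 'tag="gnap"' not in params:
        return False  # the token or the body could be transplanted into another request
    if body and headers.get("content-digest") != content_digest(body):
        return False  # body changed after signing
    if abs((now or int(time.time())) - created) > max_age:
        return False  # outside the replay window
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> Dict[str, bool]:
    """Constructed requests for api.example.com with the token from the page."""
    key, uri = b"demo-shared-key", "https://api.example.com/api/resource"
    body = b'{"op": "read"}'
    plain = {"Host": "api.example.com", "Authorization": "GNAP OS9M2PMH2T7T2K5"}
    good = sign_request(key, "POST", uri, plain, body, "test-key")
    weak = sign_request(key, "POST", uri, plain, body, "test-key",
                        components=["@method", "@target-uri", "content-digest"])
    return {
        "genuine": verify_request(key, "POST", uri, good, body),
        "token_swapped": verify_request(key, "POST", uri, dict(good, authorization="GNAP STOLEN"), body),
        "body_tampered": verify_request(key, "POST", uri, good, b'{"op": "delete"}'),
        "authorization_not_covered": verify_request(key, "POST", uri, weak, body),
        "replayed_elsewhere": verify_request(key, "POST", "https://evil.example/api/resource", good, body),
        "stale": verify_request(key, "POST", uri, good, body, now=int(time.time()) + 3600),
    }
```

The case to look for in a real resource server is "authorization_not_covered": that request carries a signature that is valid under RFC 9421 on its own, yet it does not bind the token to the key proof, so a stolen bound token could ride along on any signed request captured from its legitimate holder. A verifier has to check which components were covered, not only that the signature verifies.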

Security Benefits

Token Binding

  • A stolen access token is useless without the client's private key
  • Each use of a bound token carries a fresh key proof that the resource server checks
  • Bearer tokens exist only as an opt-in (the "bearer" flag), never as the default

Dynamic Registration

  • No client secret to provision, store or rotate; the client's key is its credential
  • Public key authentication on the grant request, the continuation and token use alike
  • Smaller attack surface: no shared secret can leak from configuration, though the AS still decides which keys it trusts

Fine-Grained Access

  • Request specific resources
  • Time-limited access
  • Capability-based security

Interaction Flexibility

  • Support for various authentication methods
  • Step-up authentication
  • Machine-to-machine flows

Comparison with OAuth 2.0

Feature               GNAP                                          OAuth 2.0
--------------------  --------------------------------------------  --------------------------------------------
Token binding         Default; bearer only with the "bearer" flag   Optional, via extensions (DPoP, mTLS)
Client registration   Key sent in the request; AS may still         Pre-registered (dynamic registration is
                      require it                                    an extension, RFC 7591)
Grant types           One negotiated grant request                  Fixed flows (authorization code, client
                                                                    credentials, device, ...)
Bearer tokens         Opt-in                                        Default
Proof methods         httpsig, mtls, jwsd, jws                      DPoP, mTLS (extensions)
Machine clients       Native (grant request without "interact")     Client credentials grant

Use Cases

API Security

  • Microservices authentication
  • Zero-trust architectures
  • Service mesh integration

AI Agent Authorization

  • Automated workflows
  • Machine-to-machine communication
  • Capability-based delegation

IoT and Edge Computing

  • Device authentication
  • Constrained environments
  • Offline operation support

Financial Services

  • High-security transactions
  • Regulatory compliance
  • Non-repudiation requirements

Implementation Considerations

Key Management

  • Secure key generation and storage
  • Key rotation policies
  • Hardware security module (HSM) integration

Token Lifecycle

  • Short-lived tokens; the AS states the lifetime in expires_in, and a bound token stays bound to the same key for its whole life
  • Rotation through the token management URI returned with the token ("manage"), or by continuing the grant to obtain new access; there is no OAuth-style refresh token
  • Explicit revocation by the client through the same management URI, using the management access token

Policy Integration

  • Fine-grained access control
  • Relationship-based authorization
  • Dynamic policy evaluation

Next Steps