[Mailsec] Standard Oauth2 scopes for e-mail authorization

Clinton Bunch <cdb_ietf@zentaur.org> Wed, 12 April 2023 21:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/k2XKj4nHmYhNPWVrcCmd3hA0eOo>

With a growing interest in multi-factor authentication, delegating user 
authorizations to voice assistants, and the recent decisions of email 
giants like Google and Microsoft to mandate RFC7628, there is a strong 
push for OAuth authentication in the various protocols for e-mail.

From what I've seen, the current support for this in open-source 
clients has been by hard-coding the Client ID, Client Secret, and 
necessary scopes for a few of the giant providers, but offering no 
support for smaller organizations to permit OAuth.

RFC7591 gives a way forward without hard-coding Client ID or Client 
Secret.  But the problem of varying scopes and a lack of context for 
their meanings for both clients and servers remains a barrier to 
widespread adoption of this technology.

It seems appropriate for this list to discuss and approve some standard 
scopes for e-mail.

I propose the following based on use-cases I can foresee, but others may 
have additional ideas.

urn:ietf:params:oauth:scope:mail
     Read/send/notify authorization from the user. (Most common case for 
     MUAs)
urn:ietf:params:oauth:scope:mail:send
     Authorization from the user to send mail on their behalf. (e.g. 
     meeting request from a voice assistant)
urn:ietf:params:oauth:scope:mail:read
     Authorization to read e-mails, but not send.
urn:ietf:params:oauth:scope:mail:notify
     Permission to receive notifications of new messages.  (Biff style 
     application, maybe for a smartwatch)
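The following is an added example, not code from the post or any IETF document: it shows how a mail server could enforce the four proposed scopes per operation, and how a client would compute the least-privilege scope string to request. The hierarchy (the bare `mail` scope implying send, read and notify) and the operation names `smtp_submit`, `imap_fetch`, `imap_idle` are assumptions made for illustration.

```python
"""Scope enforcement for the e-mail OAuth2 scopes proposed above.

Added example, not part of the original post.  Assumptions: the umbrella
scope ...:mail grants all three sub-scopes, and the operation names below
are invented labels for the protocol actions a mail server mediates."""
from __future__ import annotations

PREFIX = "urn:ietf:params:oauth:scope:mail"

# Fine-grained scope each protocol operation needs (assumed mapping).
REQUIRED = {
    "smtp_submit": PREFIX + ":send",    # submit a message on the user's behalf
    "imap_fetch":  PREFIX + ":read",    # fetch message headers/bodies
    "imap_idle":   PREFIX + ":notify",  # be told about new messages (IDLE)
}


def parse_scope(scope_param: str) -> set[str]:
    """Split an RFC 6749 scope value: space-delimited, case-sensitive."""
    return {s for s in scope_param.split(" ") if s}


def allows(granted: set[str], operation: str) -> bool:
    """True if the granted scopes cover the operation.

    Unknown operations fail closed, and the umbrella scope ...:mail is
    treated as granting every sub-scope."""
    needed = REQUIRED.get(operation)
    if needed is None:
        return False
    return PREFIX in granted or needed in granted


def minimal_scope(operations) -> str:
    """Least-privilege scope string a client should request for the
    operations it really performs, so a voice assistant that only sends
    meeting requests asks for mail:send rather than the whole mailbox."""
    wanted = {REQUIRED[op] for op in operations}
    if wanted == set(REQUIRED.values()):
        return PREFIX                  # needs everything: ask for the umbrella
    return " ".join(sorted(wanted))


if __name__ == "__main__":
    token_scopes = parse_scope(PREFIX + ":send")       # constructed grant
    print("assistant may submit:", allows(token_scopes, "smtp_submit"))
    print("assistant may read:  ", allows(token_scopes, "imap_fetch"))
    print("MUA should request:  ", minimal_scope(REQUIRED))
```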