Re: [OAUTH-WG] draft-ietf-oauth-rar use of “WWW-Authenticate” Response Header

Brian Campbell <bcampbell@pingidentity.com> Thu, 25 May 2023 20:30 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 25 May 2023 14:29:37 -0600
Message-ID: <CA+k3eCTWLVns4dAL-ant4Qh_Ler_eYFTx9UBUB3Uv5L-+ZRn+g@mail.gmail.com>
To: "Oliva Fernandez, Jorge" <Jorge.OlivaFernandez=40santander.co.uk@dmarc.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-0LeprPat-rwOCgq8TAFbVFcAOw>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-rar use of “WWW-Authenticate” Response Header

The thinking was generally that params of WWW-Authenticate Response Header
Field weren't a great fit for rich JSON authorization data (both in syntax
and semantics).  The authorization detail types are really API-specific
things, and as a result, it's expected that the methods by which clients
obtain or generate the authorization details are also API-specific. Not
sure that exactly answers the question but hopefully helps.
On Thu, May 25, 2023 at 5:16 AM Oliva Fernandez, Jorge
<Jorge.OlivaFernandez=40santander.co.uk@dmarc.ietf.org> wrote:

> Hi,
>
> I have been reviewing the last RAR draft (
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23) and I was
> expecting to find some references about how to use the “WWW-Authenticate”
> Response Header Field defined in RFC6750 (
> https://datatracker.ietf.org/doc/html/rfc6750#section-3) in this document.
>
> I think that RAR is a great idea for complex authorization where a “scope”
> is not enough to describe what you want to authorize. In OAuth 2.0 there
> exists a way for a protected resource to indicate what “scopes” are needed
> to consider the request “authorized”; should there not be a standard way to
> do the same for rich authorization requests?
>
> Best regards.

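The mechanism Jorge refers to is the RFC 6750 section 3 Bearer challenge, where a resource server answers with `WWW-Authenticate: Bearer ..., error="insufficient_scope", scope="..."`. The following is an added example, not code from this thread or from the RAR draft, that builds and parses such a challenge and then checks a RAR `authorization_details` array against the same grammar, making Brian's "syntax" point concrete: the `scope` value is a quoted-string of NQCHAR tokens (visible ASCII minus space, double quote and backslash), and JSON needs the double quote for every key and string. The realm, scope names and the `payment_initiation` detail object are constructed for illustration; the parser handles only the quoted-string form of auth-params, which is the form RFC 6750 specifies.

```python
"""Added example, not code from the thread: RFC 6750 section 3 Bearer challenge
handling for the `scope` auth-param, plus a check of why a RAR
`authorization_details` JSON value cannot ride in that same slot.
Realm, scope and authorization detail values below are constructed."""
import json
import re

# RFC 6750 section 3: scope-v = 1*NQCHAR, NQCHAR = %x21 / %x23-5B / %x5D-7E,
# i.e. visible ASCII minus space, double quote and backslash.
_NQCHAR_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")

# One auth-param (RFC 7235: token "=" quoted-string) plus an optional comma.
# Only the quoted-string form is handled, which is what RFC 6750 uses.
_AUTH_PARAM = re.compile(r'\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*,?')


def is_valid_scope_token(token):
    """True if `token` may appear inside the quoted scope value of a challenge."""
    return _NQCHAR_TOKEN.match(token) is not None


def build_bearer_challenge(realm, error, scopes):
    """Return the WWW-Authenticate field value a resource server sends to tell
    the client which scopes the presented token lacks (RFC 6750)."""
    for token in scopes:
        if not is_valid_scope_token(token):
            raise ValueError(f"not a legal scope token: {token!r}")
    return (f'Bearer realm="{realm}", error="{error}", '
            f'scope="{" ".join(scopes)}"')


def parse_bearer_challenge(header_value):
    """Parse a Bearer challenge into its auth-params; `scope` becomes a list."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params, pos = {}, 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        # quoted-pair unescaping: \x -> x
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
        pos = m.end()
    if "scope" in params:
        params["scope"] = params["scope"].split(" ")
    return params


def chars_rejected_by_scope_param(authorization_details):
    """Serialise a RAR authorization_details array compactly and return the
    characters NQCHAR forbids. JSON needs `"` for every key and string, so
    the result is never empty: the JSON cannot be a scope token verbatim."""
    serialised = json.dumps(authorization_details, separators=(",", ":"))
    return {c for c in serialised if not is_valid_scope_token(c)}


if __name__ == "__main__":
    challenge = build_bearer_challenge("api", "insufficient_scope",
                                       ["payments:read", "payments:write"])
    print(challenge)
    print(parse_bearer_challenge(challenge))
    details = [{"type": "payment_initiation", "actions": ["initiate"]}]  # constructed
    print(chars_rejected_by_scope_param(details))
```

Run stand-alone, the script prints the challenge, its parsed form, and the single offending character set for the sample detail object, which is the double quote. Brackets, braces, colons and commas all pass NQCHAR; only the quoting JSON depends on does not, so carrying `authorization_details` in a Bearer challenge would require either a second layer of escaping or a separate, non-quoted-string encoding, which is the syntactic mismatch the reply describes.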