Re: [OAUTH-WG] WGLC Review of PAR

Torsten Lodderstedt <> Sat, 29 August 2020 15:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7B8833A0CB8 for <>; Sat, 29 Aug 2020 08:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MdG3TF8C6t-C for <>; Sat, 29 Aug 2020 08:49:03 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 487133A0CB4 for <>; Sat, 29 Aug 2020 08:49:03 -0700 (PDT)
Received: by with SMTP id d26so3072980ejr.1 for <>; Sat, 29 Aug 2020 08:49:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=xTaUxCB9RrJ/RGMCv0pOyag4EwZzgctpndiRxsoUbRc=; b=ZaFJTrSKIk/u8BPrMd4NT1lCSx8sk7pMlnbzWaYh2y7gQZu88TAcOc2PhATE/wERwy hA1B07jQvbPLhO7uMvpJgGqGHsNqYaJ51oEUKsCplgGvuk6Jtr/iTnRwDLzAIqM1s448 +SHa7640qxrW3W5ZdieVCrZglcqcxRdjzG2juDQEmhLfP0urRjMItqw3B6vP4hOxMQIc NOtRrnYMnGM1Knxm2zCriMalFgNRZIg7nE8zBilbZBHBjfs86S0ESLJadpIoaj+fkGPN g6h8lH+3d0mLgGsmFt5+KicIbx0LU3PmPY5jBjsU3MD+3bvKXPTl2az3cHdGTbScCWlC chDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=xTaUxCB9RrJ/RGMCv0pOyag4EwZzgctpndiRxsoUbRc=; b=cFgoA1DfOMCtnMfIUCGIMljqtbRBC/kajFRaZ3M6hEuYnQK9q9ZnNaBBjSP5piPKsC KTnY2W/1Sr1MvGOJ+pe3+w2p+2Fvc/X7ERRiSl0/OjMt6uMuYABbbbl9L0NWebIlu3hJ aSysJgPLgcm6a5Dfc3MNvAhh57RVah326Yvldm4tvamEr0rmXoaU1wrHY7zjuV7GvLi0 /JEPP3BTS/g6jDJzua8izGuD8TVfUMU9co4dUNdlGu4wTXkUG8DMCFxrC6aKwpdk36sj gEUsGdxjYXBy86Cds0HOIEBSLGpSNT980TXeLLBrFanP5pzMJBIZW9fdlRsRNW80TACx wacA==
X-Gm-Message-State: AOAM530wBRqVKoV8aqvzNzQenyPaqORH/lUnd9Q6siGOy87NY45Aef/I 1LczDdHDnK8Ih7Jl8w9g6zUVLnTWxvwgnZkO
X-Google-Smtp-Source: ABdhPJx62+HYlqM7gfnTI5ChZr5YUoulRndCrltXpPbOAFzdPWWmlFHgKb7R/vNV+X8VtQyepZzfwQ==
X-Received: by 2002:a17:906:bcd4:: with SMTP id lw20mr3827912ejb.499.1598716141572; Sat, 29 Aug 2020 08:49:01 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id g19sm2423192ejj.124.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 29 Aug 2020 08:49:00 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail-27C64ADB-C891-4B14-A36F-B4E5030D4D7B"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <>
Mime-Version: 1.0 (1.0)
Date: Sat, 29 Aug 2020 17:48:59 +0200
Message-Id: <>
References: <>
Cc: oauth <>, Brian Campbell <>
In-Reply-To: <>
To: Justin Richer <>
X-Mailer: iPad Mail (17G80)
Archived-At: <>
Subject: Re: [OAUTH-WG] WGLC Review of PAR
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 29 Aug 2020 15:49:06 -0000

I gone draft this section.

> Am 29.08.2020 um 17:22 schrieb Justin Richer <>:
> I completely agree with the utility of the function in question here and it needs to be included. I’m in favor of creating a dedicated section for redirect_uri management, so that we can explain exactly how and why to relax the requirement from core OAuth. In addition, I think we want to discuss that the AS might have its own restrictions on which redirect URIs an authenticated client might be able to use. For example, registering a client with a Redirect URI prefix, or allowing only a query parameter to vary at runtime. All of these can be enforced in PAR because the client is presenting its authentication, as you point out, so the AS can determine which policies should apply.
> — Justin
>>> On Aug 29, 2020, at 7:52 AM, Torsten Lodderstedt <> wrote:
>>>   ¶6: Does the AS really have "the ability to authenticate and authorize clients”? I think what we mean here is "the ability to authenticate clients and validate client requests”, but I’m not positive of the intent. 
>>> I think the intent is that the AS can check whether a client is authorized to make a particular authorization request (specific scopes, response type, etc.). But checking authorization to request authorization is confusing wording. I think your working is less confusing and still allows for the intent. 
>>> I'll let Torsten interject if he feels differently as I think he originally wrote the text in question. 
>> that was the original intent. I think “validate" is fine. 
>>>   ¶7: I’m not sure I buy this example. Even if the clientID is managed externally, the association with a set or pattern of allowed redirect URIs is still important, and the AS will need to know what that is. I think this example could lead an AS developer to (erroneously and dangerously) conclude that they don’t have to check any other values in a request, including scope and redirect URI. It’s important that DynReg doesn’t alleviate that issue, but removal of DynReg doesn’t really change things in that regard. Suggest removing example or reworking paragraph.
>>> I'm going to have to defer to Torsten on this because, to be honest, I'm not too sure about it myself. I tend to lean towards thinking the draft would be better off without it.
>> In the traditional authorization flow, the redirect_uri serves as way to make sure the AS is really talking to the legit client and the allowed redirect_uri values are determined by the legit client at registration time (might be manually).
>> With PAR, we have a much stronger means to ensure the AS is talking to the legit client. That’s why I don’t see an issue with letting the client set a per transaction redirect_uri. This will give the client more flexibility (mint AS-specific redirect URIs on the fly) and makes client management much easier since redirect URIs are the most volatile part of a client policy. 
>> It also makes use of OAuth much easier in deployments where client identities are managed by external entities (even without any idea of OAuth). A prominent example is open banking in the EU (aka PSD2). The (technical) identity of any PSD2-licensed client is asserted by an eIDAS compliant CA in a special X.509 certificate. Those certificates contain the permissions (access to account information and/or payment initiation allowed) and the identity (member state specific). But they don’t contain OAuth policy values. Nevertheless, the regulation requires any financial institution in the EU to at runtime, without any registration, to accept and process calls from any licensed PSD2 clients.
>> There are two ways to cope with it in OAuth context:
>> a) use dynamic client registration with the X.509 cert as credential. Unfortunately, RFC 7591 does not support other client authentication means then an initial access token. Beside that, it would violate the text of the regulation. 
>> b) establish a redirect URL with every transaction. This is the recommended approach in at least one of the PSD2 specs.
>> PAR is a clean way to solve that problem. 
>> I don’t want this text to cause confusing. On the other hand this potential of PAR is way too important to not mention it at all. What about moving it into a special section "redirect_uri management”?