Re: [OAUTH-WG] Transaction Authorization with OAuth

Dave Tonge <dave.tonge@momentumft.co.uk> Fri, 10 May 2019 13:52 UTC

References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net> <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com>
In-Reply-To: <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 10 May 2019 15:52:12 +0200
Message-ID: <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2khtbhWqtC5ao40szuKxlWP3D8s>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

Thanks Torsten for this article - it is incredibly helpful.

I'm very much in favour of the "structured_scope" approach.

While I understand George's point, I think the line is very blurred between
coarse-grained scopes and fine-grained transaction consent. In addition,
fine-grained authorisation metadata is needed for ongoing access APIs as
well, e.g. how can a client ask for ongoing access to:
 - transactions in a user's accounts with ids abc123 and abc124

From a UX perspective it is beneficial for the AS to ask the user for
consent once. The AS therefore needs to have all the information
relating to the consent available when the user is redirected to the
authorization endpoint. There should be a standard way for the Client to
pass this data to the AS, and I think structured scopes, either sent as a
query param or in a request object, are a neat way of doing this.

Dave
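As an added illustration of the client-to-AS hand-off this message describes (example code, not from the thread or from Torsten's article): the client packs the "ongoing access to transactions in accounts abc123 and abc124" request into a single `structured_scope` query parameter on the authorization request, and the AS parses and validates that parameter before it builds the one consent screen the message asks for. Only the parameter name comes from the message; the JSON shape (`account_information` / `access` / `accounts`), the endpoint URLs, and the AS policy constants (`ALLOWED_ACCESS`, `MAX_ACCOUNTS`) are assumptions.

```python
"""Client builds an authorization request carrying a structured_scope; AS validates it."""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed AS policy (assumptions): which fine-grained access types the AS
# understands and how many accounts one consent may cover.
ALLOWED_ACCESS = frozenset({"transactions", "balances"})
MAX_ACCOUNTS = 10


def build_structured_scope(account_ids, access=("transactions",)):
    """Client side: describe ongoing access to specific accounts as a JSON object.

    The key names are assumptions; the mail names the parameter but not its schema.
    """
    return {
        "account_information": {
            "access": sorted(set(access)),
            "accounts": list(account_ids),
        }
    }


def build_authorization_url(authz_endpoint, client_id, redirect_uri, state, structured_scope):
    """Client side: serialise structured_scope as one query parameter next to the usual ones."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "structured_scope": json.dumps(structured_scope, separators=(",", ":")),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_structured_scope(authorization_url):
    """AS side: extract and validate structured_scope before rendering consent.

    Raises ValueError for anything the AS should refuse rather than guess about:
    a missing or repeated parameter, malformed JSON, unknown keys, access types
    outside policy, or an account list that is empty, oversized or non-string.
    Returns the normalised consent request on success.
    """
    query = parse_qs(urlparse(authorization_url).query)
    values = query.get("structured_scope", [])
    if len(values) != 1:
        raise ValueError("structured_scope must appear exactly once")
    try:
        scope = json.loads(values[0])
    except json.JSONDecodeError as exc:
        raise ValueError(f"structured_scope is not valid JSON: {exc}") from None
    if not isinstance(scope, dict) or set(scope) != {"account_information"}:
        raise ValueError("unsupported structured_scope top-level keys")
    info = scope["account_information"]
    if not isinstance(info, dict) or set(info) != {"access", "accounts"}:
        raise ValueError("account_information must contain exactly access and accounts")
    access, accounts = info["access"], info["accounts"]
    if (not isinstance(access, list) or not access
            or not all(isinstance(a, str) and a in ALLOWED_ACCESS for a in access)):
        raise ValueError(f"access must be a non-empty subset of {sorted(ALLOWED_ACCESS)}")
    if (not isinstance(accounts, list) or not accounts or len(accounts) > MAX_ACCOUNTS
            or any(not isinstance(a, str) or not a for a in accounts)):
        raise ValueError(f"accounts must be 1..{MAX_ACCOUNTS} non-empty account ids")
    return {"access": sorted(set(access)), "accounts": accounts}


if __name__ == "__main__":
    # Constructed sample: the request from the mail, round-tripped through the AS parser.
    url = build_authorization_url(
        "https://as.example/authorize", "client-1", "https://client.example/cb", "st-42",
        build_structured_scope(["abc123", "abc124"]),
    )
    print(url)
    print(parse_structured_scope(url))
```

When the client uses the request-object route instead, the same JSON object sits as a claim inside the signed request object; once the AS has verified the signature, the validation in `parse_structured_scope` applies unchanged to the extracted claim, so the consent screen is driven by one validated structure whichever transport the client chose.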