Re: [OAUTH-WG] Transaction Authorization with OAuth
Dave Tonge <dave.tonge@momentumft.co.uk> Fri, 10 May 2019 13:52 UTC
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7954512008D for <oauth@ietfa.amsl.com>; Fri, 10 May 2019 06:52:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sY7sDuTv3ni8 for <oauth@ietfa.amsl.com>; Fri, 10 May 2019 06:52:25 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3021A120020 for <oauth@ietf.org>; Fri, 10 May 2019 06:52:25 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id 66so5653096otq.0 for <oauth@ietf.org>; Fri, 10 May 2019 06:52:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=E2PahQQI7oENoFkKKiX7BaiAV6FowwLSvjoJDvzAlZk=; b=AMwmboQx1Qha+H8U4fYDkDKgOUN5ZbMVTParrUtmSOxYf/37PyNMaDJoRkBo5I0pxp SuDiZ9FYeLU5fGwLSC8r/V3eibT3Df8Ahh9GWSyjioiBKTNgvvTVxtJhJogSITV/mCES vphrrgB8G8w6qFyJxd3767rjbF0nlS2ayqRdY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=E2PahQQI7oENoFkKKiX7BaiAV6FowwLSvjoJDvzAlZk=; b=oB5Q4RbLqG72u9NuOyATPGgaXDnaNTgLAy4MTuPIrYX1O6P9suM6ej93pm5yoI+Zvj Cb8sYldKwgTqiF20V0pop0AoSUkLBVKpkBNtRVfTG56/O5GcUwcyEGkDgZGGC5Ez8XAP hFJ/AFeminCHY0vlrCV1GrDwVS8DLsu3gzq2K7qWuZeGhrF7fPNyqnxVUuwu9ntg9NRc jo7ADekKnvzhcxxdE2OlB/x8SzgInQRYFZSvK+GDvN+C1WJqLogdY3NtQu0+USafzyhP d6b9d/+GCf3Hy+6KLoliOb9doFNXGA1QooQEpxpGZTc2nlIM5SNrzU33wyzUHhv7oyrp FzAA==
X-Gm-Message-State: APjAAAXCaK9W+RmksZE8y+uQUxURjrvmMRFZt+kJKHg2CqQ9ADGmlssV xzOPutLrXQBWbhgmBCuhKJVBD/vmGNtcOaMhZVObaQ==
X-Google-Smtp-Source: APXvYqzmKTsMIjAbKmlg65Fop6DQb40W6CZSsFUbEhfPvRur7iJqBicgke756EY6+RdkYoN34m36VvWNxsF0k8/ka4Y=
X-Received: by 2002:a9d:5e02:: with SMTP id d2mr4357806oti.222.1557496344286; Fri, 10 May 2019 06:52:24 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net> <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com>
In-Reply-To: <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 10 May 2019 15:52:12 +0200
Message-ID: <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005730cd058888e08c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2khtbhWqtC5ao40szuKxlWP3D8s>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 13:52:26 -0000
Thanks Torsten for this article - it is incredibly helpful. I'm very much in favour of the "structured_scope" approach. While I understand George's point I think the line is very blurred between coarse-grained scopes and fine-grained transaction consent. In addition fine-grained authorisation metadata is needed for ongoing access APIs as well, e.g. how can a client ask for ongoing access to: - transactions in a users accounts with ids abc123 and abc124 >From a UX perspective it is beneficial for the AS to ask the user for consent once. The AS therefore needs to have all the information about relating to the consent available when the user is redirected to the authorization endpoint. There should be a standard way for the Client to pass this data to the AS and I think structured scopes either sent as a query param or in a request object are a neat way of doing this. Dave
- [OAUTH-WG] Transaction Authorization with OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Jim Manico
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Dave Tonge
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Nat Sakimura
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt