Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-rar-02.txt

Janak Amarasena <janakama360@gmail.com> Sun, 22 September 2019 07:45 UTC

Return-Path: <janakama360@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F31F12003E for <oauth@ietfa.amsl.com>; Sun, 22 Sep 2019 00:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.747
X-Spam-Level:
X-Spam-Status: No, score=-1.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0YIp_UyixrS for <oauth@ietfa.amsl.com>; Sun, 22 Sep 2019 00:45:55 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0E712002F for <oauth@ietf.org>; Sun, 22 Sep 2019 00:45:54 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id y135so12587105wmc.1 for <oauth@ietf.org>; Sun, 22 Sep 2019 00:45:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GblSD8+BT1lXwo5vJlcXxBd/VKDixyROnGvtMKdd7nE=; b=m268xB2JyiCc/qnhqEgQNs1fnCZe1krrNQtMN9xR+DR+npYGVgbUYJe3HPlChSyAPG Y9dX1hXCcieome23zRMjKyfSGOrulhtLZ9gZ47BbpkGi5TkvYzdyj3laAcU2V6gNZ9UU KX7vuHTeWVfj0+QtD6MBsnHZAWzJ9T1SIMpU5u/yuhbJ1efEbPvv/F5YIgV3JwdwxCq4 u2PXRWULhOhgNOVhvDRReYb14QYF8/c0cR4T6oMnHzSBlVwuDt4vQ5CSxbATMCE7LXjf D5bpu7JMY81hFx8mRi5nGFibF2vwesimhq8U0K+7zM6ZAFLjJvLMHSJhkZNWpN1XCj9m 8Qag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GblSD8+BT1lXwo5vJlcXxBd/VKDixyROnGvtMKdd7nE=; b=iSaSzJbWyAQN/lW5ujyuLrvidGSh8nXRwU5cra5u5RKcESrwFurjzKnQIPOmMW3fCx GeGRZ8PQska5/xL26m+rZdKS42RAnAwo64rLwYkksBCqU/9/Oo0XY/FGZEVkwOdYHS8M mhxZ2I5v7JAh+AD6dwiPc4JelJu4d7qmctnnRnRZDb6ydHhyBXAIs6xI7QK41gtaxEQI 5J+65MQ2TxhLn188ZZaTwO0G/muLBBiq6HUeQ5JLjpHeiLV0NbHec+j+sCZOL2HzHvLE 0eVoGPV06lpS3WvSrNFhyEJQp6xbF99CIj4H53Olr7oWEUQBVKBV/xwStBHZI86X6P+O whPw==
X-Gm-Message-State: APjAAAUv7rwVN/uUw949d/K7fT4zcy2P9m+auyyQq/BXytdEw4/0+bEG gcy3ylRJvJdqxOZiY7rhbjSiyGlVT11TLWY8ctO8W0Be
X-Google-Smtp-Source: APXvYqyfxJNM5SVGRqXtcS+wnUDur0wBHZz2GP4nm8DoerxBmblLm8a4bWbWzfMVnQH/NFE8PYcjiEnlFg/ZiwcGWTg=
X-Received: by 2002:a05:600c:24d1:: with SMTP id 17mr9457645wmu.104.1569138353088; Sun, 22 Sep 2019 00:45:53 -0700 (PDT)
MIME-Version: 1.0
References: <156907504831.22964.1710780113673136607.idtracker@ietfa.amsl.com> <A82AA337-86BF-485D-901B-3A3C73C6177B@lodderstedt.net>
In-Reply-To: <A82AA337-86BF-485D-901B-3A3C73C6177B@lodderstedt.net>
From: Janak Amarasena <janakama360@gmail.com>
Date: Sun, 22 Sep 2019 13:15:44 +0530
Message-ID: <CAM7dPt1vUQhFd0uMMS7e=WvzkiRP9UAuEcO7uGANTz-4qL58ug@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>, Justin Richer <justin@bspk.io>
Content-Type: multipart/alternative; boundary="00000000000023ae8a05931f7ee9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2ngyvVV7dJO6OtglcMSf7qXCqxI>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 07:45:56 -0000

Hi,

Since the "authorization_details" parameter is newly introduced I feel it
would be better to show how this is used with the existing authorization
request at the beginning of the specification. Maybe a small sample of the
complete authorization request in the "introduction" section.

Also, in the "Security Considerations" section it says

Authorization details are sent through the user agent in case of an

OAuth authorization request, which makes them vulnerable to

modifications by the *user*.


Do we really need to worry that the "authorization_details" could be
manipulated by the user(Resource Owner) as the client is trying to access
the users' resources which the user is giving consent to? Also, the
resulting token will contain the given permissions as well.

Best Regards,
Janak Amarasena

On Sat, Sep 21, 2019 at 11:21 PM Torsten Lodderstedt <
torsten@lodderstedt.net>; wrote:

> Hi all,
>
> I just published a draft about “OAuth 2.0 Rich Authorization Requests”
> (formerly known as “structured scopes”).
>
> https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>
> It specifies a new parameter “authorization_details" that is used to carry
> fine grained authorization data in the OAuth authorization request. This
> mechanisms was designed based on experiences gathered in the field of open
> banking, e.g. PSD2, and is intended to make the implementation of rich and
> transaction oriented authorization requests much easier than with current
> OAuth 2.0.
>
> I’m happy that Justin Richer and Brian Campbell joined me as authors of
> this draft. We would would like to thank Daniel Fett, Sebastian Ebling,
> Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable
> feedback during the preparation of this draft.
>
> We look forward to getting your feedback.
>
> kind regards,
> Torsten.
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **New Version Notification for
> draft-lodderstedt-oauth-rar-02.txt*
> *Date: *21. September 2019 at 16:10:48 CEST
> *To: *"Justin Richer" <ietf@justin.richer.org>;, "Torsten Lodderstedt" <
> torsten@lodderstedt.net>;, "Brian Campbell" <bcampbell@pingidentity.com>;
>
>
> A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
>
> Name: draft-lodderstedt-oauth-rar
> Revision: 02
> Title: OAuth 2.0 Rich Authorization Requests
> Document date: 2019-09-20
> Group: Individual Submission
> Pages: 16
> URL:
> https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
> Status:
> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02
>
> Abstract:
>   This document specifies a new parameter "authorization_details" that
>   is used to carry fine grained authorization data in the OAuth
>   authorization request.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>