IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

Brian Campbell <bcampbell@pingidentity.com> Wed, 20 June 2018 21:58 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 165C6130EC4 for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2018 14:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFOt4xxpG9bg for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2018 14:58:37 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27557130EBF for <oauth@ietf.org>; Wed, 20 Jun 2018 14:58:37 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id l25-v6so1120534ioh.12 for <oauth@ietf.org>; Wed, 20 Jun 2018 14:58:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2+RPUhPRKgcxiueeL7YkfGkg7vel4NjBdZZL198pJWY=; b=oMcAmjjkqa4kE8QQ/gMkaDD/63BPVcYK5555fQ2SUkkig5gB6MFVUFe3sW+j1R5dZ+ ZS4m7Y73n7L8ypXQrEbW9F64HzeT6LPWerSbhvjAa1ssZ+UVpONcMIl5DlmU8/IOgjgB 8seUQ3FhTun4VUs4ys2X1D71YC/ZAG3UaoEDQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2+RPUhPRKgcxiueeL7YkfGkg7vel4NjBdZZL198pJWY=; b=HTtasgQEIOF/l95gjX/+AyKs/ikB8SYj6B0H2QZQQJWJ/O9Om7QtjYvo28zhhYCIdo 7vxuHnYELmX+bx6QW2c5uHJcBivSdzYf8gv8JZ1fEAcq/JzrmfdwYioa4HNGsczwFl1R D0habCF5ByiJGapkHAqPXN7Ig//PdqRkwphyEzfLE4X9YKZ5ncoQ0O3a0hXz4pEhyGqz Zkt3NxHik0p0uUeYV9zMZV0FeLsXEjrmf0SUCM0VSsZ2sdZwZoQjhrnuueBiCfxM4yfk BIaZRj2/EGK9fgIeVkhn4y52NRPbYkB2sqV/r+cxUICnquZZM98/sv0GeUza6MVrTIGg ZSRw==
X-Gm-Message-State: APt69E0d1UpqfKS25GfDUCcwcaEmABRvp1kGFotFNqJou655GqRhxDvp x4jLmLNZvWOfeaeR4kFFsrVJlODNdzdMKyTQ8c6oo1ORYlCrGxmFwUTNPiozM+ilFoefIurU+rq qY5zBNB5Cizt5oA1z
X-Google-Smtp-Source: ADUXVKKQ7g1vdwfh66Bg741SgM6Wivj93WWf85ZgRJRB8FiHpUG402Llz+LyPU0G7DAXPNHO1fXr63Pr+r5o5Au/evM=
X-Received: by 2002:a6b:284b:: with SMTP id o72-v6mr18461159ioo.168.1529531916209; Wed, 20 Jun 2018 14:58:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:9785:0:0:0:0:0 with HTTP; Wed, 20 Jun 2018 14:58:05 -0700 (PDT)
In-Reply-To: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Jun 2018 15:58:05 -0600
Message-ID: <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a0eb3056f19e6e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3dstgMCY3eDZXAZOgCIf6zvUlHs>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 21:58:40 -0000

In my own personal and humble opinion, Torsten, what you describe as "(1)
Parameter is part of the scope value" is the most natural approach and
works without needing changes to, or going outside of, RFC6749 The OAuth
2.0 Authorization Framework. There may be AS implementations that have made
assumption about scope values being static (I know of at least one!) but
that's an implementation/feature issue, which can change, and not a spec
issue.

The OIDC "claims" parameter is already a bit of a hairy beast and I think
using it and the ID Token to convey more dynamic access/authorization is
blurring the line between authorization and authentication a bit much.
Also, as others have pointed out, OIDC isn't always in play - particularly
for regular old authorization cases.

An additional query parameter might be simple for a one-off case but it's
nonstandard and not very repeatable.


On Mon, Jun 18, 2018 at 9:34 AM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi all,
>
> I have been working lately on use cases where OAuth is used to authorize
> transactions in the financial sector and electronic signing. What I learned
> is there is always the need to pass resource ids (e.g. account numbers) or
> transaction-specific values (e.g. amount or hash to be signed) to the OAuth
> authorization process to further qualify the scope of the requested access
> token.
>
> It is obvious a static scope value, such as „payment“or „sign“, won’t do
> the job. For example in case of electronic signing, one must bind the
> authorization/access token to a particular document, typically represented
> by its hash.
>
> I would like to get your feedback on what you consider a good practice to
> cope with that challenge. As a starting point for a discussion, I have
> assembled a list of patterns I have seen in the wild (feel free to extend).
>
> (1) Parameter is part of the scope value, e.g. „sign:<hash_to_be_signed>“
> or "payments:<payment_resource_id>" - I think this is an obvious way to
> represent such parameters in OAuth, as it extends the scope parameter,
> which is intended to represent the requested scope of an access token. I
> used this pattern in the OAuth SCA mode in Berlin Group's PSD API.
>
> (2) One could also use additional query parameter to add further details
> re the requested authorization, e.g.
>
> GET /authorize?
> ....
> &scope=sign
> ....
> &hash_to_be_signed=<hash_to_be_signed>
>
> It seems to be robust (easier to implement?) but means the scope only
> represents the static part of the action. The AS needs to look into a
> further parameter to fully understand the requested authorization.
>
> (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to
> carry additional data.
>
> Example:
>
> "claims": {
>     "id_token": {
>         "acr": {
>             "essential": true,
>             "value": "..."
>           },
>         "hash_to_be_signed": {
>             "essential": true,
>             "value": "<hash_to_be_signed>"
>         }
>     },
>     "userinfo": {
>         "hash_to_be_signed": {
>             "essential": true,
>             "value": "<hash_to_be_signed>"
>         }
>     }
>   }
>
> I‘m looking forward for your feedback. Please also indicated whether you
> think we should flush out a BCP on that topic.
>
> kind regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email