Re: [OAUTH-WG] Dynamic Scopes

David Waite <> Mon, 18 June 2018 18:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11E68130E2E for <>; Mon, 18 Jun 2018 11:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DgXKbbSjFOZk for <>; Mon, 18 Jun 2018 11:59:36 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 87E7D130E29 for <>; Mon, 18 Jun 2018 11:59:36 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:cd65:9d8a:6537:2e83] (unknown [IPv6:2601:282:202:b210:cd65:9d8a:6537:2e83]) by (Postfix) with ESMTPSA id D9FE531544; Mon, 18 Jun 2018 18:59:35 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
From: David Waite <>
In-Reply-To: <>
Date: Mon, 18 Jun 2018 12:59:34 -0600
Cc: oauth <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Torsten Lodderstedt <>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Jun 2018 18:59:40 -0000

One of the reasons I hear for people wanting parameterized scopes is to deal with transactions. I’d love to hear thoughts from the group on if/how OAuth should be used to authorize a transaction, vs authorize access to information/actions for a period of time. This approach for instance sounds like it is trying to scope down access to a single resource representing a transaction to be performed?

I also hear people wanting dynamic scopes to support a finer-grained access control, for instance not ‘allow moderation of chat rooms’ but rather the list of *specific* rooms. There is sometimes a case to be made that this would be better served as local state in the resource, or as the result of an API call, but there is value in some use cases to represent this as a finer-grained consent to the user.

I’ve seen parameterized scopes take the form of colon-deliminated name:param, as a function name(param), or as a URL https://nameurl?param=value.  The latter is recommended sometimes in specs like opened connect as a way to prevent conflicting vendor extensions.

In terms of requesting a parameterized scope - I prefer overloading scope (or perhaps claims when using connect) vs adding a new authorization request parameter - for one, use of authorization request parameters limits your grant type options unless you also define them as token request parameters for the other types. Second, the consent/business logic for determining which scopes a client get should already be a customization point for a reusable AS.


> On Jun 18, 2018, at 9:34 AM, Torsten Lodderstedt <> wrote:
> Hi all,
> I have been working lately on use cases where OAuth is used to authorize transactions in the financial sector and electronic signing. What I learned is there is always the need to pass resource ids (e.g. account numbers) or transaction-specific values (e.g. amount or hash to be signed) to the OAuth authorization process to further qualify the scope of the requested access token. 
> It is obvious a static scope value, such as „payment“or „sign“, won’t do the job. For example in case of electronic signing, one must bind the authorization/access token to a particular document, typically represented by its hash.
> I would like to get your feedback on what you consider a good practice to cope with that challenge. As a starting point for a discussion, I have assembled a list of patterns I have seen in the wild (feel free to extend). 
> (1) Parameter is part of the scope value, e.g. „sign:<hash_to_be_signed>“ or "payments:<payment_resource_id>" - I think this is an obvious way to represent such parameters in OAuth, as it extends the scope parameter, which is intended to represent the requested scope of an access token. I used this pattern in the OAuth SCA mode in Berlin Group's PSD API. 
> (2) One could also use additional query parameter to add further details re the requested authorization, e.g. 
> GET /authorize?
> ....
> &scope=sign
> ....
> &hash_to_be_signed=<hash_to_be_signed>
> It seems to be robust (easier to implement?) but means the scope only represents the static part of the action. The AS needs to look into a further parameter to fully understand the requested authorization. 
> (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to carry additional data. 
> Example:  
> "claims": {
>    "id_token": {
>        "acr": {
>            "essential": true,
>            "value": "..."
>          },
>        "hash_to_be_signed": {
>            "essential": true,
>            "value": "<hash_to_be_signed>"
>        }
>    },
>    "userinfo": {
>        "hash_to_be_signed": {
>            "essential": true,
>            "value": "<hash_to_be_signed>"
>        }
>    }
>  }
> I‘m looking forward for your feedback. Please also indicated whether you think we should flush out a BCP on that topic. 
> kind regards,
> Torsten._______________________________________________
> OAuth mailing list