IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 24 April 2019 17:08 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDECA1203CE for <oauth@ietfa.amsl.com>; Wed, 24 Apr 2019 10:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B02CDqk_hBea for <oauth@ietfa.amsl.com>; Wed, 24 Apr 2019 10:08:34 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6A91120226 for <oauth@ietf.org>; Wed, 24 Apr 2019 10:08:28 -0700 (PDT)
Received: from [84.158.239.111] (helo=[192.168.71.123]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1hJLNi-0006yJ-7x; Wed, 24 Apr 2019 19:08:26 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com>
Date: Wed, 24 Apr 2019 19:08:25 +0200
Cc: oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5UjOF7Q27pIBfnUVxmjmPP7B6bA>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 17:08:39 -0000

Hi Sascha,

I see. I assume every element within the structured scope element to be an independent scope (value) object and intended to use the name of that object as kind of content type definition. 

In my last example, the scope is defined as 

   "structured_scope":{  
      "sign":{  
         "credentialID":"qes_eidas",
         "documentDigests":[  
            {  
               "hash":
                 "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI=",
               "label":"Mobile Subscription Contract"
            }
         ],
         "hashAlgorithmOID":"2.16.840.1.101.3.4.2.1"
      },
      "payment":{  
         "type":"sepa-credit-transfer",
         "instructedAmount":{  
            "currency":"EUR",
            "amount":"123.50"
         },
         "debtorAccount":{  
            "iban":"DE40100100103307118608"
         },
         "creditorName":"Merchant123",
         "creditorAccount":{  
            "iban":"DE02100100109307118603"
         },
         "remittanceInformationUnstructured":"new Smartphone"
      }

This means “sign" and “payment" would determine the scheme of the respective object. 

What do you think?

best regards, 
Torsten. 

> On 23. Apr 2019, at 17:14, Sascha Preibisch <saschapreibisch@gmail.com> wrote:
> 
> Hi Torsten!
> 
> If 'structured_scope' would become a generic field for application
> specific content, I believe an indicator for the type of content would
> be needed on the long run. That is what I meant my 'profile'. I hope
> this helps!
> 
> Thank you,
> Sascha
> 
> Am Mo., 22. Apr. 2019 um 22:06 Uhr schrieb Torsten Lodderstedt
> <torsten@lodderstedt.net>:
>> 
>> Hi Sascha,
>> 
>>> Am 22.04.2019 um 20:34 schrieb Sascha Preibisch <saschapreibisch@gmail.com>:
>>> 
>>> Thank you for the article, Torsten!
>> 
>> my pleasure :-)
>> 
>>> 
>>> I like that 'scope' is out of the game for these kinds of authorizations.
>>> 
>>> What I can see for the general use case is a required identifier
>>> within the 'structures_scope' document that identifies the profile it
>>> should be used for.
>> 
>> What does profile mean in this context?
>> 
>> best regards,
>> Torsten.
>>> 
>>> Thank you,
>>> Sascha
>>> 
>>> Am Sa., 20. Apr. 2019 um 11:21 Uhr schrieb Torsten Lodderstedt
>>> <torsten@lodderstedt.net>:
>>>> 
>>>> Hi all,
>>>> 
>>>> I just published an article about the subject at: https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>>>> 
>>>> I look forward to getting your feedback.
>>>> 
>>>> kind regards,
>>>> Torsten.
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email