IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

Pedro Igor Silva <psilva@redhat.com> Mon, 22 April 2019 16:58 UTC

Return-Path: <psilva@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 757EB120261 for <oauth@ietfa.amsl.com>; Mon, 22 Apr 2019 09:58:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEHwY2aEhkI5 for <oauth@ietfa.amsl.com>; Mon, 22 Apr 2019 09:58:26 -0700 (PDT)
Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71755120091 for <oauth@ietf.org>; Mon, 22 Apr 2019 09:58:26 -0700 (PDT)
Received: by mail-vk1-f181.google.com with SMTP id q189so2534591vkq.11 for <oauth@ietf.org>; Mon, 22 Apr 2019 09:58:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/cdjuO3zjjO8Nw9GiGqmTn6y5eSob/Bsjv2lFeEm2co=; b=kXgW+K3LBfmJTojBVnyGiI0Zr9QXNHaxbEha2iZbyM+h0T4ndBeWmhPqxBaEobsMuU gf/xoWUIDUT7KcVM7Q1o+TOiVgS0L0WQW4zmMZk+Ee8icr9aD5TBRR4i2xhAjsmQ2qZY L6AdfpUI2Yim8nlY5bKA3EtyhotGqe9qaTvoRhWtpJbjefkgRzHZu5u/rqupJqQ2s0Wm Hzs2EXCZO+xpNwCOj9lwZPMK/4H30LU6A9Sj5o4Ohsk4sMV5paTptw+zQ/rxLTa4lJPM OYm+37+je6FLXZX463hrHh4niFwq7nQP6vrIPHW/AOrTN2aTH09Djn8sncdFe/Qu7dwa +RPQ==
X-Gm-Message-State: APjAAAUPRvOV7RPnlQfUjF6zPMQxObfnj+SPHAo/GA4WKIDJOaRdv0wS OWlHj2od4fQN/Kr9U+83+UPQqwBKUjslx++3s3Pgtg==
X-Google-Smtp-Source: APXvYqxCbhmXpFgo68ofpoVGD58fTfbQvMcMHg7Akf3E6UvGtsMNRr1EFYs+/hnWei6z9M54DVw/7uz79DfS6e1Qsao=
X-Received: by 2002:ac5:cac5:: with SMTP id m5mr10430498vkl.50.1555952305291; Mon, 22 Apr 2019 09:58:25 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAJrcDBfmhR5Fx1okJv7xdgATytDTA8rhBZNJJviY39WGK06uPw@mail.gmail.com> <2261EA43-063D-4EA5-A55B-15235D5E525E@lodderstedt.net>
In-Reply-To: <2261EA43-063D-4EA5-A55B-15235D5E525E@lodderstedt.net>
From: Pedro Igor Silva <psilva@redhat.com>
Date: Mon, 22 Apr 2019 13:58:14 -0300
Message-ID: <CAJrcDBcm0x6zzWYBxjh4B8EJQozFC1ciyx5_j2rnW8DBLGqUCg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071e53105872160c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5hsUgHi16zC0ZjmhFsJktF7XoS0>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 16:58:33 -0000

On Mon, Apr 22, 2019 at 1:33 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi Pedro,
>
> > On 22. Apr 2019, at 16:34, Pedro Igor Silva <psilva@redhat.com> wrote:
> >
> > Hi Torsten,
> >
> > Great article, thanks for sharing it.
>
> my pleasure :-)
>
> >
> > We have been working on a solution for fine-grained authorization using
> OAuth2 but specific for first-party applications where the granted
> permissions/scopes depend on the policies associated with the
> resources/scopes a client is trying to access. We don't have extensions to
> the authorization endpoint but a specific grant type for this purpose on
> the token endpoint.
> >
> > The solution is similar to the Lodging Intent Pattern but also based on
> specific parts of UMA and ACE.
> >
> > Basically, when a client first tries to access a protected resource the
> RS will respond with all the information the client needs to obtain a valid
> token from the AS. The information returned by the RS can be a
> signed/encrypted JWT or just a reference that later the AS can use to
> actually fetch the information. With this information in hands, clients can
> then approach the AS in order to obtain an access token with the
> permissions to access the protected resource.
> >
> > The general idea is to empower RSs so that they can communicate to the
> AS how access to their resources should be granted as well as decoupling
> clients and RSs so that clients don't need to know the constraints imposed
> by the RS to their protected resources (e.g. scopes).
>
> Sounds very much like UMA2. The difference I see is the RS needs to be
> heavily involved in the authorization process (whereas the approaches I
> discussed leave it passive). How would you handle the use cases I
> described? So for example, how would you construct the JWT for the
> signature use case? I’m asking because the signing case uses more data in
> the authorization process and might bundle the request to sign multiple
> documents, even if the first signing request would only need the hashes or
> even just a single hash of a document.
>

Yes, it does. Like I mentioned, the model is based on UMA (Permission
Ticket/API) as well as ACE (Unauthorized Resource Request Message). I had
talked with UMA WG in the past about this solution and how we extended the
specs to solve this type of problem.

By being active during the authorization process the RS is in control over
additional claims that should be considered by the policies when making
decisions about the resources/scopes a client/user can access. Where the
information could be obtained from different sources such as the current
HTTP request or internally/externally to the RS.

We did not have much demand for addressing the signature use case, but use
cases similar to the "payment" use case. As I mentioned, the model I'm
talking about is not based on user consent. But considering that you can
also pass any information to the AS, you should be able to let users to
authorize the creation of signatures for one or more documents.


>
> >
> > I've started to write a document with this idea in mind and I'm happy to
> share it with you and see what you think.
> >
>
> Look forward to reading your article.
>
> best regards,
> Torsten.
>
> > Best regards.
> > Pedro Igor
> >
> > On Sat, Apr 20, 2019 at 3:21 PM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> > Hi all,
> >
> > I just published an article about the subject at:
> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>
> >
> > I look forward to getting your feedback.
> >
> > kind regards,
> > Torsten.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email