Re: [OAUTH-WG] PAR Shepherd Review
Brian Campbell <bcampbell@pingidentity.com> Tue, 10 November 2020 16:10 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 10 Nov 2020 09:10:28 -0700
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <AM0PR08MB37165B2123C9848795F47477FAE90@AM0PR08MB3716.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6zmQRYifW6H6iAI9irNTlFfgkBo>
On Tue, Nov 10, 2020 at 2:44 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

> Hi all,
>
> I am in the process of writing my shepherd write-up for the PAR document
> and wanted to make sure that I properly understand the document.
>
> The introduction says:
>
> “
> This document [PAR] complements JAR by providing an interoperable way to
> push the payload of an authorization request directly to the
> authorization server in exchange for a "request_uri" value usable at
> the authorization server in a subsequent authorization request.
> “
>
> JAR provides the ability to send Authorization Request parameters in a JWT
> format protected with JWS and optionally JWE. It allows the JAR to be
> conveyed by value and by reference but does not define how the client would
> upload the JAR and how to obtain the reference.

For pass-by-reference JAR really only covers the case where the client hosts the request object at some HTTPS URL that it controls and the value of that URL is the request_uri. PAR defines how the AS can host/hold the authorization request data and how a client can deliver it directly to the AS.

> PAR defines how the client uploads the request object and how to obtain
> the reference. It relies primarily on TLS to protect the communication but
> mentions that it is possible to also use the JWT-based approach suggested
> by JAR.

Primarily TLS but also client authentication. A JWT request object can also be used.

> Both drafts claim to have solved the security issues of protecting the
> communication through the user agent.

JAR is really the one that solved that. PAR provides a simple interoperable way for a client to use JAR's request_uri by 'pushing' the content of an authorization request directly to the AS and getting a request_uri reference value in exchange.

> Is this a correct summary?

I think so, yes, along with my notes/clarifications.
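The push-then-reference exchange discussed in this thread, written out as an added example. This is not code from the thread, from the PAR draft (now RFC 9126) or from any of its authors; it is an in-process Python sketch of both sides: the client pushes its authorization request parameters to the AS's PAR endpoint under client authentication, gets back a request_uri reference, and sends only client_id plus that reference through the user agent, which is the JAR request_uri usage Brian describes. On the AS side it shows the checks a practitioner would expect that endpoint to enforce: client authentication, no request_uri inside the pushed body, and a reference that is randomly generated, bound to the pushing client, expiring and single-use. The client_id and secret, the hostnames as.example.com and client.example.org, the 60-second lifetime, the shared-secret authentication method and all function names are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# URN prefix the PAR spec recommends for AS-generated request_uri values.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class PARError(Exception):
    """Carries an OAuth error code such as 'invalid_client' or 'invalid_request'."""

    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


@dataclass
class PushedRequest:
    client_id: str      # client that authenticated when pushing the request
    params: dict        # the authorization request parameters that were pushed
    expires_at: float   # absolute expiry time in seconds


class AuthorizationServer:
    """Toy AS holding pushed authorization requests in memory (constructed example, not a real AS)."""

    def __init__(self, clients: dict, lifetime: int = 60, clock=time.time):
        self._clients = clients    # constructed registry: client_id -> client_secret (assumption)
        self._lifetime = lifetime  # how long a request_uri stays valid
        self._clock = clock        # injectable clock so expiry can be exercised offline
        self._store = {}           # request_uri -> PushedRequest

    def push_authorization_request(self, client_id: str, client_secret: str, params: dict) -> dict:
        """PAR endpoint (POST /as/par): authenticate the client, store the request, hand back a reference."""
        # The PAR endpoint requires client authentication; a shared secret stands in for
        # whatever method the client is registered with (assumption of this example).
        expected = self._clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise PARError("invalid_client")
        # A pushed request must not itself carry a request_uri.
        if "request_uri" in params:
            raise PARError("invalid_request")
        # A client_id in the payload must agree with the authenticated client.
        if params.get("client_id", client_id) != client_id:
            raise PARError("invalid_request")
        if "response_type" not in params:
            raise PARError("invalid_request")
        # The reference carries a cryptographically strong random part.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[request_uri] = PushedRequest(client_id, dict(params), self._clock() + self._lifetime)
        return {"request_uri": request_uri, "expires_in": self._lifetime}

    def resolve_request_uri(self, client_id: str, request_uri: str) -> dict:
        """Authorization endpoint side: look up the reference the browser redirect carried."""
        entry = self._store.pop(request_uri, None)  # single use: gone after the first lookup
        if entry is None:                           # unknown, already used, or previously rejected
            raise PARError("invalid_request")
        if entry.client_id != client_id:            # bound to the client that pushed it
            raise PARError("invalid_request")
        if self._clock() > entry.expires_at:        # expired references are refused
            raise PARError("invalid_request")
        return entry.params


def build_authorization_url(authorize_endpoint: str, client_id: str, request_uri: str) -> str:
    # Client side: the front-channel request carries only client_id and the reference.
    return authorize_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def _error_code(fn):
    try:
        fn()
        return None
    except PARError as e:
        return e.code


def run_demo() -> dict:
    """Walk the push -> redirect -> resolve flow plus the rejections the AS should produce."""
    now = [1_700_000_000.0]  # constructed, controllable clock
    client_id, client_secret = "s6BhdRkqt3", "cAwC2gd3"  # constructed credentials
    as_ = AuthorizationServer({client_id: client_secret}, lifetime=60, clock=lambda: now[0])
    pushed = {"response_type": "code", "redirect_uri": "https://client.example.org/cb",
              "scope": "account-information", "state": "af0ifjsldkj"}
    out = {}
    # Happy path: push, build the redirect, resolve exactly once.
    resp = as_.push_authorization_request(client_id, client_secret, pushed)
    out["request_uri_has_prefix"] = resp["request_uri"].startswith(REQUEST_URI_PREFIX)
    out["expires_in"] = resp["expires_in"]
    out["authorize_url"] = build_authorization_url("https://as.example.com/authorize", client_id, resp["request_uri"])
    out["resolved"] = as_.resolve_request_uri(client_id, resp["request_uri"])
    out["replay"] = _error_code(lambda: as_.resolve_request_uri(client_id, resp["request_uri"]))
    # Rejections at the PAR endpoint: bad credentials, and a request_uri nested in the push.
    out["bad_secret"] = _error_code(lambda: as_.push_authorization_request(client_id, "wrong", pushed))
    out["nested_request_uri"] = _error_code(lambda: as_.push_authorization_request(
        client_id, client_secret, dict(pushed, request_uri="https://client.example.org/req.jwt")))
    # A reference pushed by one client cannot be redeemed under another client_id.
    resp2 = as_.push_authorization_request(client_id, client_secret, pushed)
    out["wrong_client"] = _error_code(lambda: as_.resolve_request_uri("other-client", resp2["request_uri"]))
    # A reference past its lifetime is refused.
    resp3 = as_.push_authorization_request(client_id, client_secret, pushed)
    now[0] += 61
    out["expired"] = _error_code(lambda: as_.resolve_request_uri(client_id, resp3["request_uri"]))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints each outcome of run_demo(); the resolved entry is the full pushed parameter set, and every replay, cross-client, expired or mis-authenticated attempt comes back as the corresponding OAuth error code. The mismatch case consumes the reference on lookup rather than leaving it redeemable, which is the conservative choice for a single-use artefact.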