Re: [OAUTH-WG] OAuth 2.1 & B2E apps (Jaap Francke)
Jaap Francke <Jaap.Francke@mendix.com> Mon, 17 April 2023 14:14 UTC
Return-Path: <Jaap.Francke@mendix.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD07C15171E for <oauth@ietfa.amsl.com>; Mon, 17 Apr 2023 07:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.086
X-Spam-Level:
X-Spam-Status: No, score=-7.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_MIME_MALF=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mendix.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqL_nwsX4LDX for <oauth@ietfa.amsl.com>; Mon, 17 Apr 2023 07:14:01 -0700 (PDT)
Received: from EUR03-AM7-obe.outbound.protection.outlook.com (mail-am7eur03on2060a.outbound.protection.outlook.com [IPv6:2a01:111:f400:7eaf::60a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC620C14CE52 for <oauth@ietf.org>; Mon, 17 Apr 2023 07:14:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pgj4P/oMJT+AGWQWo6bwbP5BooXVYqA+eHFcg2cpc+4U6zdKRBlnNnrMPo7gnG86ib8STrr84lu8jyH++rVy6flkqAGv5aIu4Mfosk8uO7jt8LbuRYlac4qQMzqpVSXnPg7hXjhJXO93Q/roQFs/SFm8YR9kbfFQpi5rjS6pALxidPNZFo9OT74pFENaFTzzavxOcvsHHUKLU+Y31KcY89OmpT8/RhtphjlZcpZr3nATWTAhbRnHUYsKuUjuB2gtrSlhCZVYzBNgauSmTwglFdo8glU67oaSoqute3hi4pxcmBgmhbfaVArpcZWPv1nUbx1givDlcMaGffre1FZYIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eiTU29E8XpE7R0U+ULkl4mFEOGCeujpb+ARaWvHmD9U=; b=ZlFfMjQgioV+Ql+pK+6Qabmy4rf0FW8NP6u8CgngpXu8BZHOeMDRxJ2Pe1haj4DW+mIuAHatKV+zFEiWJ8YEBU+nWO/PEKSfMkvuAy97pjVH7b08SlHhIt6ipdKOpVD56ruFw534UN+yT5xZWYAjS3z6V5CGhfzRP0kEDwwLcQ92JK9qLw9w8uYWpKzpMn1h2n/9s2SxArEWFlXIfbWDlJbhxY2MA4ODwfczrGLM4L1zV2kIcQxH2YJlSKExAiyk0cVJAr9DfjICo90SkAV+8ZUkBQdTOYL0dffCaMAr4ML6602XYGU1Rudt9TUG8S8JW/8K64m5SpIKZvIf9jg52g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mendix.com; dmarc=pass action=none header.from=mendix.com; dkim=pass header.d=mendix.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mendix.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eiTU29E8XpE7R0U+ULkl4mFEOGCeujpb+ARaWvHmD9U=; b=eXr+4AfI5qRpFbM3H4nhAqzYhRKZBb4LLKXMLhw690ceOEn+rxdZgxDG11DGv0KIMZIoTiEd+aI7+APXVS/sD7JIDYWaDPccTmcdn7CyY6rQw+0yLQcvE8+tVFPy4ctAqFvxVyRRWLQL44kEypd7z8pYFACsh+8TKBQHWUtUSak=
Received: from AM0PR06MB4180.eurprd06.prod.outlook.com (2603:10a6:208:7a::24) by AM6PR06MB5704.eurprd06.prod.outlook.com (2603:10a6:20b:9e::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.30; Mon, 17 Apr 2023 14:13:55 +0000
Received: from AM0PR06MB4180.eurprd06.prod.outlook.com ([fe80::21ed:5be3:ea95:6506]) by AM0PR06MB4180.eurprd06.prod.outlook.com ([fe80::21ed:5be3:ea95:6506%5]) with mapi id 15.20.6298.045; Mon, 17 Apr 2023 14:13:55 +0000
From: Jaap Francke <Jaap.Francke@mendix.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth 2.1 & B2E apps (Jaap Francke)
Thread-Index: AQHZcTbXeVUxYhVHLU68e4wcxI59uQ==
Date: Mon, 17 Apr 2023 14:13:55 +0000
Message-ID: <AM0PR06MB41804ACDB9824FEB305E9C1FE49C9@AM0PR06MB4180.eurprd06.prod.outlook.com>
References: <mailman.9087.1677783578.24702.oauth@ietf.org>
In-Reply-To: <mailman.9087.1677783578.24702.oauth@ietf.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mendix.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AM0PR06MB4180:EE_|AM6PR06MB5704:EE_
x-ms-office365-filtering-correlation-id: da29efc3-96f7-4b49-3a5d-08db3f4dfa7c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lvFn0wrguPZFHUz4b36i1ohgp6dTZleX0wNLUVy9W/UVUlwMYR6hcozAXYDHrj6qeTzOqc5JnOAWmwDE0pLecVo05FAMDN/UE/VTq9dwQ6qW3qnoC5qa8w2Qz2snWwv6JS3KDrTbWYLsFUvUW0a2eb0T/rNviaxw9AW7fFLsqp8/RNxXYG+JzRIPEY9QCl6Y/Gx8T94dc6wNIYEhtNAVoOTJto2rFKCIRzfrI83t/IGKBTtHFWvikB3ACJyzcaXhODPYFXGhCRMeYG+//+39BWd1n7fJGVTemlqrOW4UCKGSgWPwi3RSaREMsTz1KLPKqq8xQSpzpVvzUJgSq+Zhj0o31Ru3IOauY7GOhp+UPEx/2YmAQ5v9gy2mfJ2GRrQ/hf/ZH1Bj2mCK5GYdVJhAHnIWt1V5tDqL9jErjpYGyLqGT4jFacF9aX6yxl9Re8LwP4SelPLTqprXvVHmJPgIDDIGXdBEcqd5oMNQgNPwn25U3xUqOSX5mcNxReBb3Phe99iOJzfQmul+zVYbOQPyWdNNMiC1+Zq8nC66Qs3tYHLde4EWsi+NyHW6/G8E5Wvw3WBRe5XWm2ogHAOtTLaDMKUZ3bKXxEkWccOP0U/UVys=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR06MB4180.eurprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(136003)(39850400004)(346002)(376002)(396003)(451199021)(316002)(38100700002)(6916009)(64756008)(66446008)(82960400001)(66556008)(66946007)(66476007)(76116006)(166002)(5660300002)(52536014)(7696005)(71200400001)(45080400002)(86362001)(966005)(41300700001)(9686003)(53546011)(6506007)(186003)(66899021)(38070700005)(2906002)(8676002)(83380400001)(8936002)(55016003)(478600001)(33656002)(122000001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: fTxce8Et82BZ290ubnXY/4o6nKIHDCqKTMkK/69k19YmrVoX6aMOJp9GVtVnky0A4lvP3hC2+gvwGCGAnUkrGeEyFpOSMPpINlqPZ4N2znHQKTkj1yvn+0FzYBmusXMvxt7YdXQX1rBWRvHfYMb3EITXrhGMCVaE++qSMRQnnzpOjTNGH7TMu1KA0gMMKjK37W/vnN3NMrpFnFJHGPuRIK4brRsPft3Vryl+0lmBVCTuySIlaw4jsDUWJAjJnKeWJ83C7UwKAj0MRnV/9/doHHZsnzm403Pz9776xmFQlf0Xq/jMkdmKvbj5yWurVAdu65U9k8I/l+dreNP/D4xzEcf7t+gZEe67avhsknEkYB5aqRnrdlk5q/obGyMxiL0+RjIwz+yMH0y/Or9HK4jpM2gqtfoVzvQtVxLRH0kT/Sr5TGOttY16UAbBn6P7tXTOl9LezaCaT2KdGWyn/KY+Q3aM9zUeFt43dJrqeSylm06+H8PROy3FA5IvKKfs4G52bpUVo1PmDNJgFe56MXCFm0nH2QyvVJzgnd51Z3GwvNTOX//j79LyBC6Tt1+dl3DWNE0ZVJb3KAMHScXHAQJ+JvkvjNZl/BiLwLY4KBvXQ7fKH46HopQRqHZFfC5xsyosIUG2szG9795BhJom+7ipehMe1b4o81TAPw2fjcOMwoJFFJa2KCCyoRzDQm1rsxXU8hLmklmFIAoCajSOAzFcgeuH7RZ7A7EgWaN8tDo9dmrG6jAbklnsHqSVibW4AQWG3BiGMvYhuFT6EkgakY2mvl6R6y+b9xm1lyMHz85/qYqBAREUe1ZR/FWqWNHV0AVTi0oCXbG6NAJmEa8StGG2gDUH+IdQWhJS7QKF6He03SVPqATI+xVcHffWrffw9MXbwUZKDXlwM2FlR9bz0mA1ZjCNfyGx2JezT18HhkPYchX+u7wu1qvM1jUNSY4U9l/ybwHRaStBzPx7yG4dEPECFbuT1ZgoHJ7JikZjVt59aOXOq2l0LSKVLhacC729IWOJuKY6bz2dIijHjeeqFHNoG8z5BvwfUC4ViP96ZcCe+fR+RkWdlQnfeJoKBLYgvmQuZwl0KS3fHJm8qiskgoA4hh/fr6/poFFI+ExcWiCKuhurUulefh7eG7ROWt72Bk4bO8THBK/OwyQp32hW+iT2GJf/GSPdAQBQi43n33Xh9tK1xGEHCSnNURVZUxTRQ5mX9w/CbFueMaWiTU9AgfyycQatrQC4ZAKxy9wcz/92T212Tsr0r4IEduUN4MxxbfOcUD9ktF9FRZ04fJihaA/caWJjzPyQWhqBNp9FcHbK0mkEYVU1QRe4sIBzbzj1H1Hh7aTsgTgy3YJIkFtcAzX9ho+G95mXJre4ZuUzrEp2zvlgJxi9JKIU36I7GPat/iCgfwNJzlE7C4zfVFQNfM7RfBPTD7Bee1fScGWR40YJAfIFrRbdhxtPUs41GuvEsQnjAfetpBF4iuSEcaXnNn4QWExfU7mLZoMSosRxJG0EmTb6kjzvP304vTHeovcoB8aDIRwuSsUULzaRhkJz7bVylVkoPjARfrec/3/oHuH8K8KE23tQyT7ugd3Ciq8yjIozZiGm/KIMTlSi+A032RL2dz08mBOcKI7XGWEMBeT9OVafvHo2LOEFj7Q6HbAbAGrp1327ATiJ1t2fkwPkIELvUQ==
Content-Type: multipart/alternative; boundary="_000_AM0PR06MB41804ACDB9824FEB305E9C1FE49C9AM0PR06MB4180eurp_"
MIME-Version: 1.0
X-OriginatorOrg: mendix.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR06MB4180.eurprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: da29efc3-96f7-4b49-3a5d-08db3f4dfa7c
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Apr 2023 14:13:55.0350 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b4e3c78d-8e3b-46d8-bc56-5540da23ba4d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +IlZb3VJu5a+HSp71YOmr2Q4AUuRdpOgWexHLpOtyYAT3VJQeuDEpcrr4FWB8R6eBfuh8e3qIGBy18g9QmCipw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR06MB5704
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7HtJGifW6TdNYFX344CVL20Y-9k>
Subject: Re: [OAUTH-WG] OAuth 2.1 & B2E apps (Jaap Francke)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2023 14:14:05 -0000
Hi all, Early March I shared the suggestion to make the abstract OAuth protocol description a bit more generic so it would not only have a fit with B2C use cases but would suit B2E use cases as well. I haven’t seen any response from you – I find myself wondering why. As my suggestion still makes sense to me, I’d appreciate a response. Thanks in advance! Cheers, Jaap From: OAuth <oauth-bounces@ietf.org> on behalf of oauth-request@ietf.org <oauth-request@ietf.org> Date: Thursday, 2 March 2023 at 20:00 To: oauth@ietf.org <oauth@ietf.org> Subject: OAuth Digest, Vol 173, Issue 7 Send OAuth mailing list submissions to oauth@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/oauth or, via email, send a message with subject or body 'help' to oauth-request@ietf.org You can reach the person managing the list at oauth-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of OAuth digest..." Today's Topics: 1. Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12 (Robert Sparks via Datatracker) 2. OAuth 2.1 & B2E apps (Jaap Francke) ---------------------------------------------------------------------- Message: 1 Date: Thu, 02 Mar 2023 10:41:34 -0800 From: Robert Sparks via Datatracker <noreply@ietf.org> To: <art@ietf.org> Cc: draft-ietf-oauth-step-up-authn-challenge.all@ietf.org, last-call@ietf.org, oauth@ietf.org Subject: [OAUTH-WG] Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12 Message-ID: <167778249416.23678.7058306125542432959@ietfa.amsl.com> Content-Type: text/plain; charset="utf-8" Reviewer: Robert Sparks Review result: Ready with Issues Summary: essentially ready but with issues to consider before being published as a proposed standard RFC. Issues: I expected to find some discussion of considerations of avoiding "step down" given the intuitive appeal to "step up". Can the client or Authorization server notice if the resource server has through whatever fault asserted that it will only accept the use of an authentication context class that is blatantly inferior to what has already been provided? And if they notice, what is expected to happen? Or is it expected that this is allowed, particularly when a short max_age is also supplied? The document also suggests that the client hold on to, and possibly re-use in the future, access tokens that have been challenged as having insufficient user authorization. Is this behavior something that follows a well-known and well-implemented pattern documented elsewhere? If so, a pointer would be useful. If not, this seems like something that deserves more discussion if not more definition. Nits: The reference to abr-twitter-reply will go away with the changelog when the RFC Editor removes it. It would be kind to acknowledge that in the note to the RFC Editor so that they know it's expected and don't have to ask. ------------------------------ Message: 2 Date: Thu, 2 Mar 2023 18:59:26 +0000 From: Jaap Francke <Jaap.Francke@mendix.com> To: "oauth@ietf.org" <oauth@ietf.org> Subject: [OAUTH-WG] OAuth 2.1 & B2E apps Message-ID: <AM0PR06MB418002174BF153ED05D93839E4AD9@AM0PR06MB4180.eurprd06.prod.outlook.com> Content-Type: text/plain; charset="windows-1252" Hi all, I?d like to pitch the idea of changing the abstract OAuth description to incorporate how OAuth is used in many B2E applications. In my view, OAuth 2.1 is a great opportunity to do so, without the need to make any changes in the core protocol itself, so nothing gets ?broken?. The 2.1 RFC would be just acknowledging how OAuth is already used widely today. To the best of my understanding, OAuth (as per RFC6749) originated from a Business-to-Consumer (B2C) context. The typical example that is frequently used to explain OAuth is about an enduser (resource owner) that can grant a printing service (client) access to their protected photos stored at a photo sharing service (resource server). What I see in everyday practice in the IAM field, is that OAuth is used for Business-to-employee (B2E) applications (often in combination with the OIDC extension). In this context, the enduser is not the resource owner. Instead, the company is owning the resources stored at its resource servers and employees (or other type of endusers) are granted access based on roles/rules implemented at the resource server. One may say that OAuth was not designed for such B2E scenarios, but I would say that the protocol is perfectly suitable. Practice proves this. I don?t have hard data to further prove my point but I expect OAuth is worldwide being used more often for B2E like applications than it is for B2C applications. The good news is that the narrative around the core specs can be re-written to make it more generally applicable without changing the protocol itself. I think this will be beneficial to anyone working with OAuth, newbies or experienced IAM workforce. In my view things will be easier to understand and closer to daily practice. The main changes I?m proposing for section 1 are the following. Changes in the rest of the draft RFC follow naturally. 1. In the introduction I would add: ?A different example is: an employee (enduser) can use an application (client) to access resources that are under control of his employer (resource owner).? 2. I would also add: ?Besides delegating user authentication to the authorization server, the authorization server can arrange for an authorization decision through a process that involves neither client application nor service. If the enduser is the resource owner, the authorization server obtains an authorization grant from the enduser. If a different entity is the resource owner, the authorization server may make an authorization decision based on prearranged rules or roles.? 3. In section 1.1, I would propose to define 5 roles instead of 4. OAuth defines five roles: ?enduser?: Person that uses a client application to access protected resources on their behalf. "resource owner": An entity capable of granting access to a protected resource. The resource owner may be the enduser or it may be a different person or it may be an organization. This is sometimes abbreviated as "RO". "resource server": The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. The resource server is often accessible via an API. This is sometimes abbreviated as "RS". "client": An application making protected resource requests on behalf of the enduser and with the resource owner?s authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices). "authorization server": The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization from the resource owner or making an authorization decision on behalf of the RO. This is sometimes abbreviated as "AS". 1. Mostly the term resource owner needs to be replaced with ?enduser? except when it is about authorization. 2. In section 1.2, I propose to revise the abstract protocol flow description to say that it?s the authorization server that somehow obtains/makes an authorization decision. In the current abstract description of the OAuth flow it is the client that obtains the authorization. However in the actual grant flows there is never such interaction between client and resource owner. Neither in the Authorization Code flow nor the Client Credential flow. In fact it?s always the AS that somehow arranges for an authorization decision: in AC flow, the AS may get consent from the enduser/RO and in the CC flow it is based on a previous arrangement. I think the following alternate abstraction would have a better fit with the various grant flows: ?1. The client requests authorization from the authorization server. 2. The authorization server obtains an authorization decision from the resource owner. This decision can be obtained by interaction with the resource owner or can be made made using logic that was pre-arrenged with the resource owner. 3. The client receives [?etc?]? Furthermore, I think that my proposal opens up OAuth for more scenarios, such as one consumer may granting another consumer access to its resources (UMA-like) and the AS would have a match with the concept of a Policy Decision Point (as per XACML specs). I?m very curious to see your feedback on my proposal. Do you agree with my point of generalizing beyond B2C? Do you agree that Oauth 2.1 is the right opportunity to generalize OAuth from B2C to a wider set of scenarios? Kind regards, Jaap Francke Product Manager IAM +31(0)641495324 mendix.com [signature_827714327]<http://www.mendix.com/> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20230302/6a18cfb7/attachment.htm> -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 9766 bytes Desc: image001.png URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20230302/6a18cfb7/attachment.png> ------------------------------ Subject: Digest Footer _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ------------------------------ End of OAuth Digest, Vol 173, Issue 7 *************************************
- Re: [OAUTH-WG] OAuth 2.1 & B2E apps (Jaap Francke) Jaap Francke
- Re: [OAUTH-WG] OAuth 2.1 & B2E apps (Jaap Francke) Warren Parad