Re: [OAUTH-WG] Benjamin Kaduk's Yes on draft-ietf-oauth-token-exchange-17: (with COMMENT)

[Benjamin Kaduk <kaduk@mit.edu>]

On Sun, Jul 07, 2019 at 09:32:15AM -0400, Brian Campbell wrote:
> On Sat, Jul 6, 2019 at 2:42 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> >
> > > Not to my recollection. I'm honestly not even sure what an array would
> > mean
> > > for "may_act". Do you mean for "act"?
> >
> > Currently we can say that admin@example.com "may act" as user@example.com.
> > But IIUC we don't have a way to say that either admin1@example.com or
> > admin2@example.com may do so.  An array would let us indicate multiple
> > authorized parties.  I'm reluctant to actually make such a change at this
> > point, though, since this is already deployed some places, right?
> >
> 
> Okay, sorry, I'm a bit slow but I follow you now.
> 
> Indeed this has been deployed in a number of places already. I'd honestly
> don't know if anyone is making use of this particular claim but changing
> from an object to array of objects would be a breaking change. And a
> breaking change is something I'd really like to avoid unless there's a very
> compelling reason to do so.  And while your point here is taken, I don't
> think it rises to that level of compelling.
> 
> I see two options at this point:
> 1) leave it as is
> 2) adjust the language around  "may_act" such that it could also identify
> an eligible group - this would allow for it to indicate multiple authorized
> parties but just not by one by one name, which is maybe more desirable
> anyway
> 
> What do you think?

Either option is fine with me.  I don't remember how much precedent we have
in the OAuth ecosystem for groups that are  identified in  this manner, but
if it's a fairly common thing that seems to be slighly preferred.
(Even if we go with (1) and this does become an issue at some point, it
shouldn't be too hard to add a "may_also_act" or similar with the array
semantics.)

-Ben