Re: [OAUTH-WG] Transaction Authorization with OAuth
Steinar Noem <steinar@udelt.no> Mon, 22 April 2019 08:38 UTC
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
In-Reply-To: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
From: Steinar Noem <steinar@udelt.no>
Date: Mon, 22 Apr 2019 10:38:31 +0200
Message-ID: <CAHsNOKdsdmqK3tCXGyqHtSOY3qtEjbm5UN434y6eTSAwoBiJow@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7bZ19PqUYjtCMbINbRpKSkWks-k>
Hi Torsten,

thank you for writing this clarifying article :)

In the health sector in Norway we are facing similar challenges regarding the need for contextual information. At the time, our planned solution is to package this information as custom claims in request objects, e.g. "helse:client/claims/xxxx", but after reading your article I realize that the structured scope approach makes a lot more sense and, as you stated in the article, pushing the request objects mitigates the issues with request size and complexity on the client side.

In our case we may also have a requirement to encrypt the pushed request object due to potentially sensitive content.

- Steinar

On Sat, 20 Apr 2019 at 20:21, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi all,
>
> I just published an article about the subject at:
> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>
> I look forward to getting your feedback.
>
> kind regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Kind regards
Steinar Noem
Partner, Udelt AS
Systems developer | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no
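As an added illustration of the two points in the message above (contextual information carried as a structured scope inside a signed request object, and the size and complexity difference between sending that object by value and pushing it to the authorization server), here is a self-contained Python sketch. It is not code from this thread, from the article, or from any real deployment: the claim name `structured_scope` is assumed following the article's proposal, the health-context values and the `as.example` / `client.example` endpoints are constructed, and HS256 with a shared secret stands in for the asymmetric signature a real client would use so that the example runs on the standard library alone. Encryption of the pushed object (JWE) is not shown, since the standard library has no AEAD cipher.

```python
"""Signed request object with a structured scope: by value vs. pushed."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed values for the example (not from the thread or any real deployment).
CLIENT_ID = "example-ehr-client"
CLIENT_SECRET = b"constructed-hs256-secret-for-the-example-only"
AUTHORIZE_ENDPOINT = "https://as.example/authorize"          # hypothetical AS
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"   # prefix used for pushed requests
_PUSHED = {}   # in-memory stand-in for the AS side of the push endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) over the request-object claims. HMAC keeps the
    example stdlib-only; a real client would sign with its private key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def verify_request_object(jwt: str, key: bytes, expected_client_id: str) -> dict:
    """AS-side checks: pinned alg, valid MAC, client_id binding, scope shape."""
    try:
        h, p, s = jwt.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("client_id") != expected_client_id:
        raise ValueError("client_id mismatch")
    if not isinstance(claims.get("structured_scope"), dict):
        raise ValueError("structured_scope must be a JSON object")
    return claims


def build_request_object() -> dict:
    """Constructed request object; context travels in 'structured_scope'
    (claim name assumed, following the article's proposal)."""
    return {
        "iss": CLIENT_ID,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": "https://client.example/cb",   # hypothetical
        "structured_scope": {
            "patient_record": {
                "actions": ["read"],
                "context": {"purpose_of_use": "treatment", "care_unit": "ward-7"},
            }
        },
    }


def authorize_url_by_value(jwt: str) -> str:
    """Whole request object rides in the front channel (long, browser-visible)."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request": jwt})


def push_request_object(jwt: str) -> str:
    """Client pushes the object over the back channel; AS returns a one-time URI."""
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(16)
    _PUSHED[request_uri] = jwt
    return request_uri


def authorize_url_by_reference(request_uri: str) -> str:
    """Front-channel request now carries only the reference."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request_uri": request_uri})


def resolve_pushed_request(request_uri: str) -> str:
    """AS side: look up and consume the pushed object (single use)."""
    try:
        return _PUSHED.pop(request_uri)
    except KeyError:
        raise ValueError("unknown or already used request_uri") from None


if __name__ == "__main__":
    token = sign_request_object(build_request_object(), CLIENT_SECRET)
    uri = push_request_object(token)
    print(len(authorize_url_by_value(token)), "chars by value")
    print(len(authorize_url_by_reference(uri)), "chars by reference")
    print(verify_request_object(resolve_pushed_request(uri), CLIENT_SECRET, CLIENT_ID)["structured_scope"])
```

The by-reference URL stays short no matter how much context the structured scope carries, and because the object never passes through the browser the sensitive content Steinar mentions is exposed only on the back channel; the AS still validates the object exactly as it would one sent by value, and consumes each `request_uri` once.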