IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

Steinar Noem <steinar@udelt.no> Mon, 22 April 2019 08:38 UTC

Return-Path: <steinar@udelt.no>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9427D120059 for <oauth@ietfa.amsl.com>; Mon, 22 Apr 2019 01:38:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.639
X-Spam-Level:
X-Spam-Status: No, score=-1.639 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=udelt-no.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4_UZ6_W_l0A for <oauth@ietfa.amsl.com>; Mon, 22 Apr 2019 01:38:43 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D2AC120043 for <oauth@ietf.org>; Mon, 22 Apr 2019 01:38:42 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id v7so7968308oie.8 for <oauth@ietf.org>; Mon, 22 Apr 2019 01:38:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=udelt-no.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=glvGZQg8Q/uEQuQrxiOjy1NCYpSr8om7vh1CzjcNDLU=; b=cHj0mNf7YNr1ZWBe2UjDthl1VyoinPghVYW/BQF/RMvfuA0XIkA+V5ijP75AJJgdX5 crMQrJVe2HOVbyVSt5ji+Kz1o8/lxhErPX2IJfPAaMFgp0gafTdF7Vt1SkLc7bFH01AB e3dw3zKHzpY5XuJ3j64bYwQSm0Wki9VNqOL6dyE0qqX/PYR/D2wVUe4gE+2Xbs6Xf/4L 0kJ7tSSfSY68TI+ymEew1Ci19yvRCWgXi5CwzhQFo8DpLgMRBLwpYEr8DFbB/g4vrx8R AZSCA2ZanoATmQZqRhbnEgfANpN0+WL+GG8MrUM/akn3lRLCGVCsqirwD2g1aHCD0Ju1 9u/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=glvGZQg8Q/uEQuQrxiOjy1NCYpSr8om7vh1CzjcNDLU=; b=Z7bqEnQTlw5uD0ixA2zIOxAKY+d3aznjn/MyHe6VgD4eRaTz2JV5c+Ull2dAiI73ED oFgL47SANfwzUx+7GO7tHzrsRPg0Ih/6a0+Xk6TB5iyBDL/bn0kaGl3IvX+wvaSeJhrN h/FtV1NLOiz30P5E2mR/McrLyNbDhXLS3y0gYfrVb4/5u7jf6RLpCmXqjhw6lQR8gHCn +3uu/UfEgpntmptGoSTlPYOEvIGXfNCJS+Vz1eFCtJak/HInXm2nI284Ywo6XGsuZcs+ bZco1+7W+MFJSkE6964sETnpUdCrbq+2tnRGGf/PiDUK3o0q9ttARz9oekuqnstmR2Xs s07A==
X-Gm-Message-State: APjAAAXkFAH4iYHpQ5fn/pKWQj8Gok3L5pqVlihUzx6QaqLz1XhRc7TY OKK5p24Xry4bHOUv+/EkkB37kkwdjnUGKD4nhIlnMN9r2u8=
X-Google-Smtp-Source: APXvYqwXQx6XgZ9gvGIZZZ0Uxf7/+ef6OFYf1k2TasybiJlv6R3m50k9S+AxHSEyrWmmf2B8dnPz7+YZJEuc35iuzaw=
X-Received: by 2002:aca:df55:: with SMTP id w82mr9638190oig.113.1555922322003; Mon, 22 Apr 2019 01:38:42 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
In-Reply-To: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
From: Steinar Noem <steinar@udelt.no>
Date: Mon, 22 Apr 2019 10:38:31 +0200
Message-ID: <CAHsNOKdsdmqK3tCXGyqHtSOY3qtEjbm5UN434y6eTSAwoBiJow@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004d2cee05871a656c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7bZ19PqUYjtCMbINbRpKSkWks-k>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 08:38:45 -0000

Hi Torsten, thank you for writing this clarifying article :)

In the health sector in Norway we are facing similar challenges regarding
the need for contextual information.
At the time, our planned solution is to package this information as custom
claims in request objects - e.g.: “helse:client/claims/xxxx”, but after
reading your article I realize that the structured scope approach makes a
lot more sense and, as you stated in the article, pushing the request
objects mitigates the issues with request-size and complexity on the client
side.
In our case we may also have a requirement to encrypt the pushed request
object due to potential sensitive content.

- Steinar


lør. 20. apr. 2019 kl. 20:21 skrev Torsten Lodderstedt <
torsten@lodderstedt.net>:

> Hi all,
>
> I just published an article about the subject at:
> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>
>
> I look forward to getting your feedback.
>
> kind regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
Vennlig hilsen

Steinar Noem
Partner Udelt AS
Systemutvikler

| steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |

v2.23.0 | Report a Bug | By Email