IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

George Fletcher <gffletch@aol.com> Fri, 22 June 2018 17:51 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02111130EBA for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 10:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1EVs9IF1jcAs for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 10:51:13 -0700 (PDT)
Received: from sonic310-14.consmr.mail.bf2.yahoo.com (sonic310-14.consmr.mail.bf2.yahoo.com [74.6.135.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F989130EB9 for <oauth@ietf.org>; Fri, 22 Jun 2018 10:51:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1529689872; bh=4JDshtI8nMTXvNQWKHMp4M6GqR4/zHdTYrfUhwL4GNo=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=F5et6O6cHcJeLIM/rF108jW1KfNp5HuH4qxnGIe2UE4cx9x+ziDdelKNDRtEfFBMm65ieT15PTRJ+RI/JU6zKUMQDaMqMrbJFc06xws9Jx3jov5NW750df55TZLmv0DOmvmxvmEnt7n7nVJtLoL5veJVy+1VTpqRIEOVuqkD2fvQKvhcQ1Z0RIqHxGvkO0+WNec1M+oJaEtECBmvNXyHociofp5Jgwjta9pPE9D5iRenB8qmw171W2A4h8MfpSveptc1PK6xOl02YQbgTGPLBgY40A4LLU4pfpNXnRz1+Cgn2bgFd6ixb2dAFFgGMcTlqmcqN6KiaYxIA57gfALZ3g==
X-YMail-OSG: m5YW91cVM1nuLSoK7ggSGNfHTxMX2.VOX6n1ANnu5ZiKpBe0lOmZ7jycqpE90Ia R_5_NPDvw5kXOiGjjGOiVdaEmmrhxX7sESeqna6kLfcolcjiZY36005f6fmW8X05GRnO0H1MCtg6 n0bNz8j_UVnuQRJr92TuLBSX9q.DDJsWxZM03xcz5u_gmdhKrcKca_4MU6HQjvpNbe36r8feDnrH hEXG6AhN1uyf6iiwzY.yMnwQ0kiei9iwDarV2Y3DYPqLOfs8w0UmwT0A78wpq2mD0jcrdD4FkZbA FPF3D7V0npN1.flgXXeqau2.j4i1w42Pz_GvYORNsjHh2ShITQqvbGw1wiykeUVLnzlEmOX8f.57 UWKrEZmT6OSrWsgc6HW5yhv0bjmG2sFnkHK0ILnudJrRA05.XJBxuf8U5bXjaJ5n0rGN1H6cNRQF ZAuUEJ0W269TrcXRnS7YhFPJh4eWgpwqAbLPiPngDSWxWcmA1Yg.TlTm1CyPekTMYBxR8grLRQ4g 3ZQCv6CIQpNHE1STeSpM_ALLQU_96.kaQsuutaDyqTjE2dZ1y9YA5x0v3P9lngHUFWnyMs_OTZxm zpceZDc5Lysbtg2u9TPl2eMFch_hJKQvX8hcDj4oX5KBm6YEar71_kqqrNJqzbMlORzxo7D_uYHf AneBmUcRwPXYfiseaPYvjKnM6LbWNtt3tWEQM_kvEIlHhmNysUaN0zsEZ13X17.WCpOipYRFSsxi VAkDI9QjJtQjSn3LyUZvr6UFjaRALp4MPK.s_eOlOaZnYHs3nOSRH7oIzb5hx7wS_ILBqMy0hFxf CCuzpwgR0qXw0vK4mRc30ZILQoO8OLAjrQTYRL5j9GqT4TA1HB4UsHe_fTbLJ5gWDLHQF1TNbNly 4dDKTKvofSPq45rexzByXN8AuOX0ZdV9wVXfx0EpA_aNtqeB9pnjOhzkCZiaT7Uc0cwSc2bTXFdr 2MDp45OlL1h9TKMEI6zhRIVbBeS96
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.bf2.yahoo.com with HTTP; Fri, 22 Jun 2018 17:51:12 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp411.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 8c63dc04a98f25548b6175346e6a43e7; Fri, 22 Jun 2018 17:51:08 +0000 (UTC)
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <b9e4115a-512d-3155-9023-604566d7190f@aol.com>
Date: Fri, 22 Jun 2018 13:51:07 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------2CB4B739AA28B7337007EA68"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/APWR59awssoBxgPYyw40U4pxbFI>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 17:51:25 -0000

I like the concept of parameterized scopes but I'm not sure they should 
be used for per-transaction use cases. It seems like the use cases 
presented are about operating on parameters specific to the transaction. 
Why are these part of the authorization flow?

Is the goal to bind an access token to a particular transaction? If this 
is the case, would it not be better to either extend the refresh_token 
flow or may better yet, create a new grant_type that takes the 
refresh_token and additional "binding" parameters and then have that 
return the "bound" access token to be used for the transaction.

Maybe this is similar to what Nat is describing with the staging API?

Thanks,
George

On 6/20/18 5:58 PM, Brian Campbell wrote:
> In my own personal and humble opinion, Torsten, what you describe as 
> "(1) Parameter is part of the scope value" is the most natural 
> approach and works without needing changes to, or going outside of, 
> RFC6749 The OAuth 2.0 Authorization Framework. There may be AS 
> implementations that have made assumption about scope values being 
> static (I know of at least one!) but that's an implementation/feature 
> issue, which can change, and not a spec issue.
>
> The OIDC "claims" parameter is already a bit of a hairy beast and I 
> think using it and the ID Token to convey more dynamic 
> access/authorization is blurring the line between authorization and 
> authentication a bit much. Also, as others have pointed out, OIDC 
> isn't always in play - particularly for regular old authorization cases.
>
> An additional query parameter might be simple for a one-off case but 
> it's nonstandard and not very repeatable.
>
>
> On Mon, Jun 18, 2018 at 9:34 AM, Torsten Lodderstedt 
> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>     Hi all,
>
>     I have been working lately on use cases where OAuth is used to
>     authorize transactions in the financial sector and electronic
>     signing. What I learned is there is always the need to pass
>     resource ids (e.g. account numbers) or transaction-specific values
>     (e.g. amount or hash to be signed) to the OAuth authorization
>     process to further qualify the scope of the requested access token.
>
>     It is obvious a static scope value, such as „payment“or „sign“,
>     won’t do the job. For example in case of electronic signing, one
>     must bind the authorization/access token to a particular document,
>     typically represented by its hash.
>
>     I would like to get your feedback on what you consider a good
>     practice to cope with that challenge. As a starting point for a
>     discussion, I have assembled a list of patterns I have seen in the
>     wild (feel free to extend).
>
>     (1) Parameter is part of the scope value, e.g.
>     „sign:<hash_to_be_signed>“ or "payments:<payment_resource_id>" - I
>     think this is an obvious way to represent such parameters in
>     OAuth, as it extends the scope parameter, which is intended to
>     represent the requested scope of an access token. I used this
>     pattern in the OAuth SCA mode in Berlin Group's PSD API.
>
>     (2) One could also use additional query parameter to add further
>     details re the requested authorization, e.g.
>
>     GET /authorize?
>     .....
>     &scope=sign
>     .....
>     &hash_to_be_signed=<hash_to_be_signed>
>
>     It seems to be robust (easier to implement?) but means the scope
>     only represents the static part of the action. The AS needs to
>     look into a further parameter to fully understand the requested
>     authorization.
>
>     (3) Open Banking UK utilizes the (OpenID Connect) „claims“
>     parameter to carry additional data.
>
>     Example:
>
>     "claims": {
>         "id_token": {
>             "acr": {
>                 "essential": true,
>                 "value": "..."
>               },
>             "hash_to_be_signed": {
>                 "essential": true,
>                 "value": "<hash_to_be_signed>"
>             }
>         },
>         "userinfo": {
>             "hash_to_be_signed": {
>                 "essential": true,
>                 "value": "<hash_to_be_signed>"
>             }
>         }
>       }
>
>     I‘m looking forward for your feedback. Please also indicated
>     whether you think we should flush out a BCP on that topic.
>
>     kind regards,
>     Torsten.
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
>
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited..  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email