Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt
Francis Pouatcha <fpo@adorsys.de> Tue, 09 February 2021 12:53 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EK016UbkDUPRPqG-rHf9q0Wknzo>
Find below my review of the draft:

1. Redactional changes:

2.2. Authorization Data Types
"Interpretation of the value of the "type" parameter, and the object elements that the "type" parameter allows" => allowed

9. Metadata
"which is an JSON array." => which is a JSON array

1. Application to existing APIs

reason-1: Current open banking initiatives are built on top of existing Data Standards like ISO20022 (PAIN, CAMT), which are XML formats that do not provide a direct translation to JSON. Some authorization servers might even be able to parse an ISO PAIN file to display the proper authorization request to the user.

reason-2: In some situations, it might be more privacy preserving to have the authorization request content negotiated between the AS and the RS. In this case the "scope" parameter shall only carry some sort of "grant-id" (known in the Berlin Group spec as consent-id). This will allow the AS to negotiate the data to be displayed directly with the RS.

Any idea how to consider these two edge cases?

Best regards.
/Francis

________________________________
From: OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Sent: Sunday, February 7, 2021 12:49 PM
To: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt

Hi all,

here is the list of changes in revision -04:

* restructured draft for better readability
* simplified normative text about use of the resource parameter with authorization_details
* added implementation considerations for deployments and products
* added type union language from GNAP
* added recommendation to use PAR to cope with large requests and for request protection

Your feedback is highly appreciated.

best regards,
Torsten.

On 07.02.2021 at 13:42, internet-drafts@ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Rich Authorization Requests
        Authors         : Torsten Lodderstedt
                          Justin Richer
                          Brian Campbell
        Filename        : draft-ietf-oauth-rar-04.txt
        Pages           : 36
        Date            : 2021-02-07

Abstract:
   This document specifies a new parameter "authorization_details" that is used to carry fine grained authorization data in the OAuth authorization request.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-04.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-04

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
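Added example, not part of the thread above and not code from the RAR draft or its authors. It illustrates the two technical points the review touches: Francis's reason-1 (an ISO20022 pain.001 XML payment has no direct JSON form, so something has to map it into an "authorization_details" entry before the AS can display it), and the sections 2.2 and 9 editorial items (each entry is an object whose "type" governs its other elements, and the AS metadata lists supported types as a JSON array). The pain.001 fragment is constructed; the type name "payment_initiation", its element names, the metadata parameter name "authorization_details_types_supported" and the payments API URL are assumptions for illustration, not values taken from this page.

```python
"""Map a constructed ISO20022 pain.001 fragment to an OAuth RAR
authorization_details entry, and validate entries against the AS metadata.
Added example; not the draft's or the thread participants' code."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: one customer credit transfer, reduced to the fields an
# authorization prompt needs (amount, currency, creditor, remittance info).
PAIN001_SAMPLE = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <PmtInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">123.50</InstdAmt></Amt>
        <Cdtr><Nm>Merchant123</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>DE02100100109307118603</IBAN></Id></CdtrAcct>
        <RmtInf><Ustrd>Ref Number Merchant</Ustrd></RmtInf>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
"""

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}

# Assumed AS metadata: the list of authorization data types this AS accepts.
# Both the parameter name and the type name are assumptions for this example.
AS_METADATA = {"authorization_details_types_supported": ["payment_initiation"]}


def pain001_to_authorization_details(xml_text, payments_api):
    """Translate every CdtTrfTxInf in a pain.001 document into one
    authorization_details object of the assumed type "payment_initiation".
    The XML is not passed through; only the fields the user must see are kept."""
    root = ET.fromstring(xml_text)
    entries = []
    for tx in root.iterfind(".//p:CdtTrfTxInf", NS):
        amt = tx.find("p:Amt/p:InstdAmt", NS)
        entries.append({
            "type": "payment_initiation",
            "actions": ["initiate", "status", "cancel"],
            "locations": [payments_api],
            "instructedAmount": {"currency": amt.get("Ccy"), "amount": amt.text},
            "creditorName": tx.findtext("p:Cdtr/p:Nm", namespaces=NS),
            "creditorAccount": {
                "iban": tx.findtext("p:CdtrAcct/p:Id/p:IBAN", namespaces=NS)
            },
            "remittanceInformation": tx.findtext("p:RmtInf/p:Ustrd", namespaces=NS),
        })
    return entries


def validate_authorization_details(entries, metadata):
    """AS-side check before anything is shown to the user: the parameter must
    be a JSON array of objects, and each object's "type" must be one the AS
    advertises. Unknown types are rejected rather than displayed, because the
    type decides how the remaining elements are interpreted.
    Returns a list of error strings (empty when valid)."""
    errors = []
    if not isinstance(entries, list):
        return ["authorization_details must be a JSON array"]
    supported = set(metadata.get("authorization_details_types_supported", []))
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            errors.append(f"entry {i}: not a JSON object")
            continue
        t = entry.get("type")
        if not isinstance(t, str) or not t:
            errors.append(f"entry {i}: missing or non-string type")
        elif t not in supported:
            errors.append(f"entry {i}: unsupported type {t!r}")
    return errors


def build_par_body(entries, client_id, redirect_uri):
    """Form-encoded body a client would POST to the pushed authorization
    request endpoint, carrying the entries as a JSON string. The draft -04
    change list recommends PAR for large requests; the endpoint itself is
    outside this example."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(entries, separators=(",", ":")),
    })


if __name__ == "__main__":
    details = pain001_to_authorization_details(PAIN001_SAMPLE, "https://example.com/payments")
    print(json.dumps(details, indent=2))
    print("errors:", validate_authorization_details(details, AS_METADATA))
    print(build_par_body(details, "client-123", "https://client.example/cb"))
```

The mapping deliberately copies only the fields the user needs to consent to; the full pain.001 document stays at the RS, which is the property reason-2 is after as well. A type the AS has not advertised in its metadata is refused up front, since accepting an unknown "type" would mean displaying elements whose meaning the AS cannot interpret.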