Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Torsten Lodderstedt <> Wed, 08 July 2020 16:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D59633A0F03 for <>; Wed, 8 Jul 2020 09:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3LaDYSp4tDSN for <>; Wed, 8 Jul 2020 09:20:16 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CA36C3A0EEF for <>; Wed, 8 Jul 2020 09:20:15 -0700 (PDT)
Received: by with SMTP id dm19so36051461edb.13 for <>; Wed, 08 Jul 2020 09:20:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=AJi2q1FIPvS7pPKFfp7NJFmH6Xql34tCFbnBoW/nFmo=; b=HkSz92CK1y3fDua4UnPpFZTDi16Ua6tFi0kFdGhPia05OZE58yTsYE1KccSfgm3CYv UkkOauGE8e64ctOsQRXZyko6drjbPh5CAJkBuNbQzCz7+r/7NYOYyyqr1sSGMxJpRxBB 3xoi33LKiuSpaTINM3uxCa4Z2YBdexQV2pmZCvitMPyJzANnvsdeqvrCMbbN69W5RZoj ENDy7KF+sX5SAbxLABZsGW4Yw/w3a9xO7m/r09Io7fIwI1IRY08dwBzJuLef1BxTrmqP IdBSOzwe6vc2QE+Wez0lSKISMps/C3YrR36c6AmZsqIYX8UR0aQHu/jDziJu5xpMRxCH LOcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=AJi2q1FIPvS7pPKFfp7NJFmH6Xql34tCFbnBoW/nFmo=; b=jbFY+C1Tfzk/L2R5RfFC4fxQiz8hZwEYQL3j0zjmTmaeItc7CbKM2lG6Kc+zzpN/OS CEzOlkvdbCJqQhivJyBWAETrwTEwQ5TFIi4VHMddDVJjPUisS5hVDqYhjabUGd/5Uy7d CnO0JK2rw40lTc0VmycMtbdxbTyXkPTI8uNk/V2ZlS4EJWKirkiZJQdHhHIF5gKMKNBA qU1I9L/UYcvv6H1Q4hQ1u9YeSP4+BG3s3AJwrcbb4SIuwSdND5+1CConN58X/vGlpv6B WVmg8oj9FRlSIt0Gkwm0KvjPoWufdrv/7I1fGPlz0IiFh27crWLxiYr6j48CaorXA4kW IoRQ==
X-Gm-Message-State: AOAM532cQUrIbMb88mfPcgz2nBN3McqlqffKq0V3TyT9MNLhzta0EVlb iwgd+5x9PbDPrwmi8PTH8OwMKw==
X-Google-Smtp-Source: ABdhPJy3/hZWuNrssPt1DcdannooO+uv3glC5QMlER2b4OowIRREhvZmHQwu+c63Uzyc6U0ekGfQAA==
X-Received: by 2002:aa7:d1c8:: with SMTP id g8mr68400815edp.337.1594225214085; Wed, 08 Jul 2020 09:20:14 -0700 (PDT)
Received: from ( [2003:eb:8f01:3880:e468:71ec:ac2f:b6f0]) by with ESMTPSA id di20sm28745edb.26.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jul 2020 09:20:13 -0700 (PDT)
From: Torsten Lodderstedt <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_651C02CB-CD56-4B79-A765-C347E61045A1"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 08 Jul 2020 18:20:10 +0200
In-Reply-To: <>
Cc: oauth <>, Justin Richer <>
To: Neil Madden <>
References: <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jul 2020 16:20:18 -0000

Hi Neil, 

> On 8. Jul 2020, at 16:40, Justin Richer <> wrote:
> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>  — Justin
>> On Jul 6, 2020, at 12:32 PM, Neil Madden <> wrote:
>> I’m reading draft-ietf-oauth-rar-01 in a bit more detail now I have some time, and I have a few comments.
>> An assumption in the draft appears to be that the client knows ahead of time what it wants to gain access to and can describe it in detail. For example, the last example in section 2.1 is a client requesting access to particular files, which assumes that the client already knows the paths of the files it wants to access. This in turn seems to imply that the client already has some level of access to be able to determine this, e.g. to list directories, which may not be desirable. In many cases like this I think it’s more natural for the client to not know exactly what it is asking for but instead to want access to *some* file, chosen by the user. An example of this is the Dropbox Chooser [1] and Saver [2] APIs, which notably are not built on top of OAuth. In these cases it would be more natural for the client to send a more generic request and for the details to be filled in by the user as part of the consent process.

That’s a very good point.

There are scenarios where the client knows the resources it wants to interact with in advance, potentially from another transaction (e.g. first access to account list, payment initiation afterwards). 

The scenario you are describing is viable as well. In such a case, the request would be fairly generic but the AS (or the RS) would need to make transparent to the client what resources it just obtained access for. Interestingly, this might also happen if the client wants to access accounts. It could just request access to accounts and the user, in the consent, selects the accounts to disclose to the client. In our design at yes, we reflect this in an augmented authorization_details object in the token response (an addition for the spec I have on my list). 

>> Another issue is that as far as I can see in the current draft, any client can initiate a rich authorization request at any time without any kind of prior approval. This seems problematic for the main example in the draft, i.e. payment initiation. As an attacker, if I can get a consent screen up on a user’s device requesting to move money around then it seems like half my job is already done - some fraction of users will probably approve such a transaction without properly checking it. It feels like the ability to ask for transaction approval should already be a privileged operation that should require consent and approval.

I think RAR will almost always be used in conjunction with PAR. This means the client is authenticated before the user interaction starts preventing the attack you mentioned. I think we should at least recommend this in the draft. 

>> A related issue is that each approval is in effect a completely isolated incident. In a normal OAuth2 interaction I would grant an app some longish-term access to data and it would get an access token and optionally a refresh token. At some later point I can go to the AS and see that I have granted this access and revoke it if I choose. With RAR there is no representation of a long-term relationship between the RO and the client and each transaction starts from fresh. Again, this seems potentially problematic and not quite in keeping with how OAuth currently operates. Each grant of access is ephemeral. (Do refresh tokens make sense in the context of RAR?)

Some of the use cases initially causing the development of RAR are transactional (as pointed out by Vladimir) others are not. RAR is about a richer vocabulary for describing the scope of access.

In the beforementioned account information scenario, the client would, for example, ask for read access to several accounts. Access to balance for one and access to balance & transaction history for another account. This could easily be expressed using RAR and would be a long term grant. If the client for the same user asks for access to another account (and the user approves), the AS should add this to the same underlying grant. This effectively means, the client could use the same token (refresh and access token) to access all accounts. 

>> I think a better approach would be a two-phase authorization process:
>> 1. In step 1 an app gets a normal long-lived access and/or refresh token that grants it permissions to ask to initial transactions (RARs) - e.g. with scope initiate_payments

I agree. This is PAR. PAR + RAR is in the end a generalised version of the UK OB consent pattern. 

>> 2. In step 2 the app requests authorization for individual RARs/transactions using some proof of its grant from step 1
>> I have ideas for how this could be achieved, but I’d prefer to see what others think of this general idea rather than getting bogged down in specific details.

best regards,

>> [1]:
>> [2]: 
>> — Neil
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list