Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt

Francis Pouatcha <fpo@adorsys.de> Fri, 31 July 2020 23:00 UTC

From: Francis Pouatcha <fpo@adorsys.de>
Date: Fri, 31 Jul 2020 19:00:43 -0400
Message-ID: <CAOW4vyO5v_b5_3QOKfhXupwbTk19GrpCitKfbGnff_NwYAs_+A@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CrbL69yhc-2oadjFpVe8V16Tp3k>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-par-03.txt

Below is the only remark I found from reviewing the draft:

2.1.  Request:

requires the parameters "code_challenge" and "code_challenge_method" but
https://openid.net/specs/openid-financial-api-part-2-ID2.html#confidential-client
mentions
that RFC7636 is not required for confidential clients. I guess those two
parameters have to be taken off the mandatory list and pushed to the list
below.

- Using jwsreq, non repudiation is provided as request is signed (jws).
This section also mentions that the request can be sent as form url
encoded (x-www-form-urlencoded). In this case, there is no way to provide
non repudiation unless we mention that request can be signed by client
using signature methods declared by the AS (AS metadata).

Best regards
/Francis


On Fri, Jul 31, 2020 at 9:12 AM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Pushed Authorization Requests
>         Authors         : Torsten Lodderstedt
>                           Brian Campbell
>                           Nat Sakimura
>                           Dave Tonge
>                           Filip Skokan
>         Filename        : draft-ietf-oauth-par-03.txt
>         Pages           : 19
>         Date            : 2020-07-31
>
> Abstract:
>    This document defines the pushed authorization request endpoint,
>    which allows clients to push the payload of an OAuth 2.0
>    authorization request to the authorization server via a direct
>    request and provides them with a request URI that is used as
>    reference to the data in a subsequent authorization request.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-par-03
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/
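The two request shapes contrasted in the message above, as an added example that is not part of the draft, the thread, or adorsys' code: a Go program that derives an S256 code_challenge (RFC 7636), encodes the authorization parameters as the plain x-www-form-urlencoded body a client would POST to the PAR endpoint, and alternatively wraps the same parameters in an ES256-signed request object (compact JWS, the jwsreq/JAR style) which the AS verifies only against the signing algorithms it advertises in its metadata. The client_id, redirect_uri, scope, state and the "oauth-authz-req+jwt" typ header value are illustrative assumptions; the code_verifier is the RFC 7636 Appendix B test vector, so its code_challenge is known in advance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE and PKCE both use unpadded base64url

// S256Challenge derives the PKCE code_challenge from a code_verifier (RFC 7636, method S256).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// AuthzParams is the authorization request payload the client pushes to the PAR endpoint.
// All values other than the PKCE pair are illustrative assumptions.
func AuthzParams(clientID, redirectURI, scope, state, verifier string) map[string]string {
	return map[string]string{
		"response_type":         "code",
		"client_id":             clientID,
		"redirect_uri":          redirectURI,
		"scope":                 scope,
		"state":                 state,
		"code_challenge":        S256Challenge(verifier),
		"code_challenge_method": "S256",
	}
}

// BuildPARForm encodes the parameters as the plain x-www-form-urlencoded PAR body.
// Nothing in it is signed by the client: integrity rests on TLS and client authentication.
func BuildPARForm(params map[string]string) string {
	v := url.Values{}
	for k, val := range params {
		v.Set(k, val)
	}
	return v.Encode()
}

// NewClientKey generates the client's P-256 signing key (in practice registered with the AS as a JWK).
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRequestObject wraps the same parameters in a compact JWS signed with ES256, so the AS
// can later attribute the request to the holder of the client's private key.
func SignRequestObject(params map[string]string, key *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "oauth-authz-req+jwt"})
	payload, _ := json.Marshal(params)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRequestObject is the AS side: it accepts only an alg it advertised (allowedAlgs),
// checks the ES256 signature over header.payload, and returns the claims on success.
func VerifyRequestObject(jws string, pub *ecdsa.PublicKey, allowedAlgs []string) (map[string]string, bool) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, false
	}
	hdrBytes, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, false
	}
	var hdr, claims map[string]string
	if json.Unmarshal(hdrBytes, &hdr) != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, false
	}
	allowed := false // an alg the AS never advertised (including "none") is rejected here
	for _, a := range allowedAlgs {
		allowed = allowed || a == hdr["alg"]
	}
	if !allowed || hdr["alg"] != "ES256" { // only ES256 is implemented in this example
		return nil, false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, false
	}
	return claims, true
}

func main() {
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B vector; use a fresh random one per request
	params := AuthzParams("s6BhdRkqt3", "https://client.example.org/cb", "openid", "af0ifjsldkj", verifier)
	fmt.Println("form-encoded PAR body:", BuildPARForm(params))
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	jws, _ := SignRequestObject(params, key)
	claims, ok := VerifyRequestObject(jws, &key.PublicKey, []string{"ES256"})
	fmt.Println("signed request object verified:", ok, "client_id:", claims["client_id"])
}
```

The allowedAlgs check is the place where the remark about AS metadata lands: with the form-encoded body the AS has only TLS and client authentication to go on, whereas with the request object it holds a signature it can later attribute to the client's registered key, provided it refuses any alg it did not advertise.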