IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 16 May 2019 17:11 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF512120043 for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 10:11:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISfT8IcmmDIN for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 10:11:38 -0700 (PDT)
Received: from smtprelay07.ispgateway.de (smtprelay07.ispgateway.de [134.119.228.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E11612014F for <oauth@ietf.org>; Thu, 16 May 2019 10:10:24 -0700 (PDT)
Received: from [80.187.102.145] (helo=[10.155.44.35]) by smtprelay07.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1hRJta-0001i7-Rj; Thu, 16 May 2019 19:10:19 +0200
Content-Type: multipart/signed; boundary="Apple-Mail-E65621CA-AEDA-424E-8730-16CD4134EA56"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (16F156)
In-Reply-To: <10e7ee87-4877-4790-dbdc-8f599d401cbe@aol.com>
Date: Thu, 16 May 2019 19:10:16 +0200
Cc: Dave Tonge <dave.tonge@momentumft.co.uk>, Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <8134EC64-CD0F-4AAE-B406-8F425B41F72D@lodderstedt.net>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net> <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com> <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com> <10e7ee87-4877-4790-dbdc-8f599d401cbe@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DKW_pF_7RH9dzdDBqb-LNIyDDTo>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 17:11:46 -0000


> Am 10.05.2019 um 22:27 schrieb George Fletcher <gffletch@aol.com>:
> 
> One thing to keep in mind with the "Push Request Object" model and the concept of a more detailed scope structure, if the specified values are not for a single transaction, then the AS will be required to keep the "Pushed Request Object" for the "lifetime" of the access_token and possibly the refresh_token depending on the use case. This could have some implementation issues for the AS.

It’s not necessarily the request object but the client id and the scope. Can you please explain what implementation issue you expect? I don’t see much of a difference between storing/maintaining simple scope values and a JSON document for a grant.


> 
> Thanks,
> George
> 
>> On 5/10/19 9:52 AM, Dave Tonge wrote:
>> Thanks Torsten for this article - it is incredibly helpful.
>> 
>> I'm very much in favour of the "structured_scope" approach. 
>> 
>> While I understand George's point I think the line is very blurred between coarse-grained scopes and fine-grained transaction consent. In addition fine-grained authorisation metadata is needed for ongoing access APIs as well, e.g. how can a client ask for ongoing access to:
>>  - transactions in a users accounts with ids abc123 and abc124
>> 
>> From a UX perspective it is beneficial for the AS to ask the user for consent once. The AS therefore needs to have all the information about relating to the consent available when the user is redirected to the authorization endpoint. There should be a standard way for the Client to pass this data to the AS and I think structured scopes either sent as a query param or in a             request object are a neat way of doing this. 
>> 
>> Dave
>> 
>

v2.23.0 | Report a Bug | By Email