IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

George Fletcher <gffletch@aol.com> Tue, 23 April 2019 11:33 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63261120049 for <oauth@ietfa.amsl.com>; Tue, 23 Apr 2019 04:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d44lezP6e773 for <oauth@ietfa.amsl.com>; Tue, 23 Apr 2019 04:33:27 -0700 (PDT)
Received: from sonic314-13.consmr.mail.bf2.yahoo.com (sonic314-13.consmr.mail.bf2.yahoo.com [74.6.132.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9F681201EF for <oauth@ietf.org>; Tue, 23 Apr 2019 04:33:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1556019204; bh=J45ltvZo9XpFa/m9ZQCNGCDT37oh1rykGy0J93rR/do=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=cI0qskMfRC+G1k6Kg8a6Jl/0GInmS9FfpR+IhkyWNYCK8HDOujbHjj2hhBfy0uCCRx1aqd89H7u+8YVEjigSz68iRHpGHD1YWjV4rPHXeHd9muClv4poZdeh5N5nMuY9a6yppyTHvdS0V1yIw5svi1UoJIaGg7TwWvyU2iin4H3RJqKBvUNuSoF4g+GDvOqkbGEkiUupqyzhAgTjAIOVNlA3QVbpXQXgrHLEwAfscdtSNxQ/NEjL260CWuyjeCA7llnwjWZCQ4yzd87t9PBJQ8DLatVesFiQlYoI62BRnaP/PWQMovA7wDsQ9uV9kC8uK3VyrSk3RMn7Z4u7KntAgQ==
X-YMail-OSG: CyZkfF8VM1mXI05MIDAUkQgswTz9eaV.ya1GBq1GYt1fSsa7CFoMUL4IN4__VRt INcaxcX47b9Pi4OzT5yFkR4Hyw0HGNc4wB0THOWF3VfDOS6cDvIs_yyRScxIM8J5zGKeP2xe0XC0 fsK03ERx3F7BgCOtpWy4qZY8HmqNWzmszMyquU5z5rDiTXzqfusYLzCUosufJObkKey2ioE8amGg _TJVjkclMgcpaC5V0nkb4_JH.PuLhq22erSLOeE57hbHQBOMPKNwNHI9Yee.QB1Hg8a_YS9eTmt6 A4s2ljS2t4OJ.dhBkeard9jtTIbb.lJ27ea.Bpr0TXreH3FMcuIrjFvtq6WNMi2.VBCvFrFnp.dU w5K1WSFGd1wzI1CZXECNQVvH0PyEUA0CvYRwMcpO1Lb6u.xCZAbuwcsAcZEMzCsLM.GFi3CS7Fjm 1ZVwYBn_3aAzMPiEsyPkLfSgeikXpN7mWbGMY6RTqwDmGNMkySn5xnyqCfwwa5e3r9VCqKTLDZaS o1O_u4NzCZbU1eVqFMfckD7Kqa.IiHFJlUmqn7VZ8yejyjk8IHTLcKFZLxyOMJ0.DmbHshQL7jzQ dSc9RD3Z__erZ6NbhRtMdtILFP0jslLlYu0TiOpE8L6Ex7dYygdS_LWgTbF2ebnw_Nt2FJEuZP7M CvotG4u0qLml5v1EL6mUqURVBcvupQg2KRxC6ip.R7hh_DsFkBH1nu7xjqqp9BqYdShhq95a5x7B xCmTjnVZVayuaSIPFbsp6xEezxUwd8IRRW3ndeMchdsPCQGysxrY623nbdYe9qlaDKtZDFkmxRTV 6GpUn8hT1B3z.tQPfITZmKRHId1xA8dHKF8j5jrahPNcOSfphTlZ8H1UNIHc.ytO09WQKOcx3Lk5 xqKkwqn9GW0ReKUg7IQ24Buof9m0Y.UNuurRf.XRQnxqv4_lTMT6k0zpI9VBOAvQPr6bLvdQY4Qx QkwQH9AYLihXrYmf_rKlU5xR9qv__HnHKE_sMRRvUP77Wyxzf16c60onfe27f4ODdUixYdLk.AhM nihjl9_y9uwU.6gLuajRB2JQ9OiwgMvD0CKID09oV2VhJBVGdlRcWvB3b02iTn9ejYRaBnuMXTHV 8XCEra4uoRwPIugIqRpbu_hxedmMXBE3E2Is8Wg--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic314.consmr.mail.bf2.yahoo.com with HTTP; Tue, 23 Apr 2019 11:33:24 +0000
Received: from nat-vpn-users2.cfw-a-gci.net.buffalo.office.oath (EHLO [172.135.130.101]) ([184.165.8.97]) by smtp407.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID bf97ab0bfffcd458df8bb70ac799e258; Tue, 23 Apr 2019 11:33:21 +0000 (UTC)
To: Pedro Igor Silva <psilva@redhat.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAJrcDBfmhR5Fx1okJv7xdgATytDTA8rhBZNJJviY39WGK06uPw@mail.gmail.com> <2261EA43-063D-4EA5-A55B-15235D5E525E@lodderstedt.net> <CAJrcDBcm0x6zzWYBxjh4B8EJQozFC1ciyx5_j2rnW8DBLGqUCg@mail.gmail.com> <B41AFDAE-CE92-4477-8489-F47C05A4DD3E@lodderstedt.net> <7483a5f0-b3c1-c944-02fa-79e5a1ecc490@aol.com> <CAJrcDBeHHymY_Lk-oJV+M+S3Hvsw=CLBZMbeStk7Gm55ecYBuw@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <8387b896-fa89-940f-6dc3-95bd04388bab@aol.com>
Date: Tue, 23 Apr 2019 07:33:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAJrcDBeHHymY_Lk-oJV+M+S3Hvsw=CLBZMbeStk7Gm55ecYBuw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------14622AB43B5C75BEE25533A0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EKPQAK7P3Sm65SE4eAH0JcC_Icg>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 11:33:31 -0000

I can see use cases where both approaches are useful. I was just 
pointing out that while the RS might not be told the context of the 
request from the client's perspective, the client still knows it's own 
context and can leverage that with UMA at the RS to reduce the need to 
request multiple tokens (which is the issue I understood Torsten to be 
making).

I would also say that in UMA there is some desire to reduce the work the 
RS has to do as well where in Torsten's use case, the RS may be managing 
all the responsibility (for good or ill:)

On 4/22/19 3:36 PM, Pedro Igor Silva wrote:
> I think this knowledge by clients of the ecosystem is something that a 
> transactional authorization could avoid. Both UMA and ACE have 
> solutions that make clients really dumb about what they need to send 
> to the AS in regards to scopes. IMO, the RS should have the 
> possibility to tell clients the scope they need, making a lot easier 
> to change RS's access constraints as well as pushing contextual 
> information that could eventually enrich the authorization process.
>
> On Mon, Apr 22, 2019 at 4:04 PM George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>     Speaking just to the UMA side of things...
>
>     ...it's possible in UMA 2 for the client to request additional
>     scopes when interacting with the token endpoint specifically to
>     address cases where the client knows it's going to make the
>     following requests and wants to obtain a token with sufficient
>     privilege for those requests. This requires a fair amount of
>     knowledge by the client of the ecosystem but that is sometimes the
>     case and hence this capability exists :)
>
>     On 4/22/19 1:18 PM, Torsten Lodderstedt wrote:
>>     The problem from my perspective (and my understanding of UMA) is the RS does not have any information about the context of the request. For example, the client might be calling a certain resource (list of accounts) and immediately afterwards wants to obtain the balances and initiate a payment. I think the UMA case the RS either predicts this based on policy or past behaviour of the client OR the client will need to issue several token requests. That might not be a problem in 1st party scenarios but it is in 3rd party scenarios if the AS gathers consent.
>

v2.23.0 | Report a Bug | By Email