Re: [OAUTH-WG] Transaction Authorization with OAuth

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 30 April 2019 11:03 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com>
Date: Tue, 30 Apr 2019 13:03:19 +0200
Cc: oauth <oauth@ietf.org>
Message-Id: <4303D8E2-DC2A-4359-B07D-6078E8FD6FFD@lodderstedt.net>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EsZV3n90vU9upc8QxRcfEGiW3Ho>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth


> On 26. Apr 2019, at 19:57, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> One thing that I think is missing from the article in the discussion of pros and cons is that in many cases a large or even voluminous request can be sent via auto-submitting form post (like https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but the other way around from client to AS with the auth request), which doesn't then run into the same URI size problem. 

Thanks for pointing this out! Is the response mode often used in the wild for OAuth?

> 
> From a prospective standardization standpoint, there are really two distinct concepts in the article. One is the "Pushed Request Object" and the other the "Structured Scope". They are certainly complementary things but each could also be useful and used independently of one another. So I'd argue that they should be developed independently too.

I agree. I’m considering two separate drafts.

> 
> On Sat, Apr 20, 2019 at 12:21 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi all, 
> 
> I just published an article about the subject at: https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948  
> 
> I look forward to getting your feedback.
> 
> kind regards,
> Torsten. 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
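The mechanism Brian describes above, sending the authorization request as an auto-submitting form POST from the client to the AS, as an added example (this is not code from the thread, from the article, or from any OAuth specification): the client answers the browser with a small HTML page whose hidden form POSTs the parameters to the authorization endpoint, so the oversized `request` value never appears in a URI. The endpoint, client_id and the dummy `request` value are constructed placeholders, and the 2048-byte URI ceiling is an assumption used only for the comparison. Two things a practitioner should check before relying on this: RFC 6749 section 3.1 makes GET mandatory and POST optional at the authorization endpoint, so the AS must actually accept POST; and every parameter written into the page must be HTML-escaped, because values such as `state` or `redirect_uri` may be attacker-influenced and would otherwise become an injection point in the client's own origin.

```python
"""Carrying a large OAuth 2.0 authorization request in an auto-submitting
form POST instead of the query string of a redirect.

RFC 6749 section 3.1 requires the authorization endpoint to support GET and
permits it to support POST, so a client that knows its AS accepts POST can
move the parameters into the request body and sidestep URI length limits.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Assumption: a practical ceiling for URIs that browsers and intermediaries
# handle reliably. Used only to illustrate when the GET form becomes risky.
URI_LENGTH_LIMIT = 2048


def get_request_url(endpoint: str, params: dict) -> str:
    """The conventional front-channel request: everything in the query string."""
    return f"{endpoint}?{urlencode(params)}"


def url_too_long(url: str, limit: int = URI_LENGTH_LIMIT) -> bool:
    """True when a GET redirect with this URI is likely to be truncated or rejected."""
    return len(url) > limit


def form_post_page(endpoint: str, params: dict) -> str:
    """HTML the client serves to the browser; it POSTs the parameters to the AS
    on load, or via the button when scripting is disabled.

    Names, values and the endpoint are HTML-escaped: parameters such as
    `state` or `redirect_uri` may be attacker-influenced, and unescaped they
    would let an attacker inject markup into the client's own origin.
    """
    fields = "\n".join(
        f'    <input type="hidden" name="{html.escape(name, quote=True)}"'
        f' value="{html.escape(value, quote=True)}">'
        for name, value in params.items()
    )
    return (
        "<!DOCTYPE html>\n"
        '<html><head><meta charset="utf-8"><title>Redirecting</title></head>\n'
        '<body onload="document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(endpoint, quote=True)}">\n'
        f"{fields}\n"
        '    <noscript><button type="submit">Continue</button></noscript>\n'
        "  </form>\n"
        "</body></html>\n"
    )


class _FormParser(HTMLParser):
    """Reads back the form method, action and hidden fields from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.method = None
        self.action = None
        self.fields: dict = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.method, self.action = a.get("method"), a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def parse_form_post_page(page: str):
    """Return (method, action, fields) as the browser would submit them."""
    parser = _FormParser()
    parser.feed(page)
    parser.close()
    return parser.method, parser.action, parser.fields


# Constructed sample request. The AS and client identifiers are placeholders;
# the `request` value is a dummy standing in for a signed request object of a
# few kilobytes, not a real JWT. The `state` value is deliberately hostile to
# show that escaping neutralises it.
SAMPLE_ENDPOINT = "https://as.example.com/authorize"
SAMPLE_PARAMS = {
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "state": 'af0ifjsldkj"><script>alert(1)</script>',
    "request": "eyJhbGciOiJSUzI1NiJ9." + "x" * 6000,
}

if __name__ == "__main__":
    url = get_request_url(SAMPLE_ENDPOINT, SAMPLE_PARAMS)
    print(f"GET URI is {len(url)} bytes, too long: {url_too_long(url)}")
    page = form_post_page(SAMPLE_ENDPOINT, SAMPLE_PARAMS)
    method, action, fields = parse_form_post_page(page)
    print(f"form {method} to {action} carries {len(fields)} fields")
```

Running the module shows the GET URI exceeding the assumed limit while the POST form's action URL stays short; parsing the generated page back confirms that the hostile `state` value round-trips as data rather than as markup, which is the property that makes this client-side page safe to emit.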