Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Roman Danyliw <rdd@cert.org> Mon, 24 October 2022 11:08 UTC
Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2517AC14CE3D for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 04:08:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RZzEXUKBakx for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 04:08:24 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0092.outbound.protection.office365.us [23.103.208.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BC63C14F692 for <oauth@ietf.org>; Mon, 24 Oct 2022 04:07:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=rcw0rgna8fHom/CR97tgpmxAfQWb+5G0/N0twdsTfqryFujdRBT+bHf4dXBerC4g/NKxSg37fVMYc3EOT258yIl2bNnKnsqfZz/XngNmCay3GTLPgvSiO817D5BO6+ZKIkaJADtIfhGQ6euu7A9/ojmQ0RH8ndM/801lWUw0uyyAO2uir5TjNJ/F8YnTYPHaDvGnk7NaeOgsLDYHL55XrGLAJUMA042kv5ZXwqCX1VHAJqjuQUaTt3RpWq1OTZTprirGw1CD68st+wY4p5/0KYVVEtMJh4IQYTP24TqHLmVwzu7CqYp5gwO1iay6U45ERRzl/p3BCkr3h9F+9jrnNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KqmAdzFHFiFD0fFVFD5Jbdk3rUfpQ4/mKS4G6uQXlO4=; b=H1P+6ENehdSm0+grAjWeETopyvEaep1JBCnukatbnl5rhgbGgDD4Mf2cXQBjIBgzqMAu0z8hbxmXQ/yRCWvPUxGqd0P1vh8qrQspKNDBB3hGFaxN/7L2L3VgEcyTM/WDQkH75vaK9l3xxUlmQ9h6OIRershMsXfqqpa1nv3BR8Vr2LRBA1cwHdBItbMpi1yiFcWkRn3RVnWWKxMtNUcdM4cyLNPdu3J6AWYpr3c/j+w4RGUPX5i6gueb58XFWPnE5+2hw+FTiyNsyNXPI0vvGq5fUnsHoDUgk68MY5tK1b/gfBTOZGKnqDpoZxLcWaNsBVCpaWV1MC9zi9EKurKZcg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KqmAdzFHFiFD0fFVFD5Jbdk3rUfpQ4/mKS4G6uQXlO4=; b=c8ZW8E/eEWAP+z9N/4ByeXuBFvs86L5C8fVZLmOw/3VwhlQpLVOgZm0OGsN0nbsLDio4JbDSB59MX1WijXhK9DP+UKvjHplP7G/utBDUyQckqBqEKtvfY6vLOu47JnsqgqoSNv6clgEvgP/+UzVi5fQPAkglNFR9sGN8yyUVHMw=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1764.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:169::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.21; Mon, 24 Oct 2022 11:07:47 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429%6]) with mapi id 15.20.5746.023; Mon, 24 Oct 2022 11:07:47 +0000
From: Roman Danyliw <rdd@cert.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: "oauth@ietf.org" <oauth@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, "jricher@mit.edu" <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Thread-Index: AdjIiWV70TiGp2n1QyK+vwbKisrOXgaaBi8AASnDYJA=
Date: Mon, 24 Oct 2022 11:07:47 +0000
Message-ID: <BN2P110MB1107CE072D8C7CB807D2D23FDC2E9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <EC76A798-8FA9-44D8-A508-952269CFB290@lodderstedt.net>
In-Reply-To: <EC76A798-8FA9-44D8-A508-952269CFB290@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1764:EE_
x-ms-office365-filtering-correlation-id: 88fc648d-58c6-4ac6-c608-08dab5affb99
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GtJKPutoRk7G3V8cpqxuwHw8uuzButqlP09FlEwHnXfVyyMu/3OLjy5yRAQ+riX6ABHyTo9HuhD+7KfKX6Cvckr9hdLbxrIig6zGkMIBwWdRtTWSyVvmkMQ8iTEQrcp9bS8cg7KbqPjpMqcjtF0LBWCUBOrMK71EavDIYBStnnSpNrfEfTACP0XNNjeLF0DCDbAG2N3to486Eu7vIMRBeG0ckKUMlpQg09b4KMgLiTOO+cPYyeAU4PpJFVQgA+CE71yGzK8dtDx0WhDpqUryZ7P7MGnt7zOW4Q+/lCrllrzEO/3+8mPqj/+b5oStrmuDT0Df2k+GNkFev3MfmUziEMmRzxMfZZ+4vbhDLF0XAt8GPVoss4H1H1UORAloVLJNVqTtNhR5JRPHZmxKPjWbnh2A7agu2q1T16EA3qGxdJO69SG2Q6ji3cAIYT1XfjVA21zHbDegnf6l+eRoGAb9xfAiUCfJSfpZOD2RaRmDtNGQR9loPYVDIKoZhtUXqkSFjkzyl4UG3ttjP+qBNdXye9rLLSYA2H3llSeIBDf8pbDlX2UMjwL2mkzShI9S85GkIDO/rQ4Uc/MF4qzPR4AJvFFtjhoWOFwQT19ryYGlqteFBGmDLV2H8trsl0qyupuMHIlCAMnpwRx+ewVkkCEZJJ/aMhT/WyL03LXWxOmExi/1kjPscqWQUoL2n4wSHUBeGFlMOICMQz1h7uhfQ7q+SA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(66899015)(86362001)(33656002)(38070700005)(38100700002)(122000001)(82960400001)(186003)(498600001)(83380400001)(55016003)(2906002)(53546011)(9686003)(7696005)(6506007)(26005)(54906003)(6916009)(66946007)(76116006)(66476007)(66446008)(64756008)(8676002)(4326008)(66556008)(71200400001)(8936002)(966005)(52536014)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: F58mWdysfMaza1vUNAIXhciGS3dXLk29C3wjATdcc1OnR8zv5S9R+mgJSV/aWKp/iWiOR5omH6LEXBGywmihBflOhkfpRfFcs0Ohs/61O0A576FUTPm5419vEMU+B26g89u2jaCuoPNmB6/M2aJnRMWCiGmtWZFxzG2xagiF4TcZ6Ji8DX5EqMvJ1xamFeBkFLO3QBC4C32XCd8ynpDJ++D/J4ovlUN4LGmrxxAjTZ6aTAoq6Gh/+gx945k4oRkgUmnXBKM/YJ2rkTeBehd254GeCFhPGK+zvrgqJKpTnD873UD3b3HSAb5dqHpTNsvqI5WBlP2IUwzdzh7PHxlAlyyNt7DFcLUNMfdnVeRlHxSFVDirbRji3ppfv8FdnVkyMFbnmhK8bv+yvwHaE3mqTQbmqftaNeekSD2ZUthCcH8=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 88fc648d-58c6-4ac6-c608-08dab5affb99
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2022 11:07:47.1096 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1764
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/F1RU-S3qspN9mV8WJwO4jXvzpms>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 11:08:29 -0000
Hi Torsten! Thanks for the response. More inline ... > -----Original Message----- > From: Torsten Lodderstedt <torsten@lodderstedt.net> > Sent: Tuesday, October 18, 2022 9:00 AM > To: Roman Danyliw <rdd@cert.org> > Cc: oauth@ietf.org; Brian Campbell <bcampbell@pingidentity.com>; > jricher@mit.edu > Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12 > > Hi Roman, > > thanks for you review. > > I’m trying to do the next round for the outstanding issues you raised. > > > Am 15.09.2022 um 00:30 schrieb Roman Danyliw <rdd@cert.org>: > > > > Hi! > > > > I performed an AD review of draft-ietf-oauth-rar-12. Thanks for this > document. My feedback is as follows: > > > > ** Section 2. Editorial > > > > This field MUST be compared using an exact byte match of the string > > value against known types by the AS. > > > > Consider if you want to introduce how the lack of match will be handled here > - it is covered later. > > I’m not sure how to handle this as there is no direct consequence (in the sense > of error condition) other then that different byte arrays constitute different > types. > > We could state something like this: "String values with different byte > representations constitute different types.“ ? Works for me. > > > > ** Section 2.2. > > > > All data fields are OPTIONAL for use by a given API > > definition. > > > > I don't follow how this is true in the general case. I was under the impression > that this section defined what is expected to be common fields. Couldn't some > AS with a particular type require their presence? > > > > ** Section 3. Editorial > > > > OLD > > In case of authorization requests as defined in [RFC6749], > > implementors MAY consider to use > > > > NEW > > In case of authorization requests as defined in [RFC6749], > > implementors MAY consider using ... > > > > ** Section 3. Typo. s/intiate/initiate/ > > > > ** Section 5. Typo. > > > > OLD > > authorization details type > > or authorization details > > > > NEW > > authorization_details type > > or authorization_details > > The spec uses authorization details types to refer to the general concept and > authorization_details to refer to the parameter. I think the former is > appropriate at this place. Understood. > > > > ** Section 6.1 > > > > However, when comparing a new request to an existing request, > > authorization servers can use the same processing techniques as used > > in granting the request in the first place to determine if a resource > > owner needs to authorize the request. > > > > Why is it possible to assess two arbitrary requests in this case to determine "if > a resource owner needs to authorize the request", but the prior paragraph > explicitly calls out that comparing two arbitrary requests is not feasible? To me > is seems like comparing two requests to understand if more or less permissions > are being requested is equivalent to determining if a new request exceed the > current request to determine if going back to the resource owner is needed. > > > > ** Section 6.1. Typo. s/isaunce/issuance/ > > > > ** Section 7. > > > > If the client does not specify > > the authorization_details token request parameters, the AS determines > > the resulting authorization details at its discretion. The > > authorization server MAY consider the values of other parameters such > > as resource and scope if they are present during this processing, and > > the details of such considerations are outside the scope of this > > specification. > > > > This guidance seems to indicate the use of the scope parameter is optional in > determining the authorization details. Section 3.1 says "The AS MUST consider > both sets of requirements in combination with each other for the given > authorization request." My read is that this is conflicting guidance and Section > 3.1 is correct. > > Justin: „You aren’t required to use “scope” in order to use > “authorization_details”, but we do want to say that the AS is allowed to (or > even is supposed to) consider both “scope” and “authorization_details” when > determining the resulting access for any given request that might have both. > The guidance in 3.1 should probably say “the AS MUST consider all > requirements present on a request” or something like that?“ > > Section 3 already states that the AS must consider scope and resource in > addition to authorisation details. I suggest to drop that sentence entirely. Works for me. > > > > ** Figure 15. The text prior to this figure says that for "For our running > example, this would look like this" indicating that this figure is similar to > previous examples. There is one key different - this is the first use of a > "payment_initiator" type with the API URL prepended. > > > > ** Section 7.1. Typo. s/sub set/subset/ > > > > ** Section 8. What is the difference between this section and Section 5 > beyond this text explicitly stating the name of the error value > (invalid_authorization_details). I'd recommend stating the normative behavior > twice; that is, why are both sections needed? > > 5 and 8 define the error behaviour of different endpoint. But you are right, the > text is the same (with 5 being even more detailed). Suggest to remove the text > in 8 with a reference to 5. Works for me. Thanks, Roman > best regards, > Torsten. > > > > > ** Section 9.2. Editorial. There is some kind of rendering issues in the > RFC7622 reference. It reads "[!@RFC7662]". > > > > ** Section 11.2. > > > > Products supporting this specification should provide the following > > basic functions: > > > > Should this section be more tightly scoped to AS behavior instead of a > "products"? > > > > ** Section 11.2. > > > > Accept authorization_details parameter in authorization requests > > including basic syntax check for compliance with this > > specification > > > > Why only "basic syntax checking"? Perhaps "syntax checking"? > > > > ** Section 11.2 > > > > One option would be to have a mechanism allowing the registration of > > extension modules, each of them responsible for rendering the > > respective user consent and any transformation needed to provide the > > data needed to the resource server by way of structured access tokens > > or token introspection responses. > > > > I don't follow the flexibility being described here. "One option ..." with > respect to what? > > > > ** Section 11.3. Could this section provide an example of what it would > mean to use JSON schema ids in the type value. > > > > ** Section 12. Please note that the Security Considerations of RFC6749, > RFC7662, and RFC8414 apply. > > > > ** Section 13. > > > > Implementers MUST design and use authorization details in a privacy- > > preserving manner. > > > > I completely agree with the principle, but this design guidance cannot be > enforced without specifics. I recommend s/MUST/must/. The more specific > text in this section can use the normative MUST statements. > > > > ** Section 13. > > > > Any sensitive personal data included in authorization details MUST be > > prevented from leaking, e.g., through referrer headers. > > > > Is "leaking" the same as being sent unencrypted? Recommend being clear. > > > > ** Section 13. > > > > The AS SHOULD share this data with those parties on a "need to know" > > basis. > > > > Completely agree. Consider ending this sentence with "... as determined by > local policy", or the equivalent to make it clear that it will not be document in > this specification. > > > > Thanks, > > Roman > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] AD review of draft-ietf-oauth-rar-12 Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer