IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 18 October 2022 12:59 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01ADBC1522A1 for <oauth@ietfa.amsl.com>; Tue, 18 Oct 2022 05:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouge4XObhpDB for <oauth@ietfa.amsl.com>; Tue, 18 Oct 2022 05:59:48 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0948C14F612 for <oauth@ietf.org>; Tue, 18 Oct 2022 05:59:48 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id fy4so31934843ejc.5 for <oauth@ietf.org>; Tue, 18 Oct 2022 05:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=NLXz+VzR8IA3bPOrHwswBP3ohml/yW4GsWtTGB5ZYY8=; b=Lk5UmCvPpOdgraPazB+573ZyQRFj7QPs7JrG9YNOsUdAw7ZgCgDl/8bEPnQ3JmVgOu q4o5E53zkjdfpJm1qLMRjYGamsIvddEgC4ov1up2u5La/ooHJIUdDr8PZKpwnSky++sU qSnbOmiq0YhV9zv7ozcd+8W5QgXaqrZWAqnm04U3SpddW+CkmjsqdHFJrnuE891HTk5S H9EJHGbX8D8c+qTR/umtHW+a6fyFQgqv7WzgkibsdHXDY6PsVVl4R6Vg6DuV1n6KYbCx oMJtAwVqHyf0VcnaS62qLOTE7+Cqj6hstWwx5ou+uAyld/xgdc4wVTWU1Mwn/J/UBbIh TAxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NLXz+VzR8IA3bPOrHwswBP3ohml/yW4GsWtTGB5ZYY8=; b=E1AJayZvef0AHWZ+AncFk7je/yUQqXWCxR5lRdRZFLcsjxanPM83hKWjToyfZc9Frj lyWNN+gDPQ4kpWOkiYwrmIzm1TiUUnmRZFJf5LCbUjBb6TVTcC/K7b06m+GCxfTKb0fG HbkgYRcJJjR7i0/jeaj6/T8IMTi7yNfthoT6KuTTDsHcdLubkfROhO5xrlsfMLGFgx/C MaWkKiXQtgXnYhG0llN6zEC7XC9+1jt4ijO3RbRxJpQTNvo4wkYJz2rDeoAUvP2o4xoA w31RRXJYCeb9SZzVtk9VGCqrHhJrzZJLvns73OIvBG0VOsOIpH/QrJi0HcaHONFq9mXn Cevw==
X-Gm-Message-State: ACrzQf1PGemgcTNfSRIPo5PSkS4OxfTs51B4z124Qq7WmBUsoOxJGtv6 x6m7Vud1qurdtTjflu4JjguHHg==
X-Google-Smtp-Source: AMsMyM5ChPxIqSV8L6ieG+Uhz0nqhBQCyyfiiNyBhpKgY9bCdIvDrkRcf74+kPYdDWhvZTxqCCDO+w==
X-Received: by 2002:a17:906:9c82:b0:781:5752:4f2b with SMTP id fj2-20020a1709069c8200b0078157524f2bmr2208420ejc.561.1666097986756; Tue, 18 Oct 2022 05:59:46 -0700 (PDT)
Received: from smtpclient.apple (p200300eb8f0b25dee94f5bc5d4d77cb8.dip0.t-ipconnect.de. [2003:eb:8f0b:25de:e94f:5bc5:d4d7:7cb8]) by smtp.gmail.com with ESMTPSA id p13-20020a17090653cd00b0078d175d6dc5sm7446409ejo.201.2022.10.18.05.59.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Oct 2022 05:59:46 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Date: Tue, 18 Oct 2022 14:59:44 +0200
Cc: "oauth@ietf.org" <oauth@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, jricher@mit.edu
Content-Transfer-Encoding: quoted-printable
Message-Id: <EC76A798-8FA9-44D8-A508-952269CFB290@lodderstedt.net>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Fvjon4KT2GxrWJWvJfXINf44Q6g>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2022 12:59:53 -0000

Hi Roman, 

thanks for you review. 

I’m trying to do the next round for the outstanding issues you raised.

> Am 15.09.2022 um 00:30 schrieb Roman Danyliw <rdd@cert.org>:
> 
> Hi!
> 
> I performed an AD review of draft-ietf-oauth-rar-12.  Thanks for this document.  My feedback is as follows:	
> 
> ** Section 2. Editorial
> 
> This field MUST be compared using an exact byte match of the string
>   value against known types by the AS.
> 
> Consider if you want to introduce how the lack of match will be handled here - it is covered later.

I’m not sure how to handle this as there is no direct consequence (in the sense of error condition) other then that different byte arrays constitute different types. 

We could state something like this: "String values with different byte representations constitute different types.“ ? 

> 
> ** Section 2.2.
> 
> All data fields are OPTIONAL for use by a given API
>   definition.  
> 
> I don't follow how this is true in the general case.  I was under the impression that this section defined what is expected to be common fields.  Couldn't some AS with a particular type require their presence?
> 
> ** Section 3.  Editorial
> 
> OLD
> In case of authorization requests as defined in [RFC6749],
>   implementors MAY consider to use
> 
> NEW
> In case of authorization requests as defined in [RFC6749],
>   implementors MAY consider using ...  
> 
> ** Section 3.  Typo. s/intiate/initiate/
> 
> ** Section 5.  Typo.
> 
> OLD
> authorization details type
>   or authorization details
> 
> NEW
> authorization_details type
>   or authorization_details

The spec uses authorization details types to refer to the general concept and authorization_details to refer to the parameter. I think the former is appropriate at this place. 

> 
> ** Section 6.1
> 
>  However, when comparing a new request to an existing request,
>   authorization servers can use the same processing techniques as used
>   in granting the request in the first place to determine if a resource
>   owner needs to authorize the request.   
> 
> Why is it possible to assess two arbitrary requests in this case to determine "if a resource owner needs to authorize the request", but the prior paragraph explicitly calls out that comparing two arbitrary requests is not feasible?  To me is seems like comparing two requests to understand if more or less permissions are being requested is equivalent to determining if a new request exceed the current request to determine if going back to the resource owner is needed.
> 
> ** Section 6.1.  Typo. s/isaunce/issuance/
> 
> ** Section 7.
> 
>   If the client does not specify
>   the authorization_details token request parameters, the AS determines
>   the resulting authorization details at its discretion.  The
>   authorization server MAY consider the values of other parameters such
>   as resource and scope if they are present during this processing, and
>   the details of such considerations are outside the scope of this
>   specification.
> 
> This guidance seems to indicate the use of the scope parameter is optional in determining the authorization details.  Section 3.1 says "The AS MUST consider both sets of requirements in combination with each other for the given authorization request."  My read is that this is conflicting guidance and Section 3.1 is correct.

Justin: „You aren’t required to use “scope” in order to use “authorization_details”, but we do want to say that the AS is allowed to (or even is supposed to) consider both “scope” and “authorization_details” when determining the resulting access for any given request that might have both. The guidance in 3.1 should probably say “the AS MUST consider all requirements present on a request” or something like that?“

Section 3 already states that the AS must consider scope and resource in addition to authorisation details. I suggest to drop that sentence entirely.    

> 
> ** Figure 15.  The text prior to this figure says that for "For our running example, this would look like this" indicating that this figure is similar to previous examples.  There is one key different - this is the first use of a "payment_initiator" type with the API URL prepended.
> 
> ** Section 7.1. Typo. s/sub set/subset/
> 
> ** Section 8.  What is the difference between this section and Section 5 beyond this text explicitly stating the name of the error value (invalid_authorization_details).  I'd recommend stating the normative behavior twice; that is, why are both sections needed?

5 and 8 define the error behaviour of different endpoint. But you are right, the text is the same (with 5 being even more detailed). Suggest to remove the text in 8 with a reference to 5.

best regards,
Torsten. 

> 
> ** Section 9.2.  Editorial.  There is some kind of rendering issues in the RFC7622 reference.  It reads "[!@RFC7662]".
> 
> ** Section 11.2.  
> 
>   Products supporting this specification should provide the following
>   basic functions:
> 
> Should this section be more tightly scoped to AS behavior instead of a "products"?
> 
> ** Section 11.2. 
> 
> Accept authorization_details parameter in authorization requests
>      including basic syntax check  for compliance with this
>      specification
> 
> Why only "basic syntax checking"?  Perhaps "syntax checking"?
> 
> ** Section 11.2
> 
>   One option would be to have a mechanism allowing the registration of
>   extension modules, each of them responsible for rendering the
>   respective user consent and any transformation needed to provide the
>   data needed to the resource server by way of structured access tokens
>   or token introspection responses.
> 
> I don't follow the flexibility being described here.  "One option ..." with respect to what?
> 
> ** Section 11.3.  Could this section provide an example of what it would mean to use JSON schema ids in the type value.
> 
> ** Section 12.  Please note that the Security Considerations of RFC6749, RFC7662, and RFC8414 apply.
> 
> ** Section 13.  
> 
>   Implementers MUST design and use authorization details in a privacy-
>   preserving manner. 
> 
> I completely agree with the principle, but this design guidance cannot be enforced without specifics.  I recommend s/MUST/must/.  The more specific text in this section can use the normative MUST statements.
> 
> ** Section 13.
> 
> Any sensitive personal data included in authorization details MUST be
>   prevented from leaking, e.g., through referrer headers.
> 
> Is "leaking" the same as being sent unencrypted?  Recommend being clear.
> 
> ** Section 13.
> 
> The AS SHOULD share this data with those parties on a "need to know"
>   basis.
> 
> Completely agree.  Consider ending this sentence with "... as determined by local policy", or the equivalent to make it clear that it will not be document in this specification.
> 
> Thanks,
> Roman
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email