[OAUTH-WG] Comments on draft-ietf-oauth-jwsreq-22 (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request)

Denis <denis.ietf@free.fr> Wed, 27 May 2020 17:20 UTC

To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <ead54f3c-48ac-d5c1-a903-38fcb3330740@free.fr>
Date: Wed, 27 May 2020 19:20:29 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HYWszubxMdHFuFsjRpYJdBN3gak>
Subject: [OAUTH-WG] Comments on draft-ietf-oauth-jwsreq-22 (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request)

As indicated in the abstract:

    "This document introduces the ability to send request parameters in
    a JSON Web Token (JWT) instead, which allows the request to be signed
    with JSON Web Signature (JWS)".

This approach has a major consequence which is not indicated in the
Privacy Considerations section: the AS will have the knowledge of these
request parameters, such as "please let me make a payment with the amount
of 45 Euros" or "please give me read access to folder A and write access
to file X".

Such an approach has privacy issues which are currently not documented 
in the Privacy Considerations section.

The AS would be in a position to know, not only which resource servers
are going to be accessed, but also what kind of operations are going to
be performed by its clients on the resource servers. With such an
approach, ASs will have a deep knowledge of every operation that can be
performed by a user on every RS.

As a consequence, the AS would also be in a position to trace the
actions performed by its users on the resource servers.

Other approaches that are more "privacy friendly" should be considered 
to address the initial problem.

Denis

PS. This email closely relates to the previous email sent on the WG
mailing list with the following topic:
    Comments on OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-01)
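The following is an added example, not part of Denis's message and not code from the jwsreq or RAR drafts. It builds a JAR request object on the client side and verifies it on the AS side, to make the point above concrete: because the AS is the party that must validate the request object, every parameter inside it (here a payment instruction and a file-access request, constructed in the style of the RAR draft's authorization_details) is in the clear to the AS. For a self-contained stdlib-only demo the request object is signed with HS256 keyed by the client secret; real deployments would normally use an asymmetric JWS algorithm with the client's registered public key. AS_ISSUER, CLIENT_ID, CLIENT_SECRET and all URLs are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

AS_ISSUER = "https://as.example"        # hypothetical authorization server
CLIENT_ID = "s6BhdRkqt3"                # hypothetical client
CLIENT_SECRET = b"demo-client-secret"   # assumption: HS256 keyed with the client secret


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sample_request_parameters() -> dict:
    """Constructed request parameters, modelled on RAR-style authorization_details."""
    now = int(time.time())
    return {
        "iss": CLIENT_ID,       # JAR: iss carries the client_id
        "aud": AS_ISSUER,       # JAR: aud identifies the AS
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": "https://client.example/cb",
        "state": "af0ifjsldkj",
        "nbf": now,
        "exp": now + 300,
        "authorization_details": [
            {
                "type": "payment_initiation",
                "locations": ["https://bank.example/payments"],
                "actions": ["initiate"],
                "instructedAmount": {"currency": "EUR", "amount": "45.00"},
                "creditorName": "Merchant A",
            },
            {
                "type": "file_access",
                "locations": ["https://files.example/"],
                "actions": ["read", "write"],
                "identifier": "folder A (read), file X (write)",
            },
        ],
    }


def build_request_object(params: dict, key: bytes) -> str:
    """Client side: wrap the authorization request parameters in a compact JWS."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}  # typ as registered by RFC 9101
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(params, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def as_verify_request_object(request_jwt: str, key: bytes, as_issuer: str) -> dict:
    """AS side: verify the JWS, then return the parameters, which are now fully visible."""
    try:
        header_b64, payload_b64, sig_b64 = request_jwt.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != as_issuer:
        raise ValueError("wrong audience")
    if claims.get("iss") != claims.get("client_id"):
        raise ValueError("iss must equal client_id")
    if "exp" in claims and time.time() >= claims["exp"]:
        raise ValueError("request object expired")
    return claims


def visible_operations(claims: dict) -> list:
    """What the AS learns from the request: which RS, and which operation on it."""
    return [
        (d["type"], tuple(d.get("locations", [])), tuple(d.get("actions", [])))
        for d in claims.get("authorization_details", [])
    ]


if __name__ == "__main__":
    req = build_request_object(sample_request_parameters(), CLIENT_SECRET)
    seen_by_as = as_verify_request_object(req, CLIENT_SECRET, AS_ISSUER)
    for op in visible_operations(seen_by_as):
        print(op)
```

The verification step has to parse the payload to check aud, iss and exp, so the AS necessarily reads the amount, the creditor and the file operations before deciding anything; encrypting the request object with JWE changes nothing here, since the AS is the intended recipient and holds the decryption key.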