Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
Brian Campbell <bcampbell@pingidentity.com> Wed, 17 July 2019 20:35 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7364120018 for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 13:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTeQEtpJifDM for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 13:35:45 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52496120086 for <oauth@ietf.org>; Wed, 17 Jul 2019 13:35:45 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id h18so24792303qtm.9 for <oauth@ietf.org>; Wed, 17 Jul 2019 13:35:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NnCI2OA58G6mTOihK1Hk3/ZGsBsUiOWWpX2Kl9ib0A0=; b=A+PwggcE33/xCZJG7Tf7SSsUrzVRYsBGVNch6XGgyJVeD22JXtfplYwiEzTtvancqE kyWYR0iEkOPEz9cDv0HGWG6DnL1WBpRKs5/si848gM5Jr6tysoDI1rYp0mjjr11CN4kk mqlvVwCk2kFnHUp5AiD6yrL6+Jf8dfbXz8g0g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NnCI2OA58G6mTOihK1Hk3/ZGsBsUiOWWpX2Kl9ib0A0=; b=DmWRV2CbL96+J6EFPUzJu6ADNIi3FRaanSPIbWLETuI/UZawY+TEqvy5zO51Emt6yy iVSukF4RyVji6OwIxSBuJ3MS8FUFQXeHWQWx6uyviQNzEiN89uEW5WBhxOU8BOO7Xhfe BYb5NL4l9DovD4Ib8+nWDNIOxra+G5bjB8GGHMIw+4Q5IOyhU5Gdz93D+aZDMP3M8ZEo +Ego2P8QLDuJa1IHVuUElmuFJiNl55Lsz5VTwKSxM/yYAWraFcn1CMcxhMBYIAVknya1 YQdPC5uvnn6Sejj98PKSp3H+NMcrgOyqt9Gda0TuwcN19NK/zf1uer6Zzth5+sFulRM0 gj+Q==
X-Gm-Message-State: APjAAAUDw3Jb8qwaD4VKhegRFA10GhkZtSVZqwcEH7GD7QQXaGEnsALA m8SdW0mHZbUbgJFYbQ0A141A+msdEW8WNAw6RAk7mPlggHXbSF8XzOvRZGLZu6nos20Wy+ObAG7 DLD719sKogvsQRw==
X-Google-Smtp-Source: APXvYqxssnbFwRn8K/2Mk1LfExrdwDdyht8/VWfzMyTLDZOCIHPyyIAaBaoC9AwO/KD22zU8zThT5a1gcUoVk8hFJlw=
X-Received: by 2002:a0c:b786:: with SMTP id l6mr30173382qve.148.1563395744171; Wed, 17 Jul 2019 13:35:44 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 17 Jul 2019 14:35:17 -0600
Message-ID: <CA+k3eCRS2HKDUWkHQzwoMVauUK7UBadw_pWdF6cXh0+BSZTbBA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f9a785058de66f4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IMRVPcwWNM8iKBXQNaxMVG2DZUc>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 20:35:48 -0000
Thank you, Roman, for the review. Some replies are inline below. I'll aim to push out a -03 addressing this stuff sometime not too long after the I-D submission embargo is lifted next week. On Tue, Jul 16, 2019 at 5:23 PM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > The following is my AD review of draft-ietf-oauth-resource-indicators-02. > The document is in good shape. > That's always nice to hear :-) > > (1) Section 2. Per "The parameter can carry the location of a protected > resource, typically as an https URL, or a more abstract identifier", is > this "abstract identifier" still an absolute URI per Section 4.3 of RFC3986? > Absolutely (see what I did there? sigh...). Syntactically it's an absolute URI. Semantically, while it might be an actual network addressable location identified by an HTTPS URL, it might also be a URN or something that more abstractly indicates a resource or grouping of resources. But its format is an absolute URI regardless. I'm not sure what, if anything, can be added or changed here to help clarify. But I'm happy to entertain suggestions, if you've got em and/or think something is needed. > (2) Section 2.2. in the sentence "To the extent possible, when issuing > access tokens, the authorization server should adapt the scope value > associated with an access token to the value the respective resource is > able to process and needs to know": > > -- is this language suggesting that the authorization server is modifying > the scope value based on the resource it sees? I'm trying to understand > what "adapt" means, especially in relation to the improved security and > privacy the subsequent sentence suggests. > Perhaps "adapt" wasn't the best choice of word but it's meant to say that an authorization server with sufficient understanding of what scopes are applicable to what resources (which won't always be the case or even possible but sometimes) could limit the scope associated with an access token (downscoping really) to only the scope that is applicable to the resource. Some of the examples (figures 2 - 6) attempt to show, among other things, a hypothetical case of how this might go down. In Figure 2 the initial authorization request that's approved has scope of calendar & contacts and resources https://contacts.example.com/ & https://cal.example.com/ A subsequent access token request (Figure 3) has resource https://cal.example.com/ and the issued access token scope (Figure 4) is "adapted" to that resource to be only calendar Another subsequent access token request (Figure 5) has resource https://contacts.example.com/ and the issued access token scope (Figure 6) is downscoped based on that resource to be only contacts Would it be easier to understand if the word "downscope" was used rather than "adapt"? > > -- (Depending on the above) Is there a security consideration here for the > server relative to confidential scope values and how they might be modified? > I'm not sure, to be honest. Downscopping when possible and to the extent possible is usually a good idea (least privilege and all that) but I think maybe I'm missing your point/question. > > (3) Editorial > ** Section 1 and 2.1. Multiple Typo. s/the the/the/g > Apparently I'm fond of the double "the" and have a hard time spotting it myself. I think this is the second review in as many weeks that you've caught a few of those. Will fix. > > ** Section 2. Editorial. s/resource at which/resource to which/ > Okay. > > ** Section 2. Editorial. > s/ And can also be used to inform the client that it has requested an > invalid combination of resource and scope./ > It can also be used to inform the client that it has requested an > invalid combination of resource and scope./ > Yup. > > ** Section 2.1. Multiple Typo. s/an an/an/g > Again with the double words. Sigh. A double double even. > ** Section 2.2. Editorial. s/token request and response/token request > (Figure 3) and response (Figure 4)/ > Makes sense. > ** Section 3. Typo. s/a invalid/an invalid/ > Of course. > > ** Section 3. Missing words. "A bearer token that has multiple intended > recipients (audiences) can be used by any one of those recipients at any > other." Is it protected resource? > Well, those are all the words that I'd intended to be there :/ But it does read a little curtly. How about the following instead? "A bearer token that has multiple intended recipients (audiences) indicating that the token is valid at more than one protected resource can be used by any one of those protected resources to access any of the other protected resources." -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] AD Review: draft-ietf-oauth-resource-i… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw