IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

George Fletcher <gffletch@aol.com> Fri, 10 May 2019 20:27 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46B7D1200B8 for <oauth@ietfa.amsl.com>; Fri, 10 May 2019 13:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUkKT13OQrgs for <oauth@ietfa.amsl.com>; Fri, 10 May 2019 13:27:11 -0700 (PDT)
Received: from sonic316-12.consmr.mail.bf2.yahoo.com (sonic316-12.consmr.mail.bf2.yahoo.com [74.6.130.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A5DD1200F4 for <oauth@ietf.org>; Fri, 10 May 2019 13:27:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1557520030; bh=3FS8QtBJtXUcwQTfOajDjwBVW42JWX7ictGCOrsL3tk=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=RkKm0zi+vMjIJ1a3hRlwZuapDnaAm0Di3Ls3rtQ3gwC7Bgfr6DHEJdLUG6gknJYWgsTDbwm/CzgzlOM6t7aTApjWH108vmacuq5wnpDVMIkzVPb4qzikU/tXcnzAkO95ojk/uzH5fF8MDumzSlQmomW+121ds/D+UKmX6ftg6ky1lxnXLV4Fl+Memd9c/OO0FkqwsvnqJpO8R5oKREqvPGYdO77oWIWL/8Jm8xcgQLeLnhTBpXE3sT4DCO+ZXwGkzi+ORKHBlKPl6Q86M3QIZbSkYbj6QOB9FKLMm47OwSHzmv54J8PrjAi4sHiy1C9kFZ3sdXeIjympW/FpYxjKjw==
X-YMail-OSG: MvknDbsVM1kxfBGvWH6W9po_xocwr9grl7pnj8c4EooGdWtsXCFVOrxWmv.1pg7 oQiYqd3uJYLac7ZOC12FexYGajyfp3fYXOHEreRgqiEyOTQNcRiMtoogiDKGiXR2HBJsjtGYgnfP 0zplJh7TN6YE8ZrHm3o91tVkHvO58xSA2F5xP1Yh9EFiqVNplm51GoQaVJ11FXXDF2GuwaaFvHh4 KPXy8kDaiMQi_KrI5sELdgLHnoe.bLJnnu5FNOfmtCmR7SJfPewGkOOllvIEOeDIOpkdLII2GqTe hJkgZCz94h9u0KoFkxNm0rlrp.V8OuZsMaUrWiSMxFq2xwnXl0CoEpb3uADp1JiimTACZih_5qdF q7UgQPxb8Jca0W4M2.CRNYkjSsZUOEGGRMNHiTB215ahQA2J3wmD7OS3EXLNmscTl_ja2JOzNdJ8 _.Eprh2iWsDzZ3uYF_a04WGZf5d97xkudKXpJJM9Wu5fadegaPliB8W6u2aejHImmFDTCiZENfJr BexFhtN2U0dEW4vWfdLIik3E0u4sZ.tAHUd7NkQTfLR1f1U10DmQVLrVxCdgdKw2PRGWiyBEpFNV t_jwwxAnQ4.80cqAMJG6C45L4xu7INhZhaT52JxdGCiUL8hICJWVa.X_pWyRa2JnLOUUrmagziag etFdAwdh0TuO.5ctmPP.TGH.dkvvv.Lx_JW4M_Kd9CvNFygw9fTkbCDMdPYq.K1RspN836t1Mdmj jM3r4vwGFPL2b6Fzz_oFTQNTwPFDljUExq4z9C81HS.n5U3Sb0G_IuM_d7xZMgU1LEkfKdoBeSnE .YrFrCm_bqmJS3eMiNSafcezasGJgc37_p.dj7BJ.jQZfpggxT4CkLpxuz7sC8Sb.p2ZLcUGo5RM c29ASfGpHdz3GbwH1Bt_mGHKIXmsihCcK5PoBS3mqGeNaF5r4WrEs2lSiF_XM2IoAdPzo.53k.55 dETlhPTdiq99Y43Raup3p8UWsVirtFxArsU5g3VSZbh06nS9ynxOTEytDoPMRkig.n_jwl_OAgkV zQmZAohbX2BAAgidfdQ._WOjT8PuQNvlxL__Sg9z61CNCBC9wVqCKCQ_G8VMC_u.aybySxk_iHH6 ryk.AU4mKvPvmUBGnVP3OmypYL1oNQkN20MLcbDX9qjjzHs1Ey9eAGU9XE3sbZvwp.2E-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.bf2.yahoo.com with HTTP; Fri, 10 May 2019 20:27:10 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp423.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 96bcd5ad374cd04c0d8ea177f35be65d; Fri, 10 May 2019 20:27:07 +0000 (UTC)
To: Dave Tonge <dave.tonge@momentumft.co.uk>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net> <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com> <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <10e7ee87-4877-4790-dbdc-8f599d401cbe@aol.com>
Date: Fri, 10 May 2019 16:27:06 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------E489D4CD099C2C0BB3CC9F2B"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IxNW0HUauY1NCNErr4P5t0Ni72U>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 20:27:13 -0000

One thing to keep in mind with the "Push Request Object" model and the 
concept of a more detailed scope structure, if the specified values are 
not for a single transaction, then the AS will be required to keep the 
"Pushed Request Object" for the "lifetime" of the access_token and 
possibly the refresh_token depending on the use case. This could have 
some implementation issues for the AS.

Thanks,
George

On 5/10/19 9:52 AM, Dave Tonge wrote:
> Thanks Torsten for this article - it is incredibly helpful.
>
> I'm very much in favour of the "structured_scope" approach.
>
> While I understand George's point I think the line is very blurred 
> between coarse-grained scopes and fine-grained transaction consent. In 
> addition fine-grained authorisation metadata is needed for ongoing 
> access APIs as well, e.g. how can a client ask for ongoing access to:
>  - transactions in a users accounts with ids abc123 and abc124
>
> From a UX perspective it is beneficial for the AS to ask the user for 
> consent once. The AS therefore needs to have all the information about 
> relating to the consent available when the user is redirected to the 
> authorization endpoint. There should be a standard way for the Client 
> to pass this data to the AS and I think structured scopes either sent 
> as a query param or in a request object are a neat way of doing this.
>
> Dave
>

v2.23.0 | Report a Bug | By Email