Re: [OAUTH-WG] Transaction Authorization with OAuth
Steinar Noem <steinar@udelt.no> Fri, 26 April 2019 19:23 UTC
Return-Path: <steinar@udelt.no>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85CDC120117 for <oauth@ietfa.amsl.com>; Fri, 26 Apr 2019 12:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=udelt-no.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvLQ7wNRz-Ro for <oauth@ietfa.amsl.com>; Fri, 26 Apr 2019 12:23:49 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E010B1200EA for <oauth@ietf.org>; Fri, 26 Apr 2019 12:23:48 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id a6so3823982oie.5 for <oauth@ietf.org>; Fri, 26 Apr 2019 12:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=udelt-no.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FkFe5nYK3jxoEj0Scb8Pz0rF7wUQWUEnynxdBazW6uQ=; b=QnfSSalED6gWdUKe+dsqmHLC4v4mRd5ULSzqwZvBA5gjAzIeIXkmb4iSh8ts6AEmxG 073URX+9SYJmy/7UpPlDhlG4e0kmY2BIZnPjkDdyH4fr4nbdOkK3YOyRtA9pA6T3fNbH QzSkWVBpXqpjWufvRRT1R6dXvI0d4ahA/NUT3jcFSIkri4noIlCDDuWBKq6l5N8FTJs5 3FFQJI2zoQI8sgrs4ZfZG+sxFQRRdaVDKE9IRmEPEViTQJoecXzCuTm+Gk14wl2C7WT2 7f80H4mXzggRNqygR8XppCNqSE+yPRgWYKj9ihlB08H0Jjh5J+/NyLgaJWq121RuhVcf 0KWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FkFe5nYK3jxoEj0Scb8Pz0rF7wUQWUEnynxdBazW6uQ=; b=ff03WlZlWTrycG+ITj6dSDUrVnuZmb/R3R2Eh2UQw6MgEOTRPU2OeuVGOwSaZiwUiM giR9NlyrITwJE97qrHuENm2IoUovPF6xmm9wLAYtqK2VQBXx0hpu+D84r3ReaLeYTYkK fIE6kdLCoBuwL8vl3VawAE00EBKaJyEGjwpehG2tYIvnREi+NFGcpJ4LoFVKCpJywJsm UGjXHMjSlAawRyC1RRHkzSStBLo4ZcFxRCkCbhdlHQXrKU2jgBsc9Y2OQfPww6AuIJVh 2/dY0Fd4JYfij9btv4YgRLBLxq+lpPrRTYZ+w32UGzKCuvr25D4abOWcxCsAzEky/uGs f/UA==
X-Gm-Message-State: APjAAAXib9mWjgIa/lX6BDYJLBIN2Yvk94favn+GioFDjb/jq26lQDdl CODpYPWMNVw/cf1WWWSLC4caTbv19oxprUA9wUS6ItK0Z28rFg==
X-Google-Smtp-Source: APXvYqy/2kaJpKd2A5LnMV3nTVT1S8OKaJfFYP9I8ncM671KHgx341taTKMVTItwjpEzTtwYAgAEwyO5CKGDy1HD8iU=
X-Received: by 2002:aca:df55:: with SMTP id w82mr8213483oig.113.1556306627442; Fri, 26 Apr 2019 12:23:47 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com>
From: Steinar Noem <steinar@udelt.no>
Date: Fri, 26 Apr 2019 21:23:30 +0200
Message-ID: <CAHsNOKdvgRpj0kq3jy8y+jj54aXm6HqpiSVLbQdpRYb8yz6-ZQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b0d48a058773df27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JVMGKgf4Lrbu8n0NNpGsbsp3H50>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 19:23:53 -0000
I do not have the depth of understanding of OAuth as you guys, so forgive me if I'm missing the discussion completely. For me this sort of boils down to how we establish trust between the different roles in OAuth. For an API the trust lies between the AS and itself. The API may have no trust in the clients directly, but relies on the AS to provide the user consent, client authentication but also e.g. the use of request objects. At least in my domain, the API might not trust "claims" as parameters in a request from the client, but will trust the "claims" in an access token. In my domain the trust established between the client and the AS is an important part of the ability to interact across security domains. It also provides a way for us to establish domain standards for representing different types of authoritative information. For instance, we have a legal requirement to log certain types of information about the user when exchanging sensitive information. This information is usually tied to a OAuth scope, e.g. "get patient records". The suggested use of "structured_scope" not only gives us an opportunity to convey contextual information that can be shown in the user consent, it also gives us a way of enforcing national domain-specific standards of expressing different types of information tied to the scope (e.g. prescription, sick note, patient records etc) which would make interoperability within the health sector easier. Also, the health sector in Norway has a strict legislation regarding privacy and patient rights,, so we would actually log the issued access tokens with structured_scopes to fulfil some of the legal requirements. Personally I'm not sure what makes more sense, the "structured_scope" or "transaction_scope" name - but "transaction_scope" is more semantically loaded. I also agree with mr. Campbell that the concepts should be treated separately. <mvh>Steinar</mvh> fre. 26. apr. 2019 kl. 19:58 skrev Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org>: > One thing that I think is missing from the article in the discussion of > pros and cons is that in many cases a large or even voluminous request can > be sent via auto submitting form post (like > https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but > the other way around from client to AS with the auth request), which > doesn't then run into the same URI size problem. > > From a prospective standardization standpoint, there are really two > distinct concepts in the article. One is the "Pushed Request Object" and > the other the "Structured Scope". They are certainly complementary things > but each could also be useful and used independently of one another. So I'd > argue that they should be developed independently too. > > > > On Sat, Apr 20, 2019 at 12:21 PM Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > >> Hi all, >> >> I just published an article about the subject at: >> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948 >> <https://medium..com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948> >> >> >> I look forward to getting your feedback. >> >> kind regards, >> Torsten. >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Vennlig hilsen Steinar Noem Partner Udelt AS Systemutvikler | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no |
- [OAUTH-WG] Transaction Authorization with OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Jim Manico
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Dave Tonge
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Nat Sakimura
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt