IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 24 October 2022 16:18 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7F3C14CE22 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 09:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxEdmpwMHVci for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 09:18:31 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F35C14EB1E for <oauth@ietf.org>; Mon, 24 Oct 2022 09:18:30 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id y14so6179127ejd.9 for <oauth@ietf.org>; Mon, 24 Oct 2022 09:18:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=rmx2uXhFbqGNkBl5nKmc5o+uh/a+ot2U1ct2tEBQ53A=; b=z8hPQPTtUmNxrgq7kos74fYEqPscp2Cb4MHaIY/5YuaXbygIkJi0WKkGZrBBdu2MFY 8iqpvo2M4Uur3aryC67ylvNjpVr+r9QLXFiVwPmPPQs54JsK2v7g6Xu+jmbU/xj2Ocka 8o3+TI0MuoKGeCXltAnOhJoEBFtYTFLeIELnx5ijZRakMMLnWRc7+td0ojGVupIQ/1Wo TpDCMW2DyUFukh00ys0uFTe8RhThk7vXiUnyL/zlF/CkXbeHOF8FrcaqzH90/CV1f9BM RsSikQW1cgeXHu4+E4QK2+6AGJ6yZnoDxyjZNVRxCdW/cK45bh6QEPeEdhGx6BUMspFT nLnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rmx2uXhFbqGNkBl5nKmc5o+uh/a+ot2U1ct2tEBQ53A=; b=O+vSEk4SVSPpTcr+3uzdKXwmulJ9/adkLcbn6zit7w79YGklAYpm8ZtSXjYA4L9fG8 Jm5W7kpaKztk0CKn0JpPMALziqbIycEGBqIs+6EcJ9IGrd81L9QbJU2CiP/xBfcBfJTR 7qEmCr60ZaW3/ZNUnbEVM0cR1I1GT3PauhUYA0UADDga25ybxr1b6r4QiWftBQ2Sw/Lx 2fuUGn2dhI9ZMcaZQBFwMpbXkFk7gHS4aCl8ddo0idTuwXg+7+39GBBhCKr0fp03w1o1 R/krjWBcNMWgCxlj+Vr07FOHbNgu9jAgEtJzAg9CJjUAix3bFr7TYkHH/P7Azavw3ToW uesQ==
X-Gm-Message-State: ACrzQf3O2luEQeqrFqdZTLtL8QgtLpjicFYYUZ7LxsGK08TN7RgitEgI UWzV5/vzeAlUVVPLmZcHNtrNeQ==
X-Google-Smtp-Source: AMsMyM4RItA9uiO9lnAtX12oT1iZzBpopOjrbNqHVrsBrx4nYoOtIo252BEK19CqbmTkkwp0Eg1unw==
X-Received: by 2002:a17:907:161f:b0:78e:11b3:8962 with SMTP id hb31-20020a170907161f00b0078e11b38962mr28853927ejc.0.1666628309336; Mon, 24 Oct 2022 09:18:29 -0700 (PDT)
Received: from smtpclient.apple ([213.182.142.66]) by smtp.gmail.com with ESMTPSA id op21-20020a170906bcf500b0078082f95e5csm61645ejb.204.2022.10.24.09.18.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Oct 2022 09:18:28 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <8A472C89-AE85-4623-8656-B280F3DF197C@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EBCB3F19-19AC-4B75-AFCB-04BA89116E23"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 24 Oct 2022 18:18:27 +0200
In-Reply-To: <BN2P110MB1107CE072D8C7CB807D2D23FDC2E9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, "jricher@mit.edu" <jricher@mit.edu>
To: Roman Danyliw <rdd@cert.org>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <EC76A798-8FA9-44D8-A508-952269CFB290@lodderstedt.net> <BN2P110MB1107CE072D8C7CB807D2D23FDC2E9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L__qC0JAi9gTCGmOiIjIoUH-DwM>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 16:18:35 -0000

Hi Roman, 

I just published revision -14 with the all the agreed changes.

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html

best regards,
Torsten. 

> Am 24.10.2022 um 13:07 schrieb Roman Danyliw <rdd@cert.org>:
> 
> Hi Torsten!
> 
> Thanks for the response.  More inline ...
> 
>> -----Original Message-----
>> From: Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>>
>> Sent: Tuesday, October 18, 2022 9:00 AM
>> To: Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>>
>> Cc: oauth@ietf.org <mailto:oauth@ietf.org>; Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>;
>> jricher@mit.edu <mailto:jricher@mit.edu>
>> Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
>> 
>> Hi Roman,
>> 
>> thanks for you review.
>> 
>> I’m trying to do the next round for the outstanding issues you raised.
>> 
>>> Am 15.09.2022 um 00:30 schrieb Roman Danyliw <rdd@cert.org>:
>>> 
>>> Hi!
>>> 
>>> I performed an AD review of draft-ietf-oauth-rar-12.  Thanks for this
>> document.  My feedback is as follows:
>>> 
>>> ** Section 2. Editorial
>>> 
>>> This field MUST be compared using an exact byte match of the string
>>>  value against known types by the AS.
>>> 
>>> Consider if you want to introduce how the lack of match will be handled here
>> - it is covered later.
>> 
>> I’m not sure how to handle this as there is no direct consequence (in the sense
>> of error condition) other then that different byte arrays constitute different
>> types.
>> 
>> We could state something like this: "String values with different byte
>> representations constitute different types.“ ?
> 
> Works for me.
> 
>>> 
>>> ** Section 2.2.
>>> 
>>> All data fields are OPTIONAL for use by a given API
>>>  definition.
>>> 
>>> I don't follow how this is true in the general case.  I was under the impression
>> that this section defined what is expected to be common fields.  Couldn't some
>> AS with a particular type require their presence?
>>> 
>>> ** Section 3.  Editorial
>>> 
>>> OLD
>>> In case of authorization requests as defined in [RFC6749],
>>>  implementors MAY consider to use
>>> 
>>> NEW
>>> In case of authorization requests as defined in [RFC6749],
>>>  implementors MAY consider using ...
>>> 
>>> ** Section 3.  Typo. s/intiate/initiate/
>>> 
>>> ** Section 5.  Typo.
>>> 
>>> OLD
>>> authorization details type
>>>  or authorization details
>>> 
>>> NEW
>>> authorization_details type
>>>  or authorization_details
>> 
>> The spec uses authorization details types to refer to the general concept and
>> authorization_details to refer to the parameter. I think the former is
>> appropriate at this place.
> 
> Understood.
> 
>>> 
>>> ** Section 6.1
>>> 
>>> However, when comparing a new request to an existing request,
>>>  authorization servers can use the same processing techniques as used
>>>  in granting the request in the first place to determine if a resource
>>>  owner needs to authorize the request.
>>> 
>>> Why is it possible to assess two arbitrary requests in this case to determine "if
>> a resource owner needs to authorize the request", but the prior paragraph
>> explicitly calls out that comparing two arbitrary requests is not feasible?  To me
>> is seems like comparing two requests to understand if more or less permissions
>> are being requested is equivalent to determining if a new request exceed the
>> current request to determine if going back to the resource owner is needed.
>>> 
>>> ** Section 6.1.  Typo. s/isaunce/issuance/
>>> 
>>> ** Section 7.
>>> 
>>>  If the client does not specify
>>>  the authorization_details token request parameters, the AS determines
>>>  the resulting authorization details at its discretion.  The
>>>  authorization server MAY consider the values of other parameters such
>>>  as resource and scope if they are present during this processing, and
>>>  the details of such considerations are outside the scope of this
>>>  specification.
>>> 
>>> This guidance seems to indicate the use of the scope parameter is optional in
>> determining the authorization details.  Section 3.1 says "The AS MUST consider
>> both sets of requirements in combination with each other for the given
>> authorization request."  My read is that this is conflicting guidance and Section
>> 3.1 is correct.
>> 
>> Justin: „You aren’t required to use “scope” in order to use
>> “authorization_details”, but we do want to say that the AS is allowed to (or
>> even is supposed to) consider both “scope” and “authorization_details” when
>> determining the resulting access for any given request that might have both.
>> The guidance in 3.1 should probably say “the AS MUST consider all
>> requirements present on a request” or something like that?“
>> 
>> Section 3 already states that the AS must consider scope and resource in
>> addition to authorisation details. I suggest to drop that sentence entirely.
> 
> Works for me.
> 
>>> 
>>> ** Figure 15.  The text prior to this figure says that for "For our running
>> example, this would look like this" indicating that this figure is similar to
>> previous examples.  There is one key different - this is the first use of a
>> "payment_initiator" type with the API URL prepended.
>>> 
>>> ** Section 7.1. Typo. s/sub set/subset/
>>> 
>>> ** Section 8.  What is the difference between this section and Section 5
>> beyond this text explicitly stating the name of the error value
>> (invalid_authorization_details).  I'd recommend stating the normative behavior
>> twice; that is, why are both sections needed?
>> 
>> 5 and 8 define the error behaviour of different endpoint. But you are right, the
>> text is the same (with 5 being even more detailed). Suggest to remove the text
>> in 8 with a reference to 5.
> 
> Works for me.
> 
> Thanks,
> Roman
> 
>> best regards,
>> Torsten.
>> 
>>> 
>>> ** Section 9.2.  Editorial.  There is some kind of rendering issues in the
>> RFC7622 reference.  It reads "[!@RFC7662]".
>>> 
>>> ** Section 11.2.
>>> 
>>>  Products supporting this specification should provide the following
>>>  basic functions:
>>> 
>>> Should this section be more tightly scoped to AS behavior instead of a
>> "products"?
>>> 
>>> ** Section 11.2.
>>> 
>>> Accept authorization_details parameter in authorization requests
>>>     including basic syntax check  for compliance with this
>>>     specification
>>> 
>>> Why only "basic syntax checking"?  Perhaps "syntax checking"?
>>> 
>>> ** Section 11.2
>>> 
>>>  One option would be to have a mechanism allowing the registration of
>>>  extension modules, each of them responsible for rendering the
>>>  respective user consent and any transformation needed to provide the
>>>  data needed to the resource server by way of structured access tokens
>>>  or token introspection responses.
>>> 
>>> I don't follow the flexibility being described here.  "One option ..." with
>> respect to what?
>>> 
>>> ** Section 11.3.  Could this section provide an example of what it would
>> mean to use JSON schema ids in the type value.
>>> 
>>> ** Section 12.  Please note that the Security Considerations of RFC6749,
>> RFC7662, and RFC8414 apply.
>>> 
>>> ** Section 13.
>>> 
>>>  Implementers MUST design and use authorization details in a privacy-
>>>  preserving manner.
>>> 
>>> I completely agree with the principle, but this design guidance cannot be
>> enforced without specifics.  I recommend s/MUST/must/.  The more specific
>> text in this section can use the normative MUST statements.
>>> 
>>> ** Section 13.
>>> 
>>> Any sensitive personal data included in authorization details MUST be
>>>  prevented from leaking, e.g., through referrer headers.
>>> 
>>> Is "leaking" the same as being sent unencrypted?  Recommend being clear.
>>> 
>>> ** Section 13.
>>> 
>>> The AS SHOULD share this data with those parties on a "need to know"
>>>  basis.
>>> 
>>> Completely agree.  Consider ending this sentence with "... as determined by
>> local policy", or the equivalent to make it clear that it will not be document in
>> this specification.
>>> 
>>> Thanks,
>>> Roman
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email