Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 24 October 2022 16:18 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7F3C14CE22 for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 09:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxEdmpwMHVci for <oauth@ietfa.amsl.com>; Mon, 24 Oct 2022 09:18:31 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F35C14EB1E for <oauth@ietf.org>; Mon, 24 Oct 2022 09:18:30 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id y14so6179127ejd.9 for <oauth@ietf.org>; Mon, 24 Oct 2022 09:18:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=rmx2uXhFbqGNkBl5nKmc5o+uh/a+ot2U1ct2tEBQ53A=; b=z8hPQPTtUmNxrgq7kos74fYEqPscp2Cb4MHaIY/5YuaXbygIkJi0WKkGZrBBdu2MFY 8iqpvo2M4Uur3aryC67ylvNjpVr+r9QLXFiVwPmPPQs54JsK2v7g6Xu+jmbU/xj2Ocka 8o3+TI0MuoKGeCXltAnOhJoEBFtYTFLeIELnx5ijZRakMMLnWRc7+td0ojGVupIQ/1Wo TpDCMW2DyUFukh00ys0uFTe8RhThk7vXiUnyL/zlF/CkXbeHOF8FrcaqzH90/CV1f9BM RsSikQW1cgeXHu4+E4QK2+6AGJ6yZnoDxyjZNVRxCdW/cK45bh6QEPeEdhGx6BUMspFT nLnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rmx2uXhFbqGNkBl5nKmc5o+uh/a+ot2U1ct2tEBQ53A=; b=O+vSEk4SVSPpTcr+3uzdKXwmulJ9/adkLcbn6zit7w79YGklAYpm8ZtSXjYA4L9fG8 Jm5W7kpaKztk0CKn0JpPMALziqbIycEGBqIs+6EcJ9IGrd81L9QbJU2CiP/xBfcBfJTR 7qEmCr60ZaW3/ZNUnbEVM0cR1I1GT3PauhUYA0UADDga25ybxr1b6r4QiWftBQ2Sw/Lx 2fuUGn2dhI9ZMcaZQBFwMpbXkFk7gHS4aCl8ddo0idTuwXg+7+39GBBhCKr0fp03w1o1 R/krjWBcNMWgCxlj+Vr07FOHbNgu9jAgEtJzAg9CJjUAix3bFr7TYkHH/P7Azavw3ToW uesQ==
X-Gm-Message-State: ACrzQf3O2luEQeqrFqdZTLtL8QgtLpjicFYYUZ7LxsGK08TN7RgitEgI UWzV5/vzeAlUVVPLmZcHNtrNeQ==
X-Google-Smtp-Source: AMsMyM4RItA9uiO9lnAtX12oT1iZzBpopOjrbNqHVrsBrx4nYoOtIo252BEK19CqbmTkkwp0Eg1unw==
X-Received: by 2002:a17:907:161f:b0:78e:11b3:8962 with SMTP id hb31-20020a170907161f00b0078e11b38962mr28853927ejc.0.1666628309336; Mon, 24 Oct 2022 09:18:29 -0700 (PDT)
Received: from smtpclient.apple ([213.182.142.66]) by smtp.gmail.com with ESMTPSA id op21-20020a170906bcf500b0078082f95e5csm61645ejb.204.2022.10.24.09.18.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Oct 2022 09:18:28 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <8A472C89-AE85-4623-8656-B280F3DF197C@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EBCB3F19-19AC-4B75-AFCB-04BA89116E23"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 24 Oct 2022 18:18:27 +0200
In-Reply-To: <BN2P110MB1107CE072D8C7CB807D2D23FDC2E9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, "jricher@mit.edu" <jricher@mit.edu>
To: Roman Danyliw <rdd@cert.org>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <EC76A798-8FA9-44D8-A508-952269CFB290@lodderstedt.net> <BN2P110MB1107CE072D8C7CB807D2D23FDC2E9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L__qC0JAi9gTCGmOiIjIoUH-DwM>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 16:18:35 -0000
Hi Roman, I just published revision -14 with the all the agreed changes. https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html best regards, Torsten. > Am 24.10.2022 um 13:07 schrieb Roman Danyliw <rdd@cert.org>: > > Hi Torsten! > > Thanks for the response. More inline ... > >> -----Original Message----- >> From: Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> >> Sent: Tuesday, October 18, 2022 9:00 AM >> To: Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>> >> Cc: oauth@ietf.org <mailto:oauth@ietf.org>; Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>; >> jricher@mit.edu <mailto:jricher@mit.edu> >> Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12 >> >> Hi Roman, >> >> thanks for you review. >> >> I’m trying to do the next round for the outstanding issues you raised. >> >>> Am 15.09.2022 um 00:30 schrieb Roman Danyliw <rdd@cert.org>: >>> >>> Hi! >>> >>> I performed an AD review of draft-ietf-oauth-rar-12. Thanks for this >> document. My feedback is as follows: >>> >>> ** Section 2. Editorial >>> >>> This field MUST be compared using an exact byte match of the string >>> value against known types by the AS. >>> >>> Consider if you want to introduce how the lack of match will be handled here >> - it is covered later. >> >> I’m not sure how to handle this as there is no direct consequence (in the sense >> of error condition) other then that different byte arrays constitute different >> types. >> >> We could state something like this: "String values with different byte >> representations constitute different types.“ ? > > Works for me. > >>> >>> ** Section 2.2. >>> >>> All data fields are OPTIONAL for use by a given API >>> definition. >>> >>> I don't follow how this is true in the general case. I was under the impression >> that this section defined what is expected to be common fields. Couldn't some >> AS with a particular type require their presence? >>> >>> ** Section 3. Editorial >>> >>> OLD >>> In case of authorization requests as defined in [RFC6749], >>> implementors MAY consider to use >>> >>> NEW >>> In case of authorization requests as defined in [RFC6749], >>> implementors MAY consider using ... >>> >>> ** Section 3. Typo. s/intiate/initiate/ >>> >>> ** Section 5. Typo. >>> >>> OLD >>> authorization details type >>> or authorization details >>> >>> NEW >>> authorization_details type >>> or authorization_details >> >> The spec uses authorization details types to refer to the general concept and >> authorization_details to refer to the parameter. I think the former is >> appropriate at this place. > > Understood. > >>> >>> ** Section 6.1 >>> >>> However, when comparing a new request to an existing request, >>> authorization servers can use the same processing techniques as used >>> in granting the request in the first place to determine if a resource >>> owner needs to authorize the request. >>> >>> Why is it possible to assess two arbitrary requests in this case to determine "if >> a resource owner needs to authorize the request", but the prior paragraph >> explicitly calls out that comparing two arbitrary requests is not feasible? To me >> is seems like comparing two requests to understand if more or less permissions >> are being requested is equivalent to determining if a new request exceed the >> current request to determine if going back to the resource owner is needed. >>> >>> ** Section 6.1. Typo. s/isaunce/issuance/ >>> >>> ** Section 7. >>> >>> If the client does not specify >>> the authorization_details token request parameters, the AS determines >>> the resulting authorization details at its discretion. The >>> authorization server MAY consider the values of other parameters such >>> as resource and scope if they are present during this processing, and >>> the details of such considerations are outside the scope of this >>> specification. >>> >>> This guidance seems to indicate the use of the scope parameter is optional in >> determining the authorization details. Section 3.1 says "The AS MUST consider >> both sets of requirements in combination with each other for the given >> authorization request." My read is that this is conflicting guidance and Section >> 3.1 is correct. >> >> Justin: „You aren’t required to use “scope” in order to use >> “authorization_details”, but we do want to say that the AS is allowed to (or >> even is supposed to) consider both “scope” and “authorization_details” when >> determining the resulting access for any given request that might have both. >> The guidance in 3.1 should probably say “the AS MUST consider all >> requirements present on a request” or something like that?“ >> >> Section 3 already states that the AS must consider scope and resource in >> addition to authorisation details. I suggest to drop that sentence entirely. > > Works for me. > >>> >>> ** Figure 15. The text prior to this figure says that for "For our running >> example, this would look like this" indicating that this figure is similar to >> previous examples. There is one key different - this is the first use of a >> "payment_initiator" type with the API URL prepended. >>> >>> ** Section 7.1. Typo. s/sub set/subset/ >>> >>> ** Section 8. What is the difference between this section and Section 5 >> beyond this text explicitly stating the name of the error value >> (invalid_authorization_details). I'd recommend stating the normative behavior >> twice; that is, why are both sections needed? >> >> 5 and 8 define the error behaviour of different endpoint. But you are right, the >> text is the same (with 5 being even more detailed). Suggest to remove the text >> in 8 with a reference to 5. > > Works for me. > > Thanks, > Roman > >> best regards, >> Torsten. >> >>> >>> ** Section 9.2. Editorial. There is some kind of rendering issues in the >> RFC7622 reference. It reads "[!@RFC7662]". >>> >>> ** Section 11.2. >>> >>> Products supporting this specification should provide the following >>> basic functions: >>> >>> Should this section be more tightly scoped to AS behavior instead of a >> "products"? >>> >>> ** Section 11.2. >>> >>> Accept authorization_details parameter in authorization requests >>> including basic syntax check for compliance with this >>> specification >>> >>> Why only "basic syntax checking"? Perhaps "syntax checking"? >>> >>> ** Section 11.2 >>> >>> One option would be to have a mechanism allowing the registration of >>> extension modules, each of them responsible for rendering the >>> respective user consent and any transformation needed to provide the >>> data needed to the resource server by way of structured access tokens >>> or token introspection responses. >>> >>> I don't follow the flexibility being described here. "One option ..." with >> respect to what? >>> >>> ** Section 11.3. Could this section provide an example of what it would >> mean to use JSON schema ids in the type value. >>> >>> ** Section 12. Please note that the Security Considerations of RFC6749, >> RFC7662, and RFC8414 apply. >>> >>> ** Section 13. >>> >>> Implementers MUST design and use authorization details in a privacy- >>> preserving manner. >>> >>> I completely agree with the principle, but this design guidance cannot be >> enforced without specifics. I recommend s/MUST/must/. The more specific >> text in this section can use the normative MUST statements. >>> >>> ** Section 13. >>> >>> Any sensitive personal data included in authorization details MUST be >>> prevented from leaking, e.g., through referrer headers. >>> >>> Is "leaking" the same as being sent unencrypted? Recommend being clear. >>> >>> ** Section 13. >>> >>> The AS SHOULD share this data with those parties on a "need to know" >>> basis. >>> >>> Completely agree. Consider ending this sentence with "... as determined by >> local policy", or the equivalent to make it clear that it will not be document in >> this specification. >>> >>> Thanks, >>> Roman >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] AD review of draft-ietf-oauth-rar-12 Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer