IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Roman Danyliw <rdd@cert.org> Fri, 14 October 2022 16:53 UTC

Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0C5C14F735 for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2022 09:53:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wr2DCUFHvjOE for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2022 09:53:48 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0107.outbound.protection.office365.us [23.103.209.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35E6CC14E514 for <oauth@ietf.org>; Fri, 14 Oct 2022 09:53:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=DvaS/Sr30EVAr3Mo2dM5rSn9TIozwWTSZMIAVx8nlbHQQ2zSJMvxfx6NBapBndSyDyaylTEwRdVhHosVneRqN01vHX/+qMIRF5xmmkksOFrbuSiDJSXqTzJTWDLXuy8EMO7pztzCljBRPJasxXkxSOyceWUzKjuCpKCqxbhlO8b/7TA+S27p2YEugUqwOy8n/L4IpwHxwo7kEyR9iajcXirVySC2Yz43052YnYG3tJy1xqbgd4jYrmQLT+saTWr7j5E+kNm8CQsAGMq1mN7X0QOvim8lBm/QVkt237MRpp3XhHTjT2ncPe+llCs+xL/w8gXJ6bAEPooySi+ajmJvMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tNYUdxCyTNT0E+AbRZrhAKS7pCAlYJ+5YPfQnbJjNkk=; b=zW3DZG51507Z7SfkUSfK8Hf6NXm+m5ygeCrOgiL6iq78er98QuwsCtiDid0aQtJUQ2MAel1wo3qba6W2rbHOegsRWR+p1Tc9HTGnc5MSt7j1LooBCix8F3N0zSE+98IIoZb3uJqzD5o59XV3RRRaJYf5+TrPy575Qu02Q/d1XKogucWTxHKvddUX5yfIb+wJJY6DBye82rxFKZFHMOh3N3GR+w4El6eZTRQ2McdLUL/HppA2y7dfYm+elTg+n9150vJKETsk6oLwEBDQhB9gFx9TlPSrWgM/gSLohmLTbI6BgJotNdTYQKobKtYRiTFNQbJvVk4PutvtEC57TTXEBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tNYUdxCyTNT0E+AbRZrhAKS7pCAlYJ+5YPfQnbJjNkk=; b=B375nz22TXD0f1lvyIFxQy24PGw2SnSsqAQATRcjsQYsC/FzkjSc6rTc+yJKpjs4MWDia3mUYje2okEGwrYXZ74opfB5mgr3RRFFkLcsKTpOX4lbVw64rRdX+GhBfXSUTLdTKj6ibY6sdSN5gnLstk7FISvBiT3OwUv6wDIWO7I=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1715.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5709.21; Fri, 14 Oct 2022 16:53:45 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1%7]) with mapi id 15.20.5709.022; Fri, 14 Oct 2022 16:53:45 +0000
From: Roman Danyliw <rdd@cert.org>
To: Brian Campbell <bcampbell@pingidentity.com>, Justin Richer <jricher@mit.edu>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Thread-Index: AdjIiWV70TiGp2n1QyK+vwbKisrOXgAjS6wAAAMnDAAFspNlwA==
Date: Fri, 14 Oct 2022 16:53:45 +0000
Message-ID: <BN2P110MB110706103B23CAB7A29CF873DC249@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3496F95F-14DE-4A66-90BD-4246ABB1AC20@mit.edu> <CA+k3eCSxTALhP3pt-NjoLPw6g-K9TQ=ngzDFgUzC678EnU7gwA@mail.gmail.com>
In-Reply-To: <CA+k3eCSxTALhP3pt-NjoLPw6g-K9TQ=ngzDFgUzC678EnU7gwA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1715:EE_
x-ms-office365-filtering-correlation-id: 15d1514b-5910-4166-e5f1-08daae04a867
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ctl03Q5IFKI3Gtno+wiUkE/53K9+lpctP4Rx8WldoaIYN/XNvLBJB9Sl+IEqSse7a/FL7qwm510dCCRyK4Z8HaFUD7DhMy7Dv+KFH1yc0fSvuqY2hFKr/oTSUJOQTdGbwlmNOlSCpzcyr+JmHtoafSKyD4U1rzFIfv3mBtE6vWGxZSrshbttNWK1Tz6GG/DaRbhW0Z+EYFDBfNf7lY552l5GHXMRviQ9jdUG8DTWvQWirVsG1wWsubFvOjIIB4I7Mx4fScYUdo2g++ZlONmdxrHpEZAzmsKGhlkCBem4/vMM2RrwVCSn6zXWD4rxIa/gzIWuLcJqG3ufOYs4V/9XNkOZaRA839WS1yU9FYsp6zU+e82CpPMkpWmnTJP0ydpzHq0AZvvNn1Y+gek9rSuwX5XDVxAwLHkJ44O3dQuvl2gBZyL0ed3eaugQc2Rg5xIfDyQ94S0Ke81h6TMK+LG+undYicH55bFO2wBbyEX6TcHZCHpFm4nVtKFT5JTDUZtYB8JAEsDN2uQ2nWSUwZ2qh+pAe9LCeo7PrrbdXUqG0iCzoTgo29K6/5dgffn2rGH5vUneRZwtOh1OUA64EBHdxWYWkov9Oxi94Sb/ijU2TcJpKQYWDCzptps9OFKCgiRY36c7XQUDbwe54OQaj6hfMehiemwRhtCeHALBH0LTqjjN91SBrjlxXlEqYtOVHnY8OMdX314WXx/aSb4NGqVGkw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(66899015)(33656002)(122000001)(38070700005)(38100700002)(166002)(5660300002)(2906002)(186003)(82960400001)(86362001)(8676002)(64756008)(66556008)(53546011)(6506007)(66476007)(66446008)(9686003)(26005)(498600001)(76116006)(7696005)(4326008)(66946007)(83380400001)(110136005)(71200400001)(55016003)(8936002)(52536014)(966005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +WkLrOkInlj1uZKqbrRA9OwYApbbQNOdOtMHWvtmpOHsniZKZpNaVU5wVesYk2rB45ZKymRoNoaRHmdn7KQ5IeJ839+/s37uVzrKc/g5kQN/430HncJdGAOiNt3l9DBz0F/MilAcCGg67caBzEFYTWv6icvcmrOq0x3DTuBY/Lv1+2hDw8QaIwvdZ1DmNdmL639bk+PP0mNXWmqcNYo+XyP79P7+s+Q4b6tuI72FbpM8OFOPk5nWqwlHQ23Et+uInS5JAZaFd9PAJqeAmMHuvLx7QDE/U0ivM4vH7ujVkXK5AZ1TGEj9PbY4RKiDtdlkh6NdgbSZgxKKY02PqQ96eP10fIAaHMZXFOu0y8JJG/LFOI+4i/+rlvvV0kKwvFeRVUiXROeZ0f8DdDSnmN2ytYUWMZZCByyY+JuOADyzJ5E=
Content-Type: multipart/alternative; boundary="_000_BN2P110MB110706103B23CAB7A29CF873DC249BN2P110MB1107NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 15d1514b-5910-4166-e5f1-08daae04a867
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2022 16:53:45.4361 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1715
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NFESzWO3TpA9oBeLC1lT3Pajfw8>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 16:53:52 -0000

Looks good to me.  Thank you Brian!

From: Brian Campbell <bcampbell@pingidentity.com>
Sent: Thursday, September 15, 2022 12:50 PM
To: Justin Richer <jricher@mit.edu>
Cc: Roman Danyliw <rdd@cert.org>; oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Thanks for the review Roman and thanks Justin for the responses.

I took the liberty of going ahead and making some of the more straightforward changes suggested by the review in the document source https://github.com/oauthstuff/draft-oauth-rar/commit/575f21bf6369c609f673062ec2083215c797b4c2 so as to hopefully free up this thread to focus on the things that need more discussion.

On Thu, Sep 15, 2022 at 9:20 AM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
Hi Roman, some responses inline.

> On Sep 14, 2022, at 6:30 PM, Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>> wrote:
>
> Hi!
>
> I performed an AD review of draft-ietf-oauth-rar-12.  Thanks for this document.  My feedback is as follows:
>
> ** Section 2. Editorial
>
> This field MUST be compared using an exact byte match of the string
>   value against known types by the AS.
>
> Consider if you want to introduce how the lack of match will be handled here - it is covered later.
>
> ** Section 2.2.
>
> All data fields are OPTIONAL for use by a given API
>   definition.
>
> I don't follow how this is true in the general case.  I was under the impression that this section defined what is expected to be common fields.  Couldn't some AS with a particular type require their presence?

Yes — a particular “type” value can require any of these fields, but a type is itself not *required* to use any of these fields. That’s what we were trying to convey with the OPTIONAL here. Is there a better way to communicate this? Maybe we should just leave off the “OPTIONAL” flag here, but we wanted people to realize that the common elements don’t have to be used by each “type”, while every request needs to have a “type”.

>
> ** Section 3.  Editorial
>
> OLD
> In case of authorization requests as defined in [RFC6749],
>   implementors MAY consider to use
>
> NEW
> In case of authorization requests as defined in [RFC6749],
>   implementors MAY consider using ...
>
> ** Section 3.  Typo. s/intiate/initiate/
>
> ** Section 5.  Typo.
>
> OLD
> authorization details type
>   or authorization details
>
> NEW
> authorization_details type
>   or authorization_details
>
> ** Section 6.1
>
>  However, when comparing a new request to an existing request,
>   authorization servers can use the same processing techniques as used
>   in granting the request in the first place to determine if a resource
>   owner needs to authorize the request.
>
> Why is it possible to assess two arbitrary requests in this case to determine "if a resource owner needs to authorize the request", but the prior paragraph explicitly calls out that comparing two arbitrary requests is not feasible?  To me is seems like comparing two requests to understand if more or less permissions are being requested is equivalent to determining if a new request exceed the current request to determine if going back to the resource owner is needed.
>

It might be possible to do such a comparison in a specific case, but we can’t add logic in the general case. In OAuth, scopes are supposed to be purely additive, so if you have another scope it’s for “more” things. We know in practice that that’s not always how it works. Things get much more complex with RAR because you could have an object with :more: fields in it that makes things more :strict: by the presence of those fields. That’s all going to be up to the “type” definition though, so if you understand the “type” definition you could do a comparison based on that. To me the text is clear, can you suggest how we could clarify this?

> ** Section 6.1.  Typo. s/isaunce/issuance/
>
> ** Section 7.
>
>   If the client does not specify
>   the authorization_details token request parameters, the AS determines
>   the resulting authorization details at its discretion.  The
>   authorization server MAY consider the values of other parameters such
>   as resource and scope if they are present during this processing, and
>   the details of such considerations are outside the scope of this
>   specification.
>
> This guidance seems to indicate the use of the scope parameter is optional in determining the authorization details.  Section 3.1 says "The AS MUST consider both sets of requirements in combination with each other for the given authorization request."  My read is that this is conflicting guidance and Section 3.1 is correct.

You aren’t required to use “scope” in order to use “authorization_details”, but we do want to say that the AS is allowed to (or even is supposed to) consider both “scope” and “authorization_details” when determining the resulting access for any given request that might have both. The guidance in 3.1 should probably say “the AS MUST consider all requirements present on a request” or something like that?

>
> ** Figure 15.  The text prior to this figure says that for "For our running example, this would look like this" indicating that this figure is similar to previous examples.  There is one key different - this is the first use of a "payment_initiator" type with the API URL prepended.
>
> ** Section 7.1. Typo. s/sub set/subset/
>
> ** Section 8.  What is the difference between this section and Section 5 beyond this text explicitly stating the name of the error value (invalid_authorization_details).  I'd recommend stating the normative behavior twice; that is, why are both sections needed?
>
> ** Section 9.2.  Editorial.  There is some kind of rendering issues in the RFC7622 reference.  It reads "[!@RFC7662]".
>
> ** Section 11.2.
>
>   Products supporting this specification should provide the following
>   basic functions:
>
> Should this section be more tightly scoped to AS behavior instead of a "products"?
>
> ** Section 11.2.
>
> Accept authorization_details parameter in authorization requests
>      including basic syntax check  for compliance with this
>      specification
>
> Why only "basic syntax checking"?  Perhaps "syntax checking"?

I’m not positive, but I think the guidance here is meant for “basic” to mean more like “make sure it’s a JSON object and that it has a type field” as opposed to “check the type field’s value and run it against a JSON Schema definition”.

>
> ** Section 11.2
>
>   One option would be to have a mechanism allowing the registration of
>   extension modules, each of them responsible for rendering the
>   respective user consent and any transformation needed to provide the
>   data needed to the resource server by way of structured access tokens
>   or token introspection responses.
>
> I don't follow the flexibility being described here.  "One option ..." with respect to what?

With respect to having certain types hard-coded (like someone like Facebook or GitHub might do because their API is specific) or having some kind of mechanism that just prints out the RAR objects verbatim.

>
> ** Section 11.3.  Could this section provide an example of what it would mean to use JSON schema ids in the type value.
>
> ** Section 12.  Please note that the Security Considerations of RFC6749, RFC7662, and RFC8414 apply.
>
> ** Section 13.
>
>   Implementers MUST design and use authorization details in a privacy-
>   preserving manner.
>
> I completely agree with the principle, but this design guidance cannot be enforced without specifics.  I recommend s/MUST/must/.  The more specific text in this section can use the normative MUST statements.
>
> ** Section 13.
>
> Any sensitive personal data included in authorization details MUST be
>   prevented from leaking, e.g., through referrer headers.
>
> Is "leaking" the same as being sent unencrypted?  Recommend being clear.

Not just that, but anything that shows up as a URL parameter (which this can) has the ability to be unwittingly transmitted to third parties in weird ways — thus the referrer example. This is in line with other OAuth security recommendations, do you have any suggestions to make this advice more clear?

>
> ** Section 13.
>
> The AS SHOULD share this data with those parties on a "need to know"
>   basis.
>
> Completely agree.  Consider ending this sentence with "... as determined by local policy", or the equivalent to make it clear that it will not be document in this specification.
>
> Thanks,
> Roman
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth


 — Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email