Re: [OAUTH-WG] Transaction Authorization with OAuth

George Fletcher <gffletch@aol.com> Thu, 25 April 2019 15:03 UTC

To: Torsten Lodderstedt <torsten@lodderstedt.net>, Sascha Preibisch <saschapreibisch@gmail.com>
Cc: oauth <oauth@ietf.org>
Date: Thu, 25 Apr 2019 11:03:51 -0400
Message-ID: <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com>
In-Reply-To: <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NOrXeJPPY8NxHw5KxwndHiRm6g0>

A couple of thoughts...

1. It doesn't feel like these are scopes (at least not as scope is 
defined by RFC 6749). It feels like they are more transaction requirements.

2. The schemas are going to be very ecosystem specific, correct?

On 4/24/19 1:08 PM, Torsten Lodderstedt wrote:
> Hi Sascha,
>
> I see. I assume every element within the structured scope element to be an independent scope (value) object and intended to use the name of that object as kind of content type definition.
>
> In my last example, the scope is defined as
>
>     "structured_scope":{
>        "sign":{
>           "credentialID":"qes_eidas",
>           "documentDigests":[
>              {
>                 "hash":
>                   "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI=",
>                 "label":"Mobile Subscription Contract"
>              }
>           ],
>           "hashAlgorithmOID":"2.16.840.1.101.3.4.2.1"
>        },
>        "payment":{
>           "type":"sepa-credit-transfer",
>           "instructedAmount":{
>              "currency":"EUR",
>              "amount":"123.50"
>           },
>           "debtorAccount":{
>              "iban":"DE40100100103307118608"
>           },
>           "creditorName":"Merchant123",
>           "creditorAccount":{
>              "iban":"DE02100100109307118603"
>           },
>           "remittanceInformationUnstructured":"new Smartphone"
>        }
>     }
>
> This means "sign" and "payment" would determine the scheme of the respective object.
>
> What do you think?
>
> best regards,
> Torsten.
>
>> On 23. Apr 2019, at 17:14, Sascha Preibisch <saschapreibisch@gmail.com> wrote:
>>
>> Hi Torsten!
>>
>> If 'structured_scope' were to become a generic field for application
>> specific content, I believe an indicator for the type of content would
>> be needed in the long run. That is what I meant by 'profile'. I hope
>> this helps!
>>
>> Thank you,
>> Sascha
>>
>> Am Mo., 22. Apr. 2019 um 22:06 Uhr schrieb Torsten Lodderstedt
>> <torsten@lodderstedt.net>:
>>> Hi Sascha,
>>>
>>>> Am 22.04.2019 um 20:34 schrieb Sascha Preibisch <saschapreibisch@gmail.com>:
>>>>
>>>> Thank you for the article, Torsten!
>>> my pleasure :-)
>>>
>>>> I like that 'scope' is out of the game for these kinds of authorizations.
>>>>
>>>> What I can see for the general use case is a required identifier
>>>> within the 'structured_scope' document that identifies the profile it
>>>> should be used for.
>>> What does profile mean in this context?
>>>
>>> best regards,
>>> Torsten.
>>>> Thank you,
>>>> Sascha
>>>>
>>>> Am Sa., 20. Apr. 2019 um 11:21 Uhr schrieb Torsten Lodderstedt
>>>> <torsten@lodderstedt.net>:
>>>>> Hi all,
>>>>>
>>>>> I just published an article about the subject at: https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>>>>>
>>>>> I look forward to getting your feedback.
>>>>>
>>>>> kind regards,
>>>>> Torsten.
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
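The design Torsten describes above, where the name of each element inside structured_scope selects the schema of that object, together with George's point that these are transaction requirements rather than RFC 6749 scopes, as an added example that is not part of the original thread, of any draft, or of any implementation the participants refer to. The per-type schema functions, their field rules and error strings, and the exact-match rule at the resource server are assumptions made for this example (an ecosystem would define its own); the sample object is a copy of the one quoted in the thread. The authorization server validates each element through a registry keyed by element name and fails closed on names it does not know; the resource server then refuses to execute any payment that differs from the one the user consented to.

```python
import base64
import binascii
import json
import re
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, List

# Constructed sample: the structured_scope object quoted in the thread.
SAMPLE_SCOPE = json.loads("""{
 "sign": {"credentialID": "qes_eidas",
          "documentDigests": [{"hash": "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI=",
                               "label": "Mobile Subscription Contract"}],
          "hashAlgorithmOID": "2.16.840.1.101.3.4.2.1"},
 "payment": {"type": "sepa-credit-transfer",
             "instructedAmount": {"currency": "EUR", "amount": "123.50"},
             "debtorAccount": {"iban": "DE40100100103307118608"},
             "creditorName": "Merchant123",
             "creditorAccount": {"iban": "DE02100100109307118603"},
             "remittanceInformationUnstructured": "new Smartphone"}
}""")

# Digest length in bytes for the NIST hash OIDs (SHA-256, SHA-384, SHA-512).
DIGEST_LEN = {"2.16.840.1.101.3.4.2.1": 32, "2.16.840.1.101.3.4.2.2": 48,
              "2.16.840.1.101.3.4.2.3": 64}

def iban_is_valid(iban) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map A..Z to 10..35, and the resulting integer must be 1 mod 97."""
    if not isinstance(iban, str) or not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    digits = "".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])
    return int(digits) % 97 == 1

def validate_sign(obj: dict) -> List[str]:
    """Schema for the 'sign' element (assumed for this example)."""
    errors = [] if obj.get("credentialID") else ["credentialID missing"]
    expected = DIGEST_LEN.get(obj.get("hashAlgorithmOID"))
    if expected is None:
        errors.append("unsupported hashAlgorithmOID")
    digests = obj.get("documentDigests")
    if not isinstance(digests, list) or not digests:
        return errors + ["documentDigests must be a non-empty list"]
    for i, d in enumerate(digests):
        try:
            raw = base64.b64decode(d.get("hash", ""), validate=True)
        except (binascii.Error, ValueError, AttributeError):
            errors.append(f"documentDigests[{i}].hash is not base64")
            continue
        if expected is not None and len(raw) != expected:  # length must fit the OID
            errors.append(f"documentDigests[{i}].hash length does not match OID")
    return errors

def validate_payment(obj: dict) -> List[str]:
    """Schema for the 'payment' element (assumed for this example)."""
    errors = [] if obj.get("type") == "sepa-credit-transfer" else ["unsupported payment type"]
    amt = obj.get("instructedAmount")
    amt = amt if isinstance(amt, dict) else {}
    if not re.fullmatch(r"[A-Z]{3}", str(amt.get("currency", ""))):
        errors.append("instructedAmount.currency must be a 3-letter code")
    if not re.fullmatch(r"[0-9]{1,14}(\.[0-9]{1,3})?", str(amt.get("amount", ""))):
        errors.append("instructedAmount.amount malformed")
    for field in ("debtorAccount", "creditorAccount"):
        acct = obj.get(field)
        if not isinstance(acct, dict) or not iban_is_valid(acct.get("iban")):
            errors.append(f"{field}.iban fails the mod-97 check")
    if not obj.get("creditorName"):
        errors.append("creditorName missing")
    return errors

# The element name is the content type: it selects the schema to apply.
SCHEMAS: Dict[str, Callable[[dict], List[str]]] = {"sign": validate_sign,
                                                    "payment": validate_payment}

def validate_structured_scope(scope) -> List[str]:
    """Authorization-server side: every element needs a registered schema and
    must pass it; unknown element names fail closed. Empty list means OK."""
    if not isinstance(scope, dict) or not scope:
        return ["structured_scope must be a non-empty object"]
    errors = []
    for name, body in scope.items():
        validator = SCHEMAS.get(name)
        if validator is None:
            errors.append(f"unknown scope type {name!r}")
        elif not isinstance(body, dict):
            errors.append(f"{name} must be an object")
        else:
            errors.extend(f"{name}: {e}" for e in validator(body))
    return errors

def payment_matches(authorized: dict, requested: dict) -> bool:
    """Resource-server side: the payment about to be executed must equal the
    authorized transaction; consent for 123.50 EUR to one IBAN covers nothing
    else. Amounts are compared numerically ("123.5" == "123.50")."""
    try:
        a, r = authorized["instructedAmount"], requested["instructedAmount"]
        same_amount = Decimal(a["amount"]) == Decimal(r["amount"])
        same_currency = a["currency"] == r["currency"]
    except (KeyError, TypeError, InvalidOperation):
        return False
    return same_amount and same_currency and all(
        authorized.get(k) == requested.get(k)
        for k in ("type", "debtorAccount", "creditorAccount", "creditorName"))
```

`validate_structured_scope(SAMPLE_SCOPE)` returns an empty list for the quoted object; adding an element whose name is not in SCHEMAS, or changing one digit of an IBAN, produces a specific error rather than a silently accepted grant. `payment_matches` is the part a scope string cannot express: the token does not grant "payments", it grants this one transfer, and the resource server has to compare every field before moving money.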