Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

William Denniss <wdenniss@google.com> Sun, 03 May 2020 22:53 UTC

From: William Denniss <wdenniss@google.com>
Date: Sun, 3 May 2020 15:53:10 -0700
Message-ID: <CAAP42hB1MrOB0seS-6gxSvfxtEQCNhPfpnAU5XxD-3QyVPb9jA@mail.gmail.com>
To: Naveen Agarwal <na@ohauth.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OzG-dBKwpbrvF-WFw5ot2hmQFlQ>

Posting this to the list with Naveen's permission, see his comment below,
and my response:

On Thu, Nov 7, 2019 at 12:51 AM Naveen Agarwal <na@ohauth.com> wrote:

> Hi William,
>
> One nit: on page 5 I think "requires" should be "required"
>
> "If later the user interacts with
>    the calendar or contacts features then, and only then, should the
>    require*s* scopes be requested. "
>
>
I've fixed this in my staged copy, will land in version 05.


> Separately, I think it may be worth adding somewhere (with more privacy-conscious users and awareness)
> that if the authorization server does not show currently granted scopes, then a user may assume that the current set of scopes
> are all they are granting to this client, leading to privacy issues.
>
>
Thank you for your review Naveen, I appreciate your feedback.

I added a section to address this topic, "Previously Granted Scopes" (in
version 04). One challenge is that this advice can only apply to clients
that can't be impersonated (like confidential clients), as otherwise the
display could be inaccurate.


> Also, a server could revalidate existing scopes and a user could deny them. A client should be able to handle that.
>
>
It would be good to guide clients on this possibility, I agree. I added a
new section "Handling Scope Reductions" (in version 04) to discuss some of
these possibilities and how they should be handled.

Regards,
William


> Thanks
>
>
> Naveen
>
>
> On Wed, Nov 6, 2019 at 5:15 PM William Denniss <wdenniss=
> 40google.com@dmarc.ietf.org> wrote:
>
>>
>> On Wed, Sep 25, 2019 at 3:54 PM Brian Campbell <bcampbell=
>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>
>>> Just noticed that something is missing in
>>> https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-02#section-5
>>> where it has just, "(Section 4.1.4 of )"
>>>
>>
>> Thank you for catching this Brian. It was meant to read Section 4.1.4 of
>> RFC 6749.
>>
>> I've updated this in my local copy, will get posted in version 04.
>>
>>
>>>
>>> On Thu, Sep 12, 2019 at 8:40 AM Hannes Tschofenig <
>>> Hannes.Tschofenig@arm.com> wrote:
>>>
>>>> Thanks for the correction; yes – the most recent version is -02 and I
>>>> posted an old link.
>>>>
>>>> *From:* Eve Maler <eve@xmlgrrl.com>
>>>> *Sent:* Donnerstag, 12. September 2019 16:16
>>>> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>
>>>> *Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01
>>>>
>>>> I think you mean
>>>> https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-02?
>>>>
>>>> Eve Maler (sent from my iPad) | cell +1 425 345 6756
>>>>
>>>>
>>>> On Sep 11, 2019, at 4:22 AM, Hannes Tschofenig <
>>>> Hannes.Tschofenig@arm.com> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> We are starting a WGLC on the "OAuth 2.0 Incremental Authorization"
>>>> draft. You can find the document here:
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-01
>>>>
>>>> Please review the document and provide feedback.
>>>>
>>>> The WGLC will end September 25th, 2019.
>>>>
>>>> Ciao
>>>>
>>>> Hannes & Rifaat
>>>>
>>>> IMPORTANT NOTICE: The contents of this email and any attachments are
>>>> confidential and may also be privileged. If you are not the intended
>>>> recipient, please notify the sender immediately and do not disclose the
>>>> contents to any other person, use it for any purpose, or store or copy the
>>>> information in any medium. Thank you.
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly
>>> prohibited....  If you have received this communication in error, please
>>> notify the sender immediately by e-mail and delete the message and any file
>>> attachments from your computer. Thank you.*
>>>
>>
>
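The scope-reduction case Naveen raises above, which William says the draft's "Handling Scope Reductions" section now covers, as an added example that is not part of this thread or of the draft's own text: a client builds an incremental request with include_granted_scopes and then reconciles the token response against what it asked for and what it already held. The endpoint URL, client id, scope names and the sample token response are constructed, and the reading of an omitted "scope" as the full effective request is an assumption stated in the code.

```python
import json
from urllib.parse import urlencode

# Constructed sample token response (not from the draft): the user kept the
# previously granted "profile" scope but declined the newly requested "contacts".
SAMPLE_RESPONSE = '{"access_token": "[placeholder]", "token_type": "Bearer", "scope": "profile calendar"}'


def incremental_auth_url(auth_endpoint, client_id, redirect_uri, new_scopes, state):
    """Build the authorization request for a feature that needs new scopes.

    Only the scopes the feature needs right now are listed. The
    include_granted_scopes=true parameter (draft-ietf-oauth-incremental-authz)
    asks the server to fold in what the user already granted this client.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(new_scopes)),
        "state": state,
        "include_granted_scopes": "true",
    }
    return auth_endpoint + "?" + urlencode(params)


def reconcile_scopes(requested, previously_granted, token_response):
    """Compare what the client asked for with what the server actually granted.

    RFC 6749 section 5.1: the token response carries "scope" when the granted
    scope differs from the requested one and may omit it otherwise. Assumption
    made here: with include_granted_scopes the effective request is the union
    of new and previously granted scopes, so an omitted "scope" means that
    union was granted in full.
    """
    effective_request = set(requested) | set(previously_granted)
    body = json.loads(token_response)
    granted = set(body["scope"].split()) if "scope" in body else effective_request
    return {
        "granted": granted,
        # New scopes the user declined: disable only the feature that needed them.
        "denied_new": set(requested) - granted,
        # Scopes held before but absent now: the user revalidated and withdrew
        # them, so the client drops those features instead of retrying blindly.
        "revoked_existing": set(previously_granted) - granted,
    }
```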