Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt

Janak Amarasena <janakama360@gmail.com> Sun, 22 September 2019 19:52 UTC

References: <156906284888.22977.8893219801768603786.idtracker@ietfa.amsl.com> <1842D9CD-1B5B-420A-AA43-7B30F3CE13B8@lodderstedt.net>
In-Reply-To: <1842D9CD-1B5B-420A-AA43-7B30F3CE13B8@lodderstedt.net>
From: Janak Amarasena <janakama360@gmail.com>
Date: Mon, 23 Sep 2019 01:21:58 +0530
Message-ID: <CAM7dPt0Urr1H=ThKsG27Xt+woCqwj0Ue2b5Of1CcSd3=9pO_4g@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P5C4dU_8wYaktG5NX-oMoaMIMus>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt

Hi,

Since the /as/par endpoint is intended to be used to store the actual
authorization request, I feel that validating the authorization request as
mentioned in point 2 of section 2.1 (Request) should not be a
responsibility of the /as/par endpoint and that it should not validate
the authorization request. Also, the majority case could be the endpoint
receiving valid requests, and the validation process will be duplicated at
the authorization endpoint.

Also, since section 2.2 (Successful Response) states:

    The "request URI" MUST be bound to the "client_id" of the client that
    posted the authorization request.

wouldn't it be good to enforce the use of the client_id in section 4
(Authorization Request) when the authorization request is made with the
"request_uri" parameter?

    GET /authorize?request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2&client_id=s6BhdRkqt3 HTTP/1.1

Best Regards,
Janak Amarasena

On Sat, Sep 21, 2019 at 4:32 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi all,
>
> I just published a new draft that Brian Campbell, Dave Tonge, Filip
> Skokan, Nat Sakimura and I wrote.
>
> https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
>
> It proposes a new endpoint, called "pushed authorization request
> endpoint", that allows the client to push the Authorization Request payload
> with the AS on a backchannel connection instead of a front channel
> interaction. The AS provides the client with a request URI (according to
> draft-ietf-oauth-jwsreq) that the client uses in subsequent authorization
> requests to refer to the pushed request data.
>
> We believe this simple mechanism will significantly increase
> OAuth security and robustness since any application can use it by just
> sending the parameters in the same encoding as used
> at the authorisation endpoint over an HTTPS-protected and
> (for confidential clients) mutually authenticated connection to the AS. It
> can also be used to push signed and encrypted request objects to the AS,
> i.e. it provides an interoperable way to use request objects managed at the
> AS for use cases requiring an even higher security level.
>
> We look forward to getting your feedback.
>
> kind regards,
> Torsten.
>
> Begin forwarded message:
>
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-lodderstedt-oauth-par-00.txt
> Date: 21. September 2019 at 12:47:28 CEST
> To: "Nat Sakimura" <nat@sakimura.org>, "Brian Campbell" <bcampbell@pingidentity.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Dave Tonge" <dave@tonge.org>, "Filip Skokan" <panva.ip@gmail.com>
>
>
> A new version of I-D, draft-lodderstedt-oauth-par-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
>
> Name: draft-lodderstedt-oauth-par
> Revision: 00
> Title: OAuth 2.0 Pushed Authorization Requests
> Document date: 2019-09-21
> Group: Individual Submission
> Pages: 12
> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-par-00.txt
> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-par
>
>
> Abstract:
>   This document defines the pushed authorization request endpoint,
>   which allows clients to push the payload of an OAuth 2.0
>   authorization request to the authorization server via a direct
>   request and provides them with a request URI that is used as
>   reference to the data in a subsequent authorization request.
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
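To make the binding Janak asks about concrete, here is an added toy model of the two endpoints (example code written for this thread, not code from the draft or from anyone who posted): the PAR endpoint stores the pushed payload bound to the client authenticated on the backchannel and returns a request_uri; the authorization endpoint then resolves that request_uri and rejects it when it is presented with a different client_id, when it is replayed, or when it has expired. The REQUIRED_PARAMS list, the 90-second lifetime, the "urn:example:" prefix (taken from the request line in the message above) and the error strings are assumptions for the example, not values fixed by the draft.

```python
"""Toy model of the pushed authorization request (PAR) flow: the PAR endpoint
stores a pushed payload bound to the authenticated client and hands back a
request_uri; the authorization endpoint later resolves it and checks that the
client_id on the front-channel request is the client that pushed it.
Added example for this thread; not code from the draft or its authors."""
import secrets
import time
from dataclasses import dataclass

# Parameters the PAR endpoint requires before storing anything. The draft has
# the AS validate the pushed request; the thread questions where that
# validation belongs. Here it happens once, at the PAR endpoint (assumption).
REQUIRED_PARAMS = ("response_type", "redirect_uri")

# request_uri form taken from the example request line in the thread.
REQUEST_URI_PREFIX = "urn:example:"


class OAuthError(Exception):
    """Carries the error code the AS would put in its error response."""


@dataclass
class PushedRequest:
    client_id: str        # client authenticated on the backchannel
    params: dict          # the pushed authorization request parameters
    expires_at: float     # absolute time after which the request_uri is dead
    used: bool = False    # a request_uri is single-use


class AuthorizationServer:
    def __init__(self, lifetime=90):
        self.lifetime = lifetime   # seconds, returned as expires_in (assumed value)
        self.pushed = {}           # request_uri -> PushedRequest

    def par_endpoint(self, authenticated_client_id, params, now=None):
        """POST /as/par. The client was already authenticated on this backchannel
        connection (mTLS or client credentials), so the stored request is bound
        to that client_id, as section 2.2 of the draft requires."""
        now = time.time() if now is None else now
        if params.get("client_id", authenticated_client_id) != authenticated_client_id:
            raise OAuthError("invalid_request")   # body claims a different client
        if "request_uri" in params:
            raise OAuthError("invalid_request")   # a pushed request cannot nest one
        if any(p not in params for p in REQUIRED_PARAMS):
            raise OAuthError("invalid_request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(24)
        self.pushed[request_uri] = PushedRequest(
            authenticated_client_id, dict(params), now + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def authorize_endpoint(self, query, now=None):
        """GET /authorize. Returns the effective authorization request parameters,
        or raises with the error code the AS would report."""
        now = time.time() if now is None else now
        request_uri = query.get("request_uri")
        if request_uri is None:
            return dict(query)    # ordinary front-channel request, unchanged
        entry = self.pushed.get(request_uri)
        if entry is None or entry.used or now >= entry.expires_at:
            raise OAuthError("invalid_request_uri")  # unknown, replayed or expired
        # The binding from section 2.2 only helps if it is enforced here: the
        # client_id presented on the front channel must be the pushing client.
        if query.get("client_id") != entry.client_id:
            raise OAuthError("invalid_request_uri")
        entry.used = True
        effective = dict(entry.params)
        effective["client_id"] = entry.client_id
        return effective


def error_code(fn, *args, **kwargs):
    """Run an endpoint call and return its error code, or None on success."""
    try:
        fn(*args, **kwargs)
    except OAuthError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; the client_id is the one from the thread.
    srv = AuthorizationServer()
    resp = srv.par_endpoint("s6BhdRkqt3", {"response_type": "code", "scope": "openid",
                                           "redirect_uri": "https://client.example.org/cb"})
    print(resp)
    print(error_code(srv.authorize_endpoint,
                     {"request_uri": resp["request_uri"], "client_id": "other"}))
    print(srv.authorize_endpoint({"request_uri": resp["request_uri"],
                                  "client_id": "s6BhdRkqt3"}))
```

The model keeps the request_uri opaque and unguessable, single-use and short-lived, and treats a client_id mismatch the same way as an unknown request_uri so the response does not reveal whether a given URI exists.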