IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

George Fletcher <gffletch@aol.com> Fri, 22 June 2018 21:08 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508C2130EF2 for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 14:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y9QjIjvwIqJ1 for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 14:08:10 -0700 (PDT)
Received: from sonic311-14.consmr.mail.bf2.yahoo.com (sonic311-14.consmr.mail.bf2.yahoo.com [74.6.131.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0892130EEB for <oauth@ietf.org>; Fri, 22 Jun 2018 14:08:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1529701688; bh=pIcWKu/NxkDgTVyJCPwPImVTi77E8nBvrb0FHtSCzuI=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=n+YekMO/DP0QEp7xhiQn3x/a2eJPvPW0frdJGzjGAQ8FKyw8w9FCtAZlD2TyennkgquMPK/Zl1wM20ykKX/w0drFTNsA9pyOzQgYskQBN41kxP/DUYUHNXQRQssR4Hi22q2aNCozcvGc4uwLB5FaPr/6Nz2JMNgNOopXES+Qb1+4ZJqvgwJszio6Yq/Ndgei8pK3XMR6dkeF5cXB0knne7+byDtQGc6X6CQWJPTxQv+R51lq0C+juIf2tlfkWTRL/1XiY1TvT80KHvVSeML7VCZw9h8IPkLbWEfIHoBRUO4ziDlg8+xphIDN0a0P1zyM/bAvpayyJmqVqY8/67HuQQ==
X-YMail-OSG: qGkg2gMVM1nb9rd6VIm8rCdTfyQsTnGph16acJe0k4s0iKC1VeZ83dXIfzVZLKu JqHVYmQYYFYiJZ4OtJmKkZRQIcFOgRCUgyX885zsIMpOHPcZINvsFZ5J3IXGbgniI0fMKBEBvN9E ntGBEQiW4hCdqdLF01YG1OOAoFMPrQ1B52GVzx_pJ0M1wDzs09p78ydYqCTrCtw0FQuKKe1fdJbn LAcdm09ibi7uTkjsoicMqMXDFLVy.OYAjbhj8wix3F4enbUL.HAqPFOgIjFxCxuy0EK4f6VBr_Ec 59cx9YgqnKUpty9422bbvBaUdskYQxupcIfD5wwrpqwjBEhmbpKYi0nLY50GYqzHCS7JOCDhI1Ie zpNoo1w_zGUZsI_uJHECucTavRWALY6mEbXc..j5BJeYaUl20mqm.dsD_54igoiu0rDDiu8_lcaR d8Jscv.g_miOQNqEUzfF_LmIDhvYwpxy5JYfusrge6oWvj_1hZKzsuZpDDYTVTrfvEyhLqc2Rt3T PAVAMLZ_ElhmhxHWwe2JMdIzKZF2MFcNJIAzgblrAgAS3cdaojltkj_Sc32H6MuaoJAlPlFAqBzG XLAbC8rBIXQnQSsNusPXoeximljbC36_0Sy8RmuY6HzqleOA.YrbO_GBxUad0WhFdOUw4.YnvZDZ dfCL3njCKoMNwUQUeP6OykTxi3WwqlGo3bxmWL3G0Lx11MeKsKdshTwqK1V_l.13gGXjNaVtX9yZ L9MGSFRqgqqc1jCY4CXq4P6VCe3GuHoJJnttYvqbu3ME.xoy4Szdndrv0e0iwu438KSF6Nr7Wzat G7m8OmImLXklxfFOgWcS9dxHmbL6TsMlVZ.uKTZFNnj3yZQnEvfYFO0o1Nms6QO4KKkVpM_m06nM iImBe1MdbA06gWB_o945q0iCpZwSQDfR4lA2jEXKzbtxTaKniaV68XOt8Or69ZMH.jM0X8IiCI3t xfpb7OVN8PxLLrl90YmtVuQ--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.bf2.yahoo.com with HTTP; Fri, 22 Jun 2018 21:08:08 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp402.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID bc016fc0fa25fa709a75572ea1f44247; Fri, 22 Jun 2018 21:08:05 +0000 (UTC)
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com> <b9e4115a-512d-3155-9023-604566d7190f@aol.com> <00432150-20C0-4B5F-AB4E-92F96B968A3A@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <01e15dff-2bef-831f-0b00-f64137ccc80e@aol.com>
Date: Fri, 22 Jun 2018 17:08:04 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <00432150-20C0-4B5F-AB4E-92F96B968A3A@lodderstedt.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PbNUUA2KhBGfoSTEmwIkRqYx-ow>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 21:08:12 -0000


On 6/22/18 4:31 PM, Torsten Lodderstedt wrote:
> Hi George,
>
>> Is the goal to bind an access token to a particular transaction? If this is the case, would it not be better to either extend the refresh_token flow or may better yet, create a new grant_type that takes the refresh_token and additional "binding" parameters and then have that return the "bound" access token to be used for the transaction.
> What would be the scope of such a refresh token?
I would think that the scope issued to the refresh_token could represent 
the category or class of authorizations the refresh_token should be able 
to perform. For example, the kind of transactions that can be bound to 
access tokens. The scope issued into the access_token could be one of 
the "parameterized" ones. But maybe I'm not fully understanding the use 
case :)
>> On 6/20/18 5:58 PM, Brian Campbell wrote:
>>> In my own personal and humble opinion, Torsten, what you describe as "(1) Parameter is part of the scope value" is the most natural approach and works without needing changes to, or going outside of, RFC6749 The OAuth 2.0 Authorization Framework. There may be AS implementations that have made assumption about scope values being static (I know of at least one!) but that's an implementation/feature issue, which can change, and not a spec issue.
>>>
>>> The OIDC "claims" parameter is already a bit of a hairy beast and I think using it and the ID Token to convey more dynamic access/authorization is blurring the line between authorization and authentication a bit much. Also, as others have pointed out, OIDC isn't always in play - particularly for regular old authorization cases.
>>>
>>> An additional query parameter might be simple for a one-off case but it's nonstandard and not very repeatable.
>>>
>>>
>>> On Mon, Jun 18, 2018 at 9:34 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>> Hi all,
>>>
>>> I have been working lately on use cases where OAuth is used to authorize transactions in the financial sector and electronic signing. What I learned is there is always the need to pass resource ids (e.g. account numbers) or transaction-specific values (e.g. amount or hash to be signed) to the OAuth authorization process to further qualify the scope of the requested access token.
>>>
>>> It is obvious a static scope value, such as „payment“or „sign“, won’t do the job. For example in case of electronic signing, one must bind the authorization/access token to a particular document, typically represented by its hash.
>>>
>>> I would like to get your feedback on what you consider a good practice to cope with that challenge. As a starting point for a discussion, I have assembled a list of patterns I have seen in the wild (feel free to extend).
>>>
>>> (1) Parameter is part of the scope value, e.g. „sign:<hash_to_be_signed>“ or "payments:<payment_resource_id>" - I think this is an obvious way to represent such parameters in OAuth, as it extends the scope parameter, which is intended to represent the requested scope of an access token. I used this pattern in the OAuth SCA mode in Berlin Group's PSD API.
>>>
>>> (2) One could also use additional query parameter to add further details re the requested authorization, e.g.
>>>
>>> GET /authorize?
>>> .....
>>> &scope=sign
>>> .....
>>> &hash_to_be_signed=<hash_to_be_signed>
>>>
>>> It seems to be robust (easier to implement?) but means the scope only represents the static part of the action. The AS needs to look into a further parameter to fully understand the requested authorization.
>>>
>>> (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to carry additional data.
>>>
>>> Example:
>>>
>>> "claims": {
>>>      "id_token": {
>>>          "acr": {
>>>              "essential": true,
>>>              "value": "..."
>>>            },
>>>          "hash_to_be_signed": {
>>>              "essential": true,
>>>              "value": "<hash_to_be_signed>"
>>>          }
>>>      },
>>>      "userinfo": {
>>>          "hash_to_be_signed": {
>>>              "essential": true,
>>>              "value": "<hash_to_be_signed>"
>>>          }
>>>      }
>>>    }
>>>
>>> I‘m looking forward for your feedback. Please also indicated whether you think we should flush out a BCP on that topic.
>>>
>>> kind regards,
>>> Torsten.
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>>
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email