[OAUTH-WG] Potential for an OAuth POST-Initiated Framework

Aaron Parecki <aaron@parecki.com> Fri, 02 February 2024 16:53 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 02 Feb 2024 08:53:19 -0800
Message-ID: <CAGBSGjq9VTdTZLYu1TT=C7vno2D+P4GR2TWQd=cKHSNBoabuxw@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q8O7ITOyAsx_wlgVctsltcheaNM>
Subject: [OAUTH-WG] Potential for an OAuth POST-Initiated Framework

Hi all,

As discussed at IETF 118 during the "First-Party Apps" session, there was
some interest in genericizing the idea of starting an OAuth flow with a
POST request, which could be used by this draft and would look similar
to PAR. This would essentially define a common way to start an OAuth
authorization request with a client-initiated POST request, but would
enable further types of uses beyond the single request_uri response defined
by PAR.

The framework would define:

• request_type = {extension-defined}
• Sending the authorization request parameters in the request body (with
similar language as used by PAR
https://datatracker.ietf.org/doc/html/rfc9126#name-request)
• How to layer on client authentication, attestation, etc
• The response of the request would be defined by extensions

It would also establish a registry of request types, input parameters and
response body values.

We would then rewrite the First-Party Apps draft as an extension of this
framework.

Before I go to write this up, I wanted to check if anyone has other
concrete extensions they might want to define? If there is at least one,
then it's worth it to me, but if First-Party Apps would be the only
one for the foreseeable future then I'd like to continue working on the
draft as is.

So please let me know if you have anything in mind that could leverage
client-initiated POST requests. Thanks!

---
Aaron Parecki
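To make the shape of the proposal concrete, here is an added illustration (not code from the message, the First-Party Apps draft, or any RFC) of what an authorization server endpoint built on such a framework could look like: a single POST endpoint that authenticates the client, applies the checks RFC 9126 already requires for PAR to every request regardless of type, and then dispatches on `request_type` through a registry of extension handlers. Everything beyond what the message states is an assumption: the request type names `par` and `echo_scope`, the handler and function names, the client record, the use of `invalid_request` for an unknown `request_type`, and the constructed client credentials. The `par` handler mirrors RFC 9126 behaviour (HTTP 201, a `urn:ietf:params:oauth:request_uri:` reference and `expires_in`); the second handler exists only to show that the framework's response is left to the extension.

```python
"""Toy POST-initiated OAuth request endpoint with a request_type registry.

Added example: parameter names and handlers beyond 'request_type' are
assumptions, not anything defined by the draft or an RFC.
"""
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry; a real AS loads this from client registration.
CLIENTS = {
    "s6BhdRkqt3": {  # client_id taken from the RFC 6749 examples
        "redirect_uris": {"https://client.example.org/cb"},
        "client_secret": "constructed-secret",  # constructed sample value
    }
}

# PAR-style storage of pushed requests: request_uri -> stored parameters.
PENDING = {}
REQUEST_URI_LIFETIME = 60  # seconds; short-lived, as RFC 9126 recommends


def authenticate_client(params):
    """Client authentication layered on the request (client_secret_post style,
    RFC 6749 section 2.3.1). Returns the client record, or None on failure."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        return None
    secret = params.get("client_secret")
    if secret is None or not secrets.compare_digest(secret, client["client_secret"]):
        return None
    return client


def validate_authorization_params(params, client):
    """Checks shared by every request type, reusing the PAR rules from RFC 9126.
    Returns an OAuth error code or None when the parameters are acceptable."""
    # RFC 9126 section 2.1: the request_uri parameter MUST NOT be present.
    if "request_uri" in params:
        return "invalid_request"
    if params.get("response_type") is None:
        return "invalid_request"
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is not None and redirect_uri not in client["redirect_uris"]:
        return "invalid_request"
    return None


def handle_par(params, client):
    """request_type 'par' (assumed name): behaves like RFC 9126 and answers
    with an opaque request_uri the client then presents at the authorization endpoint."""
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    PENDING[request_uri] = {
        "client_id": params["client_id"],
        "params": params,
        "exp": time.time() + REQUEST_URI_LIFETIME,
    }
    return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}


def handle_echo_scope(params, client):
    """Hypothetical second extension: exists only to show that the response
    body is defined by the extension, not by the framework."""
    return 200, {"scope": params.get("scope", "")}


# Registry of request types -> handler. Extensions register their type here.
REQUEST_TYPES = {
    "par": handle_par,
    "echo_scope": handle_echo_scope,
}


def handle_post(body):
    """Entry point for the POST endpoint. Takes the raw
    application/x-www-form-urlencoded body and returns (http_status, response_dict)."""
    raw = parse_qs(body, keep_blank_values=True)
    # RFC 6749 section 3.1: parameters MUST NOT be included more than once.
    if any(len(values) != 1 for values in raw.values()):
        return 400, {"error": "invalid_request"}
    params = {k: v[0] for k, v in raw.items()}

    client = authenticate_client(params)
    if client is None:
        return 401, {"error": "invalid_client"}

    err = validate_authorization_params(params, client)
    if err is not None:
        return 400, {"error": err}

    # Unknown or missing request_type is reported as invalid_request (assumption).
    handler = REQUEST_TYPES.get(params.get("request_type"))
    if handler is None:
        return 400, {"error": "invalid_request",
                     "error_description": "unknown request_type"}
    return handler(params, client)
```

The point of placing `authenticate_client` and `validate_authorization_params` ahead of the registry lookup is that every extension inherits the same client authentication and the same PAR-derived parameter checks; an extension only defines its own `request_type` value and response body.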