IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

Nat Sakimura <sakimura@gmail.com> Fri, 22 June 2018 16:56 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57AA130EAF for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 09:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9zIVciR0UeB1 for <oauth@ietfa.amsl.com>; Fri, 22 Jun 2018 09:56:43 -0700 (PDT)
Received: from mail-wr0-x229.google.com (mail-wr0-x229.google.com [IPv6:2a00:1450:400c:c0c::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9C86130EAC for <oauth@ietf.org>; Fri, 22 Jun 2018 09:56:42 -0700 (PDT)
Received: by mail-wr0-x229.google.com with SMTP id y12-v6so2368948wrs.2 for <oauth@ietf.org>; Fri, 22 Jun 2018 09:56:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JgSpjUsOprMoNP6miArQDbGYQomIIBegmMFQuo3COEg=; b=o0fglJEhCnEHLiOhzO6HbBl6F4Mtt5/fMCVFyoG9E8AGM4JrzBkuOXwIMIhbh3ant1 aHKPUHjzwbk1ynAJfM/eqI5xe4ATvEJYiLMnKZUF5MVFldZJn3po9M1mEJTWC5SDVR0b MBh6sPp8JAmUATxOl880k3BLGuCMZsfcM5eAIpWbsmPRky0+nai7dytEbrXYrNUKysRw 4fdKFJ6sO9CbTPXRIOzN3sb6w5U2q19yXuD4iu3wGpNp08PXnk20AqKtu3KUJCq50KJW E760j5t0rdfTBvsnP/RobybqyCCfdYtj68nL2vk0UbYWM55nGGMDjSa3zTXOkEekPSB4 WUxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JgSpjUsOprMoNP6miArQDbGYQomIIBegmMFQuo3COEg=; b=uVN5uOHKHLlvt7Mzo3UpX9LIzBISF2nmNqZ3UU7IRKKpdUvuuwFcuB/YIIKRyytvSD Lph04rZ3Kzy+9NfLMaPEulE+47uoyPEC5Q1T1wVM01mzfqX5dvstx0O8bebwbkZGd1Fq VoHwzVRMOn0w0x2Bhx7+RJ4ilYIRm5kJQ+x6RYu3yzjqB5t1LWZtoeIYT26qYKPpL6GG 37yiSX/2EyAvLIXzv665kwul50Wdhp312SkY+aMDcozh07j3riT67QkZlIjkOlJ/eoDD oSLAk0MqPpU7EOx43or1ZHBnNY8PjMKyx908zHpI59xzNzj9zB4gAR2s55eiZzc0IboC ybuA==
X-Gm-Message-State: APt69E3zok3AZhA1KDSX6617mixPyjp62Mf4hOpksJM52fdCzgohdAA5 TGAIvLph+vBEulnR/zEYMfY4wuiPSWfjxVTUagmaqg==
X-Google-Smtp-Source: AAOMgpez5/YI2ooQD9Xp7Qeu7bIr6Rl5bxP5MaQeP19K5D2qIYDpn1ViY8qh/zVmJIkj8JEee3tAxPUQzbD7wJDdWwU=
X-Received: by 2002:adf:c4f7:: with SMTP id o52-v6mr2239474wrf.173.1529686600950; Fri, 22 Jun 2018 09:56:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:bbc3:0:0:0:0:0 with HTTP; Fri, 22 Jun 2018 09:56:39 -0700 (PDT)
In-Reply-To: <42293014-1A1C-42BC-AE5B-A4E10B4FB2EC@lodderstedt.net>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com> <CABzCy2CxXW7PnDCdHC_pdB6ZK86WDqaUh1Okn9ojKe1eh2sZiQ@mail.gmail.com> <42293014-1A1C-42BC-AE5B-A4E10B4FB2EC@lodderstedt.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 22 Jun 2018 12:56:39 -0400
Message-ID: <CABzCy2BNm_UhA58aY-KvELGXOTJx1=R6Zt49C7DJm0T8=EspzA@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000077ac3a056f3dea4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RMmZB4PyJKcGn-yccbnBZSn_BUQ>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 16:56:49 -0000

Hi Torsten,

Re: using request object

Carrying the scope parameter in the request object solves the integrity
issue. However, it does not solve the confidentiality issue unless you also
encrypt it, and encryption is not so easy.

Re: 2 extra roundtrips
You can actually cut the extra roundtrips to one. In fact, you probably
want to have the staging object to be signed to have it work as an evidence
when something goes wrong, so you could rely on that for the client
authentication purpose and that will be more efficient, IMHO. Yes, that
will become essentially the request_uri model.

Cheers,

Nat

2018年6月22日金曜日、Torsten Lodderstedt<torsten@lodderstedt.net>さんは書きました:

> Hi Nat,
>
> > Am 21.06.2018 um 10:35 schrieb Nat Sakimura <sakimura@gmail.com>:
> >
> > It depends on the use case but if you are talking about payment etc.,
> putting the transaction details in the scope and sending it over the
> regular RFC6749 redirect to the authorization server is inherently a bad
> idea, as it is not protected.
>
> Good point. One could carry the scope parameter as part of a signed
> request object to cope with that issue. What do you think about that?
>
> >
> > My preference by far is to set up a staging endpoint and push the
> transaction intent into there. Then, do the authorization on that staged
> transaction. Once that's done. I am OK with putting the reference to the
> staged transaction in the scope parameter.
> >
> > The beauty of the "staging" strategy is that:
> >
> > 1) You can push pretty big payload to the staging endpoint as it is a
> server to server thing;
> > 2) You can do the "auth" and then later "capture" after shipping the
> product strategy using the access token the client has obtained;
> > 3) The content of the transaction is not exposed via URL nor referrers.
>
> I agree. That’s really powerful. But one should also admit the client
> needs to prepare and send two more requests. In OB UK the client first
> obtains an access token using the client credentials grant and then creates
> the payment/account information resource.
>
> best regards,
> Torsten.
>
> >
> > Best,
> >
> > Nat
> >
> >
> >
> > On Thu, Jun 21, 2018 at 6:59 AM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
> > In my own personal and humble opinion, Torsten, what you describe as
> "(1) Parameter is part of the scope value" is the most natural approach and
> works without needing changes to, or going outside of, RFC6749 The OAuth
> 2.0 Authorization Framework. There may be AS implementations that have made
> assumption about scope values being static (I know of at least one!) but
> that's an implementation/feature issue, which can change, and not a spec
> issue.
> >
> > The OIDC "claims" parameter is already a bit of a hairy beast and I
> think using it and the ID Token to convey more dynamic access/authorization
> is blurring the line between authorization and authentication a bit much.
> Also, as others have pointed out, OIDC isn't always in play - particularly
> for regular old authorization cases.
> >
> > An additional query parameter might be simple for a one-off case but
> it's nonstandard and not very repeatable.
> >
> >
> > On Mon, Jun 18, 2018 at 9:34 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> > Hi all,
> >
> > I have been working lately on use cases where OAuth is used to authorize
> transactions in the financial sector and electronic signing. What I learned
> is there is always the need to pass resource ids (e.g. account numbers) or
> transaction-specific values (e.g. amount or hash to be signed) to the OAuth
> authorization process to further qualify the scope of the requested access
> token.
> >
> > It is obvious a static scope value, such as „payment“or „sign“, won’t do
> the job. For example in case of electronic signing, one must bind the
> authorization/access token to a particular document, typically represented
> by its hash.
> >
> > I would like to get your feedback on what you consider a good practice
> to cope with that challenge. As a starting point for a discussion, I have
> assembled a list of patterns I have seen in the wild (feel free to extend).
> >
> > (1) Parameter is part of the scope value, e.g.
> „sign:<hash_to_be_signed>“ or "payments:<payment_resource_id>" - I think
> this is an obvious way to represent such parameters in OAuth, as it extends
> the scope parameter, which is intended to represent the requested scope of
> an access token. I used this pattern in the OAuth SCA mode in Berlin
> Group's PSD API.
> >
> > (2) One could also use additional query parameter to add further details
> re the requested authorization, e.g.
> >
> > GET /authorize?
> > .....
> > &scope=sign
> > .....
> >
> > &hash_to_be_signed=<hash_to_be_signed>
> >
> > It seems to be robust (easier to implement?) but means the scope only
> represents the static part of the action. The AS needs to look into a
> further parameter to fully understand the requested authorization.
> >
> > (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to
> carry additional data.
> >
> > Example:
> >
> > "claims": {
> >     "id_token": {
> >         "acr": {
> >             "essential": true,
> >             "value": "..."
> >           },
> >         "hash_to_be_signed": {
> >             "essential": true,
> >             "value": "<hash_to_be_signed>"
> >         }
> >     },
> >     "userinfo": {
> >         "hash_to_be_signed": {
> >             "essential": true,
> >             "value": "<hash_to_be_signed>"
> >         }
> >     }
> >   }
> >
> > I‘m looking forward for your feedback. Please also indicated whether you
> think we should flush out a BCP on that topic.
> >
> > kind regards,
> > Torsten.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you._______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> > --
> > Nat Sakimura
> >
> > Chairman of the Board, OpenID Foundation
> >
>
>

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email