IETF Logo Mail Archive

Re: [OAUTH-WG] New OAuth I-D: Incremental Auth

William Denniss <wdenniss@google.com> Sat, 08 July 2017 01:03 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15807131719 for <oauth@ietfa.amsl.com>; Fri, 7 Jul 2017 18:03:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3GQ6DHfeqD37 for <oauth@ietfa.amsl.com>; Fri, 7 Jul 2017 18:03:31 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 239B412EC33 for <oauth@ietf.org>; Fri, 7 Jul 2017 18:03:31 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id v143so40240307qkb.0 for <oauth@ietf.org>; Fri, 07 Jul 2017 18:03:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NhrcuHgrHlxprvVwm+ixmGKVCAmPRYE9P9mA8fVYSIk=; b=AjsI5pKfDOBlL0KPhFgtZTJ7imH5tdhcrV/dhZFHryiejGP0TraPW/wIBK1KBVctGh W7PVPdw5ZxvhRP3CmDfQBYNjMjuCElrZTVFE9C1YXwKt2Dd3x8M/oTo0g2u+ZmVKKpkK /qKMIfQZXhFTxlgg5GCFWUKumwp2yzhNbdfPXMaLWsCOEPRN0rKzrXBtr/umCgT21pnm 00kaoS0hWXb5Ng+Y+0uOkSNe4C+mZmRIrWMQCcKhkr/5isA4oEOpaBW7hERBzzFb+E6f ztQGF41oDOk9JYdexaJDS11t7lJwVYvRuCjeh3NBurbxIzx0A7iI8Xzct05WmniSV+vY LTpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NhrcuHgrHlxprvVwm+ixmGKVCAmPRYE9P9mA8fVYSIk=; b=bbIGc+zFZaPCLVSbb7XTKfWnejByyJknw58eedYQKBmCL83yu8Y3AEvflj9VUibb7h hqUEhr89gC3rOL6PstO5jHnpWQmcWnemzauGEQTG4iAXRlCe8y7jlVncpLD3cBcVRXT7 IE2swLUJdI+3DbSdw40wBuF6ZQ/svQbF81ah9TeuBIROTGegv8OPUUAh64IEoXOnWr5R w7KQJKz2T7kAKTS56/ulPG3Wlz3ilZAjoKvMbRQklbRJzmIMS6etoiPv5FAzgRPhH1ew bS3OZGl+b7ihUHiv5Ufkp/WmURFp19Nn3l/e0a/+7vU8fuz0QQ+EDOFkRb8GTqKaTX4i cP4A==
X-Gm-Message-State: AKS2vOxSVlnyajkRshod6I+V28frn5LQCfd+DVxdzuHrLTptd5xQ81TQ f2mquuhTZcYj0iic6tINubntiMm6pytn2c/r8Q==
X-Received: by 10.55.7.8 with SMTP id 8mr66065451qkh.124.1499475810115; Fri, 07 Jul 2017 18:03:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.17.242 with HTTP; Fri, 7 Jul 2017 18:03:09 -0700 (PDT)
In-Reply-To: <eb7d8a29-568c-b598-b152-7b7767a0be9e@gmail.com>
References: <CAAP42hA5BzSAsszX5hYTCc075eE_HNy7XHwWHKu2mgNhwsXsZg@mail.gmail.com> <59d3c1f5-01de-e419-4c4c-3115ed35e451@gmail.com> <CAAP42hBzsjjw1Za8KS3E-wOi76n5SKm=jF9fhiDgCw-PsM7HtQ@mail.gmail.com> <eb7d8a29-568c-b598-b152-7b7767a0be9e@gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 07 Jul 2017 18:03:09 -0700
Message-ID: <CAAP42hDk-ZbFNjk71aEybT9G-NdPPmP5efPSg_fZeht9SE5pCg@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c46f40370a50553c3eba1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SqykSFkocGOaUI6xYlLrMOaSmdk>
Subject: Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jul 2017 01:03:34 -0000

On Fri, Jul 7, 2017 at 1:50 PM, Sergey Beryozkin <sberyozkin@gmail.com>
wrote:

> Hi
> On 07/07/17 18:56, William Denniss wrote:
>
>> What you describe is incremental auth.
>>
>> Thanks... FYI, I thought of doing some work around it after browsing
> through the Google docs; the line about the "asking to approve the purchase
> of the kitchen sink at the authentication time is a death of the modern
> web" (or something similar that I read on this list) was even more
> convincing :-)
>

I hear ya :-)

We ended up requiring that apps *don't* ask for the kitchen sink upfront in
our API policies
https://developers.google.com/terms/api-services-user-data-policy#request-relevant-permissions
. Definitely makes for a bad user experience if users don't know why they
are being asked to approve the request's scope.



>
> Aside: Do you return the "scope" in the token response as required when
>> the scope in the response is not identical to the request (§ 5.1 <
>> https://tools.ietf.org/html/rfc6749#section-5.1>, parameter: scope)?
>>
>> Yes, the token service is doing it by default for all the returned access
> tokens
>
> My only question is: does the client expect this?  The spec talks about
>> the authorization server *reducing* scope in a few places (in § 3.3 <
>> https://tools.ietf.org/html/rfc6749#section-3.3>, "The authorization
>> server MAY fully or partially ignore the scope requested by the client" and
>> § 10.3 <https://tools.ietf.org/html/rfc6749#section-10.3> "The
>> authorization server SHOULD take the client identity into account when
>> choosing how to honor the requested scope and MAY issue an access token
>> with less rights than requested.").  It never talks about *increasing*
>> scope (other than it can't be done during refresh).
>>
>> So I think some normative language around the potential to increase the
>> scope of the request for confidential clients (in either the way you
>> describe, or the way I described in the draft) is warranted.
>>
>> Open question: should we require an indication from the client if they
>> *want* the scope increase? That's what include_granted_scopes was designed
>> to do. To allow clients to specify if this is behavior they desire.
>>
> Right, I see how a proposed "include_granted_scopes" can make it non
> ambiguous
>
>>
>>
>> The more innovative part of the spec I think is the public (native app)
>> client incremental auth – as native apps cannot use the methods you
>> discuss, or the ones Google has supported for a while for confidential
>> clients. That said, if we write this – I think we may as well formally
>> document approaches for confidential clients too.
>>
>>
> thanks, Sergey
>
>>
>> On Fri, Jul 7, 2017 at 9:24 AM, Sergey Beryozkin <sberyozkin@gmail.com
>> <mailto:sberyozkin@gmail.com>> wrote:
>>
>>     Hi
>>
>>     Re the confidential client: let me explain please how we
>>     experimented with this feature when the code flow is used.
>>
>>     1. Client requests a scope 'a' for a given User, it gets approved by
>>     the user, the clients gets a code and exchanges it for a token.
>>
>>     2. At some later stage Client requests a scope 'b' for the same user
>>     and if an access token for a given Client + User combination exists
>>     and the incremental authorization is supported (we use a different
>>     term for now) than the service finds out from this token that 'a'
>>     has already been approved and offers a consent screen where a user
>>     sees 'a' being selected and needs to approve 'b'.
>>
>>     3. User approves 'b'. The client gets a new code back and exchanges
>>     it for a new token which now has "a" and "b".
>>
>>     At this point a client has 2 tokens, one with the "a" scope and
>>     another with the "a" and "b" scopes and the assumption was that the
>>     client would itself remove the now redundant token with the scope
>>     "a" only.
>>
>>     I've just updated the code for the service itself do it on the
>>     client's behalf, optionally remove the scope "a" token so that the
>>     client can simply replace a reference to its scope "a" token with
>>     the new one (scopes "a" and "b") it will get after exchanging a code
>>     grant.
>>
>>     Is it an incremental authorization or something else completely :-) ?
>>
>>     One obvious difference, apart from the lower level implementation
>>     details, is that it is not a client which requests to include the
>>     already authorized scopes but the service does it itself if the
>>     configuration allowing for it is enabled
>>
>>     Thanks, Sergey
>>
>>
>>
>>
>>
>>
>>     On 05/07/17 18:17, William Denniss wrote:
>>
>>         Earlier this week I submitted the following I-D:
>>         https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth
>> <https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth>
>>
>>         The topic is incremental authentication (or incremental auth for
>>         short).  Incremental auth is used to enable clients to request
>>         just the scopes they need when they need them – rather than all
>>         upfront – while still only a maintaining a single authorization
>>         grant.
>>
>>         The I-D details two techniques used at Google, one that has been
>>         used for a while in confidential clients, and one that we
>>         launched recently as a new solution to deliver incremental auth
>>         for public clients.
>>
>>         I look forward to discussing this proposal with the working
>>         group. I plan to present this draft at IETF99, hope you can be
>>         there or watching the livestream!
>>
>>         I plan to ask for a call for adoption after that presentation.
>>         If you're interested in this topic I'd encourage you to read the
>>         draft (it's fairly concise!).
>>
>>         Best,
>>         William
>>
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>         <https://www.ietf.org/mailman/listinfo/oauth>
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>     <https://www.ietf.org/mailman/listinfo/oauth>
>>
>>
>>

v2.23.0 | Report a Bug | By Email