IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

Nat Sakimura <sakimura@gmail.com> Thu, 21 June 2018 08:35 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 943A4130DC1 for <oauth@ietfa.amsl.com>; Thu, 21 Jun 2018 01:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dX5ZYPPrxCr6 for <oauth@ietfa.amsl.com>; Thu, 21 Jun 2018 01:35:44 -0700 (PDT)
Received: from mail-wr0-x22a.google.com (mail-wr0-x22a.google.com [IPv6:2a00:1450:400c:c0c::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A064128CF3 for <oauth@ietf.org>; Thu, 21 Jun 2018 01:35:43 -0700 (PDT)
Received: by mail-wr0-x22a.google.com with SMTP id w10-v6so2214111wrk.9 for <oauth@ietf.org>; Thu, 21 Jun 2018 01:35:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5mMHVoCb9/7elHQNQLiRzBlPbv4LntQo5eQfLiV+k6I=; b=iF1Ds+W1MyfL3JLy0CR56vFRf/GnlddLUdlR7YI5oE9tEpUvE3st7q/r1SLeiXBaGb TdusRAn7Xo7UmHhP8gv+3oKIgcDFs9UPmfyWGxZxU80//w4TVzrfuo1jlcrFDDKWvEfp j/h8Df/21D+ksDjQBr0oTjL3IRGHHMtQhVh/yEcqjWzzN/HhO1Yy1L8aeS84HwzP02o6 OSWFwH+RpPnLL2kYF0rQLVzQU/FH8qp/Zq5Cgig0KmID1M1lGwZshqhM7K+UAA0uTR6W 77/634dDQYe7Z8GNgA43eLxNfyjTrSzKZExP4CLM1HiGNicrThIqydI8KgoHb1WJi+pr aA0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5mMHVoCb9/7elHQNQLiRzBlPbv4LntQo5eQfLiV+k6I=; b=BreNoCgV1Zx5OylHNqgondCQx6RSgAOlOC1FvGZhQKk9wmW38iYdkgUHqjcPdJrKlZ Z74fzPwGtCNTKpDRTaPTfJ/agMEDyp9JAwjxKxbrq4E1m3Yi37BOrTl2h9exVA73YyvE emNi6OoWcPoconK9S4BZFhX8hwPNvZJLxIMp22+yEbrkePlDA+YY6ZgIk52mw3mHDvPM lxI5vjvAYN8eX7uxz85TxnFG8OcO2PGOAJjrPOof1ERJZ0IDk+i27FY8MJAdstT3iZgY ey/lMP+geYsYTlkS4uap6DWwrAOxS2OilBrVhzZTmD4ittuaEX21KpcwG1ksD7wxzlVb fNtQ==
X-Gm-Message-State: APt69E3xBqmaz50UJjvItybBZwlWuzOoSsH6yIlUq5ltD1q4voNFTvJk JtD/lcXJKL0UlcrBX6R3544B06bDlymaFkeXJSI=
X-Google-Smtp-Source: ADUXVKLCK36cq3wH3PTVKZHmcLWulwaiclZV0PV/CMBgcbODkcWqQ9D8L2tuc4OTTCnTM8BCF5RCDimvNmxGBGDDTq4=
X-Received: by 2002:adf:edc6:: with SMTP id v6-v6mr20085576wro.264.1529570141771; Thu, 21 Jun 2018 01:35:41 -0700 (PDT)
MIME-Version: 1.0
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com>
In-Reply-To: <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 21 Jun 2018 17:35:29 +0900
Message-ID: <CABzCy2CxXW7PnDCdHC_pdB6ZK86WDqaUh1Okn9ojKe1eh2sZiQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f59d9e056f22cccf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Stfs_TuOdm2RGLQeiIW7TZuEyBw>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 08:35:47 -0000

It depends on the use case but if you are talking about payment etc.,
putting the transaction details in the scope and sending it over the
regular RFC6749 redirect to the authorization server is inherently a bad
idea, as it is not protected.

My preference by far is to set up a staging endpoint and push the
transaction intent into there. Then, do the authorization on that staged
transaction. Once that's done. I am OK with putting the reference to the
staged transaction in the scope parameter.

The beauty of the "staging" strategy is that:

1) You can push pretty big payload to the staging endpoint as it is a
server to server thing;
2) You can do the "auth" and then later "capture" after shipping the
product strategy using the access token the client has obtained;
3) The content of the transaction is not exposed via URL nor referrers.

Best,

Nat



On Thu, Jun 21, 2018 at 6:59 AM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> In my own personal and humble opinion, Torsten, what you describe as "(1)
> Parameter is part of the scope value" is the most natural approach and
> works without needing changes to, or going outside of, RFC6749 The OAuth
> 2.0 Authorization Framework. There may be AS implementations that have made
> assumption about scope values being static (I know of at least one!) but
> that's an implementation/feature issue, which can change, and not a spec
> issue.
>
> The OIDC "claims" parameter is already a bit of a hairy beast and I think
> using it and the ID Token to convey more dynamic access/authorization is
> blurring the line between authorization and authentication a bit much.
> Also, as others have pointed out, OIDC isn't always in play - particularly
> for regular old authorization cases.
>
> An additional query parameter might be simple for a one-off case but it's
> nonstandard and not very repeatable.
>
>
> On Mon, Jun 18, 2018 at 9:34 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Hi all,
>>
>> I have been working lately on use cases where OAuth is used to authorize
>> transactions in the financial sector and electronic signing. What I learned
>> is there is always the need to pass resource ids (e.g. account numbers) or
>> transaction-specific values (e.g. amount or hash to be signed) to the OAuth
>> authorization process to further qualify the scope of the requested access
>> token.
>>
>> It is obvious a static scope value, such as „payment“or „sign“, won’t do
>> the job. For example in case of electronic signing, one must bind the
>> authorization/access token to a particular document, typically represented
>> by its hash.
>>
>> I would like to get your feedback on what you consider a good practice to
>> cope with that challenge. As a starting point for a discussion, I have
>> assembled a list of patterns I have seen in the wild (feel free to extend).
>>
>> (1) Parameter is part of the scope value, e.g. „sign:<hash_to_be_signed>“
>> or "payments:<payment_resource_id>" - I think this is an obvious way to
>> represent such parameters in OAuth, as it extends the scope parameter,
>> which is intended to represent the requested scope of an access token. I
>> used this pattern in the OAuth SCA mode in Berlin Group's PSD API.
>>
>> (2) One could also use additional query parameter to add further details
>> re the requested authorization, e.g.
>>
>> GET /authorize?
>>
> .....
>> &scope=sign
>> .....
>
>
>> &hash_to_be_signed=<hash_to_be_signed>
>>
>> It seems to be robust (easier to implement?) but means the scope only
>> represents the static part of the action. The AS needs to look into a
>> further parameter to fully understand the requested authorization.
>>
>> (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to
>> carry additional data.
>>
>> Example:
>>
>> "claims": {
>>     "id_token": {
>>         "acr": {
>>             "essential": true,
>>             "value": "..."
>>           },
>>         "hash_to_be_signed": {
>>             "essential": true,
>>             "value": "<hash_to_be_signed>"
>>         }
>>     },
>>     "userinfo": {
>>         "hash_to_be_signed": {
>>             "essential": true,
>>             "value": "<hash_to_be_signed>"
>>         }
>>     }
>>   }
>>
>> I‘m looking forward for your feedback. Please also indicated whether you
>> think we should flush out a BCP on that topic.
>>
>> kind regards,
>> Torsten.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation

v2.23.0 | Report a Bug | By Email