Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
Jim Willeke <jim@willeke.com> Mon, 10 July 2017 16:15 UTC
Return-Path: <jim@willeke.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25CB1317C4 for <oauth@ietfa.amsl.com>; Mon, 10 Jul 2017 09:15:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=willeke-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yhEBRW3cOBKp for <oauth@ietfa.amsl.com>; Mon, 10 Jul 2017 09:15:55 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C481317D0 for <oauth@ietf.org>; Mon, 10 Jul 2017 09:15:54 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id a12so37787996ywh.3 for <oauth@ietf.org>; Mon, 10 Jul 2017 09:15:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=willeke-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=STwYlbBSAwF/zqJeP5f5GsK1NiwMxVXU3HdRmhMEKUA=; b=e6M2fOt5ZRxHNiBAFkCa50bz+U++uFFmItAXT8nrgnrfxgczawvX4crqp/gv5Q1spD zVdhX0Et9rsYx9x/xWN6dGNtSniLvRpKb1vsvHL2RDDa/11iq5su9eyXQNxdA2iAGKvR qLlY8kTtH/Id72LqDhlm+R1dieOw0tRPzfy+DWdYrhtegAZDJLfYoHC1Ko5nY1bBSGBv T7E5ap4zjXXYJv7ntB9n4FCRkI4nwkRRbIZ8f0xvmFCu4vpMqkeIBG16d8JQ/y3AmQ53 o8CW+Hj/Ocih0r+JZ4SlaK7QB4udz1knb/Arq1V1VmozwDBK7WxLTra1kae/+gy9mRrW bYeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=STwYlbBSAwF/zqJeP5f5GsK1NiwMxVXU3HdRmhMEKUA=; b=adIwZpE+379und2lvoL3ldJF8XOtbHsWnv+223hLcNxV6zN1wZgQzbkdfKUmT1v8Np tqdgn98jxpvVcxbfcax/eugu4ioNNoztWRtitNmc27Fz/Y2ysI4/CAf9HWkv5o8GjPwS EE7uAJ5D0mkMlMteWmRf1XicGJ57ggiMUxut/u3EHUQeKziOz0UGErknfiERcoDAR/Uv G7bz4zveuIK2SkfRhkyjVduK4+1dLgkDrfVp5IdPCuY2FWbJVpdv/q/EPg0fbWKQy1VG WIGsZTec/0MH1wzL1dyMZmEr/8IuyQl/q9qIwkBFluTQUSNgBKjjTbdDlXIx4toEgLmt Tx3g==
X-Gm-Message-State: AIVw111u5H/1W5G764Bz7g7vKhvfaymBTiG/f3+7SqUw3O1LABtyIO6m ez4F4btv2MFWf46vW/uipiWSUPVkspU5J08=
X-Received: by 10.129.40.149 with SMTP id o143mr1403675ywo.10.1499703353679; Mon, 10 Jul 2017 09:15:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.72.193 with HTTP; Mon, 10 Jul 2017 09:15:13 -0700 (PDT)
In-Reply-To: <CAAP42hDk-ZbFNjk71aEybT9G-NdPPmP5efPSg_fZeht9SE5pCg@mail.gmail.com>
References: <CAAP42hA5BzSAsszX5hYTCc075eE_HNy7XHwWHKu2mgNhwsXsZg@mail.gmail.com> <59d3c1f5-01de-e419-4c4c-3115ed35e451@gmail.com> <CAAP42hBzsjjw1Za8KS3E-wOi76n5SKm=jF9fhiDgCw-PsM7HtQ@mail.gmail.com> <eb7d8a29-568c-b598-b152-7b7767a0be9e@gmail.com> <CAAP42hDk-ZbFNjk71aEybT9G-NdPPmP5efPSg_fZeht9SE5pCg@mail.gmail.com>
From: Jim Willeke <jim@willeke.com>
Date: Mon, 10 Jul 2017 12:15:13 -0400
Message-ID: <CAB3ntOvsgoak_=2T58o-b4Sm++muWdWhu5R8ZxtiYU+2bvm2sA@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140865aaa7fd70553f8e5fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SxZCCakp7EZX0ZGFE_LK64ubcHM>
Subject: Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 16:15:58 -0000
I know we add scopes based on the Authorization Server determining that the Resource Owner is also a "Paying Customer". (Well using OIDC so we KNOW they are a paying customer.) -- -jim Jim Willeke On Fri, Jul 7, 2017 at 9:03 PM, William Denniss <wdenniss@google.com> wrote: > > On Fri, Jul 7, 2017 at 1:50 PM, Sergey Beryozkin <sberyozkin@gmail.com> > wrote: > >> Hi >> On 07/07/17 18:56, William Denniss wrote: >> >>> What you describe is incremental auth. >>> >>> Thanks... FYI, I thought of doing some work around it after browsing >> through the Google docs; the line about the "asking to approve the purchase >> of the kitchen sink at the authentication time is a death of the modern >> web" (or something similar that I read on this list) was even more >> convincing :-) >> > > I hear ya :-) > > We ended up requiring that apps *don't* ask for the kitchen sink upfront > in our API policies https://developers.google.com/ > terms/api-services-user-data-policy#request-relevant-permissions . > Definitely makes for a bad user experience if users don't know why they are > being asked to approve the request's scope. > > > >> >> Aside: Do you return the "scope" in the token response as required when >>> the scope in the response is not identical to the request (§ 5.1 < >>> https://tools.ietf.org/html/rfc6749#section-5.1>, parameter: scope)? >>> >>> Yes, the token service is doing it by default for all the returned >> access tokens >> >> My only question is: does the client expect this? The spec talks about >>> the authorization server *reducing* scope in a few places (in § 3.3 < >>> https://tools.ietf.org/html/rfc6749#section-3.3>, "The authorization >>> server MAY fully or partially ignore the scope requested by the client" and >>> § 10.3 <https://tools.ietf.org/html/rfc6749#section-10.3> "The >>> authorization server SHOULD take the client identity into account when >>> choosing how to honor the requested scope and MAY issue an access token >>> with less rights than requested."). It never talks about *increasing* >>> scope (other than it can't be done during refresh). >>> >>> So I think some normative language around the potential to increase the >>> scope of the request for confidential clients (in either the way you >>> describe, or the way I described in the draft) is warranted. >>> >>> Open question: should we require an indication from the client if they >>> *want* the scope increase? That's what include_granted_scopes was designed >>> to do. To allow clients to specify if this is behavior they desire. >>> >> Right, I see how a proposed "include_granted_scopes" can make it non >> ambiguous >> >>> >>> >>> The more innovative part of the spec I think is the public (native app) >>> client incremental auth – as native apps cannot use the methods you >>> discuss, or the ones Google has supported for a while for confidential >>> clients. That said, if we write this – I think we may as well formally >>> document approaches for confidential clients too. >>> >>> >> thanks, Sergey >> >>> >>> On Fri, Jul 7, 2017 at 9:24 AM, Sergey Beryozkin <sberyozkin@gmail.com >>> <mailto:sberyozkin@gmail.com>> wrote: >>> >>> Hi >>> >>> Re the confidential client: let me explain please how we >>> experimented with this feature when the code flow is used. >>> >>> 1. Client requests a scope 'a' for a given User, it gets approved by >>> the user, the clients gets a code and exchanges it for a token. >>> >>> 2. At some later stage Client requests a scope 'b' for the same user >>> and if an access token for a given Client + User combination exists >>> and the incremental authorization is supported (we use a different >>> term for now) than the service finds out from this token that 'a' >>> has already been approved and offers a consent screen where a user >>> sees 'a' being selected and needs to approve 'b'. >>> >>> 3. User approves 'b'. The client gets a new code back and exchanges >>> it for a new token which now has "a" and "b". >>> >>> At this point a client has 2 tokens, one with the "a" scope and >>> another with the "a" and "b" scopes and the assumption was that the >>> client would itself remove the now redundant token with the scope >>> "a" only. >>> >>> I've just updated the code for the service itself do it on the >>> client's behalf, optionally remove the scope "a" token so that the >>> client can simply replace a reference to its scope "a" token with >>> the new one (scopes "a" and "b") it will get after exchanging a code >>> grant. >>> >>> Is it an incremental authorization or something else completely :-) ? >>> >>> One obvious difference, apart from the lower level implementation >>> details, is that it is not a client which requests to include the >>> already authorized scopes but the service does it itself if the >>> configuration allowing for it is enabled >>> >>> Thanks, Sergey >>> >>> >>> >>> >>> >>> >>> On 05/07/17 18:17, William Denniss wrote: >>> >>> Earlier this week I submitted the following I-D: >>> https://tools.ietf.org/html/draft-wdenniss-oauth-incremental >>> -auth <https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth >>> > >>> >>> The topic is incremental authentication (or incremental auth for >>> short). Incremental auth is used to enable clients to request >>> just the scopes they need when they need them – rather than all >>> upfront – while still only a maintaining a single authorization >>> grant. >>> >>> The I-D details two techniques used at Google, one that has been >>> used for a while in confidential clients, and one that we >>> launched recently as a new solution to deliver incremental auth >>> for public clients. >>> >>> I look forward to discussing this proposal with the working >>> group. I plan to present this draft at IETF99, hope you can be >>> there or watching the livestream! >>> >>> I plan to ask for a call for adoption after that presentation. >>> If you're interested in this topic I'd encourage you to read the >>> draft (it's fairly concise!). >>> >>> Best, >>> William >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Sergey Beryozkin
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Sergey Beryozkin
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Jim Willeke
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss