Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Neil Madden <> Wed, 08 July 2020 16:59 UTC

From: Neil Madden <>
Date: Wed, 08 Jul 2020 17:59:46 +0100
Cc: Justin Richer <>, oauth <>
To: Torsten Lodderstedt <>

> On 8 Jul 2020, at 17:21, Torsten Lodderstedt <> wrote:
>> On 8. Jul 2020, at 18:17, Neil Madden <> wrote:
>>> On 8 Jul 2020, at 15:40, Justin Richer <> wrote:
>>> The two-phase approach is exactly what OBUK does, where you get one access token using client credentials before getting a more specific one in context of the user’s consent. This ends up being awkward to implement at best, since OAuth involves the user too early in the process to allow for this kind of thing. PAR might help address this dichotomy, but RAR can provide places for this to fill in.
>> I’m not sure how client credentials would help here. The point I’m making is that the _user_ needs to consent to two separate things:
>> 1. An initial consent to allow this app/service to initiate payment requests on my behalf.
> What in particular should the user consent with in this step?

“FooPay would like to:
 - initiate payments from your account (you will be asked to approve each one)”

The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account. 

>> 2. Consent to individual transactions.
>> RAR (and open banking?) completely omits step 1 at the moment, which seems crucial. Especially if you’re doing something like CIBA backchannel where step 1 is effectively consent for this app to spam my phone with payment approval requests.
>>> With XYZ, I tried to design for that kind of multi-stage transaction pattern more explicitly, with the idea that you could continue your request in context and vary it over time, or even start a new request in the context of an existing one. This is something that I intend to continue with the soon-to-be-formed GNAP working group, if you want to bring this use case there.
>> RAR is adopted by the OAuth WG so I think this needs to be discussed here.
>> — Neil
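The two-phase consent Neil describes above, as an added example (not code from this thread or from any RAR implementation): an authorization-server-side policy check in Python that refuses to put a per-transaction approval in front of the user unless a standing phase-1 consent for that client already exists. The `payment_initiation` type, `actions` and `instructedAmount` follow the payment example in the RAR draft; `StandingConsent`, `ConsentStore`, `evaluate_payment_request` and the optional `max_amount` cap are assumptions made here.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed RAR authorization_details entry for one payment, shaped after the
# "payment_initiation" example in draft-ietf-oauth-rar (a transfer of $500).
PAYMENT_REQUEST = json.loads("""
{
  "type": "payment_initiation",
  "actions": ["initiate"],
  "instructedAmount": {"currency": "USD", "amount": "500.00"},
  "creditorName": "Some Account"
}
""")


@dataclass
class StandingConsent:
    """Phase 1: the user allowed this client to *propose* payments to them."""
    client_id: str
    user_id: str
    max_amount: Optional[float] = None  # hypothetical per-grant cap


class ConsentStore:
    """Hypothetical store of phase-1 grants, keyed by (client, user)."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], StandingConsent] = {}

    def record_initial_consent(self, client_id: str, user_id: str,
                               max_amount: Optional[float] = None) -> None:
        self._grants[(client_id, user_id)] = StandingConsent(client_id, user_id, max_amount)

    def lookup(self, client_id: str, user_id: str) -> Optional[StandingConsent]:
        return self._grants.get((client_id, user_id))


def evaluate_payment_request(store: ConsentStore, client_id: str,
                             user_id: str, details: dict) -> str:
    """Decide what the AS does with a phase-2 (single transaction) request.

    Returns 'not_payment', 'require_initial_consent', 'reject' or 'prompt_user'.
    Only the last outcome shows the user the $500 approval screen.
    """
    if details.get("type") != "payment_initiation" or "initiate" not in details.get("actions", []):
        return "not_payment"           # this policy only governs payment initiation
    grant = store.lookup(client_id, user_id)
    if grant is None:
        return "require_initial_consent"  # no relationship yet: do phase 1 first
    amount = float(details["instructedAmount"]["amount"])
    if grant.max_amount is not None and amount > grant.max_amount:
        return "reject"                # outside what the standing consent allowed
    return "prompt_user"               # relationship exists; ask about this transaction
```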