Re: [OAUTH-WG] [EXTERNAL] RAR & multiple resources?

"Richard Backman, Annabelle" <richanna@amazon.com> Tue, 14 January 2020 02:09 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Dick Hardt <dick.hardt@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>, Justin Richer <jricher@mit.edu>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] [EXTERNAL] RAR & multiple resources?
Date: Tue, 14 Jan 2020 02:09:34 +0000
Message-ID: <52ED8810-3FFF-4512-BB36-B80D93033FFD@amazon.com>
References: <CAD9ie-uEuvWv4Z1y-+JcebWcX69UMTN2ZNOQKWiQVOa=j8wtVg@mail.gmail.com> <CH2PR00MB08433246E309260C650727C1F5340@CH2PR00MB0843.namprd00.prod.outlook.com>
In-Reply-To: <CH2PR00MB08433246E309260C650727C1F5340@CH2PR00MB0843.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/THN_iYwsY-vWvbV3tc1taLP14kY>
Subject: Re: [OAUTH-WG] [EXTERNAL] RAR & multiple resources?

+1 to Mike’s comment. These are independent issues; one could use RAR with one access token or multiple access tokens, and one could use multiple access tokens with or without RAR.

–
Annabelle Richard Backman
AWS Identity


From: OAuth <oauth-bounces@ietf.org> on behalf of Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Date: Monday, January 13, 2020 at 5:49 PM
To: Dick Hardt <dick.hardt@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>, Justin Richer <jricher@mit.edu>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [EXTERNAL] RAR & multiple resources?

Please don’t use RAR as a pandora’s box to introduce unrelated new semantics, including issuing multiple access tokens.

-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Monday, January 13, 2020 5:32 PM
To: Torsten Lodderstedt <torsten@lodderstedt.net>; Brian Campbell <bcampbell@pingidentity.com>; Justin Richer <jricher@mit.edu>
Cc: oauth@ietf.org
Subject: [EXTERNAL] [OAUTH-WG] RAR & multiple resources?

Torsten / Justin / Brian

In my reading of the ID, it appears that there is a request for just one access token, and the authorization_details array lists one or more resources that the one access token will provide access to. Correct?

I have heard anecdotally that there is interest in granting access to multiple resources, and having multiple access tokens, which would enable different components of a client to have different access tokens.

Do you consider multiple access tokens out of scope of RAR?

/Dick
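The structure Dick describes, shown as an added worked example that is not part of this thread or of the RAR draft itself: one authorization request carries a single `authorization_details` array naming several resources, the authorization server issues one access token for the whole array, and each resource server then has to locate the entry that names its own location before it grants anything. The field names (`type`, `locations`, `actions`, `datatypes`) follow the RAR draft; the client id, resource types and URLs are constructed sample values, and the exact-match location rule is an assumption of this example, not something the draft mandates.

```python
"""Added example: one RAR request covering two resources, one access token.

The authorization_details field names follow draft-ietf-oauth-rar; every
concrete value below is constructed for illustration.
"""
import json
from urllib.parse import urlencode

# Constructed sample: a single request asking for rights at two different
# resource servers. Both entries travel in the same array and end up in the
# same access token (one request -> one token).
AUTHORIZATION_DETAILS = [
    {
        "type": "account_information",
        "locations": ["https://api.example.com/accounts"],
        "actions": ["list_accounts", "read_balances"],
    },
    {
        "type": "file_storage",
        "locations": ["https://files.example.com/"],
        "actions": ["read"],
        "datatypes": ["document"],
    },
]


def build_authorization_request(client_id, redirect_uri, details):
    """Return the query string of the authorization request.

    authorization_details is one JSON array in one parameter; the draft has no
    way to ask for a separate token per entry, which is the point of the thread.
    """
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details),
    })


def parse_authorization_details(raw):
    """Validate the array as an authorization server would before acting on it.

    Rejects anything that is not a non-empty JSON array of objects that each
    carry a string 'type'; unknown types would normally be rejected as well.
    """
    data = json.loads(raw)
    if not isinstance(data, list) or not data:
        raise ValueError("authorization_details must be a non-empty array")
    for entry in data:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each authorization_details entry needs a string 'type'")
    return data


def is_authorized(token_details, resource_location, action, datatype=None):
    """Resource-server side check on the authorization_details bound to the token.

    Because the single token carries entries for several resources, the server
    must only honour an entry whose 'locations' names *this* server (exact match
    here, an assumption of the example) and whose 'actions' (and 'datatypes',
    when the caller supplies one) cover the requested operation. An entry that
    grants rights at another location gives no access here.
    """
    for entry in token_details:
        if resource_location not in entry.get("locations", []):
            continue
        if action not in entry.get("actions", []):
            continue
        if datatype is not None and datatype not in entry.get("datatypes", []):
            continue
        return True
    return False


if __name__ == "__main__":
    request = build_authorization_request(
        "client-app-123", "https://client.example.org/cb", AUTHORIZATION_DETAILS)
    print(request)
    granted = parse_authorization_details(json.dumps(AUTHORIZATION_DETAILS))
    # The files server must not accept the accounts entry, and vice versa.
    print(is_authorized(granted, "https://api.example.com/accounts", "read_balances"))
    print(is_authorized(granted, "https://files.example.com/", "read_balances"))
    print(is_authorized(granted, "https://files.example.com/", "read", "document"))
```

Run it directly to see the encoded request and the three authorization decisions; the second decision is the one to watch, since the token does contain a `read_balances` action, just not for the file-storage location.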