Re: [OAUTH-WG] Transaction Authorization with OAuth
Brian Campbell <bcampbell@pingidentity.com> Fri, 26 April 2019 17:57 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0F87120320 for <oauth@ietfa.amsl.com>; Fri, 26 Apr 2019 10:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkKU5CNFfEdY for <oauth@ietfa.amsl.com>; Fri, 26 Apr 2019 10:57:42 -0700 (PDT)
Received: from mail-it1-x12e.google.com (mail-it1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6095C12030F for <oauth@ietf.org>; Fri, 26 Apr 2019 10:57:42 -0700 (PDT)
Received: by mail-it1-x12e.google.com with SMTP id a190so7219206ite.4 for <oauth@ietf.org>; Fri, 26 Apr 2019 10:57:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OjjVhIC3eY70rwew+HY/NFryiNttM2qXMahjc5S0hYw=; b=Ese3C1blwpldIkjYcPJwn7YKr8yz+azuoGD+ZCLYT8RGIRBDczYracefu3akdBECq4 cI3++G6Tz4LvgvwPvfEHA5piCSOTOlHFVZ8nllYvP2X6Iiq98N6MDNiGvAJ0HyqkX/24 RVQbbcrQio/cnWcMIj3mZxG+Xq3q1VFofOjYw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OjjVhIC3eY70rwew+HY/NFryiNttM2qXMahjc5S0hYw=; b=NXcrjYFXImU6gTEXrCGwZ4kShnOsTu4dD8XkYP3mFAwgbBRfM1G+wbOnlQewriCgy8 FaGw27scyxG/Ri+n96P/V+9jsXhT7xVc+soH2g+Gtc+24AAFi8q09SOuPka+xz/U/NDN lEQ4JoFaqgUPXjFU9++bgWI+sHs7PSBBX5m/bJHCAyjV0ko4Kk6V8IFyaIKbg6GGqWon ivYQFkCjuRi1YRUXV5KtwUcIizgbNzMlIzOrkmbMOwvPIwktbNjt7OLITDNVxYsmAAKV 9sDk2B/egURglwxASD2DMZim2hPwMDSYtmCJz/HX5ri6ixwvPn4y2jWno2TWZZ3qyyZW 6zIQ==
X-Gm-Message-State: APjAAAXTNoCB680GKYtWXTjjjvsJjsJBWfxGcz1kcN7rsNCnO2bq6DOS CYlN2rCRDVNKLsMVhtUQ4anZBVWipKfUMdk38UA5zcqblUD81w1P+AFjE+rgteXP2IROLKP2bg1 1vS6spdrcgAOGN6MiBbc=
X-Google-Smtp-Source: APXvYqykY/Aj2vs8mYSAlH4d5wU2BhJdH7Ked3t2FbD7RUYGcd2ItHUmNlCjCOq4zbKje9C7s2PMU3blnu252qHOAk0=
X-Received: by 2002:a24:2fc9:: with SMTP id j192mr9220893itj.45.1556301461556; Fri, 26 Apr 2019 10:57:41 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
In-Reply-To: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 26 Apr 2019 11:57:14 -0600
Message-ID: <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c7ab1f058772abb2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TXDzNMtVljSpf-i5iVfRyNw5OLk>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 17:57:50 -0000
One thing that I think is missing from the article in the discussion of pros and cons is that in many cases a large or even voluminous request can be sent via auto submitting form post (like https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but the other way around from client to AS with the auth request), which doesn't then run into the same URI size problem. >From a prospective standardization standpoint, there are really two distinct concepts in the article. One is the "Pushed Request Object" and the other the "Structured Scope". They are certainly complementary things but each could also be useful and used independently of one another. So I'd argue that they should be developed independently too. On Sat, Apr 20, 2019 at 12:21 PM Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Hi all, > > I just published an article about the subject at: > https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948 > > > I look forward to getting your feedback. > > kind regards, > Torsten. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Transaction Authorization with OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Jim Manico
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Pedro Igor Silva
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Sascha Preibisch
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Steinar Noem
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Brian Campbell
- Re: [OAUTH-WG] Transaction Authorization with OAu… Benjamin Kaduk
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt
- Re: [OAUTH-WG] Transaction Authorization with OAu… Takahiko Kawasaki
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Dave Tonge
- Re: [OAUTH-WG] Transaction Authorization with OAu… George Fletcher
- Re: [OAUTH-WG] Transaction Authorization with OAu… Nat Sakimura
- Re: [OAUTH-WG] Transaction Authorization with OAu… Torsten Lodderstedt