[OAUTH-WG] For review/discussion: Cedar profile of OAuth Rich Authorization Requests

"Cecchetti, Sarah" <sarahcec@amazon.com> Wed, 21 February 2024 22:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ue_GYOP9c1gXzY2h_ITHU7vtvs8>

I have submitted a new draft:

https://datatracker.ietf.org/doc/html/draft-cecchetti-oauth-rar-cedar

This is intended to be a profile of RFC 9396 OAuth 2.0 Rich Authorization Requests (OAuth RAR). OAuth RAR defines an authorization_details parameter, but leaves the format of the parameter open. This profile defines a rarFormat parameter to further constrain authorization_details to use a specific format called "cedar."

The use case for this draft is the same as the OAuth RAR use case, i.e., open banking specifically, and fine-grained authorization generally. The intent is to make the standard more interoperable by specifying the policy language which will be used to communicate the authorization request and response. The language used in these examples is Cedar, an open-source policy language (https://www.cedarpolicy.com/en). Putting Cedar policy sets within an OAuth token enables the client and RS to conduct transactions which conform to specific fine-grained policies which have been blessed (signed) by the AS.

Open Questions:

1. Should we create a separate informational draft defining the Cedar language itself within the universe of the IETF? Or is it fine to leave that undefined?
2. Is rarFormat the right name for this parameter?
3. Should policySet be required?
4. I tried to keep this draft fairly simple and duplicate examples in the OAuth RAR RFC without redundantly stating what is already defined there. Did I include too little? Too much?

This is my first draft submission, so any and all feedback is welcome, and apologies if my XML is incorrectly formatted. I'm ignorant about many things in the standards process. :)
Sarah Cecchetti
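An added example (not from the email or the draft) of what the RS-side check sketched above looks like: an RFC 9396 `authorization_details` array carrying a Cedar policy set, and a resource server that honours only entries whose format is "cedar" and evaluates a transaction against that policy set. The `rarFormat` and `policySet` key names, the sample entities and the tiny Cedar-subset evaluator (scope constraints with `==` only, deny by default, forbid overrides permit) are assumptions made for the demonstration, not the draft's normative format or the real Cedar engine.

```python
import json
import re

# Matches one Cedar policy whose scope uses only bare or "==" constraints. This is a
# deliberately small subset of Cedar syntax for illustration, not the Cedar engine.
POLICY_RE = re.compile(
    r'(permit|forbid)\s*\(\s*principal(?:\s*==\s*([^,]+?))?\s*,'
    r'\s*action(?:\s*==\s*([^,]+?))?\s*,'
    r'\s*resource(?:\s*==\s*([^)]+?))?\s*\)\s*;'
)

# Constructed sample authorization_details array in RFC 9396 shape. The key names
# rarFormat/policySet are assumptions about the draft, not quoted from it.
AUTHZ_DETAILS = json.dumps([
    {
        "type": "payment_initiation",
        "rarFormat": "cedar",
        "policySet": (
            'permit(principal == User::"alice", action == Action::"initiatePayment", resource);\n'
            'forbid(principal, action, resource == Account::"acct-999");'
        ),
    },
    # An entry in some other format must not be treated as a Cedar grant, even if
    # its body happens to look permissive.
    {"type": "account_information", "rarFormat": "other", "policySet": "permit(principal, action, resource);"},
])


def evaluate(policy_set, principal, action, resource):
    """Cedar-style decision over the subset: deny by default, any matching forbid wins."""
    decision = "deny"
    for m in POLICY_RE.finditer(policy_set):
        effect, p, a, r = m.groups()
        if p in (None, principal) and a in (None, action) and r in (None, resource):
            if effect == "forbid":
                return "deny"  # forbid overrides every permit in the set
            decision = "permit"
    return decision


def authorize_transaction(authz_details_json, principal, action, resource):
    """RS-side check: only cedar-format details from the AS-signed token are honoured."""
    policies = [
        d["policySet"]
        for d in json.loads(authz_details_json)
        if d.get("rarFormat") == "cedar" and d.get("policySet")
    ]
    if not policies:
        return False  # no Cedar policy set present, so nothing has been granted
    return evaluate("\n".join(policies), principal, action, resource) == "permit"
```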