IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

George Fletcher <gffletch@aol.com> Sat, 23 June 2018 19:08 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09133130EEA for <oauth@ietfa.amsl.com>; Sat, 23 Jun 2018 12:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.834
X-Spam-Level:
X-Spam-Status: No, score=-0.834 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_NUMERIC_HELO=1.164, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VktXljNMyrO9 for <oauth@ietfa.amsl.com>; Sat, 23 Jun 2018 12:08:03 -0700 (PDT)
Received: from sonic310-14.consmr.mail.bf2.yahoo.com (sonic310-14.consmr.mail.bf2.yahoo.com [74.6.135.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 266BF130EB9 for <oauth@ietf.org>; Sat, 23 Jun 2018 12:08:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1529780882; bh=M8mUixzGwHKKl815SC79Hex8LduLmdG5C+ZVDZ//aD8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=Ku+SughMCbT7a8RuDAtRrAD9b/tIZ+SCGjaBzVp6SSySgeDWnzi15lmjYsKNkNLkSMX2LL9dN0LbWKjOe27TwFskIm5aGX6N4b8zWA3NeYaDhoQVo4wqUamZTIkG2bF3HJnCN5ctjN+abMdsGmmiaLbF+rm2k3qwzPJRl8ajaZ9areReV/XlnxvFKvQF+r0BbKUciqB9o5303dntley8iJy6um4n/gab9vKF2qEeIaX/usBAfmgiE71Q8xeWr8nmoOsGIHV8hEvZZscXdizgxmPkymwz/Y9ctEK8uW/WbScAsx0rr9j/dFJRduRU5F/+jdRo3nzvSpqS3mXL0UZAYw==
X-YMail-OSG: bYTDzKUVM1kdT6iLDeycKeFaCV3nDs0goZQf8YQvNB5pNORH0mVJva1QQqLFAA0 dE04Apk8q4fO313xItKQA3ve84agib7snKPSRKeCTo31OjTcPGfTY0OE23HeGLxW5Ab7nYk2KsHY KYdRYPk4qZmURL_6cmsXWsYAQ_M_hWRzXmwgz72xAZZs7b2bgQOmuHnsLei5Inhc3_ul58B4PIZh DTALkiaScbsmwEG7X2WoaJADpda2sORGgLlAKmTreF6EfxECK48y0.KmdVdPT_vrMmL1IjBEB0mw IZwMyVrDB3h10EP4knQiRxR3MEV7L2L8Sl9jIx0gU.FNh_7f_KjpwiWW0XUbtYSvAKasMsojEAjS nyTMY_fGLzPy241HxHf0bVCmuHOnH2V1OZjzBg5iV4HVl9LRGiuMdyYEsVQ2GDC0d1ur1MS.GJJM uf3xmEdWXC6KYJXw.VRjJhsTxwcfsmY1KyaNvz9XoaTNVKqD7Ex5.HVx999ICKNIqLg9yA93uDZ. RwuxXPQ74.OXlzVeJL2Uv39eIz3ow3KGa6WBFL0bL5RMB6YJ8TFdAzZI.S2jwIaaI3LNqCLsmFQr CHobrtnOvEsIkGD_Dr67Tq7u4VenCNJqc8Fldfadw8bqDez2IFaGOnpgxGviRvbQwf7B7efXZGcN zTMruzpML_U7Ohb5SGYWRSambwdu7s5labmfA.SwC3bhmSJPMuq9SEfQ.NTTp8pR6OEDv03XZWfX RbFkNWiQJbl3MrMAi2p6kHA3NMJ7RF67b4q2SHQcmUoDEiwQw6DnjYSjcXNWeWw7UfJhNPt9rWme dX.bAkX08fTuee0fNXmTdwHpcjpD1SJbsMKsAZv28BbF8sBrax527H2V6wk6whcEfDi9K._38Q_L E50FItiNWORc5Xmr29feSkgcsODB4IhFSG9mp3AQh.FOgYuT_bJTzycqSjB8mZ4CgTYyMt.uw_ph Tp2y6CGTvJDgq_t9_dF1tpLnO1bL6zUcI2loO0rh_M20-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.bf2.yahoo.com with HTTP; Sat, 23 Jun 2018 19:08:02 +0000
Received: from 98.139.248.67 (EHLO [10.89.80.30]) ([98.139.248.67]) by smtp428.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 2c90f8fb50b74a797b54899b9c6e543f; Sat, 23 Jun 2018 19:07:59 +0000 (UTC)
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com> <b9e4115a-512d-3155-9023-604566d7190f@aol.com> <00432150-20C0-4B5F-AB4E-92F96B968A3A@lodderstedt.net> <01e15dff-2bef-831f-0b00-f64137ccc80e@aol.com> <0EF040C2-F0C2-4586-828A-A809A0373F40@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <f0d8b95a-738f-0b92-e888-6f1970048505@aol.com>
Date: Sat, 23 Jun 2018 15:07:58 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <0EF040C2-F0C2-4586-828A-A809A0373F40@lodderstedt.net>
Content-Type: multipart/alternative; boundary="------------AFCB0018BBC6254A1338B34C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VfkPJhFYqR2-XgIERF9Lb1t-Hzo>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2018 19:08:06 -0000

Thanks Torsten.

I think I have a solution :) Just to make sure I have the flow correct...

Assumption: Using a mobile client

1. User (using their mobile client) attempts to sign a document with the 
insurance company
2. Insurance company redirects the user to their Bank asking for 
identity proof, and signing of specific documents
3. User interacts with Bank to get authorization for the specific 
transaction
4. Mobile client submits request to insurance company using token that 
is specific to the user, document etc.

This is effectively the UMA 2.0 flow [1]

1. Mobile client attempts to invoke resource at the insurance company
2. Insurance company registers the request with UMA AS (the bank in this 
case) and gets a permissions ticket
3. Insurance company instructs mobile client to contact the bank
4. Mobile client contacts the bank specifying the permissions ticket
5. User meets banks requirements for the specific transaction (claims 
interaction)
6. Bank issues mobile client the RPT (token)
7. Mobile client invokes resource at insurance company with RPT

Note that the insurance company can specify the necessary bits that need 
to be in the token when it interacts with the Bank (as the UMA AS). 
[There might be some profiling required here]

I think it's worth exploring whether UMA will solve this use case.

Thanks,
George

[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-08.html

On 6/23/18 3:43 AM, Torsten Lodderstedt wrote:
>
>> Am 22.06.2018 um 23:08 schrieb George Fletcher <gffletch@aol.com>:
>>
>> I would think that the scope issued to the refresh_token could represent the category or class of authorizations the refresh_token should be able to perform. For example, the kind of transactions that can be bound to access tokens. The scope issued into the access_token could be one of the "parameterized" ones. But maybe I'm not fully understanding the use case :)
> Let me try to explain ;-)
>
> The client is an issuance company wanting the customer to electronically sign a new contract (legally binding!). Signing in the end means to send a request containing the hash of the document to an API. The API will respond with an CM/S Object containing signature, certificate etc that the client will embedded in the contract document (typical PDF).
>
> We want the user to authorize the signing request using their bank as IDP/AS. Therefore the client sends the OAuth authorization request to the AS. The actual signing request needs to be bound to client, user AND hash (document) in order to prevent fraud. Regulation (eIDAS) requires to always demonstrate the sole control of the user over the whole process. The AS therefore binds (scopes) the access token to exactly this single document/signing request. If the client wants the user to sign another document, it needs to got through the whole process again.
>
> One could think about a general signing permission represented by a refresh token, but not in the high assurance level cases I‘m looking into.
>
> Hope that helps,
> Torsten.
>
>

v2.23.0 | Report a Bug | By Email