IETF Logo Mail Archive

Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request

Justin Richer <jricher@mit.edu> Wed, 23 September 2020 20:27 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34E4D3A0CB3 for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 13:27:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMKqJL0heQ8q for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 13:27:21 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB1AF3A0BDE for <oauth@ietf.org>; Wed, 23 Sep 2020 13:27:20 -0700 (PDT)
Received: from [192.168.1.15] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08NKRFDQ014365 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 23 Sep 2020 16:27:15 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <9B976E13-D442-402C-ACF2-D40DCAC6591A@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A165004A-8B48-40F8-A32D-57D67DC782FB"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Wed, 23 Sep 2020 16:27:14 -0400
In-Reply-To: <CAHdPCmPmABt6PyupuGZaofwp+jKy7aVEvUO488NdDzVFsD18BA@mail.gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
To: Takahiko Kawasaki <taka@authlete.com>
References: <CAHdPCmOPwqbemgKsEALA0OvP+6z58N5eNA9WA_AsvDESNhE1kg@mail.gmail.com> <2cd8bfd1-f491-0086-979f-0527ccf16281@connect2id.com> <CAHdPCmPmABt6PyupuGZaofwp+jKy7aVEvUO488NdDzVFsD18BA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WD9OekIty3yWiQ2mbTKNsi8zuZI>
Subject: Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 20:27:23 -0000

In my opinion, all parameters should be able to be passed inside the request object, including `scope`. 

We couldn’t do that kind of thing in OIDC because that would be a breaking change to existing requirements in OAuth 2. JAR is taking the step of overriding those requirements, and so it should do so with all parameters.

There are a lot of things in OIDC that are a little wonky like this, where the general solution turned out to be slightly different than the tightly fit solution that OIDC pioneered. Discovery and issuer URLs are another notable example beyond this one.

In my view, OIDC should be updated to redefine its behavior in light of the family of new general purpose protocol extensions, including JAR. This could probably be done in a way that an IdP could support both the “classic” way of doing request objects as well as the “new” way, but likely for different clients. In which case, I think the behavior switch would be similar to what Vladimir describes.

 — Justin

> On Sep 23, 2020, at 7:58 AM, Takahiko Kawasaki <taka@authlete.com> wrote:
> 
> Hi Vladimir,
> 
> Thank you for your reply. It sounds that your opinion is "`scope` request parameter must exist outside the request object even if JAR applies if the authorization request is an OIDC request". I'm on the fence on this topic and just wondered whether those who had wanted to remove `response_type` outside the request object (although doing it was a breaking change) would want to remove `scope` outside the request object too with the same motivation (although I don't remember well what was the motivation). JAR dares to drop `response_type`, so it would not be surprising to see that JAR dares to drop `scope` (including `openid`) too.
> 
> OIDC Core 1.0 requires `response_type`, but JAR allows omission of the parameter if the parameter is included in the request object.
> 
> If we applied the same logic, we would be able to state:
> 
> OIDC Core 1.0 requires `scope` (including `openid`), but JAR allows omission of the parameter if the parameter is included in the request object.
> 
> In terms of `response_type`, practically speaking, JAR has modified OIDC Core 1.0. Because JAR has already been allowed to go so far as that point, I would say it is difficult to find a convincing reason not to allow omission of `scope`.
> 
> AFAIK, in the context of OIDC Core 1.0, parameters that are required to exist outside a request object even if they are included in the request object are `client_id`, `response_type` and `scope`. Because `client_id` is mandatory in JAR (it has become mandatory after long discussion), discussion for the parameter is not needed. Because the community has already reached consensus that `response_type` can be omitted, discussion for the parameter is not needed, either. What I've brought here is discussion for `scope`, hopefully the last parameter that is affected by JAR.
> 
> Again, I'm on the fence on this topic. However, because logical conclusion (at least of mine) is that JAR should allow omission of `scope` (it also should be noted that JAR's basic rule prohibits referring to request parameters outside a request object), I want to see explicit consensus if `scope` (including `openid`) outside a request object is still required even after JAR is enabled.
> 
> In short, my question is "Should `scope` be omitted?" I guess that the conclusion will affect the official conformance suite.
> 
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> 
> 
> 
> On Tue, Sep 22, 2020 at 5:59 AM Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
> Hi Taka,
> 
> On 21/09/2020 20:12, Takahiko Kawasaki wrote:
>> If we allow JAR (JWT Secured Authorization Request) to relax the requirement of `response_type` request parameter (outside a request object) from mandatory to optional, should we relax the following requirement of `scope` request parameter stated in OIDC Core 1.0 Section 6.1, too?
>> 
>> ----------
>> Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
>> ----------
>> 
>> Otherwise, an authorization request like "client_id=...&request(_uri)=..." fails if the request object represents an OIDC request. An authorization request has to look like "client_id=...&request(_uri)=...&scope=openid" (`scope` including `openid` has to be given) even if the authorization server conforms to JAR and allows omission of `response_type` request parameter.
> The bottom of section 5 has normative text which allows a JAR compliant server to also comply with the OIDC spec with its own style of request / request_uri parameter handling insofar as to not reject other query params (such as scope, etc). The difference is that according to JAR their values cannot be used or merged (as in OIDC). But what can be reasonably done is to detect scope=openid as you say and then switch to OIDC style request object behavior.
> 
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5 <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5>
> 
>>    The client MAY send the parameters included in the request object
>>    duplicated in the query parameters as well for the backward
>>    compatibility etc.  However, the authorization server supporting this
>>    specification MUST only use the parameters included in the request
>>    object.
> 
> The confusion between the two specs clears when it's seen that the request objects in OIDC and JAR have different objectives.
> 
> In OIDC the objective is to enable securing of selected parameters.
> 
> In JAR the objective is to secure the entire authz request.
> 
> 
> 
>> 
>> I think that implementers want to know consensus on this because it affects implementations. Has this been discussed yet?
>> 
>> Best Regards,
>> Takahiko Kawasaki
>> Authlete, Inc.
> 
> Vladimir
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email