Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-02.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 23 September 2019 18:08 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78882120939 for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2019 11:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soWpQmK5iObf for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2019 11:08:38 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418171208DE for <oauth@ietf.org>; Mon, 23 Sep 2019 11:08:38 -0700 (PDT)
Received: from [91.13.158.20] (helo=[192.168.71.123]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) (envelope-from <torsten@lodderstedt.net>) id 1iCSlH-0005vY-1w; Mon, 23 Sep 2019 20:08:35 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <1B3E385A-93B4-4C45-8926-A6822CDDB122@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5A6B4976-3D17-4B64-9383-1933623E2DEB"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 23 Sep 2019 20:08:33 +0200
In-Reply-To: <CAM7dPt1vUQhFd0uMMS7e=WvzkiRP9UAuEcO7uGANTz-4qL58ug@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Justin Richer <justin@bspk.io>
To: Janak Amarasena <janakama360@gmail.com>
References: <156907504831.22964.1710780113673136607.idtracker@ietfa.amsl.com> <A82AA337-86BF-485D-901B-3A3C73C6177B@lodderstedt.net> <CAM7dPt1vUQhFd0uMMS7e=WvzkiRP9UAuEcO7uGANTz-4qL58ug@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WM32xnknNkz0h5t2arbriRt6HDA>
Subject: Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 18:08:54 -0000

Hi Janak, 

thanks for your feedback. 

> On 22. Sep 2019, at 09:45, Janak Amarasena <janakama360@gmail.com>; wrote:
> 
> Hi,
> 
> Since the "authorization_details" parameter is newly introduced I feel it would be better to show how this is used with the existing authorization request at the beginning of the specification. Maybe a small sample of the complete authorization request in the "introduction" section.

Sounds reasonable, I put it on the list for the next revision. 

> 
> Also, in the "Security Considerations" section it says 
> Authorization details are sent through the user agent in case of an
> OAuth authorization request, which makes them vulnerable to
> modifications by the user.
> 
> Do we really need to worry that the "authorization_details" could be manipulated by the user(Resource Owner) as the client is trying to access the users' resources which the user is giving consent to? Also, the resulting token will contain the given permissions as well. 

I understand. I think the more general case of modifying the Authorization Request content, e.g. PKCE challenge, and swapping such parameters between different devices is the important attack vector. I will improve the text.

best regards,
Torsten. 

> 
> Best Regards,
> Janak Amarasena
> 
> On Sat, Sep 21, 2019 at 11:21 PM Torsten Lodderstedt <torsten@lodderstedt.net>; wrote:
> Hi all, 
> 
> I just published a draft about “OAuth 2.0 Rich Authorization Requests” (formerly known as “structured scopes”). 
> 
> https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
> 
> It specifies a new parameter “authorization_details" that is used to carry fine grained authorization data in the OAuth authorization request. This mechanisms was designed based on experiences gathered in the field of open banking, e.g. PSD2, and is intended to make the implementation of rich and transaction oriented authorization requests much easier than with current OAuth 2.0.
> 
> I’m happy that Justin Richer and Brian Campbell joined me as authors of this draft. We would would like to thank Daniel Fett, Sebastian Ebling, Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable feedback during the preparation of this draft.
> 
> We look forward to getting your feedback. 
> 
> kind regards,
> Torsten. 
> 
>> Begin forwarded message:
>> 
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
>> Date: 21. September 2019 at 16:10:48 CEST
>> To: "Justin Richer" <ietf@justin.richer.org>;, "Torsten Lodderstedt" <torsten@lodderstedt.net>;, "Brian Campbell" <bcampbell@pingidentity.com>;
>> 
>> 
>> A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>> 
>> Name:		draft-lodderstedt-oauth-rar
>> Revision:	02
>> Title:		OAuth 2.0 Rich Authorization Requests
>> Document date:	2019-09-20
>> Group:		Individual Submission
>> Pages:		16
>> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
>> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
>> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02
>> 
>> Abstract:
>>   This document specifies a new parameter "authorization_details" that
>>   is used to carry fine grained authorization data in the OAuth
>>   authorization request.
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth