Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-02.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 23 September 2019 18:08 UTC

Cc: oauth <oauth@ietf.org>, Justin Richer <justin@bspk.io>
To: Janak Amarasena <janakama360@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WM32xnknNkz0h5t2arbriRt6HDA>

Hi Janak, 

thanks for your feedback. 

> On 22. Sep 2019, at 09:45, Janak Amarasena <janakama360@gmail.com> wrote:
> 
> Hi,
> 
> Since the "authorization_details" parameter is newly introduced I feel it would be better to show how this is used with the existing authorization request at the beginning of the specification. Maybe a small sample of the complete authorization request in the "introduction" section.

Sounds reasonable, I put it on the list for the next revision. 

> 
> Also, in the "Security Considerations" section it says 
> Authorization details are sent through the user agent in case of an
> OAuth authorization request, which makes them vulnerable to
> modifications by the user.
> 
> Do we really need to worry that the "authorization_details" could be manipulated by the user (Resource Owner) as the client is trying to access the user's resources which the user is giving consent to? Also, the resulting token will contain the given permissions as well. 

I understand. I think the more general case of modifying the Authorization Request content, e.g. PKCE challenge, and swapping such parameters between different devices is the important attack vector. I will improve the text.

best regards,
Torsten. 

> 
> Best Regards,
> Janak Amarasena
> 
> On Sat, Sep 21, 2019 at 11:21 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi all, 
> 
> I just published a draft about “OAuth 2.0 Rich Authorization Requests” (formerly known as “structured scopes”). 
> 
> https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
> 
> It specifies a new parameter “authorization_details” that is used to carry fine grained authorization data in the OAuth authorization request. This mechanism was designed based on experiences gathered in the field of open banking, e.g. PSD2, and is intended to make the implementation of rich and transaction oriented authorization requests much easier than with current OAuth 2.0.
> 
> I’m happy that Justin Richer and Brian Campbell joined me as authors of this draft. We would like to thank Daniel Fett, Sebastian Ebling, Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable feedback during the preparation of this draft.
> 
> We look forward to getting your feedback. 
> 
> kind regards,
> Torsten. 
> 
>> Begin forwarded message:
>> 
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
>> Date: 21. September 2019 at 16:10:48 CEST
>> To: "Justin Richer" <ietf@justin.richer.org>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Brian Campbell" <bcampbell@pingidentity.com>
>> 
>> 
>> A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>> 
>> Name:		draft-lodderstedt-oauth-rar
>> Revision:	02
>> Title:		OAuth 2.0 Rich Authorization Requests
>> Document date:	2019-09-20
>> Group:		Individual Submission
>> Pages:		16
>> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
>> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
>> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02
>> 
>> Abstract:
>>   This document specifies a new parameter "authorization_details" that
>>   is used to carry fine grained authorization data in the OAuth
>>   authorization request.
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
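
Added example, not part of the original message or of the draft: a complete authorization request carrying "authorization_details", plus a check that reports which parameters differ between the request a client issued and the request the authorization server received, since the request travels through the user agent. The endpoint, client_id, redirect URI, the fields inside the authorization_details object and the idea of comparing the two logged URLs are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# All values below are constructed samples; the endpoint, client_id and the
# fields inside the authorization_details object are assumptions.
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
DETAILS = [{"type": "payment_initiation",
            "instructedAmount": {"currency": "EUR", "amount": "123.50"},
            "creditorName": "Merchant123"}]

def build_authorization_request(details, state, code_challenge):
    """Return the authorization request URL the client hands to the user agent."""
    params = {
        "response_type": "code",
        "client_id": "example-client",
        "redirect_uri": "https://client.example.org/cb",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        # The JSON structure is serialized and URL-encoded like any parameter.
        "authorization_details": json.dumps(details),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def request_params(url):
    """Parse the query string into a dict. authorization_details is decoded
    from JSON so key order and whitespace do not count as a difference."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "authorization_details" in params:
        params["authorization_details"] = json.loads(params["authorization_details"])
    return params

def changed_params(sent_url, received_url):
    """Names of parameters that differ between the request the client issued
    and the request the authorization server received."""
    sent, received = request_params(sent_url), request_params(received_url)
    return sorted(k for k in sent.keys() | received.keys()
                  if sent.get(k) != received.get(k))

if __name__ == "__main__":
    sent = build_authorization_request(DETAILS, "af0ifjsldkj", "CONSTRUCTED_CHALLENGE_A")
    print(sent)
    print(changed_params(sent, sent))
```
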