[OAUTH-WG] Rich Authorization Requests feedbacks on implementation
Nicolas Mora <nicolas@babelouest.org> Mon, 11 January 2021 01:36 UTC
Return-Path: <nicolas@babelouest.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 244B43A146D for <oauth@ietfa.amsl.com>; Sun, 10 Jan 2021 17:36:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=babelouest.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvL4m30wG2VZ for <oauth@ietfa.amsl.com>; Sun, 10 Jan 2021 17:36:41 -0800 (PST)
Received: from perceval.babelouest.org (perceval.babelouest.org [5.135.181.15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE9483A146C for <oauth@ietf.org>; Sun, 10 Jan 2021 17:36:40 -0800 (PST)
Received: from [192.168.1.50] (bras-base-qubcpq0634w-grc-10-70-51-43-204.dsl.bell.ca [70.51.43.204]) by perceval.babelouest.org (Postfix) with ESMTPSA id 3BAEE2032B for <oauth@ietf.org>; Sun, 10 Jan 2021 20:36:38 -0500 (EST)
Authentication-Results: OpenDMARC; dmarc=fail (p=quarantine dis=none) header.from=babelouest.org
Authentication-Results: OpenDMARC; spf=fail smtp.mailfrom=nicolas@babelouest.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=babelouest.org; s=mail; t=1610328998; bh=hbh2Zysal+zJ9WYHX2d5xKZf7rphxixQ8qKHrTLvyso=; h=To:From:Subject:Date:From; b=kGCR7ZjJiYwxrnX1jtp+JPTE0CpzA2xoWOvYxDW8fEqiby/uxRJAigf0t81d6lZXJ GHG/DGR8E7q1pN+ZsnV3ssYaTcf0c7hpAs+zBRgrPhGe8w7WyR5IP3xKCJfWuL9EAE SnffW8SWrEiwZXgyhRTS5pxi21Ad/aC9WG1VZY9GA1sklhsruaPeKmWXHo+Met+TzO 0yP9C2HxNkvWYKxyPvqzL3S4lI7YlD5M9SVPwxNJDhagtvk/MiULWT4kVbK2gnT15i l3B1rVTsgFmi7P7J/R0mqY2SRe+k8W6iZCq5qsiuU2tsmrJjIOItQ5sc5fEWq3SRmf 5aBLdRTxyqxQA==
To: oauth <oauth@ietf.org>
From: Nicolas Mora <nicolas@babelouest.org>
Message-ID: <511128bf-348f-fc92-ddf1-9598502a20a9@babelouest.org>
Date: Sun, 10 Jan 2021 20:36:36 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XQdPVthKdCUQDyEt0AVg35Ro5jI>
Subject: [OAUTH-WG] Rich Authorization Requests feedbacks on implementation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2021 01:36:43 -0000
Hello, I've implemented Rich Authorization Requests defined in draft-ietf-oauth-rar-03 for Glewlwyd soon-to-be-released 2.5 [1], and I humbly wanted to write my feedback about this implementation to share my experience. For starters, this implementation and my following feedbacks are based on the prism of Glewlwyd's implementation and philosophy, and my limited experience on OAuth2, so I appologize in advance if I write non-sense or big mistakes. 1 - Design The way I saw it, there are 2 different approaches to implement oauth2 rar: either to get a token with a more detailed scope, or to get a one-time token with extra grants. Both are not exclusive, but a big difference I see between those 2 approaches is the grant access from the user part. The second approach would require the user to know what extra grant is asked by the client every time the client asks for it, i.e. when the client redirects the user to the /authorization endpoint. To be more consistent with Glewlwyd's philosophy, I chose the first approach, with those rules. The AS administrator declares what rar types are allowed [2] - a rar type has a defined set of locations, actions, datatypes and enriched authorization details that the client can ask for - the client must be explicitly allowed to add a rar type in the authorization request - a rar type can be linked to one or more scope. In that case, the authorization request must include at least one of the linked scope, and the scope must be available for the user and the scope must be granted to the client - the client can add as many properties as required in the rar type, those extra properties are not verified by the AS, on access granted, the extra properties will be present in the "authorization_details" result. On first use of a rar type by a client for a user, the user must grant to the client the rar access [3]. That's why the grant message will show to the user ALL access possible via this rar type Once this access is granted or not, the user will not be asked again on another authorization request by the client (but is can be changed at any time, as a scope grant). 2 - Limitations In this design, the AS has a limited control over the authorization_details content, and the trust between the AS and the client must be high enough so if a rar type can gain access to sensitive actions or information, the user should know about it. Also, in the draft specification, the only mandatory element type in a rar is the "type" element. In my point of view, this means that the business logic is mostly defined by the RS, rather than the AS. Therefore, for a client implementation to be compliant with the specs, there's not much to do: add as a parameter a JSON array with objects containing at least one "type" string property in it. 3 - Extensions I believe one way to mitigate these limitations is to allow extensions to be defined on top of the rar specifications. An extension can be declared like this: "RAR Extension XYZ: A rar whose type is XXX - Actions available: YYY, ZZZ or AAA - datatypes possibles: BBB, CCC, DDD or EEE - additional elements mandatory: an array of FFF and an object of GGG to represent access to some" Like this, if the AS, the RS and the client agree on using a rar extension, they can have at least a detailed pattern on what to expect in the rar type. Any thoughts? /Nicolas [1] https://github.com/babelouest/glewlwyd [2] https://raw.githubusercontent.com/babelouest/glewlwyd/master/docs/screenshots/plugin-oidc-rar.png [3] https://raw.githubusercontent.com/babelouest/glewlwyd/master/docs/screenshots/login-rar-grant.png
- [OAUTH-WG] Rich Authorization Requests feedbacks … Nicolas Mora
- Re: [OAUTH-WG] Rich Authorization Requests feedba… Justin Richer
- Re: [OAUTH-WG] Rich Authorization Requests feedba… Nicolas Mora