IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

Jacob Ideskog <jacob.ideskog@curity.io> Tue, 19 June 2018 06:16 UTC

Return-Path: <jacob.ideskog@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57A01310AB for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2018 23:16:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PD4ghR07KTq for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2018 23:16:54 -0700 (PDT)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05E27128CF3 for <oauth@ietf.org>; Mon, 18 Jun 2018 23:16:53 -0700 (PDT)
Received: by mail-wr0-x230.google.com with SMTP id f16-v6so19192061wrm.3 for <oauth@ietf.org>; Mon, 18 Jun 2018 23:16:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xVwPnwSlsOHFLCXMA60DlElWWeDMa+NUprjMoVp++lY=; b=Zoct/yrqjo0W0dEOyXlwBDHqLEraECxWDYntszdG1OzYyfx469GUKcwOz8jFl1cHow vmSXLIADIbIKdtLkkhLvxtm5HW35claIT5lwmbz1UBV1Z6kA9jhuwpjY0hgtG40kjwAd tm+x6mon+LqLgGj2YIAngjqVm34o6nm8F3WII8Lf4PfozQcbTCFo3iNrU9lFSXAPfO50 zjkMe1sRLkYfB8rReTXtPj3L7WWHnsD0m6birLEpNwcn7xTYhXn6U8zsXyJGMVsDolJE ImbE+Uf2B5aUBdwSYGnREcTLC4CbUvdoh1UF4Mm9g95CdFgNRuPPryxWPco99IDQ+ejs PYDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xVwPnwSlsOHFLCXMA60DlElWWeDMa+NUprjMoVp++lY=; b=AUyKZgXtr1OYPd1FTRqkU6K/o18t/weQL81VW6ZaGk1oxOhtjQLm83+xrI7ZqbWkt1 NVSL+9B6nG08YXiEkCi5NrTGcIW6SRwvw8LnEYTGkD21u+2on0iaIcOoA/M3ekPSf6hI 8lvdtBuxf9xrwd9obfYCUT07BnmGlhw0CredLkRMtvtik9dC4uAzj41niEuhLVHqc/xd DsgP/p5rNZtZFikxN+0bIfG54PXFmiuOLI63nQcyH/3yXQcBeFk07WGb4MjkKmgc5w9Y lcNgs0LlS29ZBwqlMy563D26XoC5pWpe6p9+kLZN70WlVzb/5fBSu16e7+y4zSNY1pXt HGKA==
X-Gm-Message-State: APt69E18m/UKdACufBpAwCP8As8PVD0a7KwFdpSxMisMpM2g7/voGSkl Ct0fmXrUUQOS75ByrvKFqzg12NgZ4O6wcmLrpZMjLvmq
X-Google-Smtp-Source: ADUXVKJcQ95cf7e3LNJ0G/YUssa+k1rmv+Q0zRFdQMOnvuUdY9UqL/dQB+dNcb+Rp4/j80qPKN9hEmqC/gYzFyILSdk=
X-Received: by 2002:adf:93c6:: with SMTP id 64-v6mr12661100wrp.119.1529389012344; Mon, 18 Jun 2018 23:16:52 -0700 (PDT)
MIME-Version: 1.0
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <E540DC60-1FDD-4BF8-A1DF-8FF8348760A1@alkaline-solutions.com>
In-Reply-To: <E540DC60-1FDD-4BF8-A1DF-8FF8348760A1@alkaline-solutions.com>
From: Jacob Ideskog <jacob.ideskog@curity.io>
Date: Tue, 19 Jun 2018 08:16:39 +0200
Message-ID: <CAKL4o=EO0_NU+VGmhO=ojxS5w8MCNP2h7hGmQ5E1z7f59Jz76w@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cdf2af056ef8a05c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Xi8JqOoJ5Amtxy41zrrPt2KMNe0>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2018 06:16:58 -0000

This borderlines another problem we've been adressing which is when a
client needs to pass on the request to an asyncronous queue. In that case
the client can request the AS to "downscope" it's token, and include a
signature of the request in the token. (simplified).

The dynamic scope approach would help in this case also, i.e. have a
dynamic scope "sign:" which lets the client downscope it by adding the
actual signature/hash of the request to the token endpoint in a refresh
(sign:<hash>). Since we then consider sign:<hash> to be the downscoped
version of sign:, thus allowing the AS to issue this AT.

Also, one-off scopes are useful in services like pay per view etc, where
you can purchase say a single movie, game etc. Then the dynamic scope can
be decided to be issued by the AS rathern than specifically asked for by
the client. Example client asks for games: and gets
games:world-cup-2018-06-15 etc.

So, the scope approach seems like a more general approach for both the
authorize endpoint as well as the token endpoint. With that said, it will
probably make it hard to narrow down dynamic scopes to single particular
usecase. It would mean that

1. If a dynamic scope is requested on  the Authorize endpoint it's a
consentable request that the user needs to sign
2. If a dynamic scope is requested on the Token endpoint, the AS determines
what the end result might be. Seems a bit vague perhaps.

For OpenID I still think the signed claims parameters make a more flexible
approach, but OpenID isn't always in play.

Just my 5-cents

/Jacob Ideskog
Curity


mån 18 juni 2018 kl 21:00 skrev David Waite <david@alkaline-solutions.com>:

> One of the reasons I hear for people wanting parameterized scopes is to
> deal with transactions. I’d love to hear thoughts from the group on if/how
> OAuth should be used to authorize a transaction, vs authorize access to
> information/actions for a period of time. This approach for instance sounds
> like it is trying to scope down access to a single resource representing a
> transaction to be performed?
>
> I also hear people wanting dynamic scopes to support a finer-grained
> access control, for instance not ‘allow moderation of chat rooms’ but
> rather the list of *specific* rooms. There is sometimes a case to be made
> that this would be better served as local state in the resource, or as the
> result of an API call, but there is value in some use cases to represent
> this as a finer-grained consent to the user.
>
> I’ve seen parameterized scopes take the form of colon-deliminated
> name:param, as a function name(param), or as a URL
> https://nameurl?param=value.  The latter is recommended sometimes in
> specs like opened connect as a way to prevent conflicting vendor extensions.
>
> In terms of requesting a parameterized scope - I prefer overloading scope
> (or perhaps claims when using connect) vs adding a new authorization
> request parameter - for one, use of authorization request parameters limits
> your grant type options unless you also define them as token request
> parameters for the other types. Second, the consent/business logic for
> determining which scopes a client get should already be a customization
> point for a reusable AS.
>
> -DW
>
> > On Jun 18, 2018, at 9:34 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> >
> > Hi all,
> >
> > I have been working lately on use cases where OAuth is used to authorize
> transactions in the financial sector and electronic signing. What I learned
> is there is always the need to pass resource ids (e.g. account numbers) or
> transaction-specific values (e.g. amount or hash to be signed) to the OAuth
> authorization process to further qualify the scope of the requested access
> token.
> >
> > It is obvious a static scope value, such as „payment“or „sign“, won’t do
> the job. For example in case of electronic signing, one must bind the
> authorization/access token to a particular document, typically represented
> by its hash.
> >
> > I would like to get your feedback on what you consider a good practice
> to cope with that challenge. As a starting point for a discussion, I have
> assembled a list of patterns I have seen in the wild (feel free to extend).
> >
> > (1) Parameter is part of the scope value, e.g.
> „sign:<hash_to_be_signed>“ or "payments:<payment_resource_id>" - I think
> this is an obvious way to represent such parameters in OAuth, as it extends
> the scope parameter, which is intended to represent the requested scope of
> an access token. I used this pattern in the OAuth SCA mode in Berlin
> Group's PSD API.
> >
> > (2) One could also use additional query parameter to add further details
> re the requested authorization, e.g.
> >
> > GET /authorize?
> > ....
> > &scope=sign
> > ....
> > &hash_to_be_signed=<hash_to_be_signed>
> >
> > It seems to be robust (easier to implement?) but means the scope only
> represents the static part of the action. The AS needs to look into a
> further parameter to fully understand the requested authorization.
> >
> > (3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to
> carry additional data.
> >
> > Example:
> >
> > "claims": {
> >    "id_token": {
> >        "acr": {
> >            "essential": true,
> >            "value": "..."
> >          },
> >        "hash_to_be_signed": {
> >            "essential": true,
> >            "value": "<hash_to_be_signed>"
> >        }
> >    },
> >    "userinfo": {
> >        "hash_to_be_signed": {
> >            "essential": true,
> >            "value": "<hash_to_be_signed>"
> >        }
> >    }
> >  }
> >
> > I‘m looking forward for your feedback. Please also indicated whether you
> think we should flush out a BCP on that topic.
> >
> > kind regards,
> > Torsten._______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
---
Jacob Ideskog
Curity AB

M: +46(0)70 22 33 664
E: jacob.ideskog@curity.io <malina@curity.io>
W: curity.io

*Curity AB is the leading supplier of API-driven identity
management, providing unified security for digital services. Curity
Identity Server is the world’s most powerful OAuth and OpenID Connect
Server; it is used for logging in and securing millions of users’ access to
web and mobile apps over APIs and microservices. We enjoy the trust of
large organizations in financial services, telecom, retail, energy and
government services with operations across many countries which have chosen
Curity for their enterprise-grade API security needs. *

*More information about us can be found at: https://curity.io
<https://curity.io/> *

v2.23.0 | Report a Bug | By Email