Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-02.txt

Justin Richer <jricher@mit.edu> Thu, 10 October 2019 01:15 UTC


+1, that’s the idea — schema by fiat at the very least. This structure should be a flexible JSON object that can take whatever shape its attendant API would need it to have. The goal of the “common data elements” is to provide just enough structure to be generally useful, and it’s based on what dimensions I’ve seen “scope” used for in the wild most often. If you’ve got your own fields and dimensions, then those definitely should be their own space and not crammed into the existing ones. But if you’ve got something that feels like an “action”? Use that space.


— Justin

On Oct 8, 2019, at 10:49 AM, George Fletcher <gffletch@aol.com> wrote:

In general, it's difficult to determine how to extend for new types or if they should be wrapped up in "data" somehow.


{
    "type":"https://example.com/my_field",
    "actions":[
        "read"
    ],
    "my_field": {
        "id": "<id_value>"
    }
}

I'm assuming the above is perfectly legit and the intended way for the spec to be extended? If not, what is the expected extension mechanism?

Thanks,
George

On 10/2/19 11:45 AM, Brian Campbell wrote:
I guess we differ in our opinion of how remiss that would be. But given what you've got in there now, the more narrow point I was trying to make was to say that I don't think "data" is defined or explained well enough to be helpful.

On Tue, Oct 1, 2019 at 4:33 PM Justin Richer <jricher@mit.edu> wrote:
I think that we need to define :some: common set of data elements in this spec, in order to help people who are using this and trying to apply it to their APIs do so in vaguely consistent ways. The details of which parts we standardize on are still, I think, up for grabs. I’d be happy to have a better name than “data” for this aspect, but I think there’s value in defining this kind of thing. Like in the financial space, it’s the difference between “transactions” and “accounts”. Or in the medical space, there’s “demographics” and “appointments” and “testResults”. This is a very, very, very common way to slice up OAuth-protected resources, and we’d be remiss to leave it undefined and just have every API developer need to come up with their own version of the same thing.

— Justin

On Oct 1, 2019, at 2:40 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

I'm not entirely sold on the draft attempting to define this set of common data elements in the first place. But that said, I think (similar to George?) I'm struggling with "data" more than the others. The definition in the -02 draft is an "array of strings representing the kinds of data being requested from the resource" and I'm honestly having a hard time understanding what that actually means or how it would be used in practice. And I'm not sure roughly equating it to “what kind of thing I want” helped me understand any better.

On Tue, Sep 24, 2019 at 5:34 PM Justin Richer <justin@bspk.io> wrote:
The idea behind the “locations”, “actions”, “data”, and “identifier” data element types mirrors what I’ve seen “scope” used for in the wild. They roughly equate to “where something is”, “what I want to do with it”, “what kind of thing I want”, and “the exact thing I want”, respectively. I’m completely open for better names, and have even been thinking “datatype” might be better than just “data” for the third one.

As for encoding, I think that form encoding makes sense because it’s the simplest possible encoding that will work. I personally don’t see a need to armor this part of the request with base64, as it is in JOSE, and doing so would make it one more step removed from easy developer understanding.

-- Justin Richer

Bespoke Engineering
+1 (617) 564-3801
https://bspk.io/



On Sep 24, 2019, at 1:45 PM, George Fletcher <gffletch@aol.com> wrote:

Just two questions...

1. What is the rationale that 'data' is really an array of arbitrary top-level claims? I find looking at the spec and not finding a 'data' section a little confusing.

2. What is the rationale for sending the JSON object as a urlencoded JSON string rather than a base64url encoded JSON string? The latter would likely be smaller and easier to read :)

Thanks,
George

On 9/21/19 1:51 PM, Torsten Lodderstedt wrote:
Hi all,

I just published a draft about "OAuth 2.0 Rich Authorization Requests" (formerly known as "structured scopes").

https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02

It specifies a new parameter "authorization_details" that is used to carry fine grained authorization data in the OAuth authorization request. This mechanism was designed based on experiences gathered in the field of open banking, e.g. PSD2, and is intended to make the implementation of rich and transaction oriented authorization requests much easier than with current OAuth 2.0.

I'm happy that Justin Richer and Brian Campbell joined me as authors of this draft. We would like to thank Daniel Fett, Sebastian Ebling, Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable feedback during the preparation of this draft.

We look forward to getting your feedback.

kind regards,
Torsten.

Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
Date: 21. September 2019 at 16:10:48 CEST
To: "Justin Richer" <ietf@justin.richer.org>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Brian Campbell" <bcampbell@pingidentity.com>


A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
has been successfully submitted by Torsten Lodderstedt and posted to the
IETF repository.

Name: draft-lodderstedt-oauth-rar
Revision: 02
Title: OAuth 2.0 Rich Authorization Requests
Document date: 2019-09-20
Group: Individual Submission
Pages: 16
URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02

Abstract:
   This document specifies a new parameter "authorization_details" that
   is used to carry fine grained authorization data in the OAuth
   authorization request.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat





_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
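The two questions running through this thread, how an authorization_details element is extended beyond the common elements (George's "my_field" object) and how the JSON array is carried in the request (form-urlencoded versus base64url), are worked through below in a small Python example. This is added illustration, not code from the draft or from any of the authors; the per-type field registry (KNOWN_TYPES), the type URL, the field names "my_field" and "id", and the rule that an authorization server rejects elements whose type it does not recognise or whose extension fields are not registered for that type are assumptions made for the example, and the sample request is constructed.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Common data elements named in the thread (draft -02): type, locations,
# actions, data, identifier. Anything else on an element is type-specific.
COMMON_ELEMENTS = {"type", "locations", "actions", "data", "identifier"}

# Hypothetical per-type registry an authorization server might keep: which
# extension fields a given "type" may carry. Constructed for this example.
KNOWN_TYPES = {
    "https://example.com/my_field": {"my_field"},
}

# Constructed request in the shape George asked about: common elements plus
# an extension object namespaced by the type.
SAMPLE_DETAILS = [
    {
        "type": "https://example.com/my_field",
        "actions": ["read"],
        "my_field": {"id": "12345"},
    }
]


def _is_string_array(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_authorization_details(details, known_types=KNOWN_TYPES):
    """Return a list of error strings; an empty list means the request passes.

    Assumptions of this validator (not rules from the draft): every element
    must carry a "type" the server recognises, the common elements must have
    the shapes the draft describes, and extension fields not registered for
    that type are rejected rather than silently ignored.
    """
    errors = []
    if not isinstance(details, list):
        return ["authorization_details must be a JSON array"]
    for i, element in enumerate(details):
        if not isinstance(element, dict):
            errors.append(f"element {i}: must be a JSON object")
            continue
        type_ = element.get("type")
        if not isinstance(type_, str) or type_ not in known_types:
            errors.append(f"element {i}: unknown or missing type {type_!r}")
            continue
        for name in ("locations", "actions", "data"):
            if name in element and not _is_string_array(element[name]):
                errors.append(f"element {i}: {name} must be an array of strings")
        if "identifier" in element and not isinstance(element["identifier"], str):
            errors.append(f"element {i}: identifier must be a string")
        extra = set(element) - COMMON_ELEMENTS - known_types[type_]
        for name in sorted(extra):
            errors.append(f"element {i}: field {name!r} not defined for type {type_}")
    return errors


def encode_form(details):
    """Encoding discussed in the thread: compact JSON, form-urlencoded as one parameter."""
    payload = json.dumps(details, separators=(",", ":"))
    return urlencode({"authorization_details": payload})


def decode_form(query):
    """Inverse of encode_form: take the single parameter value and parse the JSON."""
    values = parse_qs(query, strict_parsing=True)["authorization_details"]
    if len(values) != 1:
        raise ValueError("authorization_details must appear exactly once")
    return json.loads(values[0])


def encode_base64url(details):
    """Alternative George raised: base64url (unpadded) over the compact JSON."""
    raw = json.dumps(details, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_base64url(text):
    padded = text + "=" * (-len(text) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def compare_encodings(details):
    """Length of the parameter value under each encoding, for the size question."""
    form_value = encode_form(details).split("=", 1)[1]
    return {"form": len(form_value), "base64url": len(encode_base64url(details))}


if __name__ == "__main__":
    print(validate_authorization_details(SAMPLE_DETAILS))
    print(encode_form(SAMPLE_DETAILS))
    print(compare_encodings(SAMPLE_DETAILS))
```

Rejecting unregistered extension fields is the conservative choice for a server: an element that carries a field nobody has defined is more likely a client bug or a probe than a legitimate request, and refusing it keeps the consent screen and the resource server from disagreeing about what was granted. The size comparison simply makes George's point concrete for one request; base64url costs a fixed 4/3 expansion, while percent-encoding triples every quote, brace, bracket, colon and comma in the JSON.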