Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

[Roman Danyliw <rdd@cert.org>]

Hi Brian!

Thanks for the update in -03.  The item below is the only thing that remains outstanding.

Thanks,
Roman


From: Roman Danyliw
Sent: Wednesday, July 17, 2019 6:05 PM
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth@ietf.org
Subject: RE: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02


From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Wednesday, July 17, 2019 4:35 PM
To: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

[snip]

(2) Section 2.2.  in the sentence "To the extent possible, when issuing access tokens, the authorization server should adapt the scope value associated with an access token to the value the respective resource is able to process and needs to know":

--  is this language suggesting that the authorization server is modifying the scope value based on the resource it sees?  I'm trying to understand what "adapt" means, especially in relation to the improved security and privacy the subsequent sentence suggests.

Perhaps "adapt" wasn't the best choice of word but it's meant to say that an authorization server with sufficient understanding of what scopes are applicable to what resources (which won't always be the case or even possible but sometimes) could limit the scope associated with an access token (downscoping really) to only the scope that is applicable to the resource.

Some of the examples (figures 2 - 6) attempt to show, among other things, a hypothetical case of how this might go down.

In Figure 2 the initial authorization request that's approved has scope of calendar & contacts and resources https://contacts.example.com/ & https://cal.example.com/

A subsequent access token request (Figure 3) has resource https://cal.example.com/ and the issued access token scope (Figure 4) is "adapted" to that resource to be only calendar

Another subsequent access token request (Figure 5) has resource https://contacts.example.com/ and the issued access token scope (Figure 6) is downscoped based on that resource to be only contacts

Would it be easier to understand if the word "downscope" was used rather than "adapt"?

[Roman] Using “downscope” does work for me.  It captures that the server is going to reduce the scope (and certainly not expand it).


-- (Depending on the above) Is there a security consideration here for the server relative to confidential scope values and how they might be modified?

I'm not sure, to be honest. Downscopping when possible and to the extent possible is usually a good idea (least privilege and all that) but I think maybe I'm missing your point/question.

[Roman] Yes, least privilege was part of it and I think the text above gets at it.  However, the other part is the relationship with the next sentence in the paragraph, “This further improves privacy as scope values give an indication of what services the resource owner uses and it improves security as scope values may contain confidential data”.  If the initial request was notionally a scope of “all the houses on the block”, but the server knew that this request was too broad and down-scoped to “only the corner house”, wouldn’t this actually be worse for privacy?  I also don’t follow how reducing the scope impacts confidential data.