Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 15 February 2021 17:18 UTC
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CA+k3eCR2VBKWgvjEvTzOQOkROBBPJxySBjT==p5EAqG31mhp9w@mail.gmail.com>
Date: Mon, 15 Feb 2021 18:17:55 +0100
Cc: Francis Pouatcha <fpo@adorsys.de>, oauth <oauth@ietf.org>
Message-Id: <F14B61F0-9D46-453E-952C-A2E32D4CEE66@lodderstedt.net>
References: <161270175060.8296.1897997883947486904@ietfa.amsl.com> <06504BA6-6065-4ADD-BE45-5E13DF00DC1A@lodderstedt.net> <FR2P281MB01063CE7EE6ECFE8727E58878D8E9@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CA+k3eCR2VBKWgvjEvTzOQOkROBBPJxySBjT==p5EAqG31mhp9w@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/df5xq-eMVI24L1oF4dXIMPBzhG4>
> On 13.02.2021 at 00:38, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
> On Tue, Feb 9, 2021 at 5:53 AM Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org> wrote:
> Find below my review of the draft:
>
> • Redactional changes:
> 2.2. Authorization Data Types
>
> Interpretation of the value of the "type" parameter, and the object
> elements that the "type" parameter allows => allowed
>
> The "allows" seems correct there.
>
> 9. Metadata
> which is an
> JSON array. => which is a JSON array
>
> Fixed this in the document source. Thanks!
>
> • Application to existing APIs
> reason-1: Current open banking initiatives are built on existing data standards like ISO20022 (PAIN, CAMT), which are XML formats that do not provide a direct translation to JSON. Some authorization servers might even be able to parse an ISO PAIN file to display the proper authorization request to the user.
>
> That the APIs are XML doesn't necessarily mean that the details of the authorization can't be represented in JSON. And, if really need be, XML can be included as the value of some member in the authorization details and defined as such by the type.
>
> reason-2: In some situations, it might be more privacy preserving to have the authorization request content negotiated between the AS and the RS. In this case the "scope" parameter shall only carry some sort of "grant-id" (known in the Berlin Group spec as consent-id). This will allow the AS to negotiate the data to be displayed directly with the RS.

I think you are referring to different relationships, namely client to AS vs AS to RS. Authorization details carry the client's request data (e.g. amount to be transferred) to the AS. Whatever the AS wants to negotiate with the RS to be displayed by the AS can be negotiated between AS and RS if needed via a suitable interface. However, I would assume this negotiation is informed by the client's request data. So both concepts are complementary in my opinion.

> RAR probably just isn't applicable in that kind of case.
>
> Any idea how to consider these two edge cases?
>
> Best regards.
> /Francis
>
> From: OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> Sent: Sunday, February 7, 2021 12:49 PM
> To: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt
>
> Hi all,
>
> here is the list of changes in revision -04:
>
> • restructured draft for better readability
> • simplified normative text about use of the resource parameter with authorization_details
> • added implementation considerations for deployments and products
> • added type union language from GNAP
> • added recommendation to use PAR to cope with large requests and for request protection
>
> Your feedback is highly appreciated.
>
> best regards,
> Torsten.
>
>> On 07.02.2021 at 13:42, internet-drafts@ietf.org wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>
>>         Title           : OAuth 2.0 Rich Authorization Requests
>>         Authors         : Torsten Lodderstedt
>>                           Justin Richer
>>                           Brian Campbell
>>         Filename        : draft-ietf-oauth-rar-04.txt
>>         Pages           : 36
>>         Date            : 2021-02-07
>>
>> Abstract:
>>    This document specifies a new parameter "authorization_details" that
>>    is used to carry fine grained authorization data in the OAuth
>>    authorization request.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-oauth-rar-04.html
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-04
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
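The two points discussed in this thread (the "type" member governs how the other members of an authorization details object are interpreted, and XML such as an ISO 20022 PAIN document can be carried as the value of a member that the type defines) can be made concrete in code. The following is an added example, not code from the draft, its authors or anyone in this thread. The "payment_initiation" type and its fields are modelled on the payment example in draft-ietf-oauth-rar; the "iso20022_pain" type, its "document" member, the metadata key "authorization_details_types_supported", the per-type schemas and all sample values are assumptions constructed for this example. It shows a client building the array and sending it via a pushed authorization request, and an AS validating the array against its advertised types before it ever reaches the consent screen.

```python
"""Added example, not code from the draft, its authors, or this thread: a
client-side builder and an AS-side validator for the RAR
"authorization_details" parameter. The "payment_initiation" type and its
fields are modelled on the payment example in draft-ietf-oauth-rar; the
"iso20022_pain" type, its "document" member, the metadata values and all
sample data are constructed for this example."""
import json
from urllib.parse import urlencode

# Constructed AS metadata. Supported types are advertised as a JSON array;
# the key name "authorization_details_types_supported" is an assumption.
AS_METADATA = {
    "issuer": "https://as.example.com",
    "pushed_authorization_request_endpoint": "https://as.example.com/par",
    "authorization_details_types_supported": ["payment_initiation", "iso20022_pain"],
}

# Members each type requires beyond "type". The type governs how the other
# members are interpreted, so validation is keyed on it. Assumed schemas.
TYPE_SCHEMAS = {
    "payment_initiation": {"instructedAmount", "creditorName", "creditorAccount"},
    # XML carried as the value of a member whose meaning the type defines.
    "iso20022_pain": {"document"},
}

# Constructed pain.001 fragment; a real file would be much larger.
PAIN_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">'
            '<CstmrCdtTrfInitn><GrpHdr><MsgId>MSG-0001</MsgId></GrpHdr>'
            '</CstmrCdtTrfInitn></Document>')


def build_authorization_details():
    """Client side: one JSON-native entry and one that wraps an XML document."""
    return [
        {
            "type": "payment_initiation",
            "actions": ["initiate", "status", "cancel"],
            "locations": ["https://bank.example.com/payments"],
            "instructedAmount": {"currency": "EUR", "amount": "123.50"},
            "creditorName": "Merchant A",
            "creditorAccount": {"iban": "DE02100100109307118603"},
            "remittanceInformationUnstructured": "Ref Number Merchant",
        },
        {
            "type": "iso20022_pain",
            "locations": ["https://bank.example.com/payments"],
            "document": PAIN_XML,
        },
    ]


def serialize(details):
    """Compact JSON serialisation of the array, as sent in the request."""
    return json.dumps(details, separators=(",", ":"))


def par_request_body(client_id, redirect_uri, details):
    """Form-encode the request for the pushed authorization request endpoint.
    Using PAR keeps the (potentially large) array out of the front-channel URL."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": serialize(details),
    })


def validate_authorization_details(raw, metadata=AS_METADATA, schemas=TYPE_SCHEMAS):
    """AS side: return (ok, errors). Unknown or malformed entries cause the
    whole request to be rejected rather than being silently dropped."""
    errors = []
    try:
        details = json.loads(raw)
    except ValueError:
        return False, ["authorization_details is not valid JSON"]
    if not isinstance(details, list) or not details:
        return False, ["authorization_details must be a non-empty JSON array"]
    supported = set(metadata.get("authorization_details_types_supported", []))
    for i, entry in enumerate(details):
        if not isinstance(entry, dict):
            errors.append(f"entry {i}: not a JSON object")
            continue
        type_ = entry.get("type")
        if not isinstance(type_, str):
            errors.append(f"entry {i}: missing string member 'type'")
            continue
        if type_ not in supported:
            errors.append(f"entry {i}: unsupported type {type_!r}")
            continue
        missing = sorted(schemas.get(type_, set()) - set(entry))
        if missing:
            errors.append(f"entry {i}: type {type_!r} missing {missing}")
    return not errors, errors


if __name__ == "__main__":
    details = build_authorization_details()
    print(par_request_body("s6BhdRkqt3", "https://client.example.org/cb", details))
    print(validate_authorization_details(serialize(details)))
    print(validate_authorization_details('[{"type": "admin_all"}]'))
```

The validator rejects the request as a whole when any entry has an unregistered type or lacks the members its type requires; an AS that instead ignored unknown entries would let a client probe for accepted types and would render a consent screen that does not match what the client asked for.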