IETF Logo Mail Archive

Re: [OAUTH-WG] New OAuth I-D: Incremental Auth

William Denniss <wdenniss@google.com> Thu, 13 July 2017 18:08 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0FD4129B10 for <oauth@ietfa.amsl.com>; Thu, 13 Jul 2017 11:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oRRY21gLWgoW for <oauth@ietfa.amsl.com>; Thu, 13 Jul 2017 11:08:22 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7D4129AD7 for <oauth@ietf.org>; Thu, 13 Jul 2017 11:08:21 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id v17so51420765qka.3 for <oauth@ietf.org>; Thu, 13 Jul 2017 11:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mlLMokB6/ndZwrcpiBjoNvViF5feElhBFfA96dYqBUw=; b=F4r+kk8HZ9Sm3hEgISlqGx0lkHqL98o/1sQzOxFimGIwV82cx/J/MBn9jx1OaJRopP ZrxMVghgbbKy3/84aPGZQae3yPkotISrTRd6MXokNoC4EEfze2RJX7kXQsR4tGh/oLdg NaY93v4UEHFQoJIvD6CQmjV/OmfRn9mlgp5i7fH7YwEf+ukvl7JWDPvJsvFcmCi8looy yeXizdrQ9u9+NLgTJaKTquiMUd6d6AZwQ+47mG/EuH7kdOuR3ZYicXvl/xnAE05KGly7 uoPa8nPniG23AR+T/D/A7JZX15jEoKsRfSP5eQI6xOxanIbYO7IL9CbjxJXhoO3d3MVr pqhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mlLMokB6/ndZwrcpiBjoNvViF5feElhBFfA96dYqBUw=; b=FNk1kVb3L1864J8MdrUtFq+UDqu9gRdrcdpHJoJiOdAMxOISpCKhn9qJamCGGO1FBY lzEc58W/kOvE/y4HRF/5Ok0fODrhrdKuXL7WQBYR3DLxrUwmqnGLuxaf/jfhk4fBZGaw gs/UP5TVqU9Lr/IvyL2VV3bplikBaezUdqE/VLY85r+873b2j0uPoTo2+cd+GMf7WRZv CAyMbVdETg07kfEQvQPf6sMg0ULC7K1Da31jCWqLPNjPcdzTLRY7pPfv1I0Xv01Wdkl1 cuy1R1gtql71jDQtmotiY2/27uOWQVlh/0aW7IqGyN2mZk/hrBm2nxLzaBofvqFJ5Jbr HKQg==
X-Gm-Message-State: AIVw113Q+8hpwQ7sE0BxKP82vueS/IGFJrQBi6zM/c66OwySqWJ8X1wy VCc/vHeGM/6Aau/pxPepp5C5ixOtsyTLU2Y=
X-Received: by 10.233.239.1 with SMTP id d1mr6064434qkg.126.1499969300656; Thu, 13 Jul 2017 11:08:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.92.147 with HTTP; Thu, 13 Jul 2017 11:08:00 -0700 (PDT)
In-Reply-To: <CAB3ntOvsgoak_=2T58o-b4Sm++muWdWhu5R8ZxtiYU+2bvm2sA@mail.gmail.com>
References: <CAAP42hA5BzSAsszX5hYTCc075eE_HNy7XHwWHKu2mgNhwsXsZg@mail.gmail.com> <59d3c1f5-01de-e419-4c4c-3115ed35e451@gmail.com> <CAAP42hBzsjjw1Za8KS3E-wOi76n5SKm=jF9fhiDgCw-PsM7HtQ@mail.gmail.com> <eb7d8a29-568c-b598-b152-7b7767a0be9e@gmail.com> <CAAP42hDk-ZbFNjk71aEybT9G-NdPPmP5efPSg_fZeht9SE5pCg@mail.gmail.com> <CAB3ntOvsgoak_=2T58o-b4Sm++muWdWhu5R8ZxtiYU+2bvm2sA@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 13 Jul 2017 11:08:00 -0700
Message-ID: <CAAP42hBG3OwXsx12YZ60W+M9axZ3peqLWwL5re-W7=0O05t=dg@mail.gmail.com>
To: Jim Willeke <jim@willeke.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1101b257ab77055436d1ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/e5aaa-F98W_QBXBA8SH7GMrQ7K4>
Subject: Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jul 2017 18:08:25 -0000

Thanks everyone for your reviews and feedback so far!

I'm bumping this thread one last time before IETF99. Would be great if
enough people have some knowledge of the draft to put it to an adoption
call :-)  Once again, doc is here and it's a fairly light read!
https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth

I look forward to presenting it to you all in Prague.

On Mon, Jul 10, 2017 at 9:15 AM, Jim Willeke <jim@willeke.com> wrote:

> I know we add scopes based on the Authorization Server determining that
> the Resource Owner is also a "Paying Customer". (Well using OIDC so we KNOW
> they are a paying customer.)
>
> --
> -jim
> Jim Willeke
>
> On Fri, Jul 7, 2017 at 9:03 PM, William Denniss <wdenniss@google.com>
> wrote:
>
>>
>> On Fri, Jul 7, 2017 at 1:50 PM, Sergey Beryozkin <sberyozkin@gmail.com>
>> wrote:
>>
>>> Hi
>>> On 07/07/17 18:56, William Denniss wrote:
>>>
>>>> What you describe is incremental auth.
>>>>
>>>> Thanks... FYI, I thought of doing some work around it after browsing
>>> through the Google docs; the line about the "asking to approve the purchase
>>> of the kitchen sink at the authentication time is a death of the modern
>>> web" (or something similar that I read on this list) was even more
>>> convincing :-)
>>>
>>
>> I hear ya :-)
>>
>> We ended up requiring that apps *don't* ask for the kitchen sink upfront
>> in our API policies https://developers.google.com/
>> terms/api-services-user-data-policy#request-relevant-permissions .
>> Definitely makes for a bad user experience if users don't know why they are
>> being asked to approve the request's scope.
>>
>>
>>
>>>
>>> Aside: Do you return the "scope" in the token response as required when
>>>> the scope in the response is not identical to the request (§ 5.1 <
>>>> https://tools.ietf.org/html/rfc6749#section-5.1>, parameter: scope)?
>>>>
>>>> Yes, the token service is doing it by default for all the returned
>>> access tokens
>>>
>>> My only question is: does the client expect this?  The spec talks about
>>>> the authorization server *reducing* scope in a few places (in § 3.3 <
>>>> https://tools.ietf.org/html/rfc6749#section-3.3>, "The authorization
>>>> server MAY fully or partially ignore the scope requested by the client" and
>>>> § 10.3 <https://tools.ietf.org/html/rfc6749#section-10.3> "The
>>>> authorization server SHOULD take the client identity into account when
>>>> choosing how to honor the requested scope and MAY issue an access token
>>>> with less rights than requested.").  It never talks about *increasing*
>>>> scope (other than it can't be done during refresh).
>>>>
>>>> So I think some normative language around the potential to increase the
>>>> scope of the request for confidential clients (in either the way you
>>>> describe, or the way I described in the draft) is warranted.
>>>>
>>>> Open question: should we require an indication from the client if they
>>>> *want* the scope increase? That's what include_granted_scopes was designed
>>>> to do. To allow clients to specify if this is behavior they desire.
>>>>
>>> Right, I see how a proposed "include_granted_scopes" can make it non
>>> ambiguous
>>>
>>>>
>>>>
>>>> The more innovative part of the spec I think is the public (native app)
>>>> client incremental auth – as native apps cannot use the methods you
>>>> discuss, or the ones Google has supported for a while for confidential
>>>> clients. That said, if we write this – I think we may as well formally
>>>> document approaches for confidential clients too.
>>>>
>>>>
>>> thanks, Sergey
>>>
>>>>
>>>> On Fri, Jul 7, 2017 at 9:24 AM, Sergey Beryozkin <sberyozkin@gmail.com
>>>> <mailto:sberyozkin@gmail.com>> wrote:
>>>>
>>>>     Hi
>>>>
>>>>     Re the confidential client: let me explain please how we
>>>>     experimented with this feature when the code flow is used.
>>>>
>>>>     1. Client requests a scope 'a' for a given User, it gets approved by
>>>>     the user, the clients gets a code and exchanges it for a token.
>>>>
>>>>     2. At some later stage Client requests a scope 'b' for the same user
>>>>     and if an access token for a given Client + User combination exists
>>>>     and the incremental authorization is supported (we use a different
>>>>     term for now) than the service finds out from this token that 'a'
>>>>     has already been approved and offers a consent screen where a user
>>>>     sees 'a' being selected and needs to approve 'b'.
>>>>
>>>>     3. User approves 'b'. The client gets a new code back and exchanges
>>>>     it for a new token which now has "a" and "b".
>>>>
>>>>     At this point a client has 2 tokens, one with the "a" scope and
>>>>     another with the "a" and "b" scopes and the assumption was that the
>>>>     client would itself remove the now redundant token with the scope
>>>>     "a" only.
>>>>
>>>>     I've just updated the code for the service itself do it on the
>>>>     client's behalf, optionally remove the scope "a" token so that the
>>>>     client can simply replace a reference to its scope "a" token with
>>>>     the new one (scopes "a" and "b") it will get after exchanging a code
>>>>     grant.
>>>>
>>>>     Is it an incremental authorization or something else completely :-)
>>>> ?
>>>>
>>>>     One obvious difference, apart from the lower level implementation
>>>>     details, is that it is not a client which requests to include the
>>>>     already authorized scopes but the service does it itself if the
>>>>     configuration allowing for it is enabled
>>>>
>>>>     Thanks, Sergey
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>     On 05/07/17 18:17, William Denniss wrote:
>>>>
>>>>         Earlier this week I submitted the following I-D:
>>>>         https://tools.ietf.org/html/draft-wdenniss-oauth-incremental
>>>> -auth <https://tools.ietf.org/html/draft-wdenniss-oauth-incrementa
>>>> l-auth>
>>>>
>>>>         The topic is incremental authentication (or incremental auth for
>>>>         short).  Incremental auth is used to enable clients to request
>>>>         just the scopes they need when they need them – rather than all
>>>>         upfront – while still only a maintaining a single authorization
>>>>         grant.
>>>>
>>>>         The I-D details two techniques used at Google, one that has been
>>>>         used for a while in confidential clients, and one that we
>>>>         launched recently as a new solution to deliver incremental auth
>>>>         for public clients.
>>>>
>>>>         I look forward to discussing this proposal with the working
>>>>         group. I plan to present this draft at IETF99, hope you can be
>>>>         there or watching the livestream!
>>>>
>>>>         I plan to ask for a call for adoption after that presentation.
>>>>         If you're interested in this topic I'd encourage you to read the
>>>>         draft (it's fairly concise!).
>>>>
>>>>         Best,
>>>>         William
>>>>
>>>>
>>>>
>>>>         _______________________________________________
>>>>         OAuth mailing list
>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>         <https://www.ietf.org/mailman/listinfo/oauth>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     OAuth mailing list
>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>     <https://www.ietf.org/mailman/listinfo/oauth>
>>>>
>>>>
>>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

v2.23.0 | Report a Bug | By Email