[OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Roman Danyliw <rdd@cert.org> Wed, 14 September 2022 22:30 UTC
Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA6BC14F742 for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2022 15:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NcOgORxq65SJ for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2022 15:30:21 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0094.outbound.protection.office365.us [23.103.209.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FBDC14F738 for <oauth@ietf.org>; Wed, 14 Sep 2022 15:30:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=G7Cwo6syQ/1OQKVFJ+TCXTy2aoY1gkyhUwEWVEjaA8IwqX76H///BktWMI6UMKS19ASG9ANhHfUtD4nCzutwN3gTcgMg5rxIfu5QjtjhjooelD3e9WIr304RLUwRbddckY+adLr05r/ADfmCxetFqWnXg7OJOCAJ3oKL8dKb+T3PaewKNH8011SacAGdSKSFnO4OO/DR46oXD7lxKhVotLXEpL/hMb7EdoSFXakDw4BRnWWy+PF7PqtWDHouyVBqym8YohLrMazCLzaWwFjjwqJ4FQ7yJwNmoVixcnMFTYmp96CzPyWuIspXfu+159aIQCmtDwLTKH77/4ReS40hnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0Plt1P0zr/2/6AAah9FBAcEYzEXM0zfaLimRmBI9jxY=; b=RCIr32/guEQvNsn7p2eMYDki4GN92lpi/FArvStJ+dyKUipSnrR+rxCJ5LYJJ7Yv1j7wgj1TVPoNgL0TP2EetVZLZrxOTjNAWlF8DLzZ6DFhf505Zis7eV+g3bz1O5so4oNoCfetThshe57LzTv5E1/ZXLk+v93PS//rar2Jp97tNQI1gcPMPsTgsgapF1FCRv+wyLZ2H+3DaycAv18FC085hhfW5aCvzNZeqomLEcb0z5MoZZ6+Mq6HoIoMMbczVlG6XlIGmGL6ScRTCd/pxQhrHbA/Bhlop0V8ea7skXeZCXTlOSZTdbaMfuj2cr7NGik04mgAsDU32LQtOG58UA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0Plt1P0zr/2/6AAah9FBAcEYzEXM0zfaLimRmBI9jxY=; b=KmnzHB9876o5+HezY0IleUt/3wYr9bTEXAPrwsney5R6P9D8suFEIasPLhSFoiU/ztTWsw2dZZHd2ovTlpLPJP1d+un9hNDp3MAW2gmrUdVt+gUwphzxDVrVhdl6Z2QthSAGNFnX7dEUyRlNiHpYdiUXaAubkTjq+iACiAosdYY=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1732.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:169::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.22; Wed, 14 Sep 2022 22:30:17 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::2531:868b:fc1a:3716]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::2531:868b:fc1a:3716%5]) with mapi id 15.20.5566.028; Wed, 14 Sep 2022 22:30:17 +0000
From: Roman Danyliw <rdd@cert.org>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: AD review of draft-ietf-oauth-rar-12
Thread-Index: AdjIiWV70TiGp2n1QyK+vwbKisrOXg==
Date: Wed, 14 Sep 2022 22:30:17 +0000
Message-ID: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 48d4e354-a5c5-4ec5-366e-08da96a0b321
x-ms-traffictypediagnostic: BN2P110MB1732:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OsaI0Km5xpiNRVr46rDoTvDUxE4M2U/sWPWeNierxk7SrmeetzFD33AVAyhQsUa+wU+ymrS1pJED0C5av3iBXth7AyWg+X1eRuJIL0EIUjWwDQsoNt7cquOPI4p3OkCo7+saZ/bXqGyPxaW/1C8pFaCXQdQZ8kjT1eaXqyhQAUE+stnkN9uCgWOr/fvw0+O5aFWvlTXSvVOpduazPeafQK3gvsLs2jO10ZE2JbRb82IO4G2cGe3aQl3UHtiwknqNp/nIOHFlROEhy0U47Ao5pE4M7KjwPjo9ExSv4rim+5yLZrr8r+4X+xe78slgc9MkgY2ew4x3IcoRTfTpHYp5CFcZBnccKU6GzioDyCEXHkuz9fhwYF7vmad/rHDyWLBILMQmRYHYkPwuOXln2ppZrvWCw7yUyHf/CMoRxz5WcYGXVBVKhUdFQKM9+Vni0N9D0E2k03QSPyx7F7Hl/egE5Bn0RV+O/7E6nXFTgDzxZqx+EHX/kuNpDi6aQFM/g4tf14/2I5C1SXu6UPX/ZL1azW46AR1u7T1pubESMKaTc31Z3oQ/00fVS8Tq+esBnrQwWrAuDwGpPH5A75/S8Vj7MUUzl5W75bmfUUSUU00yXQMjSG8AlhOFRCMsOKtj4iVBkAG9h8lNKTyGWZe1Z9pfIL8px8CdeYQwAWs3wmYEfiOIsJ1uVCxeb/F05FsX5IwN
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(9686003)(82960400001)(8936002)(71200400001)(83380400001)(38100700002)(8676002)(55016003)(6916009)(26005)(38070700005)(7696005)(66946007)(6506007)(86362001)(66476007)(66446008)(64756008)(186003)(76116006)(66556008)(122000001)(5660300002)(52536014)(33656002)(2906002)(498600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: UXF6EJWA83UDe9+7zQjlwQTEIqQMvI4HQib0nPYFob/yjHmYccwXI/77Aj/DECQGfLMTb8M2OuniCp50DtF+pn+RRwRM6FTMyrlqrbrSgShMhmhxV1XXX8+o0XsmdLA5FBC7NgrXQkrGY9teL1P+2TsJwC1JYaVMrXSrJXFxz2S/HCiJ82BHjyy/4EKQEkv7IZCWzAdyXokMT2Nlv0ja+mSUP6QtJ0Gh3RTXdCO/b7wmWu7K4y+V88LvBDwVRWv7cNWmhJE3/BIkJXywPpsKy+NHny1gSUr99Y0Z3sgY0NY9VjugsCflADziVwFOr3bBnu0/jD2goUsLvzG2qTQcM42UnG7TGGVybxCzIsXYviP236Dew5X+1BeVLGTm10PlCWb2H/bRU4cgQMea35pNJ6G9273VHHDvCToQ2NtYtqc=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 48d4e354-a5c5-4ec5-366e-08da96a0b321
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Sep 2022 22:30:17.0422 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1732
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h5mKmRtBTW93E4AUW53n-FR8KpY>
Subject: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2022 22:30:22 -0000
Hi!
I performed an AD review of draft-ietf-oauth-rar-12. Thanks for this document. My feedback is as follows:
** Section 2. Editorial
This field MUST be compared using an exact byte match of the string
value against known types by the AS.
Consider if you want to introduce how the lack of match will be handled here - it is covered later.
** Section 2.2.
All data fields are OPTIONAL for use by a given API
definition.
I don't follow how this is true in the general case. I was under the impression that this section defined what is expected to be common fields. Couldn't some AS with a particular type require their presence?
** Section 3. Editorial
OLD
In case of authorization requests as defined in [RFC6749],
implementors MAY consider to use
NEW
In case of authorization requests as defined in [RFC6749],
implementors MAY consider using ...
** Section 3. Typo. s/intiate/initiate/
** Section 5. Typo.
OLD
authorization details type
or authorization details
NEW
authorization_details type
or authorization_details
** Section 6.1
However, when comparing a new request to an existing request,
authorization servers can use the same processing techniques as used
in granting the request in the first place to determine if a resource
owner needs to authorize the request.
Why is it possible to assess two arbitrary requests in this case to determine "if a resource owner needs to authorize the request", but the prior paragraph explicitly calls out that comparing two arbitrary requests is not feasible? To me is seems like comparing two requests to understand if more or less permissions are being requested is equivalent to determining if a new request exceed the current request to determine if going back to the resource owner is needed.
** Section 6.1. Typo. s/isaunce/issuance/
** Section 7.
If the client does not specify
the authorization_details token request parameters, the AS determines
the resulting authorization details at its discretion. The
authorization server MAY consider the values of other parameters such
as resource and scope if they are present during this processing, and
the details of such considerations are outside the scope of this
specification.
This guidance seems to indicate the use of the scope parameter is optional in determining the authorization details. Section 3.1 says "The AS MUST consider both sets of requirements in combination with each other for the given authorization request." My read is that this is conflicting guidance and Section 3.1 is correct.
** Figure 15. The text prior to this figure says that for "For our running example, this would look like this" indicating that this figure is similar to previous examples. There is one key different - this is the first use of a "payment_initiator" type with the API URL prepended.
** Section 7.1. Typo. s/sub set/subset/
** Section 8. What is the difference between this section and Section 5 beyond this text explicitly stating the name of the error value (invalid_authorization_details). I'd recommend stating the normative behavior twice; that is, why are both sections needed?
** Section 9.2. Editorial. There is some kind of rendering issues in the RFC7622 reference. It reads "[!@RFC7662]".
** Section 11.2.
Products supporting this specification should provide the following
basic functions:
Should this section be more tightly scoped to AS behavior instead of a "products"?
** Section 11.2.
Accept authorization_details parameter in authorization requests
including basic syntax check for compliance with this
specification
Why only "basic syntax checking"? Perhaps "syntax checking"?
** Section 11.2
One option would be to have a mechanism allowing the registration of
extension modules, each of them responsible for rendering the
respective user consent and any transformation needed to provide the
data needed to the resource server by way of structured access tokens
or token introspection responses.
I don't follow the flexibility being described here. "One option ..." with respect to what?
** Section 11.3. Could this section provide an example of what it would mean to use JSON schema ids in the type value.
** Section 12. Please note that the Security Considerations of RFC6749, RFC7662, and RFC8414 apply.
** Section 13.
Implementers MUST design and use authorization details in a privacy-
preserving manner.
I completely agree with the principle, but this design guidance cannot be enforced without specifics. I recommend s/MUST/must/. The more specific text in this section can use the normative MUST statements.
** Section 13.
Any sensitive personal data included in authorization details MUST be
prevented from leaking, e.g., through referrer headers.
Is "leaking" the same as being sent unencrypted? Recommend being clear.
** Section 13.
The AS SHOULD share this data with those parties on a "need to know"
basis.
Completely agree. Consider ending this sentence with "... as determined by local policy", or the equivalent to make it clear that it will not be document in this specification.
Thanks,
Roman
- [OAUTH-WG] AD review of draft-ietf-oauth-rar-12 Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Brian Campbell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Roman Danyliw
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-… Justin Richer