IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Scopes

George Fletcher <gffletch@aol.com> Sun, 24 June 2018 20:02 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6AC130E65 for <oauth@ietfa.amsl.com>; Sun, 24 Jun 2018 13:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.533
X-Spam-Level: *
X-Spam-Status: No, score=1.533 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, RCVD_HELO_IP_MISMATCH=2.368, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_NUMERIC_HELO=1.164, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79CYXDg4_1T4 for <oauth@ietfa.amsl.com>; Sun, 24 Jun 2018 13:02:02 -0700 (PDT)
Received: from sonic304-12.consmr.mail.bf2.yahoo.com (sonic304-12.consmr.mail.bf2.yahoo.com [74.6.128.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14B20130E5B for <oauth@ietf.org>; Sun, 24 Jun 2018 13:02:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1529870521; bh=fVosZQoKjnJOhGbugIeAybFL/2WJ3Mn6lMIs7DNOCP4=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=uNPWbhrIS01Urhpx3cr1efeynqxs0OtKxa28mrKaZJ6+hb6WkWMGXEeD5k+PJUADCLY0sxdYqMrriiI+yvg6bNbYbBadzFnTjYcwNtqVzjdvuu4d1Qn1KoEb5cv5XTx5vRTUF2xY48Q3eZsTlrigD1Te5F+talVkHezweYz+sVdGViu5pXMRheU5eUamf8KK5iXh/zQR2/3BHBcB1EFzy3u3f+BVR9yX6MV58XxMUq5Tb0BzOICHMV4gU/l+q04+SJYNGa0FjSwUjEZnHvL4yWm0BsKCCLBYYb+2F4kH/IeVBu22XVGlJplptfpoxxskMgetqjZ7QU543WVnkQ4mvg==
X-YMail-OSG: UQRXG_kVM1nV9S_RwgwrErsArF0eBA_.4vSFRKzU7t_HUchgbOHmhTzBNqW1XkO ol.Ae_53RlIXuPVbLimkul3tXQBybhiGCiZejYzJ2fwP6CUYIQLwSrkqVTcyThKp7lnwbf_s9up7 hsZjzTwu3WlDjFnDZsfWkAJCFasRgA4ihV47TtFBpXhe4ZBHdkGEWSH0XWThB8EmevMNaS8ky9Gg 2UzI4ljJ_itT1zaeJtOV.PRkMEYbCOTvvbLrNco22nv2.KxReHm1jqBD_FhpEimxmlYYCZAq.bwo o0_V.Ed2zJnvGabyNsaC9Bx2NSyEgcjaZucPfVnFdBJTsoNj.4NIF0BkKyWwYWylXWpayQ5_zWX0 UKpCc1hcTtgVMagW6LaY0MX4n_hTB1s0wFaCRbgnqR4HI3lUXNKJTJ0RMOrI9Is6ykRgkRzbTVP9 oIg8GQ1BIAe7bRlsrwfx__3EQAFdI4yirpoU9NjO8NJaZaLFHFhhtf_KOsnjHdn02.Y.j72gtb1w o41DWUMiGjw7a7w7ydHv8S4wA.OLcM0ljQpjAVYNlOeD2rj4LWzn1PuFvfUl6TiFJS9sux7iv1Dj JDWV3W.SaQZ1ohf.ouid.u.Z2Lh2MF6ebvj7C5EXrm.wM8ebwXa9kYmu.xUTEpHmKB5E2U6OtJJh hQzkX18zBFuO_Mcqu.nJmpr.MW0t_5PfIx9z.V9ZR024DVGglJ48wjENko0bq
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.bf2.yahoo.com with HTTP; Sun, 24 Jun 2018 20:02:01 +0000
Received: from 98.139.248.67 (EHLO [172.135.128.181]) ([98.139.248.67]) by smtp402.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 22a574bb8a5cc0151c504f13be7e505a; Sun, 24 Jun 2018 20:01:57 +0000 (UTC)
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
References: <291DC85D-66B4-403F-8159-52D0091F7631@lodderstedt.net> <CA+k3eCQMCJv3NcSnBDKBUVcm131oMAdnbopSeAaD75acAqUMwg@mail.gmail.com> <b9e4115a-512d-3155-9023-604566d7190f@aol.com> <00432150-20C0-4B5F-AB4E-92F96B968A3A@lodderstedt.net> <01e15dff-2bef-831f-0b00-f64137ccc80e@aol.com> <0EF040C2-F0C2-4586-828A-A809A0373F40@lodderstedt.net> <f0d8b95a-738f-0b92-e888-6f1970048505@aol.com> <9007FECD-C700-4314-B990-3B5B5414F540@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <4cf7f274-ceb8-1734-6e83-1f83766e8061@aol.com>
Date: Sun, 24 Jun 2018 16:01:56 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <9007FECD-C700-4314-B990-3B5B5414F540@lodderstedt.net>
Content-Type: multipart/alternative; boundary="------------871AF0412CC34429D28BDB28"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hr2AkC8HeggC-iwu8KoTBLJYy8E>
Subject: Re: [OAUTH-WG] Dynamic Scopes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jun 2018 20:02:06 -0000

Not sure I have the flow exactly correct... here is an attempt to define 
a flow based on UMA. It's a little difficult to label which flows are 
which parts of the specs. Specifically I am using...

https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-05.html
https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html

If you want the see the image... take the following text and load it 
into https://www.websequencediagrams.com/

title Signing Sequence

participant "Browser" as B
participant "Insurer" as I
participant "Signer" as S
participant "Bank\n(UMA AS)" as A

B->I: complete process
I->S: sign doc\n(required params)
S->A: permission req\n(what the signer needs)
A->S: permission ticket
S->I: Not authorized\n(AS + permission tckt)
I->A: request RPT\n(permission tckt)
A->I: need_info
I-->B: redirect
B->A: claims interaction endpoint
A->B: user verification & consent
B->A: user meets required claims
A-->B: redirect
B->I: user met claimns\n(permission tckt)
I->A: request RPT\n(permission tckt)
A->I: RPT issued
I->S: sign doc\n(RPT)
S->A: introspect\n(RPT)
A->S: permissions\n(required params)
S->I: Signed doc



On 6/24/18 4:27 AM, Torsten Lodderstedt wrote:
> Hi George,
>
> how is the dynamic nature (hash) of the authorization request handled 
> in your solution?
>
> Note: the signing service is not provided by the insurance company but 
> a third party, a sol-called trusted service provider. The insurance 
> company as the client in this flow sends the request to this provider.
>
> best regards,
> Torsten.
>
> Am 23.06.2018 um 21:07 schrieb George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>>:
>
>> Thanks Torsten.
>>
>> I think I have a solution :) Just to make sure I have the flow correct...
>>
>> Assumption: Using a mobile client
>>
>> 1. User (using their mobile client) attempts to sign a document with 
>> the insurance company
>> 2. Insurance company redirects the user to their Bank asking for 
>> identity proof, and signing of specific documents
>> 3. User interacts with Bank to get authorization for the specific 
>> transaction
>> 4. Mobile client submits request to insurance company using token 
>> that is specific to the user, document etc.
>>
>> This is effectively the UMA 2.0 flow [1]
>>
>> 1. Mobile client attempts to invoke resource at the insurance company
>> 2. Insurance company registers the request with UMA AS (the bank in 
>> this case) and gets a permissions ticket
>> 3. Insurance company instructs mobile client to contact the bank
>> 4. Mobile client contacts the bank specifying the permissions ticket
>> 5. User meets banks requirements for the specific transaction (claims 
>> interaction)
>> 6. Bank issues mobile client the RPT (token)
>> 7. Mobile client invokes resource at insurance company with RPT
>>
>> Note that the insurance company can specify the necessary bits that 
>> need to be in the token when it interacts with the Bank (as the UMA 
>> AS). [There might be some profiling required here]
>>
>> I think it's worth exploring whether UMA will solve this use case.
>>
>> Thanks,
>> George
>>
>> [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-08.html
>>
>> On 6/23/18 3:43 AM, Torsten Lodderstedt wrote:
>>>> Am 22.06.2018 um 23:08 schrieb George Fletcher<gffletch@aol.com>:
>>>>
>>>> I would think that the scope issued to the refresh_token could represent the category or class of authorizations the refresh_token should be able to perform. For example, the kind of transactions that can be bound to access tokens. The scope issued into the access_token could be one of the "parameterized" ones. But maybe I'm not fully understanding the use case :)
>>> Let me try to explain ;-)
>>>
>>> The client is an issuance company wanting the customer to electronically sign a new contract (legally binding!). Signing in the end means to send a request containing the hash of the document to an API. The API will respond with an CM/S Object containing signature, certificate etc that the client will embedded in the contract document (typical PDF).
>>>
>>> We want the user to authorize the signing request using their bank as IDP/AS. Therefore the client sends the OAuth authorization request to the AS. The actual signing request needs to be bound to client, user AND hash (document) in order to prevent fraud. Regulation (eIDAS) requires to always demonstrate the sole control of the user over the whole process. The AS therefore binds (scopes) the access token to exactly this single document/signing request. If the client wants the user to sign another document, it needs to got through the whole process again.
>>>
>>> One could think about a general signing permission represented by a refresh token, but not in the high assurance level cases I‘m looking into.
>>>
>>> Hope that helps,
>>> Torsten.
>>>
>>>
>>

-- 
Distinguished Engineer
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography

v2.23.0 | Report a Bug | By Email