[OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 18 January 2016 10:59 UTC

To: oauth@ietf.org
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <569CC5A8.6050501@gmail.com>
Date: Mon, 18 Jan 2016 10:59:52 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hzNLju0j_k7oE4uUjSB6QMw11yw>
Subject: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Hi All,

The question relates to the process of showing the authorization 
code/implicit flow consent screen to a user.

I'm discussing with my colleagues the possibility of not asking the 
same user, whose session has expired and who is re-authenticating with 
the AS, which scopes should be approved.

For example, suppose the OAuth2 client redirects a user with the 
requested scope 'a'. The user signs in to the AS and is shown a consent 
screen asking to approve the 'a' scope. The user approves 'a' and the 
flow continues.

Some time later, when the user's session has expired, the user is 
redirected to the AS with the same 'a' scope.

Would it be a good idea, at this point, not to show the user the consent 
screen asking to approve the 'a' scope again? For example, the AS can 
persist the fact that a given user has already approved 'a' for a given 
client earlier, so when the user re-authenticates, the AS will use this 
info and will avoid showing the consent screen.

That seems to make sense, but I'm wondering, can there be some security 
implications associated with it? Any recommendations/advice will be welcome.