Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

"Richard Backman, Annabelle" <richanna@amazon.com> Sat, 09 November 2019 00:19 UTC


A few issues I noticed:

  1.  There is no normative text describing AS behavior when include_granted_scopes is “false” or omitted. I suggest adding the following to the parameter’s definition in section 4:

When “false” or omitted, the authorization server SHOULD NOT include scopes that were not explicitly specified in the authorization request.

     *   Having written the above, I realize it conflicts with Section 3.3 of 6749, which states “[t]he authorization server MAY fully or partially ignore the scope requested by the client….” I’m not sure offhand how to resolve that.

  2.  Regarding section 6.1, I don’t think we can assume that an access_denied just indicates a rejection of the incremental request. Depending on the consent interface presented to the end user, it may make more sense for the AS to interpret the denial as a retraction of the existing grant as well. End users may expect that to be the case, particularly if the existing scopes are listed in the consent display alongside the additional ones being requested. I’m not sure we need normative changes, but some non-normative guidance highlighting this would be helpful.

  3.  [NIT] Extra “should” in the 4th sentence of 6.1.

  4.  I disagree with the first sentence of section 8.2. If the process of requesting consent is particularly expensive (e.g., if the client is an IoT device or otherwise has limited input/output and is using the device authorization grant), then it may be appropriate for the client to determine which features the end user wants to enable and make a single authorization request for all of the necessary scopes.

  5.  There is no guarantee that the resource owner in the incremental authorization grant is the same as the resource owner in the original authorization grant. For example, the end user may log into Account A originally, but Account B for the incremental authorization, either intentionally or by accident. As it stands, the client has no way of knowing that this has happened. I don’t think there is a normative fix for this, but it should be called out as a new failure mode that gets introduced when switching from bulk to incremental authorization.

–
Annabelle Richard Backman
AWS Identity
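
The three AS/client behaviors discussed in the message above (merging earlier grants only when include_granted_scopes is true, an access_denied on an incremental request possibly retracting the earlier grant, and the client noticing that the incremental grant came from a different resource owner), as an added example that is not part of the original message, the draft, or any working-group code. It assumes an in-process model of the authorization server, a consent callback standing in for the consent screen, and that the resource owner's stable identifier reaches the client as a `sub` value next to the token (as an OpenID Connect ID token would carry it); the draft itself defines no such field, so that part is an assumption.

```python
"""Incremental authorization, simulated end to end (added example).

Not code from draft-ietf-oauth-incremental-authz or from the IETF OAuth WG.
Assumptions not found in the draft: the authorization server (AS) is
modelled in-process, consent is a callback, and the resource owner's stable
identifier is returned to the client as a ``sub`` value alongside the
token, as an OpenID Connect ID token would carry it.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Carries an OAuth error code such as 'access_denied'."""


@dataclass
class AuthorizationServer:
    # Scopes granted so far, keyed by (client_id, resource owner 'sub').
    grants: dict = field(default_factory=dict)
    # Policy knob for the section 6.1 question: does denying an incremental
    # request also retract the grant the end user gave earlier?
    denial_retracts_existing_grant: bool = False

    def authorize(self, client_id, sub, scope, include_granted_scopes, consent):
        """Handle one authorization request and return a token response.

        ``include_granted_scopes`` mirrors the draft's request parameter;
        ``consent`` is a callback (sub, requested, previously) -> bool that
        stands in for the consent screen.
        """
        requested = set(scope.split())
        key = (client_id, sub)
        previously = set(self.grants.get(key, set()))
        if not consent(sub, requested, previously):
            if self.denial_retracts_existing_grant:
                self.grants.pop(key, None)
            raise AuthorizationError("access_denied")
        self.grants[key] = previously | requested
        # Merge earlier grants into the new token only when asked to; when the
        # parameter is false or omitted, the token covers just what was asked
        # (the AS may still narrow this, per RFC 6749 section 3.3).
        granted = requested | previously if include_granted_scopes else requested
        return {
            "access_token": f"tok-{sub}-{len(self.grants[key])}",
            "scope": " ".join(sorted(granted)),
            "sub": sub,  # assumption: subject delivered with the token
        }


def incremental_authorize(as_, client_id, original, new_scope, sub_logged_in, consent):
    """Client side of an incremental request.

    Asks for ``new_scope`` with include_granted_scopes=true and refuses the
    result if it was issued for a different resource owner than the original
    grant. ``sub_logged_in`` is whichever account the end user actually signs
    in with this time, which may not be the account used originally.
    """
    resp = as_.authorize(client_id, sub_logged_in, new_scope, True, consent)
    if resp["sub"] != original["sub"]:
        # Do not merge or store this token: it belongs to another account.
        raise AuthorizationError("resource_owner_mismatch")
    return resp


def approve_all(sub, requested, previously):
    return True


def deny_all(sub, requested, previously):
    return False


if __name__ == "__main__":
    as_ = AuthorizationServer()
    first = as_.authorize("app", "alice", "email", False, approve_all)
    more = incremental_authorize(as_, "app", first, "calendar", "alice", approve_all)
    print(more["scope"])  # calendar email
    try:
        incremental_authorize(as_, "app", first, "calendar", "bob", approve_all)
    except AuthorizationError as err:
        print(err)  # resource_owner_mismatch
```

The client-side check only works if the AS gives the client something stable to compare, which is why the `sub` assumption matters: with a bare access token response the client has no way to tell that Account B, not Account A, consented. The `denial_retracts_existing_grant` flag shows why a client should not assume its earlier token still works after an access_denied on an incremental request.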


From: OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Date: Friday, November 8, 2019 at 2:36 PM
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

You are welcome. I'm always happy to be able to help with a major contribution such as this one :)

I did read through the draft for WGLC back in September though and that was the only issue that jumped out at me.


On Wed, Nov 6, 2019 at 6:15 PM William Denniss <wdenniss=40google.com@dmarc.ietf.org> wrote:

On Wed, Sep 25, 2019 at 3:54 PM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
Just noticed that something is missing in https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-02#section-5 where it has just, "(Section 4.1.4 of )"

Thank you for catching this, Brian. It was meant to read Section 4.1.4 of RFC 6749.

I've updated this in my local copy, will get posted in version 04.


On Thu, Sep 12, 2019 at 8:40 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Thanks for the correction; yes – the most recent version is -02 and I posted an old link.


From: Eve Maler <eve@xmlgrrl.com>
Sent: Thursday, 12 September 2019 16:16
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-incremental-authz-01

I think you mean https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-02?
Eve Maler (sent from my iPad) | cell +1 425 345 6756

On Sep 11, 2019, at 4:22 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Hi all,

We are starting a WGLC on the "OAuth 2.0 Incremental Authorization" draft. You can find the document here:
https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-01

Please review the document and provide feedback.

The WGLC will end September 25th, 2019.

Ciao
Hannes & Rifaat
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.