IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

Nat Sakimura <sakimura@gmail.com> Mon, 13 May 2019 12:20 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 472E51200EB for <oauth@ietfa.amsl.com>; Mon, 13 May 2019 05:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jUJLSzzXBX6W for <oauth@ietfa.amsl.com>; Mon, 13 May 2019 05:20:29 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D14361200E0 for <oauth@ietf.org>; Mon, 13 May 2019 05:20:28 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id x64so2413524wmb.5 for <oauth@ietf.org>; Mon, 13 May 2019 05:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=+ABXOWYjmd7Y6C4nS1vCUrptxdgCkbW0D8c51gZVr70=; b=egTdpuwVHCIRhGv7s14vwWd5cXp8LftD0s8Fij5rJX5/+kRKV7dV63EgUtpy0NQAOG tgaWGqOUCFN5w9CX6Kv97n/LTbjZnSeynGjw99rJEAYKoj2dGkEwkZWDlOQXNfNHZa6T J1guogzw6DC7OPmvWfurlXN/m9OGwwQ+iAkuWlMIfUw/3m11OyGalgaO8xL/smWpfkXU 3WRD8BQKAFmvttSQq0EZM5JTp7gg6WSRn/C+9i9Nf5B1cUzOqX2oJ8/lFDbPmXwLdojB 2aDyMY9HC97OivWQ1idDHPWDQEmbU4PHM9/11tTq3PF57sfzsUjHNEefRjW8mH10xJDm unow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=+ABXOWYjmd7Y6C4nS1vCUrptxdgCkbW0D8c51gZVr70=; b=ecNZuRyhkePs/0m1TF82QqW+oQ1heZ/wEFyLjwLiLAQWFbVe7j9L7xPOD8StWXN7ib RRzCASMnQASWONM5QqJo/Pm2doLg6BXrOE7v6D4S6qfkbxMJFF4OhKRvNeFsp4FuLz// hB7DFgyRq3dzw9C9Q7kq/jV2/zgNB0tk6TT1wZWIRSkwI4+dl6Y3t5K0eY45FFev/agl QRD8gLOj4JgQnGzUbr5qdRLuipCKq3lVvpBEvj9ONGwRujtgRveDfm6kP1roRZCizByy VsCCsO/zPYmbhY3n64RBLLGLO7ICzq4CJx9Zs7qiOgBxHSffMSnOSSTwz5ei0xZ3beSP j2Jg==
X-Gm-Message-State: APjAAAUytdTViEX+cwcRi0MgDNTJ5o8zZCOQ2Wnig1ZQogAAtYvUFFfm Fj7/CTWr2ycc1n5K0w8KkCbQHoyv5CV/wMCxEPs=
X-Google-Smtp-Source: APXvYqz9hXgvjHLKGaLwjssaYaF5G7PuFK6kTsRk0iMLFdgzx0JHQpuIrTDfODJw1Lu+3Hdbu62mLn4oI2+mISABe40=
X-Received: by 2002:a1c:2245:: with SMTP id i66mr282311wmi.19.1557750026885; Mon, 13 May 2019 05:20:26 -0700 (PDT)
MIME-Version: 1.0
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net> <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com> <CAP-T6TTsHqkyBF8n-x7Bw7kWC6vrEFw+QhyOMHSQ7NoR=xLzMg@mail.gmail.com> <10e7ee87-4877-4790-dbdc-8f599d401cbe@aol.com>
In-Reply-To: <10e7ee87-4877-4790-dbdc-8f599d401cbe@aol.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Mon, 13 May 2019 14:20:15 +0200
Message-ID: <CABzCy2CigZmEJqp=ZtVM8V8Dcen8v6mos6Q9WLi0f3FAcRv5aA@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Dave Tonge <dave.tonge@momentumft.co.uk>, Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mavYwU-rxBu9O5JvtFqgFH6EdWg>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 May 2019 12:20:31 -0000

Indeed but at the same time, it may be needed for the AS to keep it
anyways for compliance purposes.

I have not gone through the thread yet, but here is my brief response
to Torsten's post.

https://nat.sakimura.org/2019/05/12/comments-back-to-transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-by-torsten/

Cheers,

Nat Sakimura

On Fri, May 10, 2019 at 10:27 PM George Fletcher
<gffletch=40aol.com@dmarc.ietf.org> wrote:
>
> One thing to keep in mind with the "Push Request Object" model and the concept of a more detailed scope structure, if the specified values are not for a single transaction, then the AS will be required to keep the "Pushed Request Object" for the "lifetime" of the access_token and possibly the refresh_token depending on the use case. This could have some implementation issues for the AS.
>
> Thanks,
> George
>
> On 5/10/19 9:52 AM, Dave Tonge wrote:
>
> Thanks Torsten for this article - it is incredibly helpful.
>
> I'm very much in favour of the "structured_scope" approach.
>
> While I understand George's point I think the line is very blurred between coarse-grained scopes and fine-grained transaction consent. In addition fine-grained authorisation metadata is needed for ongoing access APIs as well, e.g. how can a client ask for ongoing access to:
>  - transactions in a users accounts with ids abc123 and abc124
>
> From a UX perspective it is beneficial for the AS to ask the user for consent once. The AS therefore needs to have all the information about relating to the consent available when the user is redirected to the authorization endpoint. There should be a standard way for the Client to pass this data to the AS and I think structured scopes either sent as a query param or in a request object are a neat way of doing this.
>
> Dave
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email