From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <DF0F96CC-109E-40F9-A2B2-9DC6F108B0BA@lodderstedt.net>
Date: Mon, 23 Sep 2019 20:17:02 +0200
In-Reply-To: <CAM7dPt0Urr1H=ThKsG27Xt+woCqwj0Ue2b5Of1CcSd3=9pO_4g@mail.gmail.com>
Cc: oauth <oauth@ietf.org>,
 Filip Skokan <panva.ip@gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
References: <156906284888.22977.8893219801768603786.idtracker@ietfa.amsl.com>
 <1842D9CD-1B5B-420A-AA43-7B30F3CE13B8@lodderstedt.net>
 <CAM7dPt0Urr1H=ThKsG27Xt+woCqwj0Ue2b5Of1CcSd3=9pO_4g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mmj-Ml3rEmfK7FaVI0fwlpYSbwU>
Subject: Re: [OAUTH-WG] New Version Notification for
 draft-lodderstedt-oauth-par-00.txt
Hi Janak,

thanks for your feedback to PAR as well.

> On 22. Sep 2019, at 21:51, Janak Amarasena <janakama360@gmail.com> wrote:
> 
> Hi,
> 
> Since the /as/par endpoint is intended to be used to store the actual authorization request, I feel that validating the authorization request as mentioned in point 2 of section 2.1 (Request) should not be a responsibility of the /as/par endpoint and that it should not validate the authorization request.

Why do you think so?

Validating the request data at the pushed authorisation request endpoint has the advantage that the AS can refuse the process early. It also means the authorisation endpoint of the AS can safely assume that all request URIs sent in an Authorization Request that were minted by the same AS (which is detected based on their structure) are pre-checked and can be trusted (regarding the input validation).

> Also, the majority case could be the endpoint receiving valid requests and the validation process will be duplicated at the authorization endpoint.

I would assume the same core service is used to check the payload, so no code duplication is required.

> 
> Also since section 2.2 (Successful Response) states:
> The "request URI" MUST be bound to the "client_id" of the client that posted the authorization request.
> Wouldn't it be good to enforce the use of the clientId in section 4 (Authorization Request) when the authorization request is made with the "request_uri" parameter?
> GET /authorize?request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2&client_id=s6BhdRkqt3 HTTP/1.1

There is no need for an additional client id since the request URI is already bound to the client_id passed to and, in case of a confidential client, authenticated in the pushed authorization request.

best regards,
Torsten.

> 
> 
> Best Regards,
> Janak Amarasena
> 
> On Sat, Sep 21, 2019 at 4:32 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi all,
> 
> I just published a new draft that Brian Campbell, Dave Tonge, Filip Skokan, Nat Sakimura and I wrote.
> 
> https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
> 
> It proposes a new endpoint, called "pushed authorization request endpoint", that allows the client to push the Authorization Request payload to the AS on a backchannel connection instead of a front channel interaction. The AS provides the client with a request URI (according to draft-ietf-oauth-jwsreq) that the client uses in subsequent authorization requests to refer to the pushed request data.
> 
> We believe this simple mechanism will significantly increase OAuth security and robustness since any application can use it by just sending the parameters in the same encoding as used at the authorisation endpoint over an HTTPS-protected and (for confidential clients) mutually authenticated connection to the AS. It can also be used to push signed and encrypted request objects to the AS, i.e. it provides an interoperable way to use request objects managed at the AS for use cases requiring an even higher security level.
> 
> We look forward to getting your feedback.
> 
> kind regards,
> Torsten.
> 
>> Begin forwarded message:
>> 
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-par-00.txt
>> Date: 21. September 2019 at 12:47:28 CEST
>> To: "Nat Sakimura" <nat@sakimura.org>, "Brian Campbell" <bcampbell@pingidentity.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Dave Tonge" <dave@tonge.org>, "Filip Skokan" <panva.ip@gmail.com>
>> 
>> A new version of I-D, draft-lodderstedt-oauth-par-00.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>> 
>> Name:		draft-lodderstedt-oauth-par
>> Revision:	00
>> Title:		OAuth 2.0 Pushed Authorization Requests
>> Document date:	2019-09-21
>> Group:		Individual Submission
>> Pages:		12
>> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-par-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
>> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-par
>> 
>> Abstract:
>>   This document defines the pushed authorization request endpoint,
>>   which allows clients to push the payload of an OAuth 2.0
>>   authorization request to the authorization server via a direct
>>   request and provides them with a request URI that is used as
>>   reference to the data in a subsequent authorization request.
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
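The division of work Torsten argues for above (authenticate the client and validate the request once at the PAR endpoint, bind the minted request URI to that client_id, and let the authorization endpoint trust any URI it recognises as its own) as an added Python sketch; this is not code from the draft or the thread. The client registry, the urn:example: URI prefix (after the sample URI quoted above), the 60-second lifetime and the single-use rule are assumptions made for the example.

```python
import secrets
import time

# Constructed client registry: client_id -> (client_secret, registered redirect URIs).
CLIENTS = {
    "s6BhdRkqt3": ("example-secret", {"https://client.example.org/cb"}),
}
REQUEST_URI_PREFIX = "urn:example:"  # assumed prefix, modelled on the draft's sample URI
REQUEST_URI_TTL = 60                  # assumed lifetime of a pushed request, in seconds

_pushed = {}  # request_uri -> {"client_id", "params", "expires_at"}


def validate_authorization_request(client_id, params):
    """Input checks run at push time. Returns None if valid, else an OAuth error code."""
    if params.get("client_id") != client_id:           # body client_id must match the caller
        return "invalid_request"
    if params.get("response_type") != "code":
        return "unsupported_response_type"
    if params.get("redirect_uri") not in CLIENTS[client_id][1]:
        return "invalid_request"
    return None


def pushed_authorization_request(client_id, client_secret, params):
    """PAR endpoint: authenticate the client, validate once, bind the URI to the client."""
    if CLIENTS.get(client_id, (None,))[0] != client_secret:
        return 401, {"error": "invalid_client"}
    err = validate_authorization_request(client_id, params)
    if err:
        return 400, {"error": err}                        # refuse early, before any front channel
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(24)
    _pushed[request_uri] = {"client_id": client_id, "params": dict(params),
                            "expires_at": time.time() + REQUEST_URI_TTL}
    return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}


def authorize(request_uri):
    """Authorization endpoint: resolve a request_uri this AS minted. The payload was
    validated at push time, so only the reference itself needs checking here."""
    if not request_uri.startswith(REQUEST_URI_PREFIX):  # not ours: fall back to an error
        return 400, {"error": "invalid_request"}
    entry = _pushed.pop(request_uri, None)              # single use (assumed)
    if entry is None or entry["expires_at"] < time.time():
        return 400, {"error": "invalid_request"}
    # client_id comes from the stored binding, not from a parameter on the front channel
    return 200, {"client_id": entry["client_id"], "params": entry["params"]}
```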