Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Justin Richer <jricher@mit.edu> Thu, 27 October 2022 18:06 UTC

From: Justin Richer <jricher@mit.edu>
To: "rdd@cert.org" <rdd@cert.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Date: Thu, 27 Oct 2022 18:06:26 +0000
Message-ID: <041D943B-CE4A-443F-90D4-7307FD741C8D@mit.edu>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3496F95F-14DE-4A66-90BD-4246ABB1AC20@mit.edu> <BN2P110MB1107B46FA1B5A4F8852807D2DC249@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <BN2P110MB11077232CB6BFFF458871DAFDC339@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB11077232CB6BFFF458871DAFDC339@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/phTGQ1kcyhH6hWCToKsRtg-68ps>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
List-Id: OAUTH WG <oauth.ietf.org>

Thank you, Roman — I put together a PR with those changes here:

https://github.com/oauthstuff/draft-oauth-rar/pull/89

 — Justin

> On Oct 27, 2022, at 1:51 PM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
> I appreciate the updates in -13 and -14.  Most of the AD feedback has been addressed there.  Combing through the multiple sub-threads, I've pruned the text to cover what is the residual feedback.  See below.
> 
> To keep this document moving, I'm going to start IETF LC on it.  Please address this feedback concurrently.
> 
>>> -----Original Message-----
>>> From: Justin Richer <jricher@mit.edu>
>>> Sent: Thursday, September 15, 2022 11:20 AM
>>> To: Roman Danyliw <rdd@cert.org>
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
>>> 
>>> Hi Roman, some responses inline.
>>> 
>>>> On Sep 14, 2022, at 6:30 PM, Roman Danyliw <rdd@cert.org> wrote:
> 
> [snip]
> 
>>>> ** Section 6.1
>>>> 
>>>> However, when comparing a new request to an existing request,
>>>>  authorization servers can use the same processing techniques as used
>>>>  in granting the request in the first place to determine if a resource
>>>>  owner needs to authorize the request.
>>>> 
>>>> Why is it possible to assess two arbitrary requests in this case to
>>>> determine "if a resource owner needs to authorize the request", but the prior
>>>> paragraph explicitly calls out that comparing two arbitrary requests
>>>> is not feasible?  To me it seems like comparing two requests to
>>>> understand if more or less permissions are being requested is
>>>> equivalent to determining if a new request exceeds the current request to
>>>> determine if going back to the resource owner is needed.
>>>> 
>>> 
>>> It might be possible to do such a comparison in a specific case, but
>>> we can’t add logic in the general case. In OAuth, scopes are supposed
>>> to be purely additive, so if you have another scope it’s for “more”
>>> things. We know in practice that that’s not always how it works.
>>> Things get much more complex with RAR because you could have an object
>>> with :more: fields in it that makes things more :strict: by the
>>> presence of those fields. That’s all going to be up to the “type”
>>> definition though, so if you understand the “type” definition you
>>> could do a comparison based on that. To me the text is clear; can you suggest
>>> how we could clarify this?
>> 
>> OLD 1
>> Since the nature of an authorization details request
>>   is based solely on the API or APIs that it is describing, there is
>>   not a simple means of comparing any two arbitrary authorization
>>   details requests.
>> 
>> NEW 1
>> Since the semantics of the fields in the authorization details result will be
>> implementation specific to a given API or set of APIs, there is no standardized
>> mechanism to compare two arbitrary authorization detail requests.
>> 
>> OLD 2
>>   However, when comparing a new request to an existing request,
>> 
>> NEW 2
>> 
>> When comparing a new request to an existing request, ...
> 
> [snip]
> 
> 
>>>> ** Section 11.2.
>>>> 
>>>> Accept authorization_details parameter in authorization requests
>>>>     including basic syntax check  for compliance with this
>>>>     specification
>>>> 
>>>> Why only "basic syntax checking"?  Perhaps "syntax checking"?
>>> 
>>> I’m not positive, but I think the guidance here is meant for “basic”
>>> to mean more like “make sure it’s a JSON object and that it has a type
>>> field” as opposed to “check the type field’s value and run it against a JSON
>>> Schema definition”.
>> 
>> I don't think this is worth unpacking and would just recommend:
>> 
>> OLD
>> *  Accept authorization_details parameter in authorization requests
>>      including basic syntax check for compliance with this
>>      specification
>> 
>> NEW
>> *  Accept authorization_details parameter in authorization requests
>>      conformant with this specification
> 
> Thanks,
> Roman
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
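The two points discussed in the thread above, the "basic syntax check" an authorization server performs on authorization_details and the absence of any generic way to compare two authorization details requests, as an added Python example that is not part of this thread, the RAR draft, or any implementation. The array-of-objects shape and the common field names (type, locations, actions, datatypes, identifier, privileges) follow the RAR specification; the type name hypothetical_account, its max_amount field, and the rule that adding that field narrows a request rather than widening it are assumptions made only to illustrate Justin's point that "more fields" can mean "more strict".

```python
"""Added example (not from the thread or the RAR draft).

Part 1: the 'basic' syntax check the thread describes: the parameter must be
a JSON array of objects, each with a string "type". Nothing type-specific.

Part 2: why a type-agnostic comparison of two requests cannot work. A
type-specific rule for an ASSUMED type "hypothetical_account" treats
actions/locations as additive and an ASSUMED "max_amount" field as a cap
(present = narrower than absent). A naive field-by-field subset check gets
the cap case backwards.
"""
import json

# Common fields the RAR spec defines as JSON arrays of strings.
LIST_FIELDS = ("locations", "actions", "datatypes", "privileges")


def basic_syntax_check(param: str) -> list:
    """Parse and shape-check an authorization_details value. Raises ValueError
    on anything that is not a non-empty array of objects with a string type."""
    try:
        details = json.loads(param)
    except json.JSONDecodeError as e:
        raise ValueError(f"authorization_details is not JSON: {e}") from None
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for i, obj in enumerate(details):
        if not isinstance(obj, dict):
            raise ValueError(f"element {i} is not a JSON object")
        if not isinstance(obj.get("type"), str) or not obj["type"]:
            raise ValueError(f"element {i} lacks a string 'type'")
        for f in LIST_FIELDS:
            if f in obj and not isinstance(obj[f], list):
                raise ValueError(f"element {i}: '{f}' must be a JSON array")
    return details


def _within_hypothetical_account(new: dict, granted: dict) -> bool:
    """ASSUMED rule for the hypothetical type: True when `new` asks for no more
    than `granted`, so the resource owner need not be asked again."""
    for f in ("actions", "locations"):  # additive: every requested value must be granted
        if not set(new.get(f, [])) <= set(granted.get(f, [])):
            return False
    if "max_amount" in granted:
        # The grant is capped. A request WITHOUT the field asks for an uncapped
        # grant, i.e. MORE than was granted, even though it has fewer fields.
        return "max_amount" in new and new["max_amount"] <= granted["max_amount"]
    return True


# Only types the AS understands can be compared; everything else re-prompts.
TYPE_RULES = {"hypothetical_account": _within_hypothetical_account}


def needs_new_authorization(new_details: list, granted_details: list) -> bool:
    """True if any requested object is not covered by a granted object of the
    same type under that type's own rule, or if the type has no rule."""
    for req in new_details:
        rule = TYPE_RULES.get(req["type"])
        if rule is None:
            return True
        if not any(g["type"] == req["type"] and rule(req, g) for g in granted_details):
            return True
    return False


def naive_within(new: dict, granted: dict) -> bool:
    """Type-agnostic 'subset' comparison: every field of `new` must appear in
    `granted` with a covering value. Fine for additive fields, wrong for caps."""
    for k, v in new.items():
        if k not in granted:
            return False
        if isinstance(v, list):
            if not set(v) <= set(granted[k]):
                return False
        elif v != granted[k]:
            return False
    return True


# Constructed sample requests (not from the thread).
GRANTED_JSON = ('[{"type":"hypothetical_account","actions":["read","transfer"],'
                '"locations":["https://api.example.com/accounts"],"max_amount":100}]')
NEW_UNCAPPED_JSON = ('[{"type":"hypothetical_account","actions":["transfer"],'
                     '"locations":["https://api.example.com/accounts"]}]')
NEW_CAPPED_JSON = ('[{"type":"hypothetical_account","actions":["transfer"],'
                   '"locations":["https://api.example.com/accounts"],"max_amount":50}]')

if __name__ == "__main__":
    granted = basic_syntax_check(GRANTED_JSON)
    for label, js in (("uncapped", NEW_UNCAPPED_JSON), ("capped", NEW_CAPPED_JSON)):
        new = basic_syntax_check(js)
        print(f"{label}: type rule says re-authorize={needs_new_authorization(new, granted)}, "
              f"naive subset says within={naive_within(new[0], granted[0])}")
```

Run stand-alone, the uncapped request (fewer fields) is flagged for fresh authorization by the type rule but judged "within the grant" by the naive check, while the capped request (an extra field) is the one the type rule accepts; that inversion is exactly why the draft declines to specify a general comparison and leaves it to each type definition.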