IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Roman Danyliw <rdd@cert.org> Thu, 27 October 2022 17:51 UTC

Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0EF6C14F74C for <oauth@ietfa.amsl.com>; Thu, 27 Oct 2022 10:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9ZpbiqsxBjH for <oauth@ietfa.amsl.com>; Thu, 27 Oct 2022 10:51:40 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0095.outbound.protection.office365.us [23.103.209.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 499BBC14F612 for <oauth@ietf.org>; Thu, 27 Oct 2022 10:51:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=s0Wsx5/MIC8EtejdvEkGsUp3bMjobbUCB/gssVNqMRCPCic58Px3oWGB8F0IFMnbA620qnoikCEcovghbcF23YLhvAS3fXrBwDE9xJmJgP4IDFC5vrA7HGuvcj4nC/wytRr1TjXw1xdhdw+eIvnwwl5aVeNafg5LkreX+mnmaW0OJRdY1o5yFClEFDbS2X5U9sUjykqxtzxBfuIJkn66HXTa4Du9nZoBk2aj6wWXCmuY4Kz6i8Cx0i97qKsqTIVeD2dS/84UnaS6udpt74lUqRmi2twZk4ccgJibFEIKGN1EqoyKRuiJajSG2K309eA3gBV2nI+90wtTlgMKOLKbrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wz/BpakHIjUMHzGI3Rs3MPoHIdi9pKhOPnVp6wMLi8o=; b=Jpn1x2ULxDa322PAQBoduCWQzwEG9/OGIsP5K/0XTZmdRpzhltwXc9n59Bw2W4qfgU9bB2NcNjm+P4XeWOo9y+ZOPZYS9mEkEvfa7+kCEAVz1IEmyavZ6RKjqrVQTzM1XMLVG0fCr9O/edsD8ecMPya7hs0Y/uWCkVh0fXFJE5nX4zagYntMcYbmmm96WlLtopziCojo3pNtFYSNS4K2WLG1oHsxQtBZYD2utpyd5X+wGCY4Jx7WPGY/ygMMFjzzox8xfVKt8RVV6pITGXVrxuQOkyUwp4SwcsMPA+/6rCUSdPrguKtQlx46QPqABmP1jETOvC9LcIC4pwh3xFY7aA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wz/BpakHIjUMHzGI3Rs3MPoHIdi9pKhOPnVp6wMLi8o=; b=B6mgKcMCdPY2c4xxjpOYD3++9hDmmRrjBxFLfHYJzIBxzFRtXnwpHUqv6Yt6EXWVncehoukotnhwftrlXwcGbWvzSFv1OcLSCdb+58wM98RM+BgUemR73GmSS0noglC/kQUcxnh+5id9pP8Xj0xD93ZSRyQlLWfCNULvnLYfAb0=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1224.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17a::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.21; Thu, 27 Oct 2022 17:51:38 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429%6]) with mapi id 15.20.5746.028; Thu, 27 Oct 2022 17:51:38 +0000
From: Roman Danyliw <rdd@cert.org>
To: Roman Danyliw <rdd@cert.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Thread-Index: AdjIiWV70TiGp2n1QyK+vwbKisrOXgAjS6wABa9LvKAClgZogA==
Date: Thu, 27 Oct 2022 17:51:38 +0000
Message-ID: <BN2P110MB11077232CB6BFFF458871DAFDC339@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3496F95F-14DE-4A66-90BD-4246ABB1AC20@mit.edu> <BN2P110MB1107B46FA1B5A4F8852807D2DC249@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107B46FA1B5A4F8852807D2DC249@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1224:EE_
x-ms-office365-filtering-correlation-id: f1be14b8-e214-4659-8ed3-08dab843e5b4
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: x+h3iCw8Dgxm9BQAVMRR7SDZAhXr+TUoDT99n0FeAOSQe4d+i/uMIQGM/QkJJTNTawo1kQwWShmE9KiPrBlBwBC1F0vDye9bk7tyzVYXVNXHPFWEVWkuHQK+oXQiCkrPzNok+nIA6X1EORbn8XiZ8A6fl4Q+V6SNT/JjN/b15qCeqxes4RArdSaw2xo3sj2aVrJmnoGba5w9GPECC6ExShCz+19afRGZ/gUbA9RNN5+6oSEN9ytn7MmEiKCWL6Mx5xfBEif0MlGIdZkFR3i1+KsRb7YGCTiGHIvXOfHebKpdxexcfODipK+MtiDXupEmU/BA0sBMp2ERLeXf9LqkP0zg053K9hjSo2smi4sNlEKgQikSTlXPJhueOg9X/TuzC7D08hDjcuaT0zzHaTPuhbCCXU70vIfcKNYQfmbHEv7SjPfxxbV8DWyaqz/KaEi1AfkbftaCvJoITAbV/2U3//z6ZCnYCRGbNY16b7+MY4CEqXU4s1sQaL4idO6a4c9a9HXErmh7li5b6TJtoDIv2IXuFa6WCoLcyTOu1sy6mFT8IyYT2JUPiara8hb1+x3QMnsTZcHEC7VHGo1Nxt1cvR5uBFljl/uB5CIC1RIaHYHed0xhRvkGs6n6MdcWHrS1GC8lDKMq8XpX2/Hkp1iu1pAyQBspGZd0gF7PDtfaKof//Q5toYYvpLuickGhY+BW
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(33656002)(86362001)(82960400001)(38100700002)(38070700005)(2906002)(6200100001)(55016003)(5660300002)(8936002)(6862004)(6506007)(26005)(9686003)(186003)(53546011)(7696005)(122000001)(83380400001)(71200400001)(52536014)(66946007)(76116006)(498600001)(66446008)(8676002)(64756008)(66556008)(4326008)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: CP9OyXl/v/9rgzruB0G5ZEUq5l6FTOTXCQtQaxwXhp1/brsBGo9EG7L/p6sxuKKqNFC73gx1DuIW5qmxUVfuct6Kz38s5bFndw1hGWMz9BbPARihbsGWiXgbwrv1y9GSnH1vjqixAxv9UuYJy63FW0ZhxEJjO1pkaW4Z8Q436wI9tepqHm9VileHb5pgw0WgFr1N7ubhO+PhNHvdChEAHbEOLa6tOmEmZgtOhXSmSxiUlnt15PhJxN5VfRz8DswWWTqLSPq5kE0eEGD3zm9S4hGhCy0yiO0+lVRmv34lyTa2ogpNRXVsC1tQM6GcRAgmsPK7AiGZC+jbv2E/WQ7y3ZREgjevB880THgoGq2kvr1SWUK9XCAio+uKWHiEwWpX89dMjtwSzq4N79aLbQM1GxZJkkFI6cl5ApL9EBPp+sk=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: f1be14b8-e214-4659-8ed3-08dab843e5b4
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Oct 2022 17:51:38.2169 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1224
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/r0FKseCRyAyYOLhkODm-h2chSKQ>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 17:51:44 -0000

Hi!

I appreciate the updated in -13 and -14.  Most of the AD feedback has been addressed there.  Combing through the multiple sub-threads, I've pruned to text to cover what is the residual feedback.  See below.

To keep this document moving, I'm going to start IETF LC on it.  Please address this feedback concurrently.

> > -----Original Message-----
> > From: Justin Richer <jricher@mit.edu>
> > Sent: Thursday, September 15, 2022 11:20 AM
> > To: Roman Danyliw <rdd@cert.org>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
> >
> > Hi Roman, some responses inline.
> >
> > > On Sep 14, 2022, at 6:30 PM, Roman Danyliw <rdd@cert.org> wrote:

[snip]

> > > ** Section 6.1
> > >
> > >  However, when comparing a new request to an existing request,
> > >   authorization servers can use the same processing techniques as used
> > >   in granting the request in the first place to determine if a resource
> > >   owner needs to authorize the request.
> > >
> > > Why is it possible to assess two arbitrary requests in this case to
> > > determine "if
> > a resource owner needs to authorize the request", but the prior
> > paragraph explicitly calls out that comparing two arbitrary requests
> > is not feasible?  To me is seems like comparing two requests to
> > understand if more or less permissions are being requested is
> > equivalent to determining if a new request exceed the current request to
> determine if going back to the resource owner is needed.
> > >
> >
> > It might be possible to do such a comparison in a specific case, but
> > we can’t add logic in the general case. In OAuth, scopes are supposed
> > to be purely additive, so if you have another scope it’s for “more”
> > things. We know in practice that that’s not always how it works.
> > Things get much more complex with RAR because you could have an object
> > with :more: fields in it that makes things more :strict: by the
> > presence of those fields. That’s all going to be up to the “type”
> > definition though, so if you understand the “type” definition you
> > could do a comparison based on that. To me the text is clear, can you suggest
> how we could clarify this?
> 
> OLD 1
> Since the nature of an authorization details request
>    is based solely on the API or APIs that it is describing, there is
>    not a simple means of comparing any two arbitrary authorization
>    details requests.
> 
> NEW 1
> Since the semantics of the fields in the authorization details result will be
> implementation specific to a given API or set of APIs, there is a no standardized
> mechanism to compare two arbitrary authorization detail requests.
> 
> OLD 2
>    However, when comparing a new request to an existing request,
> 
> NEW 2
> 
> When comparing a new request to an existing request, ...

[snip]


> > > ** Section 11.2.
> > >
> > > Accept authorization_details parameter in authorization requests
> > >      including basic syntax check  for compliance with this
> > >      specification
> > >
> > > Why only "basic syntax checking"?  Perhaps "syntax checking"?
> >
> > I’m not positive, but I think the guidance here is meant for “basic”
> > to mean more like “make sure it’s a JSON object and that it has a type
> > field” as opposed to “check the type field’s value and run it against a JSON
> Schema definition”.
> 
> I don't think this is worth unpacking and would just recommend:
> 
> OLD
> *  Accept authorization_details parameter in authorization requests
>       including basic syntax check for compliance with this
>       specification
> 
> NEW
> *  Accept authorization_details parameter in authorization requests
>       Conformant with this this specification

Thanks,
Roman

v2.23.0 | Report a Bug | By Email