IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12

Roman Danyliw <rdd@cert.org> Fri, 14 October 2022 16:50 UTC

Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D030C1524BF for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2022 09:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d26dJHrfHGuA for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2022 09:50:07 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0112.outbound.protection.office365.us [23.103.209.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C577AC1524B9 for <oauth@ietf.org>; Fri, 14 Oct 2022 09:50:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=1nKvqYx4Sv3lyOvS5UEWMsLp6kwBOz2E0uv4ltLd/FWY4DzYYIcThw6SFlJXdRWwbB00h/ZYozjNVkLtOILQWcehLmB5UKDK207nJbkQ+eA2fKax43eMzXyQPY9ywHfq87pK6y3ldl+gDFlyir72RIrfLAD+age8gUZSk/dXVR1A/3XED/FoE8hCYUQYhlRLCzHp0iMBXEH3i0x6ZpwANl5Ayz3Maq29d4zbFynfxLrqz+3kAA9Lv72K/KR7EKT93LejY/4v0AFgmJHnU2rfqUyR9uRNTWndN8E2nn1t2gCqN57yB0mTOcDvwsurGo0EwdkEit2CnCN1IzLFE+QXwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rma8iDFTj2xGlLYW2ZycSlB+WZcPK6Ge/RIU7V+ynMs=; b=xprsQQn+bYlXrlqM2ix0DkPeHrGUhT+UYvWQ1g67/xaczK/hc2NMeUKYQxMM0+eGbFKS+Q7KKEcnQTpLFRiZ9E/KVmFM3YhtNZi6N0ZJNiugXVV+milr9vEe/qRLv8TO2Cq32hkiMeHivXk3WYtHtbFRnanTY3q5zqKOWvXnzIfqlyW3HJXArq+CtueKOF8+f6KDZHK+5ViqCC22fOcr6npg91jWkyCqopVy0ek6lvk+ow9dMY6wx0Wd9BerDUYGugnKgpU1HwEji5AS1WBdLpQxwUAg5hN5qxWJKC1kqvZakVlTA9wgXhQJyH2ykh2z686K0jQ4IrDJr7EO3tzjbw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rma8iDFTj2xGlLYW2ZycSlB+WZcPK6Ge/RIU7V+ynMs=; b=nozwuUvGBvxDBms9Z3Hc7B3fQN+HUeSXP+66IdKas3wudH2TLzjLTmo+cg4+VNx9z+OACs0NfWtaIZAEUTiQPZkf04ZzrGzy/Up533efUl52Lh18vFRjqdt3voYbOWEsPz44dpflxqd9dpNPKT4My4cz3ATCyHCRkZtXDcX76fE=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB0963.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5709.21; Fri, 14 Oct 2022 16:50:05 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1%7]) with mapi id 15.20.5709.022; Fri, 14 Oct 2022 16:50:05 +0000
From: Roman Danyliw <rdd@cert.org>
To: Justin Richer <jricher@mit.edu>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
Thread-Index: AdjIiWV70TiGp2n1QyK+vwbKisrOXgAjS6wABa9LvKA=
Date: Fri, 14 Oct 2022 16:50:05 +0000
Message-ID: <BN2P110MB1107B46FA1B5A4F8852807D2DC249@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB110748BA202E467849E8A973DC469@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <3496F95F-14DE-4A66-90BD-4246ABB1AC20@mit.edu>
In-Reply-To: <3496F95F-14DE-4A66-90BD-4246ABB1AC20@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB0963:EE_
x-ms-office365-filtering-correlation-id: 3397f19e-f1af-4685-7732-08daae042570
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: R2I9FZ34ms7ymUuVz1PGc8IW3lpecw8WvgcW9dNxlnOSsQbeySbVNZIrFouYBTFPwu0e2Cm4Cobe2U1do7hde9Sp5/PZUzMiyEhuXdOSCR5Jk+oiaUrxCHI7lcXcYe45Ro3xuSoL99a35dH7nKXaYkLq1BWWm/AtuO6E3g4+1MunFo1pQZttDVVukXEArqWkG3fzrNEN3V5RXdsko2IX4q7cou1izLqQlUeXyxAW7QRv/B6qRPMfHkt57qsM8vZwdYhRIZA3v//5fYf2ThZZWKqRQk75aUjV35ptBsrK7YLhBFJblDePrvyvk1HFErkfP4koprTXz9y7hzZ3U9qhDy93ah8XXoGx9GDr0UQ7NTmABNcF6KkmrXxRPIz78o5rA9Bo5sc9sIDHr8dgdiM4gxC2KEx7LYTkxsORaJIXAmBHXMRmhh695+EMDiohK8CjNa2amHvXuKogbsAQ4ZELohGvjqT9NByKk28YBzhUxzh3wBj+LdfCTtdIYOYyQkXA+kYkkeczYBYSQc2wYUyEO3w2XYPbaS2YGHNw8FI2LvJxrlezMhKu1abZXkhwCKd87G0q4arAR52F1pY5LGD0OH9VTaT9bWhN5ARYfC5J2/YEq+5ZbeEqnOj2SLwFpIXYkoRogQtbqj6xVqio/cUv9T5Q0gHUWC6X1OTkLtU38G5yUG5uBIvMAdcmcWSXHrBf
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(6916009)(76116006)(66946007)(8676002)(4326008)(66476007)(64756008)(66556008)(66446008)(71200400001)(498600001)(26005)(9686003)(7696005)(6506007)(53546011)(52536014)(5660300002)(8936002)(2906002)(186003)(33656002)(83380400001)(38100700002)(122000001)(82960400001)(86362001)(55016003)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tvuNzQd7catSfRdJXYYwX1iJhCEHdPoSdwhft2RrqqkinOhZK2cKOx609jw2zvhO72xKDXe3wOPsEi6QZa1uLDsxXJYQbZT/QZf2ceKGKtEEKoBJY6OIgHfYBrO7eYh0++wHe8BIFB7gvouDUiWrnMuLh0KC5S7RGbNWf0VmsbocFDPHlvKdsdtLebKD9ki30zQO4mbgVe42+1CnrPhITKNzA7CRJgkuQtx/LwSVycwhQ48yQPKWoQfyyGD4JyGWn16jY9J8Ouen3/RuSGbgYOVNsSXrez5i7NXp1ZHvYnHe7RqFZz+c6Sp+T/T6N5rV6ZgYrnC5eRnTq39f2fKiWd48tr0D/CmYrZgRW4c7pVaih5dlt7kAs7Y3gxTyOoOPC5XAkmOSUyLyoUOVgEEdPinX/RiehS4Nk0XPCh6tqdQ=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3397f19e-f1af-4685-7732-08daae042570
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2022 16:50:05.7107 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB0963
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rfnsvuT3XZlAvC5u-K9W6eN8GhU>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 16:50:12 -0000

Hi Justin!

> -----Original Message-----
> From: Justin Richer <jricher@mit.edu>
> Sent: Thursday, September 15, 2022 11:20 AM
> To: Roman Danyliw <rdd@cert.org>
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-rar-12
> 
> Hi Roman, some responses inline.
> 
> > On Sep 14, 2022, at 6:30 PM, Roman Danyliw <rdd@cert.org> wrote:


[snip]

> > ** Section 2.2.
> >
> > All data fields are OPTIONAL for use by a given API
> >   definition.
> >
> > I don't follow how this is true in the general case.  I was under the impression
> that this section defined what is expected to be common fields.  Couldn't some
> AS with a particular type require their presence?
> 
> Yes — a particular “type” value can require any of these fields, but a type is
> itself not *required* to use any of these fields. That’s what we were trying to
> convey with the OPTIONAL here. Is there a better way to communicate this?
> Maybe we should just leave off the “OPTIONAL” flag here, but we wanted
> people to realize that the common elements don’t have to be used by each
> “type”, while every request needs to have a “type”.

We're on the same page.  It's up to the API/particular type field to decide which fields to use and this specification doesn't require any of them.  They are presented here for the possibility of reuse in common use cases.  I would recommend:

OLD
    All data fields are OPTIONAL for use by a given API
   definition.  The allowable values of all fields are determined by the
   API being protected.

NEW
The allowable values of all fields are determined by the API (as defined by a particular "type" value) being protected.  This specification does not require the use of any of these common fields.


[snip]

> > ** Section 6.1
> >
> >  However, when comparing a new request to an existing request,
> >   authorization servers can use the same processing techniques as used
> >   in granting the request in the first place to determine if a resource
> >   owner needs to authorize the request.
> >
> > Why is it possible to assess two arbitrary requests in this case to determine "if
> a resource owner needs to authorize the request", but the prior paragraph
> explicitly calls out that comparing two arbitrary requests is not feasible?  To me
> is seems like comparing two requests to understand if more or less permissions
> are being requested is equivalent to determining if a new request exceed the
> current request to determine if going back to the resource owner is needed.
> >
> 
> It might be possible to do such a comparison in a specific case, but we can’t add
> logic in the general case. In OAuth, scopes are supposed to be purely additive,
> so if you have another scope it’s for “more” things. We know in practice that
> that’s not always how it works. Things get much more complex with RAR
> because you could have an object with :more: fields in it that makes things
> more :strict: by the presence of those fields. That’s all going to be up to the
> “type” definition though, so if you understand the “type” definition you could
> do a comparison based on that. To me the text is clear, can you suggest how
> we could clarify this?

OLD 1
Since the nature of an authorization details request
   is based solely on the API or APIs that it is describing, there is
   not a simple means of comparing any two arbitrary authorization
   details requests.

NEW 1
Since the semantics of the fields in the authorization details result will be implementation specific to a given API or set of APIs, there is a no standardized mechanism to compare two arbitrary authorization detail requests.

OLD 2
   However, when comparing a new request to an existing request,

NEW 2

When comparing a new request to an existing request, ... 

[snip]

> > ** Section 7.
> >
> >   If the client does not specify
> >   the authorization_details token request parameters, the AS determines
> >   the resulting authorization details at its discretion.  The
> >   authorization server MAY consider the values of other parameters such
> >   as resource and scope if they are present during this processing, and
> >   the details of such considerations are outside the scope of this
> >   specification.
> >
> > This guidance seems to indicate the use of the scope parameter is optional in
> determining the authorization details.  Section 3.1 says "The AS MUST consider
> both sets of requirements in combination with each other for the given
> authorization request."  My read is that this is conflicting guidance and Section
> 3.1 is correct.
> 
> You aren’t required to use “scope” in order to use “authorization_details”, but
> we do want to say that the AS is allowed to (or even is supposed to) consider
> both “scope” and “authorization_details” when determining the resulting
> access for any given request that might have both. The guidance in 3.1 should
> probably say “the AS MUST consider all requirements present on a request” or
> something like that?

That softer language of "use what is presented" makes sense to me.

[snip]

> > ** Section 11.2.
> >
> > Accept authorization_details parameter in authorization requests
> >      including basic syntax check  for compliance with this
> >      specification
> >
> > Why only "basic syntax checking"?  Perhaps "syntax checking"?
> 
> I’m not positive, but I think the guidance here is meant for “basic” to mean
> more like “make sure it’s a JSON object and that it has a type field” as opposed
> to “check the type field’s value and run it against a JSON Schema definition”.

I don't think this is worth unpacking and would just recommend:

OLD
*  Accept authorization_details parameter in authorization requests
      including basic syntax check for compliance with this
      specification

NEW
*  Accept authorization_details parameter in authorization requests
      Conformant with this this specification

> >
> > ** Section 11.2
> >
> >   One option would be to have a mechanism allowing the registration of
> >   extension modules, each of them responsible for rendering the
> >   respective user consent and any transformation needed to provide the
> >   data needed to the resource server by way of structured access tokens
> >   or token introspection responses.
> >
> > I don't follow the flexibility being described here.  "One option ..." with
> respect to what?
> 
> With respect to having certain types hard-coded (like someone like Facebook or
> GitHub might do because their API is specific) or having some kind of
> mechanism that just prints out the RAR objects verbatim.
> 

Ah, you mean relative to customization.  Maybe s/One option would be/One option to support customization/

Regards,
Roman

v2.23.0 | Report a Bug | By Email