[OAUTH-WG] RAR WGLC comment
Brian Campbell <bcampbell@pingidentity.com> Fri, 18 June 2021 18:13 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90813A1D3B for <oauth@ietfa.amsl.com>; Fri, 18 Jun 2021 11:13:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7qyzEGOBnEP for <oauth@ietfa.amsl.com>; Fri, 18 Jun 2021 11:13:40 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A1303A1D37 for <oauth@ietf.org>; Fri, 18 Jun 2021 11:13:40 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id b37so15152436ljr.13 for <oauth@ietf.org>; Fri, 18 Jun 2021 11:13:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=2BQRC93OR7RbEWwzVxpBGoJW5f3MVgnqvRPRn+jVBwU=; b=Lk5iW1X887/NtR4FvQVkqGCeKWP8nCkkAR+paWVLKGIqzwYausHI6qoBP0S/LQMzxu /32ehx44sufF9bjyf58BBZNT3MEAnCQd6Pr2k8y6xA8cn8K6N0m0lgUu70bB8Dp6rs/X wBAwbTgAmgkmXbovw6QBshdqBbJzoCXjCuc0wsFPb5+jn4PlAcUFNV7iPhKAcd5WK5iT +kJA4S5VJRxX/ARLWJaIekkpDi20rQfnCE151qaH5i+l8ytlacoioP+yaEvKErcObzq8 4hLlspqMH46K1loywWfDvyRouMYKkv2G++nuhm1JNEGrutzXw+bI6T2Orp1HyIzwJW4Q eF3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=2BQRC93OR7RbEWwzVxpBGoJW5f3MVgnqvRPRn+jVBwU=; b=bGLdgnnbdUV8GK5jpWdsI+cm2TDOxhIXoCDG1ZEGJRIsxpfyMxicPvuFGmrBY4/Bac X2bR+AuWtR/eKg5CcIB8MfJau/PUYVSov9AcDBMVegjiNjaPirsJwXbPWtQKbM1cQIdu En7QNy7FBcpWXIHf3f2ORjbspZ5xRNnBQdebxdwWZAbuaa/NWgVIBFhpDIbCZe2y8bIc 2wErorCT5DMFYCA1xip7hqKSL3WMjGnrpLIOa/gQIdzvPWK/YPTlBoab6JTnC+tPlz7U ibMhCGNMenQl1UN5y8sqaO0PUeY15gHEt3+sZWO5PKrFy2uZs519mG3FVINvxw5SyeHn BKHQ==
X-Gm-Message-State: AOAM531k4GCoci1EH5RyonDJH5TP/EMZYImIUi98g/l+yobcWmbSPXcG e1TuQXdPKNW8Zv0R7aj4tpoc0CBDlNqxXBJ7ia0L2htU15UlRgnc2IwBkCGprTmIQLCvUFzr8AA 3vRqljkqg/JCTuKy6TQk8mA==
X-Google-Smtp-Source: ABdhPJwAwYjwyTm8OOVefxgMOaANN7NLfgZkA5Li6cLjgJBcX90VC32ILbemEKsYEMuH7bZGSIGzZzgDZbY3uaLTbl8=
X-Received: by 2002:a05:651c:33c:: with SMTP id b28mr10955693ljp.489.1624040017124; Fri, 18 Jun 2021 11:13:37 -0700 (PDT)
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 18 Jun 2021 12:13:11 -0600
Message-ID: <CA+k3eCR-CABXDt5CFH6q4vG-hVZ-pRGyO0zm0jGPF7SVfEO7Fw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000052829a05c50e48e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s_X7kCJVPyApFgGtUh7GOeMeLVk>
Subject: [OAUTH-WG] RAR WGLC comment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jun 2021 18:13:45 -0000
In my reading and understanding of the text and intent, the content and meaning of a particular authorization details object are fully governed by its "type". And while the draft provides a set of common data elements intended to be usable across different types (locations, actions, datatypes, identifier, privileges) a specific type is free to define whatever suits its needs. A type definition may or may not involve those common elements and could even use the same name(s) with different meaning or structure. So, while I understand the motivation behind the RFC8707 resource parameter being usable in a token request to make the AS filter, the included authorization details of the resultant token based on the "locations" element[1], I'm a bit concerned about a layering problem here. The authorization details objects of the grant might not contain a "locations" element or might have one with a different meaning or structure. The draft also describes using the authorization_details token request parameter to specify the authorization details a client wants the AS to assign to a particular access token[2]. So the problematic resource parameter behaviour is also kind of redundant. I think maybe it should be removed. [*] described in https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-6.2 and mentioned at https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-1-8 and in https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-7-1 [2] https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#name-token-request -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] RAR WGLC comment Brian Campbell
- Re: [OAUTH-WG] RAR WGLC comment Torsten Lodderstedt
- Re: [OAUTH-WG] RAR WGLC comment Filip Skokan
- Re: [OAUTH-WG] RAR WGLC comment Torsten Lodderstedt
- Re: [OAUTH-WG] RAR WGLC comment Justin Richer