Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-rar-02.txt

Justin Richer <justin@bspk.io> Tue, 24 September 2019 23:33 UTC

From: Justin Richer <justin@bspk.io>
Message-Id: <CBCF41AA-CADB-4CF9-8BB4-172E4571B655@bspk.io>
Date: Tue, 24 Sep 2019 16:33:37 -0700
In-Reply-To: <e4427073-f995-4337-ca7c-99a92c745bf2@aol.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
To: George Fletcher <gffletch@aol.com>
References: <156907504831.22964.1710780113673136607.idtracker@ietfa.amsl.com> <A82AA337-86BF-485D-901B-3A3C73C6177B@lodderstedt.net> <e4427073-f995-4337-ca7c-99a92c745bf2@aol.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/thnm0nVHwKWVdXkP9ZMewpReI6w>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-rar-02.txt

The idea behind the “locations”, “actions”, “data”, and “identifier” data element types mirrors what I’ve seen “scope” used for in the wild. They roughly equate to “where something is”, “what I want to do with it”, “what kind of thing I want”, and “the exact thing I want”, respectively. I’m completely open to better names, and have even been thinking “datatype” might be better than just “data” for the third one.

As for encoding, I think that form encoding makes sense because it’s the simplest possible encoding that will work. I personally don’t see a need to armor this part of the request with base64, as it is in JOSE, and doing so would make it one more step removed from easy developer understanding. 

-- Justin Richer

Bespoke Engineering
+1 (617) 564-3801
https://bspk.io/
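An added illustration of the request shape described above; this is not code from the draft or from anyone in this thread. A client builds the form-encoded authorization request carrying authorization_details with the type, locations, actions, data and identifier fields as discussed, the authorization server parses and validates it, and a size comparison puts a number on the urlencoded-JSON versus base64url question raised in the quoted reply. The endpoint URLs, client identifier, sample element values and the trusted-locations policy are constructed for the example, and the required "type" field per element is my reading of the draft's JSON layout, stated here as an assumption.

```python
"""Form-encoded authorization_details: build, parse, validate, compare sizes.

Added example, not the draft's or the thread participants' code.  Element
names follow the thread (type, locations, actions, data, identifier); all
sample values and the policy below are constructed.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: one element asking for read access to account data.
SAMPLE_DETAILS = [
    {
        "type": "account_information",
        "locations": ["https://example.com/accounts"],
        "actions": ["list_accounts", "read_balances"],
        "data": ["balances", "transactions"],
        "identifier": "DE40100100103307118608",
    }
]

# Common fields discussed in the thread: three arrays of strings and one string.
ARRAY_FIELDS = ("locations", "actions", "data")
SCALAR_FIELDS = ("identifier",)

# Assumed authorization-server policy: resource servers it will authorize for.
TRUSTED_LOCATIONS = {"https://example.com/accounts"}


def build_authorization_request(authorization_endpoint, client_id, redirect_uri, details):
    """Client side: authorization_details is compact JSON, form-urlencoded
    exactly like every other query parameter (no base64 armoring)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def validate_authorization_details(details):
    """Return a list of problems; an empty list means the structure is acceptable."""
    problems = []
    if not isinstance(details, list) or not details:
        return ["authorization_details must be a non-empty JSON array"]
    for i, element in enumerate(details):
        if not isinstance(element, dict):
            problems.append(f"element {i}: not a JSON object")
            continue
        if not isinstance(element.get("type"), str):
            problems.append(f"element {i}: missing or non-string type")
        for field in ARRAY_FIELDS:
            value = element.get(field)
            if value is not None and not (
                isinstance(value, list) and all(isinstance(v, str) for v in value)
            ):
                problems.append(f"element {i}: {field} must be an array of strings")
        for field in SCALAR_FIELDS:
            value = element.get(field)
            if value is not None and not isinstance(value, str):
                problems.append(f"element {i}: {field} must be a string")
        # Policy check: only mint authorizations for resource servers this AS knows.
        locations = element.get("locations")
        if isinstance(locations, list):
            for loc in locations:
                if isinstance(loc, str) and loc not in TRUSTED_LOCATIONS:
                    problems.append(f"element {i}: unknown location {loc!r}")
    return problems


def parse_authorization_details(request_url):
    """Authorization-server side: recover the parameter from the query string,
    decode the JSON, and reject anything that fails validation."""
    query = parse_qs(urlsplit(request_url).query, strict_parsing=True)
    values = query.get("authorization_details", [])
    if len(values) != 1:
        raise ValueError("authorization_details must appear exactly once")
    try:
        details = json.loads(values[0])
    except json.JSONDecodeError as exc:
        raise ValueError(f"authorization_details is not valid JSON: {exc}") from None
    problems = validate_authorization_details(details)
    if problems:
        raise ValueError("; ".join(problems))
    return details


def encoded_sizes(details):
    """Length of the parameter under the two encodings discussed in the thread."""
    compact = json.dumps(details, separators=(",", ":"))
    form_len = len(urlencode({"authorization_details": compact}))
    b64 = base64.urlsafe_b64encode(compact.encode()).rstrip(b"=").decode()
    b64_len = len(urlencode({"authorization_details": b64}))  # base64url needs no escaping
    return {"form": form_len, "base64url": b64_len}


if __name__ == "__main__":
    url = build_authorization_request(
        "https://as.example/authorize", "client-1", "https://client.example/cb", SAMPLE_DETAILS
    )
    print(url)
    print(parse_authorization_details(url))
    print(encoded_sizes(SAMPLE_DETAILS))
```

The size figures come out in favour of base64url because every quote, brace, bracket and colon in the JSON costs three characters once percent-encoded, while base64url grows by a flat third; the form-encoded version, on the other hand, is still readable as JSON once the query string is decoded, which is the developer-understanding trade-off Justin is making.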



> On Sep 24, 2019, at 1:45 PM, George Fletcher <gffletch@aol.com> wrote:
> 
> Just two questions...
> 
> 1. What is the rationale that 'data' is really an array of arbitrary top-level claims? I find looking at the spec and not finding a 'data' section a little confusing.
> 
> 2. What is the rationale for sending the JSON object as a urlencoded JSON string rather than a base64url encoded JSON string? The latter would likely be smaller and easier to read:)
> 
> Thanks,
> George
> 
> On 9/21/19 1:51 PM, Torsten Lodderstedt wrote:
>> Hi all,
>> 
>> I just published a draft about "OAuth 2.0 Rich Authorization Requests" (formerly known as "structured scopes").
>> 
>> https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>> 
>> It specifies a new parameter "authorization_details" that is used to carry fine grained authorization data in the OAuth authorization request. This mechanism was designed based on experiences gathered in the field of open banking, e.g. PSD2, and is intended to make the implementation of rich and transaction oriented authorization requests much easier than with current OAuth 2.0.
>> 
>> I'm happy that Justin Richer and Brian Campbell joined me as authors of this draft. We would like to thank Daniel Fett, Sebastian Ebling, Dave Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable feedback during the preparation of this draft.
>> 
>> We look forward to getting your feedback.
>> 
>> kind regards,
>> Torsten.
>> 
>>> Begin forwarded message:
>>> 
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
>>> Date: 21. September 2019 at 16:10:48 CEST
>>> To: "Justin Richer" <ietf@justin.richer.org>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Brian Campbell" <bcampbell@pingidentity.com>
>>> 
>>> 
>>> A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
>>> has been successfully submitted by Torsten Lodderstedt and posted to the
>>> IETF repository.
>>> 
>>> Name:		draft-lodderstedt-oauth-rar
>>> Revision:	02
>>> Title:		OAuth 2.0 Rich Authorization Requests
>>> Document date:	2019-09-20
>>> Group:		Individual Submission
>>> Pages:		16
>>> URL:		https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
>>> Status:		https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
>>> Htmlized:	https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>>> Htmlized:	https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
>>> Diff:		https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02
>>> 
>>> Abstract:
>>>    This document specifies a new parameter "authorization_details" that
>>>    is used to carry fine grained authorization data in the OAuth
>>>    authorization request.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>