Re: [OAUTH-WG] RAR WGLC comment
Filip Skokan <panva.ip@gmail.com> Sat, 19 June 2021 15:01 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 136F53A133A for <oauth@ietfa.amsl.com>; Sat, 19 Jun 2021 08:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0aaEsvchj2T for <oauth@ietfa.amsl.com>; Sat, 19 Jun 2021 08:01:52 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 721B33A1333 for <oauth@ietf.org>; Sat, 19 Jun 2021 08:01:52 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id i13so12640622edb.9 for <oauth@ietf.org>; Sat, 19 Jun 2021 08:01:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=As0HMn3PcQi6D87TfC3+UmhoP831/XlGaaK6VscehOc=; b=AuJoQvRhmaOXIzlPrWELuUdGThLsQfE4pZk9YjqT6+op/H2N1zLA+ffFczZ4hW/qvr sJlGgQP6FtzxiqlU1KJXNdK673sg88x+D9uCPfTaAMXcsvuZFgv86LyDh9HO2RjloZ2k c/2goq4rxz+jrJrPYTemT9KXhb7Wy+/mctYyl5oB/OEQxxmioF3iyUMWQ9T961vxAvM1 4cmRhxAd/vvsbLaVnYzu6pGemp1COcPIJSeKssn9D3/Rn2bxqvEKrINfM/FsalP0kslK CunjE7KDsTOZF4y/9y7rAg/vE8juY5iuPJ9o3SSIj24eo+FPbCI0MxWc2ttqFWI6KZG4 VPyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=As0HMn3PcQi6D87TfC3+UmhoP831/XlGaaK6VscehOc=; b=fXv1fppYftfqAaL9+hyk55mAhiTl1UEzamAjM0dZIEx5VIlb0Wr+kcSYgbJs7c7j1h c+RsNmEbKUCOlLFs2VshciGwUuYzt695B5uLfrSJsZf+BwxTrqV73WEutOgGDj80irFr Lw08y6+71bRtR0unQVSYybXtV5ZamLRjx/G+UYkuh3AEp+vpxoYpISmOZQ11kJCf7Stv oD2xpov9rmlImZw/We8EneUo1bYxgh34BLOETM0NLxWr7YyHbgZHoT9lTCXwc4Ch6bUI EPVDsQZ1Z0UD7G9m3KGEMvOSZONVoQ9kN0ZVdTEoQtLbmjUF+3X5HtD3+i9xyHzvAQ5k wzZQ==
X-Gm-Message-State: AOAM5315RaFvzbyT/sxIO4mUSQSdwZObobfJqv64Ld1tiXWXvAn5kj3k CvGGSfmnkejEkML1cGiINOUEPUgt9l9X
X-Google-Smtp-Source: ABdhPJxAVOgNFReqR5oPAbQi/hpjRN6P7/3hK/pnoWnCdMB/5Rh3x++u1kVwXiQbi959QcaBdb+GAw==
X-Received: by 2002:a05:6402:1d17:: with SMTP id dg23mr11200142edb.128.1624114910205; Sat, 19 Jun 2021 08:01:50 -0700 (PDT)
Received: from smtpclient.apple ([2a00:102a:5003:36e2:b8e5:dd52:ce2:2580]) by smtp.gmail.com with ESMTPSA id b14sm2409215ejk.120.2021.06.19.08.01.48 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 19 Jun 2021 08:01:49 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-6C3A7B29-DD98-4CA8-A5A1-E2C9846EAA4B"
Content-Transfer-Encoding: 7bit
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 19 Jun 2021 17:01:47 +0200
Message-Id: <E1EF9916-651A-4537-9CF9-CA13F580CB34@gmail.com>
References: <F4877542-CD79-4401-B8F4-A06C321959C0@lodderstedt.net>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
In-Reply-To: <F4877542-CD79-4401-B8F4-A06C321959C0@lodderstedt.net>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
X-Mailer: iPhone Mail (18F72)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v79AZRvu_kLKc_eHPGzjVoHfC2E>
Subject: Re: [OAUTH-WG] RAR WGLC comment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jun 2021 15:01:57 -0000
I support such change. Odesláno z iPhonu > 19. 6. 2021 v 15:36, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>: > > > Hi Brian, > > the idea was to use resource indicators as convenient short cut to support audience restricted access tokens. However, I agree this can be achieved by specifying authorization details in the token request as well. > > So I‘m fine with dropping resource indicators for RAR at all. This means RAR on one hand and scopes + resource indicators on the other hand are clearly decoupled and independent. > > best regards, > Torsten. > >>> Am 18.06.2021 um 20:13 schrieb Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>: >>> >> >> In my reading and understanding of the text and intent, the content and meaning of a particular authorization details object are fully governed by its "type". And while the draft provides a set of common data elements intended to be usable across different types (locations, actions, datatypes, identifier, privileges) a specific type is free to define whatever suits its needs. A type definition may or may not involve those common elements and could even use the same name(s) with different meaning or structure. >> >> So, while I understand the motivation behind the RFC8707 resource parameter being usable in a token request to make the AS filter, the included authorization details of the resultant token based on the "locations" element[1], I'm a bit concerned about a layering problem here. The authorization details objects of the grant might not contain a "locations" element or might have one with a different meaning or structure. >> >> The draft also describes using the authorization_details token request parameter to specify the authorization details a client wants the AS to assign to a particular access token[2]. So the problematic resource parameter behaviour is also kind of redundant. I think maybe it should be removed. >> >> [*] described in https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-6.2 and mentioned at https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-1-8 and in https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#section-7-1 >> >> [2] https://www.ietf.org/archive/id/draft-ietf-oauth-rar-05.html#name-token-request >> >> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1624644831000000&usg=AOvVaw1Ol8hiDotFufYe9jQCTi1m > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] RAR WGLC comment Brian Campbell
- Re: [OAUTH-WG] RAR WGLC comment Torsten Lodderstedt
- Re: [OAUTH-WG] RAR WGLC comment Filip Skokan
- Re: [OAUTH-WG] RAR WGLC comment Torsten Lodderstedt
- Re: [OAUTH-WG] RAR WGLC comment Justin Richer