Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 12 February 2021 23:38 UTC

References: <161270175060.8296.1897997883947486904@ietfa.amsl.com> <06504BA6-6065-4ADD-BE45-5E13DF00DC1A@lodderstedt.net> <FR2P281MB01063CE7EE6ECFE8727E58878D8E9@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
In-Reply-To: <FR2P281MB01063CE7EE6ECFE8727E58878D8E9@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 12 Feb 2021 16:38:10 -0700
Message-ID: <CA+k3eCR2VBKWgvjEvTzOQOkROBBPJxySBjT==p5EAqG31mhp9w@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009e75c505bb2c22cc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vNBT2xMot0Uy7OfQQSHrtnD7dh8>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt

On Tue, Feb 9, 2021 at 5:53 AM Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org> wrote:

> Find below my review of the draft:
>
>
>    1. Redactional changes:
>
> 2.2.  Authorization Data Types
>
> Interpretation of the value of the "type" parameter, and the object
>    elements that the "type" parameter allows => allowed
>
The "allows" seems correct there.



> 9.  Metadata
>
> which is an
>    JSON array. => which is a JSON array
>

Fixed this in the document source. Thanks!


>
>    1. Application to existing APIs
>
> reason-1: Current open banking initiatives are built on existing
> Data Standards like ISO20022 (PAIN, CAMT) which are XMLs that do not
> provide direct translation to JSON. Some authorization servers might even
> be able to parse an ISO PAIN file to display the proper authorization
> request to the user.
>

That the APIs are XML doesn't necessarily mean that the details of the
authorization can't be represented in JSON. And, if really need be, XML can
be included as the value of some member in the authorization details and
defined as such by the type.



> reason-2: In some situations, it might be more privacy preserving to have
> the authorization request content negotiated between the AS and the RS. In
> this case the "scope" parameter shall only carry some sort of "grant-id"
> (known in the Berlin Group spec as consent-id). This will allow the AS to
> negotiate the data to be displayed directly with the RS.
>

RAR probably just isn't applicable in that kind of case.



>
> Any idea how to consider these two edge cases?
>




> Best regards.
> /Francis
>
>
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt
> <torsten=40lodderstedt.net@dmarc.ietf.org>
> *Sent:* Sunday, February 7, 2021 12:49 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt
>
> Hi all,
>
> here is the list of changes in revision -04:
>
>
>    - restructured draft for better readability
>    - simplified normative text about use of the resource parameter with
>    authorization_details
>    - added implementation considerations for deployments and products
>    - added type union language from GNAP
>    - added recommendation to use PAR to cope with large requests and for
>    request protection
>
>
> Your feedback is highly appreciated.
>
> best regards,
> Torsten.
>
> Am 07.02.2021 um 13:42 schrieb internet-drafts@ietf.org:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>        Title           : OAuth 2.0 Rich Authorization Requests
>        Authors         : Torsten Lodderstedt
>                          Justin Richer
>                          Brian Campbell
> Filename        : draft-ietf-oauth-rar-04.txt
> Pages           : 36
> Date            : 2021-02-07
>
> Abstract:
>   This document specifies a new parameter "authorization_details" that
>   is used to carry fine grained authorization data in the OAuth
>   authorization request.
>
>
> The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/
>
> There is also an HTML version available at:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-rar-04.html
>
> A diff from the previous version is available at:
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-04
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>

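As an added illustration of the point made above about XML-based APIs (this is not code from the draft or from anyone in this thread), the following Python shows one way an authorization_details entry can carry an ISO 20022-style document as the value of a member, with the type definition saying which member holds the XML. The type URI `urn:example:iso20022:pain.001`, the member name `pain001`, the abbreviated pain.001 fragment, and the AS metadata are all constructed for this example; the metadata field name `authorization_details_types_supported` is the one the draft's metadata section defines. The AS side checks the array shape and the type against its supported list before it extracts the fields it would show on the consent screen.

```python
"""Added example: an authorization_details entry whose type wraps an XML payload."""
import json
import xml.etree.ElementTree as ET

# Constructed: the types a hypothetical AS advertises in its metadata.
AS_METADATA = {
    "authorization_details_types_supported": [
        "payment_initiation",              # a JSON-native type
        "urn:example:iso20022:pain.001",   # hypothetical type wrapping a pain.001 document
    ]
}

# Constructed, heavily abbreviated pain.001-style document (sample values only).
SAMPLE_PAIN_XML = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <PmtInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">123.50</InstdAmt></Amt>
        <Cdtr><Nm>Merchant Ltd</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>DE02120300000000202051</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>"""

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}
XML_TYPE = "urn:example:iso20022:pain.001"


def build_request(xml_doc: str) -> str:
    """Client side: the XML goes verbatim into the string member 'pain001'.

    The (hypothetical) type definition for XML_TYPE is what tells the AS
    that this member holds a pain.001 document.
    """
    details = [{"type": XML_TYPE, "pain001": xml_doc}]
    return json.dumps(details)


def summarize_pain(xml_doc: str) -> dict:
    """AS side: extract what the user needs to see on the consent screen.

    xml.etree is used here so the example runs offline; for XML that comes
    from a client, a hardened parser (e.g. defusedxml) is the safer choice.
    """
    root = ET.fromstring(xml_doc)
    tx = root.find(".//p:CdtTrfTxInf", NS)
    if tx is None:
        raise ValueError("no credit transfer transaction in document")
    amt = tx.find("p:Amt/p:InstdAmt", NS)
    if amt is None or amt.text is None:
        raise ValueError("transaction has no instructed amount")
    return {
        "amount": amt.text,
        "currency": amt.get("Ccy"),
        "creditor": tx.findtext("p:Cdtr/p:Nm", namespaces=NS),
        "creditor_iban": tx.findtext("p:CdtrAcct/p:Id/p:IBAN", namespaces=NS),
    }


def validate_authorization_details(raw: str, metadata: dict) -> list:
    """Check the array shape, reject unknown types, and normalise each entry."""
    details = json.loads(raw)
    if not isinstance(details, list):
        raise ValueError("authorization_details must be a JSON array")
    supported = set(metadata["authorization_details_types_supported"])
    result = []
    for entry in details:
        if not isinstance(entry, dict) or "type" not in entry:
            raise ValueError("each entry must be a JSON object with a 'type'")
        type_name = entry["type"]
        if type_name not in supported:
            raise ValueError(f"unsupported authorization details type: {type_name}")
        if type_name == XML_TYPE:
            # The type definition says 'pain001' carries the XML; parse it here.
            if not isinstance(entry.get("pain001"), str):
                raise ValueError("'pain001' member must be a string holding XML")
            result.append({"type": type_name, **summarize_pain(entry["pain001"])})
        else:
            result.append(entry)
    return result


if __name__ == "__main__":
    request = build_request(SAMPLE_PAIN_XML)
    print(json.dumps(validate_authorization_details(request, AS_METADATA), indent=2))
```

The point of the split is that the AS never has to translate the XML schema into JSON: the JSON object only names the type and carries the document, and the per-type definition tells the AS how to read it and what to display.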