Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-incremental-authz-00.txt

Dick Hardt <dick.hardt@gmail.com> Fri, 10 August 2018 18:16 UTC

References: <153021689405.18540.5214482725778765448@ietfa.amsl.com> <F399049B-C36E-4014-8717-B82270A2EBF8@lodderstedt.net> <CAAP42hCDH3bGiiyLX47SyKha1PnwhMLws=_25bTYj1pEz6at4g@mail.gmail.com> <629FEF02-7853-4FA5-8895-0851809C8BA0@lodderstedt.net> <aa74936a-ea2d-8798-0de3-5715504d80cc@free.fr>
In-Reply-To: <aa74936a-ea2d-8798-0de3-5715504d80cc@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 10 Aug 2018 11:16:19 -0700
Message-ID: <CAD9ie-sF+iZh2M8149-n4bhn_mZYzfrMeo+wX1GmuEY5fCOUZw@mail.gmail.com>
To: denis.ietf@free.fr
Cc: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x74w6jB0AXLKEnoqGifBmipfyS4>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-incremental-authz-00.txt

On Fri, Aug 10, 2018 at 2:35 AM Denis <denis.ietf@free.fr> wrote:

> Hi William,
>
> The draft states:
>
>    The goal of incremental authorization is to enhance end-user privacy
>    by allowing clients to request only the authorization scopes needed
>    in the context of a particular user action, rather than asking for
>    ever possible scope upfront.
>
> Removing the requirement to request every possible scope that might be
> needed upfront would indeed be a nice feature.
>
> Authorization scopes will thus be used in the context of a particular
> action.
>

That implies that an authorization request is made on each action. In many
use cases that is not true. Access is needed asynchronously.


> Servers should determine whether the authorization scope
> matches with a particular action. However, the principle of minimum
> attributes should be used: only the authorization scope needed
> to perform the particular action should be requested and then sent. In
> other words, authorization scopes should not be incremental.
>

Your use case of on-demand authorization is different from the incremental
authorization use case.

The incremental use case is where trust is being built between the user and
the client. Initially, the user only provides a little authorization. As
trust builds and the user would like more functionality, the app can ask
for additional scopes to provide more functionality to the user.

/Dick
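The two scope policies argued over in this thread, as an added toy model that is not code from the draft, from Denis or from Dick. It assumes the `include_granted_scopes` request parameter and its union-of-scopes semantics as defined in draft-ietf-oauth-incremental-authz; the class names, the action-to-scope table and the sample user and client are constructed for illustration. The incremental flow shows a client that starts with one scope, later adds another, and ends up with a single token that a background job can use while the user is away; the per-action flow shows why a token issued for one action fails the resource server's least-privilege check for the next one.

```python
"""Toy model of the two OAuth scope policies discussed on the list (added example,
not code from the draft or from any participant).

Assumption: `include_granted_scopes=true` makes the issued token cover the union of
the newly requested scopes and the scopes this user previously granted this client,
as in draft-ietf-oauth-incremental-authz. Everything else here is constructed.
"""
from dataclasses import dataclass, field

# Constructed mapping from a user action to the single scope it needs
# (the "principle of minimum attributes" side of the discussion).
ACTION_SCOPES = {
    "list_events": "calendar.read",
    "create_event": "calendar.write",
    "send_invite": "mail.send",
}


@dataclass
class AuthorizationServer:
    """Records which scopes each (user, client) pair has consented to so far."""
    consent_log: dict = field(default_factory=dict)

    def authorize(self, user, client_id, scope, include_granted_scopes=False):
        """Model of the authorization endpoint; returns the scopes the token carries.

        Without include_granted_scopes the token covers only what was asked for
        in this request. With it, the token also covers every scope this user
        already granted this client, so one token serves all accumulated consent.
        """
        key = (user, client_id)
        prior = self.consent_log.get(key, frozenset())
        requested = frozenset(scope.split())
        # Consent accumulates either way: the user is prompted only for scopes
        # not already granted, never re-asked for the old ones.
        self.consent_log[key] = prior | requested
        return (prior | requested) if include_granted_scopes else requested


def resource_server_allows(token_scopes, action):
    """Least-privilege check at the resource server: the token must carry the
    exact scope the action needs."""
    return ACTION_SCOPES[action] in token_scopes


def incremental_flow(asrv=None):
    """Trust-building flow: small first grant, a later additional grant, and a
    combined token usable by an asynchronous job with no user present."""
    if asrv is None:
        asrv = AuthorizationServer()
    user, client = "alice", "calendar-app"
    first = asrv.authorize(user, client, "calendar.read")
    # Later the user enables event creation; the client asks only for the new
    # scope but wants one token that keeps what it already had.
    second = asrv.authorize(user, client, "calendar.write", include_granted_scopes=True)
    return {
        "first_token": first,
        "second_token": second,
        # Background sync (user away) can read and write with the second token.
        "background_sync_ok": resource_server_allows(second, "list_events")
        and resource_server_allows(second, "create_event"),
        # mail.send was never requested, so it is never in the token.
        "can_send_invite": resource_server_allows(second, "send_invite"),
    }


def on_demand_flow(asrv=None):
    """Per-action flow: each token carries one action's scope only. Using an
    earlier token for a later action fails the check, so every action needs a
    fresh authorization with the user present."""
    if asrv is None:
        asrv = AuthorizationServer()
    user, client = "alice", "calendar-app"
    read_token = asrv.authorize(user, client, "calendar.read")
    write_token = asrv.authorize(user, client, "calendar.write")
    return {
        "read_token": read_token,
        "write_token": write_token,
        "write_with_read_token": resource_server_allows(read_token, "create_event"),
        "read_with_write_token": resource_server_allows(write_token, "list_events"),
    }


if __name__ == "__main__":
    print(incremental_flow())
    print(on_demand_flow())
```

Note that the consent log ends up identical in both flows; what differs is only which scopes a given token carries, and therefore whether a client can act later without a new round trip to the user.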