IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization with OAuth

George Fletcher <gffletch@aol.com> Wed, 08 May 2019 14:43 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 693BE12011C for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 07:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ujd7zR_Ubfyr for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 07:43:49 -0700 (PDT)
Received: from sonic304-9.consmr.mail.bf2.yahoo.com (sonic304-9.consmr.mail.bf2.yahoo.com [74.6.128.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F07112010C for <oauth@ietf.org>; Wed, 8 May 2019 07:43:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1557326627; bh=7YHkCbB8UH4U/BiI+9BFsXLBKjFWrqQzpCLybdw6DEM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=ZFq9kCU3FEizsBLEL8k15twH8wz/9ovMlprM0DpO+QGXvqDaR6/Bk7e20p9kGUJZykyKPygXg18q89E4x17CH1DH0Uk6kbZN7m9C98Ax/66clHT/eEXV+9B2sLH27wAbePCNI7yLCCvkgatTSuySCrRenZOhYpsjAXwnSy8j8G5mV2DHrHShATRM7N+KvcAZGtLxUTkYzVbhLHuLocDSGGBpEzxDfAUI7eomxdOhnTOST1JowCQ9viilQRm8ppl0axWIFvyB2Z2JpH72fVFJjssvJC8sE1zxWvjvs6hqw6P9s3lWPqrwY8x5vlkYBlVRgErPU85/ROYf4NN4Y23Zkw==
X-YMail-OSG: YGeN4RsVM1k2Gluf0Msew9N1QTxouyBi4PZ56XGIsUt9O5l_FtozygESAoIxCEI pQs4O42YVJMCmM0x5AtEEQUh0KWDSVxWH0DnUtNDjqQhWi2Xg990h0gk11Gkoq8IjrSH2h6KSS6n .b3SszKzZiy0feS3FuhtAIYuuD3LpzBYeTIz9hgj1XNhgVP0pzbt2yV1Qi7t3RaXk5U.2DtVGkps dTWu.2bBbVuNombP8MEkv282ggM2OXzG9qMgh5YMRaL2qiVmIXcV47xNnVqUEwsF5UMMVess9Tw7 eSgJekvfpUT9vdK6CWL_mHfcd5aDPAfoETRvqueEDXftDEeatNWaz7toZDaMlQDyXRADpEwZkZn0 4grIPM0G9qYl6Im0LtAkczBlzRb28jF_y0xvZygbZVSJZPKLa7Y0NnzUgMEZ32cMGEOhHTPJiyq0 Ckayqh5xhEglFGJUbtdTZ.3KLV6mQTQuuCSsirI0zDkwjQOy_uc2oDOZ6SY_64BmLg5O5vfqTtDo B7Sal4nAg8KSkghy7H46dD2XdEMhz.OpQsOOff5Sdxq0kh6vyqXLwNXAW3lPPyP99bmq9sFmrw2p DGhXSOIsrC2WanO0m4N.qhOCvNCQgsnF6rVjPLSa5xnqDOcv0PUW46z.yVySLWBJ3uRoVPE6oESZ _KGWsVVdOJwTKfet9AGLOhkw0b5Rz8ryw3BIuVM352XO2mRcQlfHAkMRNXKO5KAy4jfqsJIWoAFd rgou94HUwCGt1x5vxgNIwu7sH330cH2Kqa1h8xfcjdUFu59iz6qNq0OVZ647qvb1uzC9Q9cG7DQq TW6XPMQ2Zf._O5HKk0Kfj8rzgZ9z6nCwcWzqffr97VAar627lCSXM1mQZ916mZFg2J5TbTJMsqie jiicfheYhQBBOsmV.lgpvX7qi7x9j9mrvvNlnu5hM0W4YfkHTgkPx8BKHFEuGXekmW0LGIxcf7Gk N6gN9ndZzRfgVBfTihDTcUHFSWWdFhzEMMueMutRWyvFgG7E9jP6vmtt3G9LWBK2.alOF8TEwTx4 MNfqi4Fl8wyvzkQYsPF.M5GGC5NnxL8bkHntx0O3ueX2K77bw0hBkRmSLJbYuojZ5BMcL0q._Hg9 0iLrrHM_eOJKXWhh7qX_HiyrhziHi3dwYWrBYZJ0mUoVYiLWJ78CZFAyTco4j2BPo8pyjeynKJc7 Oym.RaGFzlSL0YOg-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.bf2.yahoo.com with HTTP; Wed, 8 May 2019 14:43:47 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp417.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 2ab2ba8950ddb4134b1b99a9603f86f5; Wed, 08 May 2019 14:43:44 +0000 (UTC)
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Sascha Preibisch <saschapreibisch@gmail.com>, oauth <oauth@ietf.org>
References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net> <119b93cb-d6c3-18dc-3e10-9ba087e0817e@aol.com> <B5BEEA54-B2B1-468A-AAE7-2B23A400919A@lodderstedt.net> <8c2187bd-3d17-9c9c-2b3c-6f9193ebdcbd@aol.com> <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <968aa387-16fe-4ed0-5ec2-d0f3426a0afa@aol.com>
Date: Wed, 08 May 2019 10:43:43 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <2EDD8634-20D1-40DE-AA0D-A64AB6AEA539@lodderstedt.net>
Content-Type: multipart/alternative; boundary="------------A8784BD710690087DFAAD650"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xEqMqsQs5UZer1AVfJQ-DepC1ls>
Subject: Re: [OAUTH-WG] Transaction Authorization with OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 14:43:55 -0000

>     George::
>
>     Again, I would want the transaction requirements to be part of the
>     API not part of the scope. In my mind, the authorization token
>     should convey the client is authorized to perform a set of actions
>     (capabilities) and then the API parameters define the exact
>     details of that particular transaction.
>
>
> Torsten:: I understand your sentiments. How would you envision to ask 
> a user for consent about those details if this consent is required by law?

So it seems we are looking for two key aspects as it relates to the 
transaction(s) and consent...

1. Require explicit user consent regarding the details of the transaction
2. Specify the details of the transaction

It seems the mapping of this to the term "scope" is because at the 
authorization endpoint it's the "scopes" the user has to consent to. 
However, we don't have to try and map this transactional functionality 
into the existing more capability model of OAuth2.

Assuming that something like a "consent receipt" will be issued to the 
user once they have consented... what about using a term more consistent 
with consent? "transaction_consent" ? I'd even be fine with 
"transaction_details" and then have the spec require that the user 
consent to all information in the "transaction_details" object. Though I 
suspect there are use cases where there are more details in the 
transaction than for which the user needs to give consent. So that might 
not be the best name.

At this point I'm probably splitting hairs:) Naming things is hard:)

On 4/30/19 6:39 AM, Torsten Lodderstedt wrote:
>
>
> Am 26.04.2019 um 16:17 schrieb George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>>:
>
>>
>>
>> On 4/25/19 1:54 PM, Torsten Lodderstedt wrote:
>>>
>>>
>>> Am 25.04.2019 um 17:03 schrieb George Fletcher <gffletch@aol.com 
>>> <mailto:gffletch@aol.com>>:
>>>
>>>> A couple of thoughts...
>>>>
>>>> 1. It doesn't feel like these are scopes (at least not as scope is 
>>>> defined by RFC 6749). It feels like they are more transaction 
>>>> requirements.
>>>
>>> What???s the difference? In my opinion, if you authorize a 
>>> transaction it???s the same. Moreover, in other use cases (account 
>>> information) it a complex requirement for a potentially long lasting 
>>> grant.
>>>
>>> In both cases, they describe the request power of the token == 
>>> it???s scope.
>> I guess I look at scope as "authorized to transfer" maybe something 
>> like "authorized to transfer up to 10K". However the details of which 
>> account to take the money from and the account of where to put the 
>> money are not aspects of the scope but rather restrictions on the 
>> transaction.
>>
>> It may be fine to have a model where the client tells the AS what 
>> transaction it wants to perform for the purpose of getting consent 
>> from the user to perform that transaction... but I don't think the 
>> details of the transaction should be considered scope(s).
>>
>> For me.. scope is a capability the client is authorized to perform... 
>> "send an Instant message", or "read a buddy list".
>>>
>>>>
>>>> 2. The schemas are going to be very ecosystem specific, correct?
>>>
>>> API (e.g. all psd2 standards), ecosystem, single deployment - just 
>>> like ???traditional??? scope values
>> Again, I would want the transaction requirements to be part of the 
>> API not part of the scope. In my mind, the authorization token should 
>> convey the client is authorized to perform a set of actions 
>> (capabilities) and then the API parameters define the exact details 
>> of that particular transaction.
>
> I understand your sentiments. How would you envision to ask a user for 
> consent about those details if this consent is required by law?
>
>>>
>>>>
>>>> On 4/24/19 1:08 PM, Torsten Lodderstedt wrote:
>>>>> Hi Sascha,
>>>>>
>>>>> I see. I assume every element within the structured scope element to be an independent scope (value) object and intended to use the name of that object as kind of content type definition.
>>>>>
>>>>> In my last example, the scope is defined as
>>>>>
>>>>>     "structured_scope":{
>>>>>        "sign":{
>>>>>           "credentialID":"qes_eidas",
>>>>>           "documentDigests":[
>>>>>              {
>>>>>                 "hash":
>>>>>                   "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI=",
>>>>>                 "label":"Mobile Subscription Contract"
>>>>>              }
>>>>>           ],
>>>>>           "hashAlgorithmOID":"2.16.840.1.101.3.4.2.1"
>>>>>        },
>>>>>        "payment":{
>>>>>           "type":"sepa-credit-transfer",
>>>>>           "instructedAmount":{
>>>>>              "currency":"EUR",
>>>>>              "amount":"123.50"
>>>>>           },
>>>>>           "debtorAccount":{
>>>>>              "iban":"DE40100100103307118608"
>>>>>           },
>>>>>           "creditorName":"Merchant123",
>>>>>           "creditorAccount":{
>>>>>              "iban":"DE02100100109307118603"
>>>>>           },
>>>>>           "remittanceInformationUnstructured":"new Smartphone"
>>>>>        }
>>>>>
>>>>> This means ???sign" and ???payment" would determine the scheme of the respective object.
>>>>>
>>>>> What do you think?
>>>>>
>>>>> best regards,
>>>>> Torsten.
>>>>>
>>>>>> On 23. Apr 2019, at 17:14, Sascha Preibisch<saschapreibisch@gmail.com>  wrote:
>>>>>>
>>>>>> Hi Torsten!
>>>>>>
>>>>>> If 'structured_scope' would become a generic field for application
>>>>>> specific content, I believe an indicator for the type of content would
>>>>>> be needed on the long run. That is what I meant my 'profile'. I hope
>>>>>> this helps!
>>>>>>
>>>>>> Thank you,
>>>>>> Sascha
>>>>>>
>>>>>> Am Mo., 22. Apr. 2019 um 22:06 Uhr schrieb Torsten Lodderstedt
>>>>>> <torsten@lodderstedt.net>:
>>>>>>> Hi Sascha,
>>>>>>>
>>>>>>>> Am 22.04.2019 um 20:34 schrieb Sascha Preibisch<saschapreibisch@gmail.com>:
>>>>>>>>
>>>>>>>> Thank you for the article, Torsten!
>>>>>>> my pleasure :-)
>>>>>>>
>>>>>>>> I like that 'scope' is out of the game for these kinds of authorizations.
>>>>>>>>
>>>>>>>> What I can see for the general use case is a required identifier
>>>>>>>> within the 'structures_scope' document that identifies the profile it
>>>>>>>> should be used for.
>>>>>>> What does profile mean in this context?
>>>>>>>
>>>>>>> best regards,
>>>>>>> Torsten.
>>>>>>>> Thank you,
>>>>>>>> Sascha
>>>>>>>>
>>>>>>>> Am Sa., 20. Apr. 2019 um 11:21 Uhr schrieb Torsten Lodderstedt
>>>>>>>> <torsten@lodderstedt.net>:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I just published an article about the subject at:https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>>>>>>>>>
>>>>>>>>> I look forward to getting your feedback.
>>>>>>>>>
>>>>>>>>> kind regards,
>>>>>>>>> Torsten.
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>

v2.23.0 | Report a Bug | By Email