Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
William Denniss <wdenniss@google.com> Fri, 07 July 2017 17:56 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA1CF13167C for <oauth@ietfa.amsl.com>; Fri, 7 Jul 2017 10:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3tOPkHSVIxtc for <oauth@ietfa.amsl.com>; Fri, 7 Jul 2017 10:56:45 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F46313153B for <oauth@ietf.org>; Fri, 7 Jul 2017 10:56:45 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id v143so33590307qkb.0 for <oauth@ietf.org>; Fri, 07 Jul 2017 10:56:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ObS+k51WgfrqMWClm7Hfc48Cd+EfmgK3tVj2xlGp5Ek=; b=cEEoPjdc3HuGgltyOSbdNfrfAL7CWM7eU4xEtfMVZ6Y4C4Z2mYZzcEaCBcsGvQZI+d iaHhn7dc4dw8SLWl6/0PbAQpLtW5hpmPChB/l0KsK1XhSjoDHWKhqvssh+T6lS6D6HiX m1Cfe5H9BFlGKQKg6XgGPn4EN440VFm75p884U244B2dVJFSTj3GWQqRZI8x2JMIQ+89 /419FXwSkNSbjY26xlJg/sMyCuGZ8axD+YB3nSuiO8/0qcNgytlsl8NkowktBEY3id3E R/qa2WAoebFQzHeD3Yo36zAf8aiB+otwp5+j61pHDfv3XrqSJnQTMxBAvb38+pvnki34 j4Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ObS+k51WgfrqMWClm7Hfc48Cd+EfmgK3tVj2xlGp5Ek=; b=etmddMKhYWZk59Wy0Dy26BG8uM9upUKCV/dSIfTzEcqmGMfyIbNgxEYHaj4lsvRzmM qTqRlGmie+V+s18eiyAVlm0M9dSQR0nPfCu2gRaJhxXAJwXEoIAqXoJ2beC9yU0ZldIU ETrUu8c4bHCVgT2dETk+/s0WyCO6fFmpDV8eDkmb0WsG6N72VqsJxTMuMfqGPjU0WCSV RCIgBY+oCaDZehRLw8zX5EptHwtNJtXuBvgX3WFCZa6Dt7k7D2KM5AarNol10nin/5PC /sJdsD50Lu0sPtJQCdcePOHEj1GVUVL25MCQWHuLgto5Wa2xXGIzdXvBKyj6EgVn76c8 Y5zg==
X-Gm-Message-State: AKS2vOxjnafxm3L7j7t56iPt7nCoDLQkbE5ILmMnJEa4wPXpOWDoqq1g 6IerWhR6/Isx5JQ/ogc++hF80gzbVL/uwny4MQ==
X-Received: by 10.55.7.8 with SMTP id 8mr64351985qkh.124.1499450203920; Fri, 07 Jul 2017 10:56:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.17.242 with HTTP; Fri, 7 Jul 2017 10:56:23 -0700 (PDT)
In-Reply-To: <59d3c1f5-01de-e419-4c4c-3115ed35e451@gmail.com>
References: <CAAP42hA5BzSAsszX5hYTCc075eE_HNy7XHwWHKu2mgNhwsXsZg@mail.gmail.com> <59d3c1f5-01de-e419-4c4c-3115ed35e451@gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 07 Jul 2017 10:56:23 -0700
Message-ID: <CAAP42hBzsjjw1Za8KS3E-wOi76n5SKm=jF9fhiDgCw-PsM7HtQ@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c46f4c409650553bdf40b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xHPbwYDCVzYcP_Vk5-iQLu22YjU>
Subject: Re: [OAUTH-WG] New OAuth I-D: Incremental Auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 17:56:48 -0000
What you describe is incremental auth. Aside: Do you return the "scope" in the token response as required when the scope in the response is not identical to the request (§ 5.1 <https://tools.ietf.org/html/rfc6749#section-5.1>, parameter: scope)? My only question is: does the client expect this? The spec talks about the authorization server *reducing* scope in a few places (in § 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>, "The authorization server MAY fully or partially ignore the scope requested by the client" and § 10.3 <https://tools.ietf.org/html/rfc6749#section-10.3> "The authorization server SHOULD take the client identity into account when choosing how to honor the requested scope and MAY issue an access token with less rights than requested."). It never talks about *increasing* scope (other than it can't be done during refresh). So I think some normative language around the potential to increase the scope of the request for confidential clients (in either the way you describe, or the way I described in the draft) is warranted. Open question: should we require an indication from the client if they *want* the scope increase? That's what include_granted_scopes was designed to do. To allow clients to specify if this is behavior they desire. The more innovative part of the spec I think is the public (native app) client incremental auth – as native apps cannot use the methods you discuss, or the ones Google has supported for a while for confidential clients. That said, if we write this – I think we may as well formally document approaches for confidential clients too. On Fri, Jul 7, 2017 at 9:24 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > Hi > > Re the confidential client: let me explain please how we experimented with > this feature when the code flow is used. > > 1. Client requests a scope 'a' for a given User, it gets approved by the > user, the clients gets a code and exchanges it for a token. > > 2. At some later stage Client requests a scope 'b' for the same user and > if an access token for a given Client + User combination exists and the > incremental authorization is supported (we use a different term for now) > than the service finds out from this token that 'a' has already been > approved and offers a consent screen where a user sees 'a' being selected > and needs to approve 'b'. > > 3. User approves 'b'. The client gets a new code back and exchanges it for > a new token which now has "a" and "b". > > At this point a client has 2 tokens, one with the "a" scope and another > with the "a" and "b" scopes and the assumption was that the client would > itself remove the now redundant token with the scope "a" only. > > I've just updated the code for the service itself do it on the client's > behalf, optionally remove the scope "a" token so that the client can simply > replace a reference to its scope "a" token with the new one (scopes "a" and > "b") it will get after exchanging a code grant. > > Is it an incremental authorization or something else completely :-) ? > > One obvious difference, apart from the lower level implementation details, > is that it is not a client which requests to include the already authorized > scopes but the service does it itself if the configuration allowing for it > is enabled > > Thanks, Sergey > > > > > > > On 05/07/17 18:17, William Denniss wrote: > >> Earlier this week I submitted the following I-D: >> https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth >> >> The topic is incremental authentication (or incremental auth for short). >> Incremental auth is used to enable clients to request just the scopes they >> need when they need them – rather than all upfront – while still only a >> maintaining a single authorization grant. >> >> The I-D details two techniques used at Google, one that has been used for >> a while in confidential clients, and one that we launched recently as a new >> solution to deliver incremental auth for public clients. >> >> I look forward to discussing this proposal with the working group. I plan >> to present this draft at IETF99, hope you can be there or watching the >> livestream! >> >> I plan to ask for a call for adoption after that presentation. If you're >> interested in this topic I'd encourage you to read the draft (it's fairly >> concise!). >> >> Best, >> William >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Sergey Beryozkin
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Sergey Beryozkin
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth Jim Willeke
- Re: [OAUTH-WG] New OAuth I-D: Incremental Auth William Denniss