Re: [OAUTH-WG] OAuth Digest, Vol 147, Issue 3
이천욱 <nesone112@gmail.com> Tue, 12 January 2021 10:30 UTC
Return-Path: <nesone112@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06803A105E for <oauth@ietfa.amsl.com>; Tue, 12 Jan 2021 02:30:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u_5i8Sgd-vsN for <oauth@ietfa.amsl.com>; Tue, 12 Jan 2021 02:30:39 -0800 (PST)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72AF43A105D for <oauth@ietf.org>; Tue, 12 Jan 2021 02:30:39 -0800 (PST)
Received: by mail-ot1-x330.google.com with SMTP id i6so1813655otr.2 for <oauth@ietf.org>; Tue, 12 Jan 2021 02:30:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=16rsWVEFLLP/0luj42rg9yGNh/kuJNbmQFocOgeIkSA=; b=mTquik4r8fw7ILdWqFtsyBZfSbeMBe5pOa7ReXerAhIbilyNALpdGHp9qBYBi1sY/N hrARiguWJFDvHeaMms7qK5jM7CcMpShUxDI9CFxgSf2Lj4gxTQwN5DekXA23aTjT1Ves v+MW88YcTACkRBNFDMKnndtXIdDoUxxjLIHVXd5p27+dF6+YVJBGydMbY6KPNvwhgTja GrAqRgDfNy/OPqXzJF0DMl+Vrcp3zJKkTmhld48dkaxEm+jc0htbglkRpgPDDrpNr0Ef AftEmkXUQk1RjT3pE9lzA1W+K6D4I2aowXwd63iAWJ2ONC1dVrtGWQCenPZAuJfr2FPf TQCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=16rsWVEFLLP/0luj42rg9yGNh/kuJNbmQFocOgeIkSA=; b=qlLy/ZtSh+bKSqfzozwFnm/RMBBnZOcQw/L+S8Ccu2cW+KyxzaUz8v+8ET16ywMnfm gMlC3wqkNVzJMsJRTuVW+Yy6bS4t5bsKOcK6ntyHxgqqjPgN/5AYAnPzqU1ol0DUZ2cQ azFZqLLgEIG5QUGCK5xKr3V9WEC0BKPxBoZt6kEyFK7kq2CvnMfzYkxgFUz7dWRadTS4 goivw9h0qb6JQt/JOdNvK0tHU8Q1rTUzGGCkA7a81fxFxWRj13kM0D2nkWNwl1uRAg6R Woa4df7rzV05E1J6ITJvbcrOu4wT388thzvu/3eu/LcyZs1Y7Y/co5SIg5jE+jQLjMGO /TaA==
X-Gm-Message-State: AOAM531fihoz3fHCX68ogTDWSsVTpPbClKEdMrLT9sLRRTP4VXt4ABlP dp46HR4eZAb+KCLbl/P5K7WxNtBOnKdFHLl8+a5S1A1goyE=
X-Google-Smtp-Source: ABdhPJyjN/+nZyeZodYIo6cnyz2lrJOR9VchiMGUY3PwTkn2rfk/rHod42AEQClZzOSJLRyb1qEeFRYcpVJuWvm9fu8=
X-Received: by 2002:a9d:3985:: with SMTP id y5mr2269507otb.202.1610447438494; Tue, 12 Jan 2021 02:30:38 -0800 (PST)
MIME-Version: 1.0
References: <mailman.101.1610395214.20887.oauth@ietf.org>
In-Reply-To: <mailman.101.1610395214.20887.oauth@ietf.org>
From: 이천욱 <nesone112@gmail.com>
Date: Tue, 12 Jan 2021 19:30:27 +0900
Message-ID: <CAOkXUnawu5URYsGVEK418KVB9+yMk2Hc-T9+DbnBkKVi+6yycg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000803f0b05b8b18379"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zDcjM7m_qIQZHS0xDoC5xDheedU>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 147, Issue 3
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2021 10:30:42 -0000
You send not mail please Loose mail only Please send not mail 2021년 1월 12일 (화) 오전 5:02, <oauth-request@ietf.org>님이 작성: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Rich Authorization Requests feedbacks on implementation > (Nicolas Mora) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 10 Jan 2021 20:36:36 -0500 > From: Nicolas Mora <nicolas@babelouest.org> > To: oauth <oauth@ietf.org> > Subject: [OAUTH-WG] Rich Authorization Requests feedbacks on > implementation > Message-ID: <511128bf-348f-fc92-ddf1-9598502a20a9@babelouest.org> > Content-Type: text/plain; charset=utf-8; format=flowed > > Hello, > > I've implemented Rich Authorization Requests defined in > draft-ietf-oauth-rar-03 for Glewlwyd soon-to-be-released 2.5 [1], and I > humbly wanted to write my feedback about this implementation to share my > experience. > > For starters, this implementation and my following feedbacks are based > on the prism of Glewlwyd's implementation and philosophy, and my limited > experience on OAuth2, so I appologize in advance if I write non-sense or > big mistakes. > > 1 - Design > > The way I saw it, there are 2 different approaches to implement oauth2 > rar: either to get a token with a more detailed scope, or to get a > one-time token with extra grants. > > Both are not exclusive, but a big difference I see between those 2 > approaches is the grant access from the user part. The second approach > would require the user to know what extra grant is asked by the client > every time the client asks for it, i.e. when the client redirects the > user to the /authorization endpoint. > > To be more consistent with Glewlwyd's philosophy, I chose the first > approach, with those rules. > The AS administrator declares what rar types are allowed [2] > - a rar type has a defined set of locations, actions, datatypes and > enriched authorization details that the client can ask for > - the client must be explicitly allowed to add a rar type in the > authorization request > - a rar type can be linked to one or more scope. In that case, the > authorization request must include at least one of the linked scope, and > the scope must be available for the user and the scope must be granted > to the client > - the client can add as many properties as required in the rar type, > those extra properties are not verified by the AS, on access granted, > the extra properties will be present in the "authorization_details" result. > > On first use of a rar type by a client for a user, the user must grant > to the client the rar access [3]. That's why the grant message will show > to the user ALL access possible via this rar type > Once this access is granted or not, the user will not be asked again on > another authorization request by the client (but is can be changed at > any time, as a scope grant). > > 2 - Limitations > > In this design, the AS has a limited control over the > authorization_details content, and the trust between the AS and the > client must be high enough so if a rar type can gain access to sensitive > actions or information, the user should know about it. > > Also, in the draft specification, the only mandatory element type in a > rar is the "type" element. In my point of view, this means that the > business logic is mostly defined by the RS, rather than the AS. > > Therefore, for a client implementation to be compliant with the specs, > there's not much to do: add as a parameter a JSON array with objects > containing at least one "type" string property in it. > > 3 - Extensions > > I believe one way to mitigate these limitations is to allow extensions > to be defined on top of the rar specifications. An extension can be > declared like this: > > "RAR Extension XYZ: > A rar whose type is XXX > - Actions available: YYY, ZZZ or AAA > - datatypes possibles: BBB, CCC, DDD or EEE > - additional elements mandatory: an array of FFF and an object of GGG to > represent access to some" > > Like this, if the AS, the RS and the client agree on using a rar > extension, they can have at least a detailed pattern on what to expect > in the rar type. > > Any thoughts? > > /Nicolas > > [1] https://github.com/babelouest/glewlwyd > [2] > > https://raw.githubusercontent.com/babelouest/glewlwyd/master/docs/screenshots/plugin-oidc-rar.png > [3] > > https://raw.githubusercontent.com/babelouest/glewlwyd/master/docs/screenshots/login-rar-grant.png > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 147, Issue 3 > ************************************* >