Re: [OAUTH-WG] Transaction Authorization with OAuth

Sascha Preibisch <saschapreibisch@gmail.com> Thu, 25 April 2019 21:36 UTC

References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CAP=vD9u8ki=WzHr-VrLZcdU4nszNja5pgkB+4n2N+-xqCrpm=Q@mail.gmail.com> <776A61E6-226C-434F-8D7E-AFF4D2E423E9@lodderstedt.net> <CAP=vD9sL-ESxo5obtnYCFrT4EEjeQt-0GDsqmxWFDy3+HxDN4A@mail.gmail.com> <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net>
In-Reply-To: <2997B550-C82B-4D3A-9639-15A004F2F6C5@lodderstedt.net>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Thu, 25 Apr 2019 14:35:15 -0700
Message-ID: <CAP=vD9tJS7yfajWna_HmY4LFC2EVzWDXL_bKRnbwh10ytbjhEw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zXSyHj1f8lhcxxobbckgJt0q55U>

Torsten,

I think that works in most cases if you look at it that way.

It is just that elements such as 'iban' are practically unknown here
in Canada for example. This means there needs to be a differentiator
that tells a client that one payment may be of type 'payment_eu' and
in the other case 'payment_ca'. Actually .... now I see the 'type'
element. With that, 'payment + type' would provide that information.

The only thing I would look into would be a change in the document
hierarchy to simplify parsing of it. Potentially multiple payments could
be submitted at once also by adding a 'payments' root element:

{
  "payment": {
    "sepa-credit-transfer": {
      "instructedAmount": {
        "currency": "EUR",
        "amount": "123.50"
      },
      "debtorAccount": {
        "iban": "DE40100100103307118608"
      },
      "creditorName": "Merchant123",
      "creditorAccount": {
        "iban": "DE02100100109307118603"
      },
      "remittanceInformationUnstructured": "new Smartphone"
    }
  }
}

But generally, the 'structured_scope' is a good concept I think.

Thanks again, Torsten,

Sascha

Am Mi., 24. Apr. 2019 um 10:08 Uhr schrieb Torsten Lodderstedt
<torsten@lodderstedt.net>:
>
> Hi Sascha,
>
> I see. I assume every element within the structured scope element to be an independent scope (value) object and intended to use the name of that object as kind of content type definition.
>
> In my last example, the scope is defined as
>
>    "structured_scope":{
>       "sign":{
>          "credentialID":"qes_eidas",
>          "documentDigests":[
>             {
>                "hash":
>                  "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI=",
>                "label":"Mobile Subscription Contract"
>             }
>          ],
>          "hashAlgorithmOID":"2.16.840.1.101.3.4.2.1"
>       },
>       "payment":{
>          "type":"sepa-credit-transfer",
>          "instructedAmount":{
>             "currency":"EUR",
>             "amount":"123.50"
>          },
>          "debtorAccount":{
>             "iban":"DE40100100103307118608"
>          },
>          "creditorName":"Merchant123",
>          "creditorAccount":{
>             "iban":"DE02100100109307118603"
>          },
>          "remittanceInformationUnstructured":"new Smartphone"
>       }
>    }
>
> This means "sign" and "payment" would determine the scheme of the respective object.
>
> What do you think?
>
> best regards,
> Torsten.
>
> > On 23. Apr 2019, at 17:14, Sascha Preibisch <saschapreibisch@gmail.com> wrote:
> >
> > Hi Torsten!
> >
> > If 'structured_scope' were to become a generic field for application
> > specific content, I believe an indicator for the type of content would
> > be needed in the long run. That is what I meant by 'profile'. I hope
> > this helps!
> >
> > Thank you,
> > Sascha
> >
> > Am Mo., 22. Apr. 2019 um 22:06 Uhr schrieb Torsten Lodderstedt
> > <torsten@lodderstedt.net>:
> >>
> >> Hi Sascha,
> >>
> >>> Am 22.04.2019 um 20:34 schrieb Sascha Preibisch <saschapreibisch@gmail.com>:
> >>>
> >>> Thank you for the article, Torsten!
> >>
> >> my pleasure :-)
> >>
> >>>
> >>> I like that 'scope' is out of the game for these kinds of authorizations.
> >>>
> >>> What I can see for the general use case is a required identifier
> >>> within the 'structured_scope' document that identifies the profile it
> >>> should be used for.
> >>
> >> What does profile mean in this context?
> >>
> >> best regards,
> >> Torsten.
> >>>
> >>> Thank you,
> >>> Sascha
> >>>
> >>> Am Sa., 20. Apr. 2019 um 11:21 Uhr schrieb Torsten Lodderstedt
> >>> <torsten@lodderstedt.net>:
> >>>>
> >>>> Hi all,
> >>>>
> >>>> I just published an article about the subject at: https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
> >>>>
> >>>> I look forward to getting your feedback.
> >>>>
> >>>> kind regards,
> >>>> Torsten.
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
>
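As an added example (not code from the thread or from any OAuth implementation): a small Python check an authorization server could run on the 'structured_scope' object before showing consent, treating the name of each element as the scheme selector as Torsten describes, and accepting both his flat 'payment + type' layout and the nested layout proposed further up. The SCHEMES table, its required-field sets and the sample values are assumptions drawn from the thread's examples; unknown schemes or types are rejected rather than passed through.

```python
import json

# Required members per (scheme, type), using the field names from the thread's
# examples. 'sign' carries no 'type' member, so its type is None. (Assumed table.)
SCHEMES = {
    ("sign", None): {"credentialID", "documentDigests", "hashAlgorithmOID"},
    ("payment", "sepa-credit-transfer"): {
        "instructedAmount", "debtorAccount", "creditorName", "creditorAccount"},
}

# Constructed sample in the nested layout from the thread (values from the thread).
SAMPLE = json.dumps({"structured_scope": {"payment": {"sepa-credit-transfer": {
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "debtorAccount": {"iban": "DE40100100103307118608"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
    "remittanceInformationUnstructured": "new Smartphone"}}}})


def normalize(scheme, body):
    """Map either layout from the thread to (scheme, type, fields)."""
    if "type" in body:  # flat layout: "payment": {"type": "sepa-credit-transfer", ...}
        return scheme, body["type"], {k: v for k, v in body.items() if k != "type"}
    if len(body) == 1:  # nested layout: "payment": {"sepa-credit-transfer": {...}}
        (typ, fields), = body.items()
        if isinstance(fields, dict) and (scheme, typ) in SCHEMES:
            return scheme, typ, fields
    return scheme, None, body  # untyped scheme such as "sign"


def validate_structured_scope(raw):
    """Return [(scheme, type), ...]; raise ValueError on unknown schemes/types
    or missing members instead of passing them on to the consent screen."""
    doc = json.loads(raw)
    scope = doc.get("structured_scope", doc)
    if not isinstance(scope, dict) or not scope:
        raise ValueError("structured_scope must be a non-empty object")
    result = []
    for scheme, body in scope.items():
        if not isinstance(body, dict):
            raise ValueError(f"{scheme}: element must be an object")
        scheme, typ, fields = normalize(scheme, body)
        required = SCHEMES.get((scheme, typ))
        if required is None:
            raise ValueError(f"unknown scheme/type: {scheme}/{typ}")
        missing = required - fields.keys()
        if missing:
            raise ValueError(f"{scheme}: missing {sorted(missing)}")
        result.append((scheme, typ))
    return result
```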