Re: [Txauth] A model with a User Consent Element (with a clean figure)

Denis <denis.ietf@free.fr> Thu, 09 July 2020 12:34 UTC

To: txauth@ietf.org
References: <f7cdae74-ac8d-2069-db53-d4f8623c43de@free.fr> <ead88d07-83a6-07f7-4d78-0ee35f599d98@free.fr> <205c8bb2-516c-64a1-fe2a-8a2eac282dc3@danielfett.de>
From: Denis <denis.ietf@free.fr>
Message-ID: <0f907e0c-1938-0e3d-0126-38a945ce0b9c@free.fr>
Date: Thu, 9 Jul 2020 14:34:10 +0200
In-Reply-To: <205c8bb2-516c-64a1-fe2a-8a2eac282dc3@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/5eq9ygh6cIJfw87g0PTSbPdwzTU>
Subject: Re: [Txauth] A model with a User Consent Element (with a clean figure)

Hi Daniel,

The response is pretty obvious. The user must have an account with the 
AS, e.g. logging in using FIDO.

Denis

> Am 09.07.20 um 12:26 schrieb Denis:
>>
>> The user can see which attributes are requested by the RS for 
>> performing the requested operation and, if it consents, the Client 
>> contacts one or more
>> appropriate Authorization Servers (2a). The user consent is hence 
>> captured locally by the Client (i.e. there is no dialogue with any AS 
>> nor any RS).
>>
> What prevents a non-compliant client from retrieving data about (or 
> access tokens for) arbitrary users from arbitrary authorization servers?
>
> -Daniel
>
>
> -- 
> https://danielfett.de
>
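The point at issue in this exchange is that consent "captured locally by the Client" is only a claim the client makes, so the AS has to check something the client cannot fabricate: a credential the AS itself registered for the user's account. The following is an added example, not code from the thread, from GNAP or from any FIDO library. It models the AS's account as a registered Ed25519 public key and the user's FIDO authenticator as the holder of the matching private key; a real WebAuthn assertion also binds the RP ID, a signature counter and client data, none of which is modelled. All names (`AS`, `Authenticator`, `TokenRequest`, `RunScenario`) are hypothetical, and the AS only issues a token when the registered authenticator has signed a fresh challenge that the AS issued for that user.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AS is a hypothetical, heavily simplified authorization server. The user's
// "account with the AS" is an Ed25519 public key registered at enrolment,
// standing in for a FIDO credential.
type AS struct {
	accounts   map[string]ed25519.PublicKey // user -> registered authenticator key
	challenges map[string]string            // outstanding challenge -> user it was issued to
}

func NewAS() *AS {
	return &AS{accounts: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

// Register is the enrolment step: the AS records which authenticator belongs to which account.
func (as *AS) Register(user string, pub ed25519.PublicKey) { as.accounts[user] = pub }

// Challenge issues a fresh, single-use nonce for a user the AS already knows.
func (as *AS) Challenge(user string) (string, error) {
	if _, ok := as.accounts[user]; !ok {
		return "", errors.New("unknown account")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	as.challenges[c] = user
	return c, nil
}

// TokenRequest is what a client sends. ClientSaysConsented models consent
// "captured locally by the Client"; the AS deliberately ignores it when
// deciding whose credentials are being exercised.
type TokenRequest struct {
	User                string
	Scope               string
	Challenge           string
	Assertion           []byte // authenticator signature over the challenge
	ClientSaysConsented bool
}

func assertionMessage(user, challenge string) []byte {
	return []byte("login:" + user + ":" + challenge)
}

// IssueToken releases a token only when the registered authenticator of the
// named user has signed a challenge that this AS issued for that user.
func (as *AS) IssueToken(req TokenRequest) (string, error) {
	pub, ok := as.accounts[req.User]
	if !ok {
		return "", errors.New("unknown account")
	}
	if as.challenges[req.Challenge] != req.User {
		return "", errors.New("no outstanding challenge for this user")
	}
	delete(as.challenges, req.Challenge) // single use: a captured assertion cannot be replayed
	if !ed25519.Verify(pub, assertionMessage(req.User, req.Challenge), req.Assertion) {
		return "", errors.New("assertion does not verify against the registered key")
	}
	return fmt.Sprintf("token(user=%s,scope=%s)", req.User, req.Scope), nil
}

// Authenticator stands in for the user's FIDO device; only the user holds it.
type Authenticator struct{ priv ed25519.PrivateKey }

func (a Authenticator) Sign(user, challenge string) []byte {
	return ed25519.Sign(a.priv, assertionMessage(user, challenge))
}

// RunScenario plays several clients against one AS (constructed sample data) and
// returns the outcome of each token request by scenario name; nil means a token was issued.
func RunScenario() map[string]error {
	as := NewAS()
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	as.Register("alice", alicePub)
	alice := Authenticator{alicePriv}
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // a key the rogue client controls
	out := map[string]error{}

	// 1. Compliant client: alice logs in at the AS with her own authenticator.
	c, _ := as.Challenge("alice")
	_, out["compliant"] = as.IssueToken(TokenRequest{User: "alice", Scope: "read",
		Challenge: c, Assertion: alice.Sign("alice", c), ClientSaysConsented: true})
	// 2. Non-compliant client asserts that alice consented but never involved her authenticator.
	c2, _ := as.Challenge("alice")
	_, out["consent-only"] = as.IssueToken(TokenRequest{User: "alice", Scope: "read",
		Challenge: c2, ClientSaysConsented: true})
	// 3. Non-compliant client signs the assertion with a key the AS never registered for alice.
	c3, _ := as.Challenge("alice")
	_, out["forged"] = as.IssueToken(TokenRequest{User: "alice", Scope: "read",
		Challenge: c3, Assertion: Authenticator{roguePriv}.Sign("alice", c3)})
	// 4. Replay of the genuine assertion from step 1 after its challenge was consumed.
	_, out["replay"] = as.IssueToken(TokenRequest{User: "alice", Scope: "read",
		Challenge: c, Assertion: alice.Sign("alice", c)})
	return out
}

func main() {
	for name, err := range RunScenario() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

Only the first request succeeds. The rogue client can address any user it likes and claim whatever consent it likes, but without the authenticator the AS enrolled for that user it obtains neither an assertion nor a token, and the single-use challenge stops it from reusing an assertion it may have observed earlier.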