Re: [Txauth] Call for WG name preferences

Dick Hardt <> Fri, 05 June 2020 19:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 48D153A0827 for <>; Fri, 5 Jun 2020 12:56:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_PDS_OTHER_BAD_TLD=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kYQo8s5MhqEG for <>; Fri, 5 Jun 2020 12:56:52 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2D4D93A0A6C for <>; Fri, 5 Jun 2020 12:56:40 -0700 (PDT)
Received: by with SMTP id n24so13174089lji.10 for <>; Fri, 05 Jun 2020 12:56:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=StmXLeX8L+JC91PXHW9PDbdZfLadbfM7kp/lrCHB7aE=; b=iIeVGvAuCmWnVAyAK9S60xaG5HQfS9Ir7Vum6TfdNSmr7E8j3ZWxq5JrqI4uOELFbT Fat2TALehEy/SpB6a56iTX2QhyxT4izrOVjS7I3HTIfEF0M8lYeO6vtVGwNGzBUpm9MP 55AnhN9MFlZVmzqj1OWBaIx2yaMQIvXWCIiQDYEi/2OrrEQZZbz1WA5TvyvL+Qs4ss8R WZS2uPQ9eCW+6wQfiecY83mZC7L3wmYAZDu1WBB3nEAsPuTQpOW9C3sonoVY/lhoZgtH OogcSl67oPb/p40vGeoPiBnRLlbyQNPV8fps/fzS5LVarUCnF6b72Pc3HsRo26jxDHLu TJuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=StmXLeX8L+JC91PXHW9PDbdZfLadbfM7kp/lrCHB7aE=; b=dwXc93OWlvPBbljzquw1TnF3HU175a1Ht/gGU5+qm0xGmTRL7VfkCu4V7BxJ4ow2x2 unrqqqPsVgvvE8hZrwF2cNBAzSMd6k55Sbo/aq8ilENJIVg6KWiQnFLYjRo7C66Jhdl2 YHbprcd0LLswhugHoShgt0wnX+C5ocO5M+zHsJucQMV8spmR0HOEX0pCGwxJBNac53Ci BgaElk8V8IeIaFTTgqf6c+UPgOd44MEXSKg0wnYyYR2BqWUabZSqtedSVrdvXPdJqeqS qJaqIYo3xR8UymwCGRqVYxHvTHhTzUOhrXZ3G68NAdVBRoAwmztJFt0J2qvYa/DNzHPV EUDA==
X-Gm-Message-State: AOAM5329XMtAfgeG3iS3rgdU67pCtISNZod+aARcH+/SD+IAcs4JB/Wc 353pDiTlzObGfOGo/CTH5xdb54iyh39KTkREBQc=
X-Google-Smtp-Source: ABdhPJxdWQOe2KuAwRItu4foKLHSogCMqZV1Qhs0aDJ1rsqVdEFulp6MBc+w/MOT/rDJgkTtzfn7TbvU8DMg8SlrVKw=
X-Received: by 2002:a2e:140a:: with SMTP id u10mr5563053ljd.56.1591386994383; Fri, 05 Jun 2020 12:56:34 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Fri, 5 Jun 2020 12:56:07 -0700
Message-ID: <>
To: Justin Richer <>
Cc: Mike Jones <>, Yaron Sheffer <>, "" <>
Content-Type: multipart/related; boundary="00000000000080768705a75ba82f"
Archived-At: <>
Subject: Re: [Txauth] Call for WG name preferences
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Jun 2020 19:56:54 -0000

Thanks for the response Justin, but you did not answer my questions. My
question was why was "intent lodging" selected.

I am also not sure what "the intent lodging pattern" is.

Additionally, you say, "we’ve got an opportunity to do a whole lot more
than that and to really question the model and capabilities that a
delegation protocol can bring."

This sounds nice, but is not specific. Would you share more on what you
think we should question, and what the opportunities are? Assume most of us
have not read or seen your talks on the topic.
[image: image.gif]

On Fri, Jun 5, 2020 at 12:48 PM Justin Richer <> wrote:

> PAR aligns itself with OAuth 2 terminology, as it should given it’s an
> OAuth 2 extension. And I’ll point out that it isn’t a “request” but an
> “authorization request” which is a specific item. The “request” variable
> name is actually from OIDC, where it is used as a means to protect
> information while it is in the front channel and not in an intent lodging
> pattern.
> For people who want just the intent lodging pattern in an OAuth 2
> compatible way, PAR is absolutely the way to go and I encourage people to
> do just that. If you do that, you can re-use client IDs and scopes and
> client secrets and everything else directly. So if, for example, you’re
> doing OIDC today and you want to get the benefits of the intent lodging
> pattern while changing the minimum amount of code, then you should be using
> PAR. It even allows you to package the entire incoming request to the PAR
> endpoint as a JWT, since it can use OIDC’s request objects as part of the
> incoming request.
> But it’s not ideal, because it’s grafted on to a system that wasn’t meant
> to have it. Having implemented it on several platforms now I can say that
> it’s a little odd to get right, as is the case with most OAuth 2 extensions
> that have to deal with its quirks and baggage. I bring this up because our
> proposed charter and working group goal aren't just to implement PAR with
> slightly prettier syntax; instead, we’ve got an opportunity to do a whole
> lot more than that and to really question the model and capabilities that a
> delegation protocol can bring. That’s why we aren’t just an offshoot of the
> OAuth WG in the first place. And because of that, this working group is
> going to need to be able to direct implementors and conversations in the
> appropriate direction (which is also part of our charter), and things like
> PAR key to that conversation in helping people find the right solution that
> fits their needs. Not everyone’s going to want or need what we’re building
> here, and we need to be OK with that.
> In my time working with XYZ over the last year and a half or so, I’ve had
> a number of people approach me to see if it’s a good fit for what they’re
> doing. In some cases, it really is, for a lot of the reasons that we
> outline as needs to address within the charter. In a bunch of cases,
> though, I’ve pointed people at PAR, RAR, DPoP, and related work because it
> makes more sense for many people to be more tightly aligned with the
> existing OAuth 2 ecosystem. But if you aren’t already tied to OAuth 2 or
> OIDC, it might not be worth the trouble. As a consultant I’m used to doing
> that kind of redirecting, but the unique niche this working group will
> occupy alongside OAuth means we’re going to need to do it as a community as
> well. Otherwise, we run the risk of new work being unnecessarily fettered
> to old ways, or of people not availing themselves of legacy solutions that
> would work better for them just because they think this work is the new
> shiny that they’re supposed to use instead. This is why the proposed
> charter says we aren’t building things that are necessarily compatible with
> OAuth 2 — they can and should be influenced by the ecosystem of OAuth 2,
> but it’s also our job to help the new protocol evolve beyond that.
>  — Justin
> On Jun 5, 2020, at 1:25 PM, Dick Hardt <> wrote:
> Thanks for posting Justin, speaking for myself, I
> appreciate the background as I had not seen the term "intent" be used.
> Can you share any history why "lodging intent" was the term selected vs
> other choices? Why not "request"? Overused?
> To me, an intent is an action ie. the client saying "I am going to do X",
> whereas a request is asking for something, the client saying "I would like
> X"
> Or is the idea the client saying "I intend to request X"?
> FWIW: I don't see the term "intent" used in PAR. It is a "request".
> On Fri, Jun 5, 2020 at 7:59 AM Justin Richer <> wrote:
>> Since there seems to be some confusion by a few people about the term
>> “Intent” and its inclusion here, I wanted to clarify that for people. There
>> is a protocol feature is variously known as “intent registration” or
>> “lodging intent”, where the party starting the process (the client) makes a
>> statement about what it wants to do and is then given the tools to complete
>> the next steps to do that. It’s a key feature of the pattern we’re looking
>> to codify in this group’s work.
>> The FAPI working group in the OIDF has done a lot of work around it, and
>> you see this style in a bunch of different financial APIs dating back
>> decades:
>> Torsten Lodderstedt has a great blog post that touches on it as well:
>> And it’s the basis behind OAuth 2.0’s Pushed Authorization Request (PAR)
>> extension that’s happening now:
>> To be clear, I’m not saying this is sufficient for it driving the name,
>> but I do think it’s important that people be familiar with this terminology
>> as its likely to come up again as the work progresses.
>>  — Justin
>> On Jun 4, 2020, at 7:25 PM, Mike Jones <
>>> wrote:
>> *Prefer:*
>>     * GNAP    Grant Negotiation and Authorization Protocol – The focus on
>> grants is correct.  And it’s a snappy name.
>>     * GranPro    GRAnt Negotiation Protocol – The focus on grants is
>> correct.  Pronounceable.
>>     * NIRAD    Negotiation of Intent Registration and Authority
>> Delegation – Cool sci-fi sounding name.
>>     * PAuthZ    Protocol for Authorization – Accurate description.
>>     * RefAuthZ    Refactored Authorization Protocol – Accurate
>> description.
>>     * ReAuthZ    Reimagined Authorization Protocol – Accurate description.
>>     * WRAC (Web Resource Authorization Collaboration) - Pronounced like
>> RACK – Cool name, with history going back to OAuth WRAP.
>>     * XAuthZ    eXtensible authoriZation protocol – Accurate description.
>> *Wouldn't object to:*
>>     * AAuthZ    Alternative Authorization Protocol (AAuthZ)
>>     * AZARP    AuthoriZed Access to Resources Protocol
>>     * AZARAP    AuthoriZation And Resource Access Protocol
>>     * BeBAuthZ    Back-end Based Authorization Protocol
>>     * DAZARAP    Delegated AuthoriZation And Resource Access Protocol
>>     * TINOA   This Is Not OAuth
>> *Object to:*
>>     * BYOAuthZ    Build-Your-Own Authorization Protocol – Too cheesy.
>>     * CPAAP    Comprehensive Privileged Authentication Authorization
>> Protocol – Too much like a medical device name.
>>     * DIYAuthZ    Do-It-Yourself Authorization Protocol – Too cute.
>>     * IDPAuthZ    Intent Driven Protocol for Authorization – IDP already
>> means something else.
>>     * TIAAP    Tokenized Identity and Access Protocol – I don’t know what
>> “tokenized” is referring to here.
>>     * TIDEAuth    Trust via Intent Driven Extension Auth – I don’t know
>> what “intent” is referring to here.
>>     * TIDYAuth    Trust via Intent Driven Yield Auth – I don’t know what
>> “intent” is referring to here.
>>     * TIEAuth    Trust via Intent Extension Auth – I don’t know what
>> “intent” is referring to here.
>>     * TXAuth    Testable eXtensible Authorization – I don’t know what
>> “testable” is referring to here.
>>     * TxAuth      Transmission of Authority – It’s delegation of
>> authority – not transfer of authority.
>>     * TXAuth      Truly eXtensible Authorization – Too cute.
>>                                                        -- Mike
>> --
>> Txauth mailing list
>> --
>> Txauth mailing list
> ᐧ