IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Justin Richer <jricher@mit.edu> Wed, 29 January 2020 10:23 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80963120825 for <txauth@ietfa.amsl.com>; Wed, 29 Jan 2020 02:23:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgVsu-FMMi-J for <txauth@ietfa.amsl.com>; Wed, 29 Jan 2020 02:23:01 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5A7B1207FB for <txauth@ietf.org>; Wed, 29 Jan 2020 02:23:01 -0800 (PST)
Received: from [10.38.98.116] ([83.219.75.72]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00TAMa60026046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 29 Jan 2020 05:22:51 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <A1164418-284D-4C28-B808-167E8B10CE49@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3E4CDC09-2637-4061-8D15-886F26F56515"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 29 Jan 2020 11:22:35 +0100
In-Reply-To: <CA+eFz_+wag1DQYsBE7_VUDEcZz1zFmazSHDa4msfw5cDV85rfg@mail.gmail.com>
Cc: "rdd@cert.org" <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>
To: Adrian Hope-Bailie <adrian@hopebailie.com>
References: <359EC4B99E040048A7131E0F4E113AFC0216F15F2E@marchand> <359EC4B99E040048A7131E0F4E113AFC0216F15F4E@marchand> <D9533FDA-1B20-4CC5-972D-B6C9F9219143@mit.edu> <CA+eFz_+wag1DQYsBE7_VUDEcZz1zFmazSHDa4msfw5cDV85rfg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MkZ_aa5-PgFCIz4xG1cPm6WWdl0>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 10:23:04 -0000


> On Jan 29, 2020, at 10:40 AM, Adrian Hope-Bailie <adrian@hopebailie.com> wrote:
> 
> 
> 
> > ** what new use cases would TxAuth address (that aren't in scope for OAuth)?
> 
> Identity is a big one, which is what OIDC currently layers on top of OAuth 2. We’d also be looking at user-to-user delegation (the UMA and CIBA use cases). We’re also looking at cases that involve non-web interaction with users (like the DID/VC work, or app-to-app communication on devices). All of these are listed in the proposed text, do they need to be called out as being beyond OAuth 2?
> 
> We are most interested in payments use cases. Specifically we find the use of OAuth 2.0 for delegated access to financial accounts very limited, forcing us into using things like the "Lodging Intents Pattern". I think Torsten has made the point well in his blogs on the topic (https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948 <https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948>).
> 
> I believe this can be broadened to include any use case where the authorization flow involves the user/RO giving consent to a client to perform a specific transaction (as opposed to simply get access to a resource or API) and the need for the AS to have the details of this prior to authorization so the details can be properly presented to the user.
>  


Exactly — because OAuth forces this information to go through the browser to get to the authorization page, it’s a bad fit for this type of use where you’re putting potentially sensitive information as inputs to the decision (which account to choose, for instance) that you don’t want leaked through the browser. 

TxAuth is based on the lodging intent pattern from the start. PAR does a great job of back porting this functionality to OAuth 2, but there are limitations and awkwardness to this approach that TxAuth can avoid.


 — Justin

v2.23.0 | Report a Bug | By Email