[OAUTH-WG] RAR - Client Credentials and Authorization Details

2020-05-14 Thread Matthew De Haast 
RFC6749 allows scopes to be presented at the token endpoint for cases like
client credentials grants.

It's not clear how this could be achieved with the current RAR spec though
when a Client using Client Credentials wants to request fine grained access
using authorization_details. Or should this even be possible?

Matt
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] IETF 107 Virtual OAuth Sessions

2020-03-30 Thread Matthew De Haast 
That sound good Rifaat.

Matt

On Fri, Mar 27, 2020 at 5:59 PM Rifaat Shekh-Yusef 
wrote:

> This will have no impact on the adoption of the DPoP document.
>
> Regards,
>  Rifaat
>
>
> On Fri, Mar 27, 2020 at 11:22 AM Torsten Lodderstedt  40lodderstedt@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> assuming WG adoption of DPoP does not depend on the virtual interim, I’m
>> fine with the proposal.
>>
>> best regards,
>> Torsten.
>>
>> > On 26. Mar 2020, at 21:03, Hannes Tschofenig 
>> wrote:
>> >
>> > Hi all,
>> >
>> > Rifaat and I had a chat about the virtual interim meetings.
>> > We decided to schedule 6 one-hour-long sessions with 2 topics per
>> session.
>> >
>> > Here is the list of topics we want to discuss:
>> >
>> > 1) OAuth Security Topics + Browser-Based Apps
>> >
>> > 2) JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens + Nested JWT
>> >
>> > 3) PAR + RAR
>> >
>> > 4) OAuth 2.1 + JWT Response for OAuth Token Introspection
>> >
>> > 5) DPoP + OAuth 2.0 Incremental Authorization
>> >
>> > 6) Client Intermediary Metadata + Reciprocal OAuth
>> >
>> > We were thinking about using our Monday, 12:00 EDT, office hour
>> timeslot.
>> > Proposed starting date is April 6th.
>> >
>> > Would this be acceptable?
>> >
>> > Ciao
>> > Hannes & Rifaat
>> > IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> ___
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Corona Virus and Vancouver

2020-03-10 Thread Matthew De Haast 
>
> For me, at the current point in time, it depends on whether a significant
> portion of the working group is attending in-person.


That is my sentiment as well. Also do we have any idea on the likelihood of
it being cancelled outright?

Matt


On Tue, Mar 10, 2020 at 6:37 AM n-sakimura  wrote:

> I probably will not be there in person unless the situation improves
> dramatically
>
> iPhoneから送信
>
> 2020/03/10 10:09、Sascha Preibisch のメール:
>
> 
> I will be there if it is not getting worse. But in any case I am in
> Vancouver.
>
> Regards,
> Sascha
>
> On Mon., Mar. 9, 2020, 11:35 Daniel Fett,  wrote:
>
>> Hi all,
>>
>> can we do a quick roll call on who is coming or not coming to Vancouver?
>>
>> For me, at the current point in time, it depends on whether a significant
>> portion of the working group is attending in-person.
>>
>> -Daniel
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.1: dropping password grant

2020-02-21 Thread Matthew De Haast 
>
> I have a feeling that if we had more concise JWT libraries and command
> line tools, where using the JWT Bearer grant became a one-liner again then
> we wouldn’t be having this conversation. So perhaps removing it is an
> incentive to make that happen.
>

Neil could you elaborate more on this please. What failures are you
currently experiencing/seeing with the JWT Bearer grant?

Matt

On Thu, Feb 20, 2020 at 12:42 AM Neil Madden 
wrote:

> I have a feeling that if we had more concise JWT libraries and command
> line tools, where using the JWT Bearer grant became a one-liner again then
> we wouldn’t be having this conversation. So perhaps removing it is an
> incentive to make that happen.
>
>
> > On 19 Feb 2020, at 22:01, Dick Hardt  wrote:
> >
> > Neil: are you advocating that password grant be preserved in 2.1? Or do
> you think that service account developers know enough about what they are
> doing to follow what is in 6749?
> > ᐧ
> >
> > On Wed, Feb 19, 2020 at 1:52 PM Neil Madden 
> wrote:
> > OAuth2 clients are often private to the AS - they live in a database
> that only the AS can access, have attributes specific to their use in
> OAuth2, and so on. Many existing systems have access controls based on
> users, roles, permissions and so on and expect all users accessing the
> system to exist in some user repository, e.g. LDAP, where they can be
> looked up and appropriate permissions determined. A service account can be
> created inside such a system as if it was a regular user, managed through
> the normal account provisioning tools, assigned permissions, roles, etc.
> >
> > Another reason is that sometimes OAuth is just one authentication option
> out of many, and so permissions assigned to service accounts are preferred
> over scopes because they are consistently applied no matter how a request
> is authenticated. This is often the case when OAuth has been retrofitted to
> an existing system and they need to preserve compatibility with already
> deployed clients.
> >
> > See e.g. Google cloud platform (GCP):
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount
> > They use the JWT bearer grant type for service account authentication
> and assign permissions to those service accounts and typically have very
> broad scopes. For service-to-service API calls you typically get an access
> token with a single scope that is effectively “all of GCP” and everything
> is managed at the level of permissions on the RO service account itself.
> They only break down fine-grained scopes when you are dealing with user
> data and will be getting an access token approved by a real user (through a
> normal auth code flow).
> >
> > — Neil
> >
> > > On 19 Feb 2020, at 21:35, Torsten Lodderstedt 
> wrote:
> > >
> > > Can you explain more in detail why the client credentials grant type
> isn’t applicable for the kind of use cases you mentioned?
> > >
> > >> Am 19.02.2020 um 22:03 schrieb Neil Madden  >:
> > >>
> > >> I very much agree with this with regards to real users.
> > >>
> > >> The one legitimate use-case for ROPC I’ve seen is for service
> accounts - where you essentially want something like client_credentials but
> for whatever reason you need the RO to be a service user rather than an
> OAuth2 client (typically so that some lower layer of the system can still
> perform its required permission checks).
> > >>
> > >> There are better grant types for this - e.g. JWT bearer - but they
> are a bit harder to implement. Having recently converted some code from
> ROPC to JWT bearer for exactly this use-case, it went from a couple of
> lines of code to two screens of code. For service to service API calls
> within a datacenter I’m not convinced this resulted in a material increase
> in security for the added complexity.
> > >>
> > >> — Neil
> > >>
> > >>> On 18 Feb 2020, at 21:57, Hans Zandbelt 
> wrote:
> > >>>
> > >>> I would also seriously look at the original motivation behind ROPC:
> I know it has been deployed and is used in quite a lot of places but I have
> never actually come across a use case where it is used for migration
> purposes and the migration is actually executed (I know that is
> statistically not a very strong argument but I challenge others to come up
> with one...)
> > >>> In reality it turned out just to be a one off that people used as an
> easy way out to stick to an anti-pattern and still claim to do OAuth 2.0.
> It is plain wrong, it is not OAuth and we need to get rid of it.
> > >>>
> > >>> Hans.
> > >>>
> > >>> On Tue, Feb 18, 2020 at 10:44 PM Aaron Parecki 
> wrote:
> > >>> Agreed. Plus, the Security BCP is already effectively acting as a
> grace period since it currently says the password grant MUST NOT be used,
> so in the OAuth 2.0 world that's already a pretty strong signal.
> > >>>
> > >>> Aaron
> > >>>
> > >>>
> > >>>
> > >>> On Tue, Feb 18, 2020 at 4:16 PM Justin Richer 
> wrote:
> > >>> There is no need for a grace period. People using OAuth 2.0 can
>

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-13 Thread Matthew De Haast 
+1 for adoption

Matt

On Mon, Jan 6, 2020 at 9:38 PM Rifaat Shekh-Yusef 
wrote:

> All,
>
> This is a call for adoption for the *OAuth 2.0 Rich Authorization
> Requests* document.
> https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
>
> Please, let us know if you support or object to the adoption of this
> document as a working group document by Jan 20th.
>
> Regards,
>  Rifaat & Hannes
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth