Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Thanks for sharing this recommendation! > On 21.04.2019 at 22:41, Vladimir Dzhuvinov wrote: > > The proposed structured_scope fits nicely into the JSON object format of > the request object. > > At present for similar cases we recommend developers to encode the scope > value into a URI with

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Hi Sascha, > On 22.04.2019 at 20:34, Sascha Preibisch wrote: > > Thank you for the article, Torsten! my pleasure :-) > > I like that 'scope' is out of the game for these kinds of authorizations. > > What I can see for the general use case is a required identifier > within the

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Does UMA use the standard scope parameter? > On 22.04.2019 at 21:03, George Fletcher wrote: > > Speaking just to the UMA side of things... > > ...it's possible in UMA 2 for the client to request additional scopes when > interacting with the token endpoint specifically to address cases where

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
I think this knowledge by clients of the ecosystem is something that a transactional authorization could avoid. Both UMA and ACE have solutions that make clients really dumb about what they need to send to the AS in regards to scopes. IMO, the RS should have the possibility to tell clients the

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread George Fletcher
Speaking just to the UMA side of things... it's possible in UMA 2 for the client to request additional scopes when interacting with the token endpoint specifically to address cases where the client knows it's going to make the following requests and wants to obtain a token with sufficient

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Sascha Preibisch
Thank you for the article, Torsten! I like that 'scope' is out of the game for these kinds of authorizations. What I can see for the general use case is a required identifier within the 'structured_scope' document that identifies the profile it should be used for. Thank you, Sascha Am Sa., 20.

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
> On 22.04.2019 at 19:54, Pedro Igor Silva wrote: > > Sorry. I mean, UMA provides much more than this 1st party authorization flow > I'm talking about got it ;-) > >> On Mon, Apr 22, 2019 at 2:51 PM Pedro Igor Silva wrote: >> >> >>> On Mon, Apr 22, 2019 at 2:18 PM Torsten

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
Sorry. I mean, UMA provides much more than this 1st party authorization flow I'm talking about On Mon, Apr 22, 2019 at 2:51 PM Pedro Igor Silva wrote: > > > On Mon, Apr 22, 2019 at 2:18 PM Torsten Lodderstedt < > tors...@lodderstedt.net> wrote: > >> Hi Pedro, >> >> > >> > > The general

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
On Mon, Apr 22, 2019 at 2:18 PM Torsten Lodderstedt wrote: > Hi Pedro, > > > > > > The general idea is to empower RSs so that they can communicate to the > AS how access to their resources should be granted as well as decoupling > clients and RSs so that clients don't need to know the

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Hi Jim, thanks for pointing this out. Basically, what I’m proposing is not a new language for describing authorization policies. It’s more like the container to carry the data needed to inform the user about the intention of the client to the authorisation server. This container may contain

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Hi Pedro, > > > The general idea is to empower RSs so that they can communicate to the AS > > how access to their resources should be granted as well as decoupling > > clients and RSs so that clients don't need to know the constraints imposed > > by the RS to their protected resources (e.g.

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
On Mon, Apr 22, 2019 at 1:33 PM Torsten Lodderstedt wrote: > Hi Pedro, > > > On 22. Apr 2019, at 16:34, Pedro Igor Silva wrote: > > > > Hi Torsten, > > > > Great article, thanks for sharing it. > > my pleasure :-) > > > > > We have been working on a solution for fine-grained authorization using

[OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-00.txt

2019-04-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens Author : Vittorio Bertocci

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
Yeah, I did. XACML is a good standard, even better after v3. We do have options to leverage XACML policy language model to write policies, but protocol-wise, something on top of OAuth, would be very nice. As an authorization framework, fine-grained/contextual authorization seems to be a natural

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Torsten Lodderstedt
Hi Pedro, > On 22. Apr 2019, at 16:34, Pedro Igor Silva wrote: > > Hi Torsten, > > Great article, thanks for sharing it. my pleasure :-) > > We have been working on a solution for fine-grained authorization using > OAuth2 but specific for first-party applications where the granted >

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-jwt-introspection-response-02

2019-04-22 Thread Rifaat Shekh-Yusef
All, We have not received any comment during this WGLC, so we assume that WG agrees with moving this forward. Regards, Rifaat On Mon, Apr 8, 2019 at 2:05 PM Rifaat Shekh-Yusef wrote: > All, > > As discussed during the meeting in Prague, we are starting a WGLC on the *JWT > Response for OAuth

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Thomas Broyer
And the root issue is that it *is* subject to interpretation. Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Pedro Igor Silva
Hi Torsten, Great article, thanks for sharing it. We have been working on a solution for fine-grained authorization using OAuth2 but specific for first-party applications where the granted permissions/scopes depend on the policies associated with the resources/scopes a client is trying to

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Brian Campbell
FWIW, the second paragraph of resource indicators, section 2.1 says to use a JSON array via the following text: For authorization requests sent as a JWTs, such as when using JWT Secured Authorization Request

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-04-22 Thread Steinar Noem
Hi Torsten, thank you for writing this clarifying article :) In the health sector in Norway we are facing similar challenges regarding the need for contextual information. At the time, our planned solution is to package this information as custom claims in request objects - e.g.:

[OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Vladimir Dzhuvinov
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17#section-4 How should multi-valued request params be expressed in the JWT claims set? As values in a JSON array? { "iss": "s6BhdRkqt3", "aud": "https://server.example.com", "response_type": "code id_token",