[OAUTH-WG] Dynamic Scopes

Torsten Lodderstedt Mon, 18 Jun 2018 08:35:40 -0700

Hi all,

I have been working lately on use cases where OAuth is used to authorize 
transactions in the financial sector and electronic signing. What I learned is 
there is always the need to pass resource ids (e.g. account numbers) or 
transaction-specific values (e.g. amount or hash to be signed) to the OAuth 
authorization process to further qualify the scope of the requested access 
token.


It is obvious a static scope value, such as „payment“or „sign“, won’t do the 
job. For example in case of electronic signing, one must bind the 
authorization/access token to a particular document, typically represented by 
its hash.

I would like to get your feedback on what you consider a good practice to cope 
with that challenge. As a starting point for a discussion, I have assembled a 
list of patterns I have seen in the wild (feel free to extend). 

(1) Parameter is part of the scope value, e.g. „sign:<hash_to_be_signed>“ or 
"payments:<payment_resource_id>" - I think this is an obvious way to represent 
such parameters in OAuth, as it extends the scope parameter, which is intended 
to represent the requested scope of an access token. I used this pattern in the 
OAuth SCA mode in Berlin Group's PSD API. 

(2) One could also use additional query parameter to add further details re the 
requested authorization, e.g. 

GET /authorize?
....
&scope=sign
....
&hash_to_be_signed=<hash_to_be_signed>

It seems to be robust (easier to implement?) but means the scope only 
represents the static part of the action. The AS needs to look into a further 
parameter to fully understand the requested authorization. 

(3) Open Banking UK utilizes the (OpenID Connect) „claims“ parameter to carry 
additional data. 

Example:  

"claims": {
    "id_token": {
        "acr": {
            "essential": true,
            "value": "..."
          },
        "hash_to_be_signed": {
            "essential": true,
            "value": "<hash_to_be_signed>"
        }
    },
    "userinfo": {
        "hash_to_be_signed": {
            "essential": true,
            "value": "<hash_to_be_signed>"
        }
    }
  }

I‘m looking forward for your feedback. Please also indicated whether you think 
we should flush out a BCP on that topic. 

kind regards,
Torsten.

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Dynamic Scopes

Reply via email to