Hi William,
The draft states:
The goal of incremental authorization is to enhance end-user privacy
by allowing clients to request only the authorization scopes needed
in the context of a particular user action, rather than asking for
ever possible scope upfront.
Removing the requirement to request every possible scope that might be
needed upfront would indeed be a nice feature.
Authorization scopes will thus be used in the context of a particular
action. Servers should determine whether the authorization scope
matches with a particular action. However, the principle of minimum
attributes should be used: only the authorization scope needed
to perform the particular action should be requested and then sent. In
other words, authorization scopes should not be incremental.
A diagram of the exchanges should be added.
One of the approaches would be to allow the client to send an action
(without sufficient authorization), so that the server can reply
by indicating the authorization scope needed for that particular action
(if the current authorization scope is insufficient). Sending that
authorization scope in the next exchange would then allow to get an
appropriate response from the server.
This means that the reply from the server to indicate the authorization
scope needed for that particular action should also be normalized.
I would think that the wording 'user action authorization' should be
used instead of 'incremental authorization'.
The next draft should better be named:
draft-ietf-oauth-user-action-authz-00.
Denis
Hi William,
I think it would make sense to add AS metadata fields, which the AS can use to
advertise support for include_granted_scopes and existing_grant.
kind regards,
Torsten.
Am 17.07.2018 um 19:33 schrieb William Denniss <wdenn...@google.com>:
Hi Torsten,
On Tue, Jul 17, 2018 at 7:57 AM, Torsten Lodderstedt <tors...@lodderstedt.net>
wrote:
Hi William,
please find below my review feedback.
First of all, I think you managed to come up with the minimal extension needed
to address a very relevant use case. Thanks!
Glad you like it! Thanks for reviewing.
- Section 5, last paragraph.
"the new refresh token issued in the Access Token Response (Section 4.1.4 of )
SHOULD include authorization for the scopes in the previous grant.“
Wouldn’t it be better to make that a MUST? Otherwise the client must assume the
AS decides to not include all previously granted scopes, which in turn means
the client must keep older grants (and hope the AS dd not automatically revolve
it).
I was torn about this. From a protocol perspective you're not implementing the
protocol if you don't do that, so it should be a MUST. However, we need to be
careful that we defer to the provider when it comes to what authorization is
included as this is always their discretion. I'll think of a better way to
word this so that it can be a MUST while still not limiting the provider's
discretion.
- Section 6.1.1
The section describes how a client should handle denial for incremental
authorizations. How is the AS supposed to handle it? From the text one could
deduce the AS should not discard any pre-existing granted scopes. Is that
correct? Would it make sense to explicitly state that?
Good point. That section is mostly talking about the client, I'll add a section
for the server. I agree, the normal behavior would not be to revoke previously
granted scopes (which is how Google implements it).
Best,
William
Am 28.06.2018 um 22:14 schrieb internet-dra...@ietf.org:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Incremental Authorization
Author : William Denniss
Filename : draft-ietf-oauth-incremental-authz-00.txt
Pages : 8
Date : 2018-06-28
Abstract:
OAuth 2.0 authorization requests that include every scope the client
might ever need can result in over-scoped authorization and a sub-
optimal end-user consent experience. This specification enhances the
OAuth 2.0 authorization protocol by adding incremental authorization,
the ability to request specific authorization scopes as needed, when
they're needed, removing the requirement to request every possible
scope that might be needed upfront.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-incremental-authz/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-00
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-incremental-authz-00
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
