Hi Janak, thanks for your feedback.
> On 22. Sep 2019, at 09:45, Janak Amarasena <janakama...@gmail.com> wrote:
>
> Hi,
>
> Since the "authorization_details" parameter is newly introduced I feel it
> would be better to show how this is used with the existing authorization
> request at the beginning of the specification. Maybe a small sample of the
> complete authorization request in the "introduction" section.

Sounds reasonable, I put it on the list for the next revision.

>
> Also, in the "Security Considerations" section it says
> Authorization details are sent through the user agent in case of an
> OAuth authorization request, which makes them vulnerable to
> modifications by the user.
>
> Do we really need to worry that the "authorization_details" could be
> manipulated by the user (Resource Owner) as the client is trying to access the
> users' resources which the user is giving consent to? Also, the resulting
> token will contain the given permissions as well.

I understand. I think the more general case of modifying the Authorization Request content, e.g. PKCE challenge, and swapping such parameters between different devices is the important attack vector. I will improve the text.

best regards,
Torsten.

>
> Best Regards,
> Janak Amarasena
>
> On Sat, Sep 21, 2019 at 11:21 PM Torsten Lodderstedt
> <tors...@lodderstedt.net> wrote:
> Hi all,
>
> I just published a draft about “OAuth 2.0 Rich Authorization Requests”
> (formerly known as “structured scopes”).
>
> https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>
> It specifies a new parameter “authorization_details" that is used to carry
> fine grained authorization data in the OAuth authorization request. This
> mechanism was designed based on experiences gathered in the field of open
> banking, e.g. PSD2, and is intended to make the implementation of rich and
> transaction oriented authorization requests much easier than with current
> OAuth 2.0.
>
> I’m happy that Justin Richer and Brian Campbell joined me as authors of this
> draft.
> We would like to thank Daniel Fett, Sebastian Ebling, Dave
> Tonge, Mike Jones, Nat Sakimura, and Rob Otto for their valuable feedback
> during the preparation of this draft.
>
> We look forward to getting your feedback.
>
> kind regards,
> Torsten.
>
>> Begin forwarded message:
>>
>> From: internet-dra...@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-rar-02.txt
>> Date: 21. September 2019 at 16:10:48 CEST
>> To: "Justin Richer" <i...@justin.richer.org>, "Torsten Lodderstedt"
>> <tors...@lodderstedt.net>, "Brian Campbell" <bcampb...@pingidentity.com>
>>
>>
>> A new version of I-D, draft-lodderstedt-oauth-rar-02.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name: draft-lodderstedt-oauth-rar
>> Revision: 02
>> Title: OAuth 2.0 Rich Authorization Requests
>> Document date: 2019-09-20
>> Group: Individual Submission
>> Pages: 16
>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-rar-02.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-rar-02
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-rar
>> Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-rar-02
>>
>> Abstract:
>> This document specifies a new parameter "authorization_details" that
>> is used to carry fine grained authorization data in the OAuth
>> authorization request.
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
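The sample Janak asks for, and the point Torsten raises about front-channel parameters being modifiable, as an added example that is not part of the thread or of the draft: a complete authorization request carrying "authorization_details" together with a PKCE challenge, and a minimal authorization server that binds the issued code to the details the resource owner actually consented to and to the PKCE challenge. It assumes, per draft-lodderstedt-oauth-rar-02, that "authorization_details" is a JSON array of objects each carrying a "type" member, sent URL-encoded as one query parameter; the endpoint URLs, client_id, the payment details and the AuthorizationServer class are constructed for illustration and are not from the draft.

```python
# Added example, not code from the draft or anyone on the thread. Assumes (per
# draft-lodderstedt-oauth-rar-02) that authorization_details is a JSON array of
# typed objects, URL-encoded as one query parameter. Endpoints, client_id and
# the payment details below are constructed for illustration.
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample request content, modelled on the draft's payment example.
SAMPLE_DETAILS = [{
    "type": "payment_initiation",
    "actions": ["initiate", "status", "cancel"],
    "locations": ["https://example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
}]


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes give 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(endpoint, client_id, redirect_uri, details,
                                code_challenge, state) -> str:
    """Client side: the complete front-channel request; authorization_details is
    compact JSON, URL-encoded like every other parameter."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }
    return f"{endpoint}?{urlencode(query)}"


def parse_authorization_request(url: str) -> dict:
    """AS side: everything here came through the user agent and is untrusted."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    details = json.loads(params["authorization_details"])
    if not isinstance(details, list) or not all(
            isinstance(d, dict) and "type" in d for d in details):
        raise ValueError("authorization_details must be a JSON array of typed objects")
    params["authorization_details"] = details
    return params


class AuthorizationServer:
    """In-memory AS: a code is bound to client, redirect_uri, PKCE challenge and
    the details the resource owner consented to on the consent screen."""

    def __init__(self):
        self._codes = {}

    def authorize(self, params: dict, consented_details: list) -> str:
        """Called after consent; the token carries consented_details, nothing else."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": params["client_id"],
                             "redirect_uri": params["redirect_uri"],
                             "code_challenge": params["code_challenge"],
                             "authorization_details": consented_details}
        return code

    def token(self, code, client_id, redirect_uri, code_verifier) -> dict:
        record = self._codes.pop(code, None)  # codes are single use
        if record is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if (record["client_id"], record["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant: code bound to another client")
        # A code_challenge swapped in transit, or a code taken from a request that
        # started on another device, leaves the honest client's verifier unmatched.
        if code_challenge_s256(code_verifier) != record["code_challenge"]:
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "authorization_details": record["authorization_details"]}


def demo() -> dict:
    verifier = make_code_verifier()
    url = build_authorization_request("https://as.example.com/authorize", "client-123",
                                      "https://client.example.com/cb", SAMPLE_DETAILS,
                                      code_challenge_s256(verifier), state="xyz")
    request = parse_authorization_request(url)
    server = AuthorizationServer()
    code = server.authorize(request, request["authorization_details"])
    return server.token(code, "client-123", "https://client.example.com/cb", verifier)
```

Run `demo()` to see the full round trip. The design point is in `authorize` and `token`: the authorization server keeps its own record of what was shown to and approved by the user and copies that into the token, so a user-agent-side edit of "authorization_details" can at most change what the user is asked to approve; the PKCE check ties the code to the verifier held by the client that started the request, which is what defeats a challenge swapped in transit or a code carried over from a request started on another device.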