+1 to adopting PAR. For RAR I have a number of questions myself with the approach and with some of the ramifications. I'm most concerned with the coupling of business-specific presentation, process validation and workflow within the AS, but also with the mixing of single transactional approval into access tokens that are normally meant for longer-lived, coarser client authorizations.
To stick with the primary payment example - there are payment cases which model well for single resource authorization, such as a PayPal-style transaction where the client is also the recipient of funds. For other types of transactions, I would worry this may become primarily an AS-executed action rather than a client authorization. Before the device flow and before CIBA, I'd probably try and make a case for not adopting it. The decoupling of the client from any user-agent that could ask for user authorization outside of OAuth has made an increase in scope (of scopes) a higher need - the current communication pipe between the client and user-agent is only defined in the scope of the actual OAuth grant processes.

-DW

> On Dec 16, 2019, at 9:26 AM, Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
>
> With respect to the Pushed Authorization Requests (PAR) draft the minutes do capture an individual comment that it's a "no brainer to adopt this work" but as I recall there was also a hum to gauge the room's interest in adoption, which was largely in favor of such. Of course, one hum in Singapore isn't the final word but, following from that, I was hoping/expecting to see a call for adoption go out to the mailing list?
>
> On Tue, Dec 3, 2019 at 1:26 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> Here are the meeting minutes from the Singapore IETF meeting:
>
> https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03
>
> Tony was our scribe. Thanks!
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
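The exchange the two drafts under discussion describe, as an added example that is not code from this thread, from the PAR or RAR drafts, or from any of their implementations: the client pushes its full authorization request, including a RAR `authorization_details` payment element, to the AS's pushed authorization request endpoint; the AS authenticates the client, validates the request, stores it and returns a short-lived, single-use `request_uri`; the browser redirect then carries only `client_id` and `request_uri`, so the transaction details never cross the front channel. Both sides run in one process here. The endpoint URLs, client credentials, lifetime and the payment payload are constructed for illustration and are assumptions, not values from the thread.

```python
"""Added example: in-process model of a PAR push carrying a RAR
authorization_details payment element (RFC 9126 / RFC 9396 style).
All identifiers, URLs and the payment payload below are constructed."""
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed sample data (assumptions, not values from the thread).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "constructed-secret"
REDIRECT_URI = "https://client.example.org/cb"
AS_AUTHZ_ENDPOINT = "https://as.example.com/authorize"
REQUEST_URI_LIFETIME = 60  # seconds; the request_uri is meant to be short-lived

# A single transaction expressed as RAR authorization_details (constructed).
PAYMENT_DETAILS = [{
    "type": "payment_initiation",
    "locations": ["https://bank.example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant A",
    "creditorAccount": {"iban": "DE02100100109307118603"},
}]


class PushedRequestStore:
    """Minimal AS-side PAR endpoint: authenticate client, validate, store."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> (secret, allowed redirect_uris)
        self.requests = {}       # request_uri -> (params, expiry)

    def push(self, client_id, client_secret, params):
        secret, redirects = self.clients.get(client_id, (None, ()))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return 401, {"error": "invalid_client"}
        # A pushed request must not itself reference another request_uri,
        # must name the authenticated client and a registered redirect_uri.
        if "request_uri" in params or params.get("client_id") != client_id:
            return 400, {"error": "invalid_request"}
        if params.get("redirect_uri") not in redirects:
            return 400, {"error": "invalid_request"}
        # RAR: authorization_details is a JSON array of objects with a type.
        try:
            details = json.loads(params.get("authorization_details", ""))
        except ValueError:
            return 400, {"error": "invalid_authorization_details"}
        if not isinstance(details, list) or not all(
                isinstance(d, dict) and "type" in d for d in details):
            return 400, {"error": "invalid_authorization_details"}
        # Opaque, unguessable reference in the URN form the PAR spec uses.
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
        self.requests[request_uri] = (dict(params), time.time() + REQUEST_URI_LIFETIME)
        return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def redeem(self, client_id, request_uri):
        """Authorization-endpoint side: single use, unexpired, same client."""
        entry = self.requests.pop(request_uri, None)
        if entry is None:
            return None
        params, expiry = entry
        if time.time() > expiry or params["client_id"] != client_id:
            return None
        return params


def client_push_and_redirect(store):
    """Client side: push the full request, then build the front-channel URL."""
    pushed = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "authorization_details": json.dumps(PAYMENT_DETAILS),
        "state": secrets.token_urlsafe(16),
    }
    status, body = store.push(CLIENT_ID, CLIENT_SECRET, pushed)
    if status != 201:
        raise RuntimeError(f"PAR failed: {body}")
    # Only the reference crosses the browser; the payment details do not.
    redirect = AS_AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": CLIENT_ID, "request_uri": body["request_uri"]})
    return redirect, body["request_uri"]


if __name__ == "__main__":
    store = PushedRequestStore({CLIENT_ID: (CLIENT_SECRET, (REDIRECT_URI,))})
    redirect, uri = client_push_and_redirect(store)
    print(redirect)
    print(store.redeem(CLIENT_ID, uri)["authorization_details"])
```

The `redeem` step is where the AS later picks the stored request up when the user arrives at the authorization endpoint; popping the entry makes the `request_uri` single-use, and the client_id check stops a different client from presenting a reference it did not push. The single-transaction `authorization_details` stays server-side from the push onward, which is exactly the data that would end up reflected in the resulting access token.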