As indicated in the abstract:
"This document introduces the ability to send request parameters in
a JSON Web Token (JWT) instead,
which allows the request to be signed with JSON Web Signature (JWS)".
This approach has a major consequence which is not indicated in the
"Privacy Considerations section:
the AS will have the knowledge of these request parameters such as
"please let me make a payment with the amount of 45 Euros"
or "please give me read access to folder A and write access to file X".
Such an approach has privacy issues which are currently not documented
in the Privacy Considerations section.
The AS would be in a position to know, not only which resources servers
are going to be accessed, but also what kind of operations
are going to be performed by its clients on the resource servers. With
such an approach, ASs will have a deep knowledge of every
operation that can be performed by a user on every RS.
As a consequence, the AS would also be in a position to trace the
actions performed by its users on the resources servers.
Other approaches that are more "privacy friendly" should be considered
to address the initial problem.
Denis
PS. This email closely relates to the previous email sent on the WG
mailing list with the following topic:
Comments on OAuth 2.0 Rich Authorization Requests
(draft-ietf-oauth-rar-01)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
