On Wed, May 27, 2020 at 07:20:29PM +0200, Denis wrote: > As indicated in the abstract: > > "This document introduces the ability to send request parameters in > a JSON Web Token (JWT) instead, > which allows the request to be signed with JSON Web Signature (JWS)". > > This approach has a major consequence which is not indicated in the > "Privacy Considerations section: > the AS will have the knowledge of these request parameters such as > "please let me make a payment with the amount of 45 Euros" > or "please give me read access to folder A and write access to file X". > > Such an approach has privacy issues which are currently not documented > in the Privacy Considerations section. > > The AS would be in a position to know, not only which resources servers > are going to be accessed, but also what kind of operations > are going to be performed by its clients on the resource servers. With > such an approach, ASs will have a deep knowledge of every > operation that can be performed by a user on every RS. > > As a consequence, the AS would also be in a position to trace the > actions performed by its users on the resources servers. > > Other approaches that are more "privacy friendly" should be considered > to address the initial problem.
Do you have the start of a list of such other approaches to seed the discussion? There seemms to be some inherent tension between the authorization server knowing what it is authorizing and the privacy properties you are advocating... Thanks, Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
