> the AS will have the knowledge of these request parameters such as "please let me make a payment with the amount of 45 Euros" or "please give me read access to folder A and write access to file X"

Typically in OAuth it's the authorization server's job to inform users and protect access to their resources. Obviously in order to do that the AS must know about the details of the request. Can you please clarify the scenario in which you would want the AS to have no information about the request that it's authorizing?

Aaron Parecki

On Wed, May 27, 2020 at 10:20 AM Denis <denis.i...@free.fr> wrote:
> As indicated in the abstract:
>
> "This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS)".
>
> This approach has a major consequence which is not indicated in the Privacy Considerations section: the AS will have the knowledge of these request parameters such as "please let me make a payment with the amount of 45 Euros" or "please give me read access to folder A and write access to file X".
>
> Such an approach has privacy issues which are currently not documented in the Privacy Considerations section.
>
> The AS would be in a position to know, not only which resource servers are going to be accessed, but also what kind of operations are going to be performed by its clients on the resource servers. With such an approach, ASs will have a deep knowledge of every operation that can be performed by a user on every RS.
>
> As a consequence, the AS would also be in a position to trace the actions performed by its users on the resource servers.
>
> Other approaches that are more "privacy friendly" should be considered to address the initial problem.
>
> Denis
>
> PS. This email closely relates to the previous email sent on the WG mailing list with the following topic:
> Comments on OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-01)
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
---
Aaron Parecki
https://aaronparecki.com
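The exchange the two messages argue about, as an added example that is not part of the thread and not code from the JAR or RAR drafts: a client signs its request parameters (including RAR-style `authorization_details`) as an HS256 JWS request object, and the AS verifies the signature and reads the claims. Everything here is constructed for illustration (the claim values, the `file_access` type, the shared secret, and the `typ` header value taken from the later RFC 9101); the point it makes concrete is that JWS gives the AS integrity (a tampered amount fails verification) but no confidentiality: the payload is base64url, so the AS, and anyone who sees the request object, reads the full request in clear.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would use the client's registered key.
SHARED_SECRET = b"client-secret-demo-only"

# Constructed request parameters. The authorization_details entries mirror the
# two cases Denis describes (a 45 EUR payment and read access to folder A);
# "file_access" is an invented type, not one defined by the RAR draft.
CONSTRUCTED_CLAIMS = {
    "iss": "s6BhdRkqt3",
    "aud": "https://as.example.com",
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "authorization_details": [
        {
            "type": "payment_initiation",
            "locations": ["https://bank.example.com/payments"],
            "instructedAmount": {"currency": "EUR", "amount": "45.00"},
        },
        {
            "type": "file_access",
            "locations": ["https://files.example.com"],
            "actions": ["read"],
            "datatypes": ["folder:A"],
        },
    ],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def build_request_object(claims: dict, key: bytes) -> str:
    """Client side: sign the request parameters as a JWS (HS256) request object."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}  # typ per RFC 9101 (assumption for the 2020 draft)
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def as_verify_and_read(request_object: str, key: bytes) -> dict:
    """AS side: check the signature, then return the claims it must act on.

    Raises ValueError on a bad signature. Note the AS necessarily sees every
    claim in clear: it cannot evaluate or show consent for what it cannot read.
    """
    header_b64, payload_b64, sig_b64 = request_object.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def anyone_can_read_payload(request_object: str) -> dict:
    """No key needed: a JWS payload is encoded, not encrypted."""
    return json.loads(b64url_decode(request_object.split(".")[1]))


def tamper_amount(request_object: str, new_amount: str) -> str:
    """Intermediary side: rewrite the payment amount but keep the original signature."""
    header_b64, payload_b64, sig_b64 = request_object.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["authorization_details"][0]["instructedAmount"]["amount"] = new_amount
    return header_b64 + "." + b64url_encode(_compact_json(claims)) + "." + sig_b64


def verifies(request_object: str, key: bytes) -> bool:
    """True if the AS would accept the request object, False if the signature fails."""
    try:
        as_verify_and_read(request_object, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ro = build_request_object(CONSTRUCTED_CLAIMS, SHARED_SECRET)
    print("AS sees:", json.dumps(as_verify_and_read(ro, SHARED_SECRET)["authorization_details"], indent=2))
    print("tampered request accepted:", verifies(tamper_amount(ro, "4500.00"), SHARED_SECRET))
```

Wrapping the request object in JWE instead would hide the parameters from intermediaries (a reverse proxy, a log line that captured the `request` parameter), but not from the AS, which must decrypt the object to decide on it; that is the situation Aaron's reply describes, and it is why the privacy question Denis raises is about the AS's role rather than about the signing mechanism.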