| < draft-ietf-oauth-rar-09.txt | draft-ietf-oauth-rar-10.txt > | |||
|---|---|---|---|---|
| Web Authorization Protocol T. Lodderstedt | Web Authorization Protocol T. Lodderstedt | |||
| Internet-Draft yes.com | Internet-Draft yes.com | |||
| Intended status: Standards Track J. Richer | Intended status: Standards Track J. Richer | |||
| Expires: 26 July 2022 Bespoke Engineering | Expires: 30 July 2022 Bespoke Engineering | |||
| B. Campbell | B. Campbell | |||
| Ping Identity | Ping Identity | |||
| 22 January 2022 | 26 January 2022 | |||
| OAuth 2.0 Rich Authorization Requests | OAuth 2.0 Rich Authorization Requests | |||
| draft-ietf-oauth-rar-09 | draft-ietf-oauth-rar-10 | |||
| Abstract | Abstract | |||
| This document specifies a new parameter authorization_details that is | This document specifies a new parameter authorization_details that is | |||
| used to carry fine-grained authorization data in OAuth messages. | used to carry fine-grained authorization data in OAuth messages. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 26 July 2022. | This Internet-Draft will expire on 30 July 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
| 11. Implementation Considerations . . . . . . . . . . . . . . . . 27 | 11. Implementation Considerations . . . . . . . . . . . . . . . . 27 | |||
| 11.1. Using authorization details in a certain deployment . . 27 | 11.1. Using authorization details in a certain deployment . . 27 | |||
| 11.2. Minimal product support . . . . . . . . . . . . . . . . 28 | 11.2. Minimal product support . . . . . . . . . . . . . . . . 28 | |||
| 11.3. Use of Machine-readable Type Schemas . . . . . . . . . . 29 | 11.3. Use of Machine-readable Type Schemas . . . . . . . . . . 29 | |||
| 11.4. Large requests . . . . . . . . . . . . . . . . . . . . . 29 | 11.4. Large requests . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 12. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | 12. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | |||
| 13. Privacy Considerations . . . . . . . . . . . . . . . . . . . 31 | 13. Privacy Considerations . . . . . . . . . . . . . . . . . . . 31 | |||
| 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 | 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 15.1. JSON Web Token Claims Registration . . . . . . . . . . . 32 | 15.1. JSON Web Token Claims Registration . . . . . . . . . . . 32 | |||
| 15.2. OAuth Authorization Server Metadata . . . . . . . . . . 32 | 15.2. OAuth Token Introspection Response . . . . . . . . . . . 32 | |||
| 15.3. OAuth Dynamic Client Registration Metadata . . . . . . . 32 | 15.3. OAuth Authorization Server Metadata . . . . . . . . . . 32 | |||
| 15.4. OAuth Extensions Error registry . . . . . . . . . . . . 32 | 15.4. OAuth Dynamic Client Registration Metadata . . . . . . . 32 | |||
| 15.5. OAuth Extensions Error registry . . . . . . . . . . . . 33 | ||||
| 16. Normative References . . . . . . . . . . . . . . . . . . . . 33 | 16. Normative References . . . . . . . . . . . . . . . . . . . . 33 | |||
| 17. Informative References . . . . . . . . . . . . . . . . . . . 33 | 17. Informative References . . . . . . . . . . . . . . . . . . . 34 | |||
| Appendix A. Additional Examples . . . . . . . . . . . . . . . . 35 | Appendix A. Additional Examples . . . . . . . . . . . . . . . . 35 | |||
| A.1. OpenID Connect . . . . . . . . . . . . . . . . . . . . . 35 | A.1. OpenID Connect . . . . . . . . . . . . . . . . . . . . . 35 | |||
| A.2. Remote Electronic Signing . . . . . . . . . . . . . . . . 37 | A.2. Remote Electronic Signing . . . . . . . . . . . . . . . . 37 | |||
| A.3. Access to Tax Data . . . . . . . . . . . . . . . . . . . 38 | A.3. Access to Tax Data . . . . . . . . . . . . . . . . . . . 38 | |||
| A.4. eHealth . . . . . . . . . . . . . . . . . . . . . . . . . 39 | A.4. eHealth . . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 42 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 42 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 32, line 13 ¶ | skipping to change at page 32, line 13 ¶ | |||
| specification. | specification. | |||
| 15. IANA Considerations | 15. IANA Considerations | |||
| 15.1. JSON Web Token Claims Registration | 15.1. JSON Web Token Claims Registration | |||
| This specification requests registration of the following value in | This specification requests registration of the following value in | |||
| the IANA "JSON Web Token Claims Registry" established by [RFC7519]. | the IANA "JSON Web Token Claims Registry" established by [RFC7519]. | |||
| Claim Name: authorization_details | Claim Name: authorization_details | |||
| Claim Description: The request parameter authorization_details | Claim Description: The claim authorization_details contains a JSON | |||
| contains, in JSON notation, an array of objects. Each JSON object | array of JSON objects representing the rights of the access token. | |||
| contains the data to specify the authorization requirements for a | Each JSON object contains the data to specify the authorization | |||
| certain type of resource. | requirements for a certain type of resource. | |||
| Change Controller: IESG | Change Controller: IESG | |||
| Specification Document(s): Section 2 of this document | Specification Document(s): Section 9.1 of this document | |||
| 15.2. OAuth Authorization Server Metadata | 15.2. OAuth Token Introspection Response | |||
| This specification requests registration of the following value in | ||||
| the IANA "OAuth Token Introspection Response Registry" established by | ||||
| [RFC7662]. | ||||
| Name: authorization_details | ||||
| Description: The member authorization_details contains a JSON array | ||||
| of JSON objects representing the rights of the access token. Each | ||||
| JSON object contains the data to specify the authorization | ||||
| requirements for a certain type of resource. | ||||
| Change Controller: IESG | ||||
| Specification Document(s): Section 9.2 of this document | ||||
| 15.3. OAuth Authorization Server Metadata | ||||
| This specification requests registration of the following values in | This specification requests registration of the following values in | |||
| the IANA "OAuth Authorization Server Metadata" registry of | the IANA "OAuth Authorization Server Metadata" registry of | |||
| [IANA.OAuth.Parameters] established by [RFC8414]. | [IANA.OAuth.Parameters] established by [RFC8414]. | |||
| Metadata Name: authorization_details_types_supported | Metadata Name: authorization_details_types_supported | |||
| Metadata Description: JSON array containing the authorization | Metadata Description: JSON array containing the authorization | |||
| details types the AS supports | details types the AS supports | |||
| Change Controller: IESG | Change Controller: IESG | |||
| Specification Document(s): Section 10 of [[ this document ]] | Specification Document(s): Section 10 of [[ this document ]] | |||
| 15.3. OAuth Dynamic Client Registration Metadata | 15.4. OAuth Dynamic Client Registration Metadata | |||
| This specification requests registration of the following value in | This specification requests registration of the following value in | |||
| the IANA "OAuth Dynamic Client Registration Metadata" registry of | the IANA "OAuth Dynamic Client Registration Metadata" registry of | |||
| [IANA.OAuth.Parameters] established by [RFC7591]. | [IANA.OAuth.Parameters] established by [RFC7591]. | |||
| Metadata Name: authorization_details_types | Metadata Name: authorization_details_types | |||
| Metadata Description: Indicates what authorization details types the | Metadata Description: Indicates what authorization details types the | |||
| client uses. | client uses. | |||
| Change Controller: IESG | Change Controller: IESG | |||
| Specification Document(s): Section 10 of [[ this document ]] | Specification Document(s): Section 10 of [[ this document ]] | |||
| 15.4. OAuth Extensions Error registry | 15.5. OAuth Extensions Error registry | |||
| This specification requests registration of the following value in | This specification requests registration of the following value in | |||
| the IANA "OAuth Extensions Error registry" registry of | the IANA "OAuth Extensions Error registry" registry of | |||
| [IANA.OAuth.Parameters] established by [RFC6749]. | [IANA.OAuth.Parameters] established by [RFC6749]. | |||
| Metadata Name: invalid_authorization_details | Metadata Name: invalid_authorization_details | |||
| Metadata Description: indicates invalid | Metadata Description: indicates invalid | |||
| authorization_details_parameterto the client. | authorization_details_parameterto the client. | |||
| Change Controller: IESG | Change Controller: IESG | |||
| Specification Document(s): Section 5 of [[ this document ]] | Specification Document(s): Section 5 of [[ this document ]] | |||
| 16. Normative References | 16. Normative References | |||
| [RFC8628] Denniss, W., Bradley, J., Jones, M., and H. Tschofenig, | ||||
| "OAuth 2.0 Device Authorization Grant", RFC 8628, | ||||
| DOI 10.17487/RFC8628, August 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8628>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8707] Campbell, B., Bradley, J., and H. Tschofenig, "Resource | ||||
| Indicators for OAuth 2.0", RFC 8707, DOI 10.17487/RFC8707, | ||||
| February 2020, <https://www.rfc-editor.org/info/rfc8707>. | ||||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", | ||||
| RFC 7662, DOI 10.17487/RFC7662, October 2015, | ||||
| <https://www.rfc-editor.org/info/rfc7662>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | [RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | |||
| Authorization Server Metadata", RFC 8414, | Authorization Server Metadata", RFC 8414, | |||
| DOI 10.17487/RFC8414, June 2018, | DOI 10.17487/RFC8414, June 2018, | |||
| <https://www.rfc-editor.org/info/rfc8414>. | <https://www.rfc-editor.org/info/rfc8414>. | |||
| 17. Informative References | [RFC8628] Denniss, W., Bradley, J., Jones, M., and H. Tschofenig, | |||
| "OAuth 2.0 Device Authorization Grant", RFC 8628, | ||||
| DOI 10.17487/RFC8628, August 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8628>. | ||||
| [RFC9126] Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., | [RFC8707] Campbell, B., Bradley, J., and H. Tschofenig, "Resource | |||
| and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", | Indicators for OAuth 2.0", RFC 8707, DOI 10.17487/RFC8707, | |||
| RFC 9126, DOI 10.17487/RFC9126, September 2021, | February 2020, <https://www.rfc-editor.org/info/rfc8707>. | |||
| <https://www.rfc-editor.org/info/rfc9126>. | ||||
| 17. Informative References | ||||
| [CSC] Consortium, C. S., "Architectures and protocols for remote | [CSC] Consortium, C. S., "Architectures and protocols for remote | |||
| signature applications", 1 June 2019, | signature applications", 1 June 2019, | |||
| <https://cloudsignatureconsortium.org/wp- | <https://cloudsignatureconsortium.org/wp- | |||
| content/uploads/2019/07/CSC_API_V1_1.0.4.0.pdf>. | content/uploads/2019/07/CSC_API_V1_1.0.4.0.pdf>. | |||
| [transaction-authorization] | [ETSI] ETSI, "ETSI TS 119 432, Electronic Signatures and | |||
| Lodderstedt, T., "Transaction Authorization or why we need | Infrastructures (ESI); Protocols for remote digital | |||
| to re-think OAuth scopes", 20 April 2019, | signature creation", 20 March 2019, | |||
| <https://medium.com/oauth-2/transaction-authorization-or- | <https://www.etsi.org/deliver/ | |||
| why-we-need-to-re-think-oauth-scopes-2326e2038948>. | etsi_ts/119400_119499/119432/01.01.01_60/ | |||
| ts_119432v010101p.pdf>. | ||||
| [OpenID.CIBA] | ||||
| Fernandez, G., Walter, F., Nennker, A., Tonge, D., and B. | ||||
| Campbell, "OpenID Connect Client Initiated Backchannel | ||||
| Authentication Flow - Core 1.0", 16 January 2019, | ||||
| <https://openid.net/specs/openid-client-initiated- | ||||
| backchannel-authentication-core-1_0.html>. | ||||
| [I-D.ietf-oauth-jwt-introspection-response] | [I-D.ietf-oauth-jwt-introspection-response] | |||
| Lodderstedt, T. and V. Dzhuvinov, "JWT Response for OAuth | Lodderstedt, T. and V. Dzhuvinov, "JWT Response for OAuth | |||
| Token Introspection", Work in Progress, Internet-Draft, | Token Introspection", Work in Progress, Internet-Draft, | |||
| draft-ietf-oauth-jwt-introspection-response-12, 4 | draft-ietf-oauth-jwt-introspection-response-12, 4 | |||
| September 2021, <https://datatracker.ietf.org/doc/html/ | September 2021, <https://datatracker.ietf.org/doc/html/ | |||
| draft-ietf-oauth-jwt-introspection-response-12>. | draft-ietf-oauth-jwt-introspection-response-12>. | |||
| [IANA.OAuth.Parameters] | ||||
| IANA, "OAuth Parameters", | ||||
| <http://www.iana.org/assignments/oauth-parameters>. | ||||
| [JSON.Schema] | [JSON.Schema] | |||
| json-schema.org, "JSON Schema", | json-schema.org, "JSON Schema", | |||
| <https://json-schema.org/>. | <https://json-schema.org/>. | |||
| [OIDC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | ||||
| C. Mortimore, "OpenID Connect Core 1.0 incorporating | ||||
| errata set 1", 8 November 2014, | ||||
| <http://openid.net/specs/openid-connect-core-1_0.html>. | ||||
| [OpenID.CIBA] | ||||
| Fernandez, G., Walter, F., Nennker, A., Tonge, D., and B. | ||||
| Campbell, "OpenID Connect Client Initiated Backchannel | ||||
| Authentication Flow - Core 1.0", 16 January 2019, | ||||
| <https://openid.net/specs/openid-client-initiated- | ||||
| backchannel-authentication-core-1_0.html>. | ||||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <https://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. | |||
| [IANA.OAuth.Parameters] | [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and | |||
| IANA, "OAuth Parameters", | P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", | |||
| <http://www.iana.org/assignments/oauth-parameters>. | RFC 7591, DOI 10.17487/RFC7591, July 2015, | |||
| <https://www.rfc-editor.org/info/rfc7591>. | ||||
| [RFC9101] Sakimura, N., Bradley, J., and M. Jones, "The OAuth 2.0 | ||||
| Authorization Framework: JWT-Secured Authorization Request | ||||
| (JAR)", RFC 9101, DOI 10.17487/RFC9101, August 2021, | ||||
| <https://www.rfc-editor.org/info/rfc9101>. | ||||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", STD 90, RFC 8259, | Interchange Format", STD 90, RFC 8259, | |||
| DOI 10.17487/RFC8259, December 2017, | DOI 10.17487/RFC8259, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8259>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
| [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and | [RFC9101] Sakimura, N., Bradley, J., and M. Jones, "The OAuth 2.0 | |||
| P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", | Authorization Framework: JWT-Secured Authorization Request | |||
| RFC 7591, DOI 10.17487/RFC7591, July 2015, | (JAR)", RFC 9101, DOI 10.17487/RFC9101, August 2021, | |||
| <https://www.rfc-editor.org/info/rfc7591>. | <https://www.rfc-editor.org/info/rfc9101>. | |||
| [OIDC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | [RFC9126] Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., | |||
| C. Mortimore, "OpenID Connect Core 1.0 incorporating | and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", | |||
| errata set 1", 8 November 2014, | RFC 9126, DOI 10.17487/RFC9126, September 2021, | |||
| <http://openid.net/specs/openid-connect-core-1_0.html>. | <https://www.rfc-editor.org/info/rfc9126>. | |||
| [ETSI] ETSI, "ETSI TS 119 432, Electronic Signatures and | [transaction-authorization] | |||
| Infrastructures (ESI); Protocols for remote digital | Lodderstedt, T., "Transaction Authorization or why we need | |||
| signature creation", 20 March 2019, | to re-think OAuth scopes", 20 April 2019, | |||
| <https://www.etsi.org/deliver/ | <https://medium.com/oauth-2/transaction-authorization-or- | |||
| etsi_ts/119400_119499/119432/01.01.01_60/ | why-we-need-to-re-think-oauth-scopes-2326e2038948>. | |||
| ts_119432v010101p.pdf>. | ||||
| Appendix A. Additional Examples | Appendix A. Additional Examples | |||
| A.1. OpenID Connect | A.1. OpenID Connect | |||
| OpenID Connect [OIDC] specifies the JSON-based claims request | OpenID Connect [OIDC] specifies the JSON-based claims request | |||
| parameter that can be used to specify the claims a client (acting as | parameter that can be used to specify the claims a client (acting as | |||
| OpenID Connect Relying Party) wishes to receive in a fine-grained and | OpenID Connect Relying Party) wishes to receive in a fine-grained and | |||
| privacy-preserving way as well as assign those claims to certain | privacy-preserving way as well as assign those claims to certain | |||
| delivery mechanisms, i.e. ID Token or userinfo response. | delivery mechanisms, i.e. ID Token or userinfo response. | |||
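Review bot: the 15.5 OAuth Extensions Error registry entry still reads "indicates invalid authorization_details_parameterto the client" in both columns; since -10 reworks the IANA section, fix it here to "indicates an invalid authorization_details parameter to the client". Two consistency points in the same region: the new 15.1 and 15.2 entries cite "Section 9.1 of this document" and "Section 9.2 of this document", while 15.3 through 15.5 still carry the "[[ this document ]]" placeholder and 15.3 and 15.4 both point at "Section 10"; and 15.5 reuses the "Metadata Name" / "Metadata Description" labels of the metadata registrations for an error code, although the registry it targets is an error registry rather than a metadata registry, so the entry should follow that registry's own template fields.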
| skipping to change at page 42, line 19 ¶ | skipping to change at page 42, line 19 ¶ | |||
| identity, role and organizational context. This data is provided | identity, role and organizational context. This data is provided | |||
| to facilitate authorization and for auditing purposes. | to facilitate authorization and for auditing purposes. | |||
| In this use case, the AS authenticates the requester, who is not the | In this use case, the AS authenticates the requester, who is not the | |||
| patient, and approves access based on policies. | patient, and approves access based on policies. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ To be removed from the final specification ]] | [[ To be removed from the final specification ]] | |||
| -10 | ||||
| * Updated IANA registrations | ||||
| -09 | -09 | |||
| * Incorporated feedback by Hannes as document shepherd | * Incorporated feedback by Hannes as document shepherd | |||
| -08 | -08 | |||
| * formatting in authorization details type section | * formatting in authorization details type section | |||
| * added example for privileges common data element | * added example for privileges common data element | |||
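Review bot: the -10 history entry "Updated IANA registrations" understates the change; the hunks above add a new registration (15.2, OAuth Token Introspection Response), renumber the former 15.2 through 15.4 to 15.3 through 15.5, add [RFC7662] to the normative references and re-sort both reference lists, so listing those items separately would help readers of the change log.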
| End of changes. 25 change blocks. | ||||
| 69 lines changed or deleted | 91 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||