Hi
On 07/07/17 18:56, William Denniss wrote:
What you describe is incremental auth.

Thanks... FYI, I thought of doing some work around it after browsing through the Google docs; the line about the "asking to approve the purchase of the kitchen sink at the authentication time is a death of the modern web" (or something similar that I read on this list) was even more convincing :-)

Aside: Do you return the "scope" in the token response as required when the scope in the response is not identical to the request (§ 5.1 <https://tools.ietf.org/html/rfc6749#section-5.1>, parameter: scope)?

Yes, the token service is doing it by default for all the returned access tokens

My only question is: does the client expect this? The spec talks about the authorization server *reducing* scope in a few places (in § 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>, "The authorization server MAY fully or partially ignore the scope requested by the client" and § 10.3 <https://tools.ietf.org/html/rfc6749#section-10.3> "The authorization server SHOULD take the client identity into account when choosing how to honor the requested scope and MAY issue an access token with less rights than requested."). It never talks about *increasing* scope (other than it can't be done during refresh).

So I think some normative language around the potential to increase the scope of the request for confidential clients (in either the way you describe, or the way I described in the draft) is warranted.

Open question: should we require an indication from the client if they *want* the scope increase? That's what include_granted_scopes was designed to do. To allow clients to specify if this is behavior they desire.
Right, I see how a proposed "include_granted_scopes" can make it non ambiguous


The more innovative part of the spec I think is the public (native app) client incremental auth – as native apps cannot use the methods you discuss, or the ones Google has supported for a while for confidential clients. That said, if we write this – I think we may as well formally document approaches for confidential clients too.


thanks, Sergey

On Fri, Jul 7, 2017 at 9:24 AM, Sergey Beryozkin <[email protected] <mailto:[email protected]>> wrote:

    Hi

    Re the confidential client: let me explain please how we
    experimented with this feature when the code flow is used.

    1. Client requests a scope 'a' for a given User, it gets approved by
    the user, the clients gets a code and exchanges it for a token.

    2. At some later stage Client requests a scope 'b' for the same user
    and if an access token for a given Client + User combination exists
    and the incremental authorization is supported (we use a different
    term for now) than the service finds out from this token that 'a'
    has already been approved and offers a consent screen where a user
    sees 'a' being selected and needs to approve 'b'.

    3. User approves 'b'. The client gets a new code back and exchanges
    it for a new token which now has "a" and "b".

    At this point a client has 2 tokens, one with the "a" scope and
    another with the "a" and "b" scopes and the assumption was that the
    client would itself remove the now redundant token with the scope
    "a" only.

    I've just updated the code for the service itself do it on the
    client's behalf, optionally remove the scope "a" token so that the
    client can simply replace a reference to its scope "a" token with
    the new one (scopes "a" and "b") it will get after exchanging a code
    grant.

    Is it an incremental authorization or something else completely :-) ?

    One obvious difference, apart from the lower level implementation
    details, is that it is not a client which requests to include the
    already authorized scopes but the service does it itself if the
    configuration allowing for it is enabled

    Thanks, Sergey






    On 05/07/17 18:17, William Denniss wrote:

        Earlier this week I submitted the following I-D:
        https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth 
<https://tools.ietf.org/html/draft-wdenniss-oauth-incremental-auth>

        The topic is incremental authentication (or incremental auth for
        short).  Incremental auth is used to enable clients to request
        just the scopes they need when they need them – rather than all
        upfront – while still only a maintaining a single authorization
        grant.

        The I-D details two techniques used at Google, one that has been
        used for a while in confidential clients, and one that we
        launched recently as a new solution to deliver incremental auth
        for public clients.

        I look forward to discussing this proposal with the working
        group. I plan to present this draft at IETF99, hope you can be
        there or watching the livestream!

        I plan to ask for a call for adoption after that presentation.
        If you're interested in this topic I'd encourage you to read the
        draft (it's fairly concise!).

        Best,
        William



        _______________________________________________
        OAuth mailing list
        [email protected] <mailto:[email protected]>
        https://www.ietf.org/mailman/listinfo/oauth
        <https://www.ietf.org/mailman/listinfo/oauth>


    _______________________________________________
    OAuth mailing list
    [email protected] <mailto:[email protected]>
    https://www.ietf.org/mailman/listinfo/oauth
    <https://www.ietf.org/mailman/listinfo/oauth>



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to