Hi Pedro, > On 22. Apr 2019, at 16:34, Pedro Igor Silva <[email protected]> wrote: > > Hi Torsten, > > Great article, thanks for sharing it.
my pleasure :-) > > We have been working on a solution for fine-grained authorization using > OAuth2 but specific for first-party applications where the granted > permissions/scopes depend on the policies associated with the > resources/scopes a client is trying to access. We don't have extensions to > the authorization endpoint but a specific grant type for this purpose on the > token endpoint. > > The solution is similar to the Lodging Intent Pattern but also based on > specific parts of UMA and ACE. > > Basically, when a client first tries to access a protected resource the RS > will respond with all the information the client needs to obtain a valid > token from the AS. The information returned by the RS can be a > signed/encrypted JWT or just a reference that later the AS can use to > actually fetch the information. With this information in hands, clients can > then approach the AS in order to obtain an access token with the permissions > to access the protected resource. > > The general idea is to empower RSs so that they can communicate to the AS how > access to their resources should be granted as well as decoupling clients and > RSs so that clients don't need to know the constraints imposed by the RS to > their protected resources (e.g. scopes). Sounds very much like UMA2. The difference I see is the RS needs to be heavily involved in the authorization process (whereas the approaches I discussed leave it passive). How would you handle the use cases I described? So for example, how would you construct the JWT for the signature use case? I’m asking because the signing case uses more data in the authorization process and might bundle the request to sign multiple documents, even if the first signing request would only need the hashes or even just a single hash of a document. > > I've started to write a document with this idea in mind and I'm happy to > share it with you and see what you think. > Look forward to reading your article. best regards, Torsten. > Best regards. > Pedro Igor > > On Sat, Apr 20, 2019 at 3:21 PM Torsten Lodderstedt <[email protected]> > wrote: > Hi all, > > I just published an article about the subject at: > https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948 > > > I look forward to getting your feedback. > > kind regards, > Torsten. > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
