Do you have a git repo too?

Jean-François “Jeff” Lombardo | Amazon Web Services

Principal Solution Architect, Security Specialist
Montréal, Canada
+1 514 778 5565

Thoughts on our interaction? Provide feedback here:
https://feedback.aws.amazon.com/?ea=jeffsec&fn=Jean%20Francois&ln=Lombardo

From: Nick Watson <nwat...@google.com>
Sent: July 1, 2025 6:28 PM
To: Lombardo, Jeff <jeff...@amazon.com>
Cc: Lombardo, Jeff <jeffsec=40amazon....@dmarc.ietf.org>; oauth@ietf.org; Alex 
Babeanu <alex.babe...@indykite.com>; yaron.zeh...@rbinternational.com; 
hannes.tschofe...@gmx.net
Subject: RE: [EXT] [OAUTH-WG] [OAUTH-WG/IETF-123] Introduction and 
socialization of Personal Draft - OAuth 2.0 step-up authorization challenge 
protocol


CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you can confirm the sender and know the 
content is safe.

I uploaded my early draft to datatracker – 
https://datatracker.ietf.org/doc/draft-watson-oauth-rich-error-response/ 
(GitHub: https://github.com/njwatson32/oauth-error) – so people can take a look 
if they want.

On Mon, Jun 30, 2025 at 12:30 PM Lombardo, Jeff 
<jeff...@amazon.com> wrote:
Hi Nick,

Happy to contribute and take a look into your work to build a stronger case to 
present to this WG.

Will you be in Madrid per chance?

Regards,

Jeff

From: Nick Watson <nwat...@google.com>
Sent: June 30, 2025 1:45 PM
To: Lombardo, Jeff <jeffsec=40amazon....@dmarc.ietf.org>
Cc: oauth@ietf.org; Alex Babeanu <alex.babe...@indykite.com>; 
yaron.zeh...@rbinternational.com; hannes.tschofe...@gmx.net; Lombardo, Jeff 
<jeff...@amazon.com>
Subject: RE: [EXT] [OAUTH-WG] [OAUTH-WG/IETF-123] Introduction and 
socialization of Personal Draft - OAuth 2.0 step-up authorization challenge 
protocol

Hi Jeff,

Thanks for the draft. It looks to be a useful extension. I've also been 
thinking about this problem as failure modes have become significantly more 
complicated in the last several years due to evolving privacy/security 
landscapes, regulation, and now the proliferation of agents. I have an (as yet) 
unpublished draft of an augmented error protocol for both token endpoint and 
resource server. I'd be interested in collaborating with you all on this spec 
as well, to see whether it could fully subsume the functionality from my WIP 
draft.

I had a couple of thoughts:

1. In Section 5, the spec puts out of scope how the client should respond to a 
step-up authorization challenge. While I think it's good to leave the door open 
for RS and AS to define custom options, it seems like it might be useful for 
the spec to have some normative language for the out-of-the-box options, e.g. 
RAR, rather than leaving it to clients to infer the expected behavior from the 
examples.

2. It may be the case that during refresh token exchange, the token endpoint 
already knows some things will fail. Can we allow the token endpoint to return 
insufficient_authorization with details too?

Nick

On Mon, Jun 30, 2025 at 7:41 AM Lombardo, Jeff 
<jeffsec=40amazon....@dmarc.ietf.org> wrote:
Dear OAuth Working Group,

Alex, Yaron, George, and I would like to introduce a personal Draft to you, which we 
have been working on since the beginning of the year while we were water-testing 
our use cases and preliminary thoughts at OSW25.

Personal Draft - OAuth 2.0 step-up authorization challenge protocol 
[https://datatracker.ietf.org/doc/draft-lombardo-oauth-step-up-authz-challenge-proto/] 
would extend RFC 9470 - OAuth 2.0 Step Up Authentication Challenge Protocol 
by allowing a resource server to return detailed step-up authorization 
challenges:
1/ Based on access control decisions enforced at the resource server, whether 
through dedicated logic or a call to a Policy Decision Point (PDP)
2/ Enabling clients to request new tokens through enhanced grant types and 
extensions like, but not limited to, RFC 9396 - OAuth 2.0 Rich Authorization 
Requests, RFC 9126 - OAuth 2.0 Pushed Authorization Requests, RFC 8693 - OAuth 
2.0 Token Exchange, or other grant types as the client might see fit

This Personal Draft also aims at supporting requirements for 
[FAPI2.0-Security-Profiles] or [hl7.fhir.uv.smart-app-launch] regulated APIs 
when they support and recommend those enhanced flows as ways to make 
access tokens least-privilege, context-based, and finer-grained.

We are also requesting, please, a 10-minute time slot at IETF-123 / Madrid to 
be able to present our work and gather comments, questions, and support, with the 
aim of moving this proposal forward as an IETF Draft.

In the meantime, we remain available to answer any questions, comments, and 
suggestions.

Regards,

Jeff

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
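The challenge-and-retry exchange the thread discusses, as an added example that is not part of the thread or of either draft: a client-side parser for the `WWW-Authenticate: Bearer` challenge a resource server returns, mapped to the parameters the client adds to its next authorization request. The `insufficient_user_authentication` branch (with `acr_values` and `max_age`) follows RFC 9470 as published. The `insufficient_authorization` branch, and the assumption that the challenge carries an RFC 9396 `authorization_details` array, are illustrative choices made here; the parameter names of draft-lombardo-oauth-step-up-authz-challenge-proto are not on this page. Both sample challenges are constructed.

```python
"""Client-side handling of step-up challenges from a resource server.

Added example, not code from the thread or either draft. The
insufficient_user_authentication branch follows RFC 9470; the
insufficient_authorization branch and its authorization_details parameter
are an ASSUMPTION made here for illustration, not parameters taken from
draft-lombardo-oauth-step-up-authz-challenge-proto.
"""
import json
import re
from dataclasses import dataclass, field

# RFC 6750 auth-param: token "=" ( token | quoted-string )
_AUTH_PARAM = re.compile(
    r'([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))'
)


def parse_bearer_challenge(header: str) -> dict[str, str]:
    """Parse the auth-params of a `WWW-Authenticate: Bearer ...` value.

    Quoted-string escapes are undone and keys are lower-cased.
    Raises ValueError if the scheme is not Bearer.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    out: dict[str, str] = {}
    for m in _AUTH_PARAM.finditer(params):
        quoted, token = m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        out[m.group(1).lower()] = value
    return out


@dataclass
class StepUpRequest:
    """What the client must do next and the request parameters to add."""
    kind: str  # "authentication" or "authorization"
    params: dict[str, str] = field(default_factory=dict)


def plan_step_up(challenge: dict[str, str]) -> StepUpRequest:
    """Map a parsed challenge to the parameters of the client's next
    authorization request (or PAR / token-exchange request)."""
    err = challenge.get("error")
    if err == "insufficient_user_authentication":
        # RFC 9470: acr_values and max_age are both optional; whichever the
        # RS sent is echoed as the identically named request parameter.
        params = {k: challenge[k] for k in ("acr_values", "max_age") if k in challenge}
        return StepUpRequest("authentication", params)
    if err == "insufficient_authorization":
        # ASSUMPTION: the RS puts an RFC 9396 authorization_details array in
        # the challenge. Validate it before forwarding: the client must not
        # relay arbitrary RS-supplied JSON to the AS unchecked.
        raw = challenge.get("authorization_details")
        if raw is None:
            raise ValueError("insufficient_authorization without authorization_details")
        details = json.loads(raw)
        if not isinstance(details, list) or not all(
            isinstance(d, dict) and isinstance(d.get("type"), str) for d in details
        ):
            raise ValueError("authorization_details must be a list of objects with a string 'type'")
        return StepUpRequest(
            "authorization",
            {"authorization_details": json.dumps(details, separators=(",", ":"))},
        )
    raise ValueError(f"not a step-up challenge: {err!r}")


# Constructed sample challenges (not taken from either draft).
SAMPLE_AUTHN = (
    'Bearer error="insufficient_user_authentication", '
    'error_description="A different authentication level is required", '
    'acr_values="urn:example:mfa", max_age=300'
)
SAMPLE_AUTHZ = (
    'Bearer error="insufficient_authorization", '
    'authorization_details="[{\\"type\\":\\"account_information\\",'
    '\\"actions\\":[\\"read\\"],\\"locations\\":[\\"https://rs.example/accounts\\"]}]"'
)

if __name__ == "__main__":
    for sample in (SAMPLE_AUTHN, SAMPLE_AUTHZ):
        print(plan_step_up(parse_bearer_challenge(sample)))
```

Two practitioner caveats the code encodes: the client only ever forwards a validated `authorization_details` array, so a resource server cannot smuggle arbitrary JSON into the authorization request, and the user still sees and consents to the requested details at the authorization server, so the RS gains no way to escalate privilege on its own. The same `plan_step_up` mapping applies if, as Nick suggests, the token endpoint itself returns `insufficient_authorization` with details in its JSON error body during a refresh; only the parsing step differs. As RFC 9470 warns, a real client should also cap the number of step-up retries per resource so a misconfigured RS cannot drive it into a loop.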