Re: [OAUTH-WG] PAR Shepherd Review

2020-11-10 Thread Brian Campbell
On Tue, Nov 10, 2020 at 2:44 AM Hannes Tschofenig wrote:

> Hi all,
>
> I am in the process of writing my shepherd write-up for the PAR document
> and wanted to make sure that I properly understand the document.
>
> The introduction says:
>
> "
>    This document [PAR] complements JAR by providing an interoperable way to
>    push the payload of an authorization request directly to the
>    authorization server in exchange for a "request_uri" value usable at
>    the authorization server in a subsequent authorization request.
> "
>
> JAR provides the ability to send Authorization Request parameters in a JWT
> format protected with JWS and optionally JWE. It allows the JAR to be
> conveyed by value and by reference but does not define how the client would
> upload the JAR and how to obtain the reference.

For pass-by-reference JAR really only covers the case where the client
hosts the request object at some HTTPS URL that it controls and the value
of that URL is the request_uri. PAR defines how the AS can host/hold the
authorization request data and how a client can deliver it directly to the
AS.

> PAR defines how the client uploads the request object and how to obtain
> the reference. It relies primarily on TLS to protect the communication but
> mentions that it is possible to also use the JWT-based approach suggested
> by JAR.

Primarily TLS but also client authentication. A JWT request object can also
be used.

> Both drafts claim to have solved the security issues of protecting the
> communication through the user agent.

JAR is really the one that solved that. PAR provides a simple interoperable
way for a client to use JAR's request_uri by 'pushing' the content of an
authorization request directly to the AS and getting a request_uri
reference value in exchange.

> Is this a correct summary?

I think so, yes, along with my notes/clarifications.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
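The exchange the two messages describe, as an added example that is not part of the original thread and not code from the PAR or JAR documents or either poster: a toy pushed authorization request endpoint and the matching client side in Python. The client registration, client secret, endpoint URL and the use of HS256 with the client secret to sign the request object are constructed for the example (JAR permits a symmetric key; an AS would normally verify an asymmetric signature against the client's registered keys). TLS is assumed underneath. The code shows what the thread attributes to PAR: client authentication at the push, a request_uri handed back in exchange for the payload, a front-channel authorization request that carries only client_id and the reference, and the AS-side checks at redemption (expiry, binding to the client that pushed, one-time use).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed client registration and endpoint; all values are made up for this example.
CLIENTS = {"s6BhdRkqt3": {"secret": "cf136dc3c1fc93f31185e5885805d",
                          "redirect_uris": {"https://client.example.org/cb"}}}
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"   # the URN form PAR uses


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims, secret):
    """Build a JAR request object as an HS256 JWS (symmetric key: the client secret, for this example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(jws, secret):
    """Verify the JWS with the pushing client's key; pin the algorithm so 'alg' cannot be swapped."""
    header, payload, sig = jws.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("invalid_request_object")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid_request_object")
    return json.loads(_b64url_decode(payload))


def basic_auth(client_id, secret):
    """client_secret_basic header the client sends to the PAR endpoint (over TLS)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class PushedAuthorizationEndpoint:
    """AS side: holds pushed authorization requests and hands out request_uri references."""

    def __init__(self, lifetime_seconds=90):
        self.lifetime = lifetime_seconds
        self._pending = {}   # request_uri -> {"client_id", "params", "exp"}

    def _authenticate(self, authorization_header):
        scheme, _, cred = authorization_header.partition(" ")
        if scheme != "Basic":
            raise PermissionError("invalid_client")
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], secret):
            raise PermissionError("invalid_client")
        return client_id

    def push(self, authorization_header, form, now=None):
        """POST to the PAR endpoint: client auth plus the request payload, returning a request_uri."""
        now = time.time() if now is None else now
        client_id = self._authenticate(authorization_header)
        if "request_uri" in form:            # a pushed request must not itself carry a request_uri
            raise ValueError("invalid_request")
        params = dict(form)
        if "request" in params:              # JAR request object pushed by value
            params = verify_request_object(params["request"], CLIENTS[client_id]["secret"])
        if params.get("client_id") != client_id:   # payload must belong to the authenticated client
            raise ValueError("invalid_request")
        if params.get("redirect_uri") not in CLIENTS[client_id]["redirect_uris"]:
            raise ValueError("invalid_request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pending[request_uri] = {"client_id": client_id, "params": params,
                                      "exp": now + self.lifetime}
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def resolve(self, client_id, request_uri, now=None):
        """Authorization endpoint side: redeem the reference once, only for the client that pushed it."""
        now = time.time() if now is None else now
        entry = self._pending.pop(request_uri, None)   # one-time use; a failed attempt also burns it
        if entry is None or entry["client_id"] != client_id or now >= entry["exp"]:
            raise ValueError("invalid_request_uri")
        return entry["params"]


def authorization_request_url(client_id, request_uri):
    """Client side: the request sent through the user agent carries only client_id and the reference."""
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})
```

The front-channel URL built by `authorization_request_url` contains none of the pushed parameters, which is the point Brian makes about PAR reusing JAR's request_uri: the payload never transits the user agent, and the AS already holds it under a reference it minted itself. The `request` branch in `push` is the "JWT request object can also be used" case from the thread; the plain-parameter branch relies on TLS and client authentication alone.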


[OAUTH-WG] PAR Shepherd Review

2020-11-10 Thread Hannes Tschofenig
Hi all,

I am in the process of writing my shepherd write-up for the PAR document and 
wanted to make sure that I properly understand the document.
The introduction says:

"

   This document [PAR] complements JAR by providing an interoperable way to
   push the payload of an authorization request directly to the
   authorization server in exchange for a "request_uri" value usable at
   the authorization server in a subsequent authorization request.
"

JAR provides the ability to send Authorization Request parameters in a JWT 
format protected with JWS and optionally JWE. It allows the JAR to be conveyed 
by value and by reference but does not define how the client would upload the 
JAR and how to obtain the reference.

PAR defines how the client uploads the request object and how to obtain the 
reference. It relies primarily on TLS to protect the communication but mentions 
that it is possible to also use the JWT-based approach suggested by JAR.

Both drafts claim to have solved the security issues of protecting the 
communication through the user agent.

Is this a correct summary?

Ciao
Hannes
