[Openid-specs-authzen] OAuth Authorization Patterns draft

eve at xmlgrrl.com
Tue Dec 19 03:07:15 UTC 2023


Hi Omri, if I understand correctly, you’ve got two main points here.

The first is that the doc is OAuth-centric. That’s true. I think Rifaat intended for this to serve as input to the bigger design patterns (PAD) doc – possibly to be slotted in where Alex and I had some comment threads in PAD saying “we really oughtta talk about OAuth a bit, since it’s so popular…”.

The second, separately, is that in addition to focusing on OAuth, it also provides a fair amount of authentication/IdP/etc. detail. There may be value in contextualizing readers’ authz expectations with these other components they’re familiar with. I think it might be best as an introductory topic, with detail that can mostly be elided in the authz patterns unless it makes an impact on the pro/con analysis.

Re the first point: As I just noted in Slack, I have a dream — to develop an abstract model for externalized authorization, using consensus-driven terminology, that can accelerate conversations about both P*P and OAuth, and all the other solutions in the space. :) To that end, I have revised my hand-drawn sketch to produce a second rev. I know this is still super rough, but if anyone shares my dream :), is it worth spending a few minutes on the call taking a look together? (I believe the boxes correspond roughly to the functionality already being proposed in the API doc and PDP-PEP doc.)



> On Dec 18, 2023, at 6:41 PM, Omri Gazitt via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
> 
> Thanks Rifaat... I added some of my comments. I may have misunderstood the purpose of the document, I took it to be a description of the authorization patterns we'd like to support / promote. If that's the intent, I feel like the current description is very OAuth / token-centric.  Most of the implementations of authorization systems in the wild treat the authentication ceremony as upstream / out-of-scope, and assume the result of the authN ceremony is a signed access token that can be used to identify the subject.
> 
> The "AS" in OAuth2 is functionally a different component from the authorizer in externalized authorization architectures (at least the ones I know of).
> 
> If we want to describe the state of the world more accurately, I think we would make this clear in the document and its various scenarios.
> 
> 
> On Mon, Dec 18, 2023 at 1:13 PM Rifaat Shekh-Yusef via Openid-specs-authzen <openid-specs-authzen at lists.openid.net <mailto:openid-specs-authzen at lists.openid.net>> wrote:
>> Resending the email, after it bounced back initially.
>> 
>> 
>> On Mon, Dec 18, 2023 at 3:15 PM Rifaat Shekh-Yusef <rifaat.s.ietf at gmail.com <mailto:rifaat.s.ietf at gmail.com>> wrote:
>>> All,
>>> 
>>> Eve and I have started working on the following document that describes the OAuth Authorization Patterns and various aspects of these patterns.
>>> OAuth Authorization Patterns - Google Docs <https://docs.google.com/document/d/1UtkBdabXhNvps-29lhfldwGxMkv8OSwSE2zbAidEH_g/edit>
>>> 
>>> This is still a work in progress document, but we would like to share it with the WG and maybe discuss it tomorrow during our weekly meeting.
>>> 
>>> Please, take a look and let us know what you think. Feel free to add comments to the document.
>>> 
>>> Regards,
>>>  Rifaat
>>> 


Eve Maler | cell and Signal +1 425.345.6756
