Internet Engineering Task Force 104, 25 Mar 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF104-OAUTH-20190325-1610

Description

OAUTH meeting session at IETF104
2019/03/25 1610

https://datatracker.ietf.org/meeting/104/proceedings/

A

Okay, hello, everyone, everybody! So let's get going so welcome to the first session of way off.

A

So this is the note well everything that you say in contribute is governed by by this note. Well, so make sure to read it and understand the implication of this. No sweat, no note well and I think we have a jabber scribe as Roman and thank you, Ron yeah.

A

Someone obviously is our new ad so welcome, and they thanks for a care for being a chair for some time. The ad sorry, a minute taker.

B

A

Oh thanks, Tony and blue sheets are going around here. So, let's, okay, so let's say give an update on some of those same in drafts, are thinking that a browser-based, a apps will be discussed to him on Thursday the device flow I think it's I think it's waiting for an update from from William I. Don't know the latest that.

C

B

The so I think that's the draft update has been submitted, so that's fine I think it's waiting for the ad to follow up.

B

A

So it's a it's Whitacre, I guess and that's.

B

The device rule.

A

It distributed or tied I, don't think we. There was no update recently this one and incremental or auth.

B

Yeah was dick who's, the main author. She recently changed job so we'll have to, and unfortunately he wasn't able to come to this meeting so we'll have to find out what it is. Someone who can support him with this work and which originally started in by Amazon. So we'll have to saying.

C

Am I gonna continue. That's right. He didn't say anything right yeah. So so let's wait for.

A

Him that job request, I think I think it's wait guide. You know we.

D

Had a session on it at the security workshop last week, so we resolved a bit of the language, but now that we have the server metadata done, there was a request for now that we actually have a place to register server metadata parameters. There was a consensus or a sense in the room that some of the parameters, we should add a nayana consideration section and register a couple of extra parameters that would make it easier for people to use it.

D

So so there will be an update shortly.

E

I'm here no okay, so my memory was the William and I sat down together and went through this document is that that retinal.

D

Appeals memory, so it's.

E

D

The new document that I.

E

D

I should I can okay right, I think the only thing new from that is there was a change of name to have it make more sense, but that's not really normative. Yeah.

B

And the char, so what's the timeline for that one, because it's now and you got going to update it, yeah.

F

B

Because that would be obviously a good time to to get this out of the door, because it has been in right and like like in the ice sheet.

D

I'll, try I got that in and hopefully there won't. Hopefully it won't push it back into the iesg process. Just adding some.

D

Ayane registrations.

D

Will probably ever redo I am.

G

D

Again but that shouldn't be a big deal.

A

And then there that job BCP so I think it's where they occur. What is that.

H

Job BCP completed IAS G review. We addressed all the area director feedback now things I believe occur just needs to push the button once he's satisfied that I'm correct that it should go to the RFC editor.

A

And I think you have enough kind of bullets to go. Yeah.

I

We have enough that's right.

A

F

J

Let's it so that's true, it's not no! It's ad evaluations, a lot.

G

Of okay, I think.

J

I think my cousin's days am waiting for some changes.

B

Do you want to go to the microphone I believe.

H

I made the changes and emailed you, but I'll find that and resend it.

E

Back to you on this.

E

You said these were changes and I just.

E

A

Okay, good so I'm jut, introspection response that will be discussed today and TLS of its custom. Thursday GOP will be discussed on Thursday a reciprocal. This is again named Dixie document and resource indicator. This was submitted to the IDF to the eyes G just recently like yeah a few days ago on three weeks ago, right, good, the security topics is gonna, be discussed later today and a token binding. So this is I, don't think.

B

November's not date so before the token is changed. So Brian said that his priorities on there on the token exchange and not so much on updating the token finding at the moment, so hopefully we'll get a new version of the token exchange submitted. So to address some of the comments.

B

E

Yeah, it looked to me like there was a lunch, a lot of back and forth. Ladies who had discusses and tokens change, so Brian thinks too, like they're, not responding fast enough. Rome and I had chased them, but I, typically that the discussion happened on its own. So um let me know, let me.

K

Know how you want me to proceed.

E

We'll do some chasing or crawling people as necessary, yeah.

B

We dr. Brian last week he was very busy with with some other work, and so that's why I dropped dropped a little bit on his to-do list.

L

A

So our agenda again, we've talked about that chairs, updates, who skated topics and George introspection that a Torsten a then they Eve a remotely we'll be talking about uma, a draft and the last one would be the tour you're talking about that jut usage in access tokens, I.

B

Also wanted to point out that we are holding these conference calls every second week to discuss working group matters and if you guys have want something moving along or if there are some questions just Eileen. We stayed there for half an hour and and chat with you about the ongoing topics, so just to make sure that we are not letting anything fall between the cracks.

B

A

Okay, I guess Torsten.

A

A

Sorry well, the second one is okay,.

B

That's can't be true, like here's, the data tracker.

B

Security topics.

B

Which? For fullscreen yeah.

M

Hi, my name is Las Noches on where, if yes, calm and I'm gonna, give you an update on they work on the security best.

M

Current practice fall off to the security BCP aims to update the security threat model, the original or off to the DOS security threat model and a security consideration sections given in the Kawara C and the burro token, our c2 cup, with more current challenges on steaming from advanced use, cases such as open banking and so on, which elevate the need for or elevate the security requirements which Olaf has to cope with, and we also have learned from deployments in the last couple of years and that's why we decided to write the own this BCP.

M

It will update or updates the threat model and describes our newly discovered attacks along with mitigations, where we also use new technologies and mechanisms such as M, TLS, token binding and so on. So we nicely weave them into our recommendations and our goal is to give implementers simple and actionable actionable recommendations, how they can securely implement OAuth applications.

M

So what has happened since since Bangkok? A lot has happens? We published four revisions, nine to twelve and the most significant change, and we already had talked about that in Bangkok.

M

The working group came to the consensus to discourage use of the implicit grants and grants with similar properties, meaning grants that issue access tokens in the authorization response. I just pasted a pacer that the statement from the BCP here.

M

So this means the implicit grant as well as some of the Odyssey grants, are no longer recommended by this working group. Anyone is free to use them or to continue to use them, but our recommendation is to drop them and replace them by using authorization code plus pixie. And in my observation and last week we had a very, very good or security workshop.

M

Adoption of this has already been started so, for example, the financial grade api working group, if the open and ethan Foundation recently are removed the code token ID token, from the mod or to spec and I, also learned that already a JavaScript libraries are starting to to support code plus pixie, and there are some more changes in the course of the discussion around this call for consensus on the working group. A lot of additional topics came up, for example, by developers of s pas. They ask.

M

How are we supposed to work with refresh tokens, for example, and that's why we decided to add some more text around the use of refresh tokens to the BCP, along with texts on how replay detection can be achieved for refresh tokens? And obviously there is sender constraining there is, or one can binds the Refresh tokens to a client, ID and authenticate a client, but in scenario where both of those mechanisms are not available. For example, in the JavaScript application running in the browser, then you could potentially use a mechanism. We call refresh token rotation.

M

It just uses the fact that the Refresh token is issued with refresh in the end, detect whether someone utilized the Refresh token of an older generation and then just revokes all the all the access to active tokens. So we added some text around that topic and what we also did is realized.

M

Thanks to Daniel, we were working on the different working assumptions than for the original thread model, meaning the attacker model has changed, and that was one of the main reasons why we why we started to work on that PCP, because when off was initially published, the set up was quite simple. There was one client one a s and a fixed set of resource server, so a rather static setup, where the client could be configured at runtime to some URLs and then could use TLS server authentication to make sure it's talking to the right guy.

M

This has changed completely. Now we have, we are facing dynamic scenarios where an attacker could potentially also set up a fake RS on an AS and steal tokens. So we already considered that in our threat analysis, but we never had documented in you attack model or the enhanced and tech model, and we did that now.

M

So, if you take a look at the latest version of the BCP section, there is the enhanced attack model and what we also did- and this is nothing nothing specific to the content, but just to let you know, we moved from XML to RFC towards markdown for writing, actually writing a RFC or the BCP, and it proved to be quite useful.

M

So if you want to know how this is going to work and what what problems we were facing and how we circumvented them just drop down here for me, I think it's better to drop Danny on email about that.

M

Ok, um are we done yet? We don't think so, because there are some open topics. We would like to bring to your attention. um First of all, during the security workshop last week, the overall security works up, I, think net raise the question and it's in the end it wasn't an obvious question: how shall we proceed with the resource owner, password credentials and I?

M

Think the consensus in the room quickly was: let's deprecated it, because it was already seen as a legend see in RFC 67 49 I would like to get your opinion on that topic later on and I think we should also post that or all those topics are potentially to the list to get an opinion by the working group um next topic that we didn't really address.

M

Yet, although we recommend sender, constraint, access tokens and that typically includes some kind of public key cryptography, either em TLS or some application level stuff, the PCP doesn't talk about client authentication. Yet does it mean that we, like client secrets Tony? Where are you? Do you like client secrets, yeah? Okay, great?

M

So our proposal is to to add a recommendation to the draft to for implementers to move towards public key based crypto for client authentication. For these reasons, Tony, do you want to say something? Okay, you smile. That's great yeah! That's one other topic we would like to include and third since we now made pixie a mentor feature of all web-based flown off for the purpose of replay detection. We could also just recommend its use for Caesar after that prevention because it basically works along the same lines as a state. It's a it's a nun.

M

It's it's! A one-time-use nuns with even better protection and Daniel are also after having talked to the Stuttgart researchers that they are. The formal analysis of Olaf came back and said we should. We should get rid of that, meaning that the state parameter would be freed again for application purposes. So if we just go for pixie as the mechanism for tying or authorization sessions to a certain user agent and to detect replay, we no longer need to recommend state to be used for CSRF protection and the last one is the pixie mode.

M

We don't talk right now about a pixie mode and what we propose is to go with our sha-256, because it is better by the properties, since the code challenge can't be used as a very file. So if an attacker gets hold of a of a coal challenge in the authorization request and that's part of our new attack model, it can be used to in the end completed transaction. So those are the three proposed changes and if you've got an opinion, I would like to we'd be really appreciate to hear them.

N

Tony nedelin, so are you just gonna propose as far as the password is concerned and you're just proposing totally deprecating. This I mean it is used like a heck of a lot out there today I mean that's where people started from and it's an easy way to. You know to do to do things so. I'm just I understand the desire to not promote it, but I worry about. You know the input in the implementations that are out there today, yeah.

M

I read and dr. Taylor can be used it all over the place after after we had started with the code flow, we went to the to the resource owner password and then we went back to code because we wanted to introduce federated identity and and two-factor authentication. So there are not only security, our reasons for not no longer recommending it. First of all, as you said, well, that's what I heard.

M

If we recommend that, then it's called kind of a blessing for people to do it so I have I've met developers that when I told them, oh, it's really risky what you do, because all of your applications are gonna, handle credentials yeah sure, but you can find that brand type in RFC 67 49. So it must be okay and one really that reads the security considerations.

N

Sadly, yeah we at least have to have an answer. I mean an alternative for. Would you suggest we give them as an alternative? They.

M

Really they want me to answer that question I mean in the end. There is also always the way for an implementation or two to use custom grant types to do this kind of so.

O

Proxying from jabber just enricher says plus one to everything. That's here, the recommendations are sound. Thank.

M

You Justin.

P

Hi, it's Pamela! So what about the use case where the client is not using pixie and use deprecated State? What happens there.

M

Since we deprecated implicit and made pixie mandatory in combination with code, what grant type might be? Okay.

P

But does pixie itself not allow identity providers to have clients of either side like isn't there changes that have to happen to the pixie spec as well? No.

M

We use pixie, as it is just as a nonce to to tie the session to a certain user agent. The only difference is that now we are no longer limiting pixie to public clients. We also recommend to use of pixie with confidential clients, because it addresses a different need. The need is not to authenticate the client but to authenticate the originator of a certain transaction.

D

So just declare John Bradley so that clarification, we're not proposing deprecating state we're proposing no longer using state requiring state, be used for CSRF, because 90% of the implementations who are using state don't properly use it for CSRF and since pixie provides the CSRF protection. We can say you can just use state for state, don't worry about using it for CSRF, because you're, probably not going to do it right anyways for applications taking yeah, which is it was kind of a dual-purpose thing here.

D

Put your application state here and put enough entropy and other things to bind the request of the browser so that you can detect CSRF, but we're not going to tell you how so as a result, not so many people got it right, they used state values like 1, 2, 3 4, because an attacker would never guess that.

D

D

We suspect that that using pixee 4cs frf protection is actually going to be more effective than the current use of state for that which then makes it easier for developers. But we're not saying you can't use state for CSRF if you want you're, not using pixie. For some reason, you still need to use state for that.

H

So Mike Jones, Microsoft I, don't know if you have more slides to go through.

F

H

Because at some point soon, I want to ask some questions about the state of the implicit grant and what our next steps are. But if you have more to do, I'll just put a put a placeholder stop John I'll just put a placeholder.

Q

O

You're done proxy again from Jabbar Philip Hunt says back to what Justin was saying: I agree, I to run into issues of developers just to find bad practices because of the RFC so agree. Thank you.

M

So that's my last. That's my last slide for this presentation.

M

We are facing some more challenges than we were able to cope with the birth dbcp right now so, and one of them is that we as a community need to provide developers that develop SBA's with the clear guidance on how to implement those SPS correctly, which is.

M

Really a difficult task, as we learned last year last week, we've got a BCP on the way for that, for that specific topic, so I just wanted to just wanted to point out to people in the room. There is another sba: BCP are being worked on by. They would wait and help me Aaron Aaron yeah to describe how SBA should be implemented on top of OAuth. Doesn't.

B

For the new people, you should say what s pas Oh.

M

What does a Stanford? Thank you very much finial to each application, so basically all kinds of applications running in the user agent and they have different properties and can, for example, not use our or properly or simply use mutual TLS for sender, constraining as we recommend it to be used for other kinds of apps. So we have to find our way either by proposing completely different architectures, where all the OAuth stuff is put into a back-end where all those other mechanisms can be used again or- and that's that's the second bullet.

M

We come up with a mechanism for sender, constraining that can be used in SPS and we just recently discussed at the or security workshop. A mechanism john bradley proposed something and we gonna gonna do a write up and we hope to have something we can present on Thursday and there are two other aspects: I just want to just want to bring that up here for your information. There is some work in the financial, great API working group at the Open ID foundation.

M

That is dedicated to really high security use cases where we are working on protecting what I call rich authorization request. So authorization request carrying a lot of authorization data such as lists for of accounts, lists of documents to be signed, and so on. That needs to be protected against modification and also using signatures for protecting authorization responses. That's not work being done in the or working group, but in a yeah I would say in the close neighborhood I'm done Mike. Do you wanna.

H

So Mike Jones Microsoft I'm gonna challenge I'm gonna challenge. You made a statement you made fairly quickly early in your presentation where you said there was working groups consensus to deprecate the implicit flow. There was a vote in Thailand without much prior discussion about in the room. Should we do that, but I just looked on the list and to my knowledge there never been a working group consensus call on that topic.

H

Indeed, what happened on the list after you made your blog post, which you're welcome to do right. There was a lot of people saying that the reality is more complicated than a black/white choice and we should be describing the security trade-offs of preventing token injection attacks, preventing token theft and giving people as much actionable information as we could so I guess. My request is: if we're going to actually deprecated that there should actually be a working group.

H

Consensus call to do so, but there's other alternatives like instead describe how you mitigate those problems, rather than just saying you can't use it in fact, there's ways to use it safely and I'm not one to stand in the way of progress, as you know, but at the same time, this whole discussion has generated an awful lot of fear, uncertainty and doubt and I think it's made this situation in the OAuth developer community much more confused I know I, see that but Microsoft.

M

So, first of all, as you may know, when you've read the PCP the PCP he gives advise so it's discouraged use of those flows, and it also gives advise what to do, and we also have a PCP that gives advice on that and exactly this text that I have shown you was the result of a working group. Consents there's a threat on the mailing list. You can look it up. It has 120 messages. How much wanted messages.

G

Now, in era there.

M

Were just two people objecting against that consensus and roughly 20 people voting in favor of that.

O

M

M

M

It was a consensus call about exactly that text. My.

H

Read is it didn't say, consensus call anywhere in the thread Hannes.

B

Yeah we can, we can look it up, but I saw it as a consensus call on the on the text, but we can. We can have a.

R

B

In number, do that not right now, but I fought on it was understood as such as probably not, though the word consensus call in the subject heading but I will so.

A

Maybe a question so so here we're saying, should not or recommend so it's you're not saying we're deprecating that and you must not use the existing implicit right.

M

We we turned around over the over net recommended to make it a must not I leaned in favor of a should not because basically, what I want to achieve is to get a movement rolling right. So, in the end, any anybody out there can can can do implicit as long as they want, but I don't want to give them the blessing that we as a working group, recommend this kind of stuff. If you take a look into our see, 67 49 security conservation section, it explicitly states that implicit grant is vulnerable to injection attacks.

M

I, don't know exactly why we ever made that part of OAuth seriously speaking. The only reason I know of is at the time when we published, oh, of course, didn't exist. That's the only rationale, and since that this is no longer a problem. We can go ahead and community use code which, in the end, simplifies all as a whole. So.

A

I'm asking this because typically people when we know when they're each should not, they would say. Well, it's not it's not that it's come.

M

To you want me to make it a must, not.

A

M

Tell you I can I can I can tell you what my observation is. My observation is people have blamed me for fear, uncertainty and doubt, but basically what happened? Is the community started to move in the direction we recommend them to move? As I said they're already the people that that blamed me on Twitter started to to migrate their JavaScript library to support, offer recommendations and I mean what can we hope for.

P

M

They want me to send you to Punto.

R

F

Sorry about this.

C

It's the longest.

B

Or like I will be posted to the list, but you can see my original text here and the headline says it said: recommended authorization code instead of implicit, all security topics and it provide the sort of initial image here.

B

But of course there were lots of follow-up emails and then I concluded the whole thing sort of we went through the feedback afterwards, so I thought that it was a pretty good discussion and a judgement I may have been more I, probably could have been more clear and a subject header of the email in saying that the consensus called will do that in the future, to make it more clear, but that was essentially became to the text that I had previously shown on the screen and that.

M

Was you send the posting with this with this text and ask people for consensus, so this was a later in the later posting. So my suggestion is: let's sit together over the meeting and we will find this read right so because we also had a mill meeting about that.

M

I'm quite sure that most people perceive that as a consensus call including me. Okay,.

H

My perception is, we just had a rollicking discussion but I'm willing to be wrong on this, but I didn't think if there was any consensus that we just had a lot of discussion. Let's.

F

M

Okay, can you please open the other slide egg.

B

Let's I would still get a like to hear what the folks in the room think about the previous.

C

B

So to hear what what sort of impression of the room is so I just go through one by one to see what the views are so who, who, in the room, is in favor of discouraging the use of the resource owner password credential strand, raise your hand and who's who's against it? Who thinks that we shouldn't discourage the use of it, so I I would say that be blind in favor of discouraging this, of course, will confirm it on a mini list who, in the room recommends. Do you have some from someone from under.

O

Under first item no I'm late on the sequencing, Philip Han says I recall in Singapore there was an agreement to produce a guy-guy spec for implicit.

B

Okay, I, don't recall that one, but okay, there's who is who's in favors, recommending client authentication methods based on public key crypto, raise your hand. So we again about two four six. So.

O

I have to in jabber in favor of discouraging on.

B

The previous one, so yes, yeah, mmm okay, sorry jabbers, he's a little slow, yeah, uh-huh, okay, so who's against, making any recommendations on a client authentication methods based on public key crypto.

B

But if the details, no that's not find us.

B

In the client, client, ID, transit, okay, I, don't.

H

B

That's true, yeah yeah, okay,.

O

I, don't I don't hear any anyone, so it's these the folks are jabber saying. Can you please restate the call for having trouble okay.

B

Sorry so I repeat the second one again so who is in in favor of making your recommendation and on client authentication methods based on public key crypto raise your hand again, so we have two four six jealous.

F

B

I count the only ones even here in sports fans, okay,.

O

Any objection before we do that in favor of crypto is one okay.

B

Are you writing this down? No, roughly okay, good thanks thanks sunny okay, the next one who is in favor of using pixie for CSRF protection instead of the state parameter, raise your hand.

Q

B

O

One coming in to coming in favor of pixie, okay, so eight three in favor nine.

B

Whose boost against this recommendation.

B

Nobody and finally, who is in favor of recommending the pixie mode sha-256 instead of the plane mode, raise your hand.

B

It's a kind of it. That's not easier. I am q1 Jabbar, okay, so and who's who is against it? Who would like to stick with the plane mode as a recommendation?

B

B

Well, but I still want to ask because I think it's here, it's an easier one and and others, but okay, so I think that was pretty clear and that people want to follow the recommendations you put on that slide for the next version of the of the document. But we still do a consensus. Call on the mailing is to make sure that we also catch those who are not on the online Noah in the room. Okay, you.

M

Will send consensus, cause or post.

B

M

That okay, thank you very much.

M

L

It's a little bit of night.

B

M

Thank you so um next topics I would like to give you an update on a draft that I have written together the Vladimir omnia. So we enough it's about just protected responses from the introspection endpoint, so what it basically does is it enhances or FCR 7660 to by the ability to not only respond with a JSON response from the token introspection endpoint, but make it a jot, which then allows for signing especially signing the introspection response.

M

The use case that we have in mind for this kind of functionality, our high assurance use cases where the recipient of the data, the resource server, needs to take the RAS some kind of liability. Regarding the content of this introspection response.

M

Basically, some auditing and non-repudiation requirements that we see in open banking and also in the electronic signing signing sphere and the problem is in those use cases you not necessarily can use jots as access tokens, which would provide you with this kind of non repudiation by auditor signatures, because you use the access token to interact with different resource servers and in those situations, introspection. Much better fits and adopting this.

M

This draft will more or less give us a balance between the different design alternatives using judge, signed, dropped tokens and using introspections for high assurance use cases. The.

M

Draft was adopted, I think midlist year last year as a walking working group item, and we haven't had much changes since Bangkok. Basically, we updated some references, for example, for the server metadata, but the draft is: is here it's it's. It's a it's a role of all draft they're, all a simple draft: it's being implemented, it's being used, but not many changes.

M

There's one open issue with that draft and I would like to bring that to your attention. I would like to get your advice on that just since it suggested to change the draft into a more general mechanism to enable Church responses at any kind of o of end point, meaning, introspection, registration, relocation and so on. I brought that question up at the last meeting and also post it to the mailing list exactly that question, and there were exactly two postings reacting on my question and exactly both in completely different directions.

M

So Mike just said: let's do one thing well and Justin revised his support or its proposal to make it a more general generic mechanism. I try to keep niche neutral on that point, but my my objective is to get it get it through because we have deployments, depending or depending on that draft and I think it's a useful extension I would like to get your advisors of working group and us working co-chairs how to proceed with that topic.

A

Any opinions decide think Michael Lee the status division, but you.

S

A

H

Mike Jones Microsoft I just want to reiterate I think unless there's clear use cases for more less is more.

Q

I'm mark I'm, just thinking there is a there- are use cases for returning a job from introspection endpoint, but returning a job from discovery or registration. I think it's been soaked already in a standardized way. Isn't it like that you have assigned metadata document as a job as part of the discovery response? So if you were to add that, then you would have to change it as well. Those specs as well I, don't know if that's worth it to be honest,.

I

N

Tony Nadler and I would say: let's keep it simple and get done and out the door. I think it solves the case. The use case, at least for things that we have going on and that the end stuff that we need to need to worry about right now, I'd like to see a drag you up for another year and we don't get a get something out the door. That's the only that's my concern.

A

So I think, when that when the document was except they do or it was with a specific scope right so.

M

Justin already pointed out at that time that he would propose to to make it a more generic mechanism, I see. So it's what kind of kind of a conditional acceptance, at least from his side.

O

So from from Jabbar just insists: well, that's my point: we're doing a point solution in parallel and shouldn't. We just do one thing everywhere: I think the end state might be the same thing anyway and then prior that Brian said in my opinion, given where things are right now, I think keeping this document to be introspection only in scope is the right thing to do so. It looks like Brian adjust their since again.

D

So I well I do have some sympathy for Justin's position. The reality is that we have mime content-type negotiation. Jots have a mime type. There is a clearer way to ask for different mime types that people already have for other specs. The difference, I think is all of the trust stuff around. It's not just asking for a jot it's. How do you define all of the trust relationships? I think if we start to pulling those other trust relationships into this spec we're not going to finish so.

D

Yes, it would be nice in in principle to have the same way to do it and other specs can do it in a similar way, but they're probably going to have to define their own trust relationships, so I think other specs having some sort of profile to say how they do. It is going to be required anyways. Yes, they can follow this pattern, so I would come down on the side of keeping this not dragging those other things into this back and just getting it done.

A

Okay, so we would like to get the sense of the meeting so in the room here so may call for a hum and see if a what-what, the like the workgroup is, is leaning towards so so the question is they want to ask if you, if you want to keep their scope, as as it is, and the other one is to extend that scope so hum now, if you in support of keeping the scope of the document, as is.

A

Okay, um now, if you in favor extending the scope of this document,.

R

A

Okay, I think yeah I think we'll we'll stick with the first document. Okay,.

M

So and from my perspective, it's done okay. So what are the next steps.

C

A

Maybe we call for reviews just to make sure.

T

B

I think in we will obviously confirm that on a milling use, but I think we if mailing list was or the folks on the list, also agree with that. Then we'll start a working group last call on that document. I. Think, okay, because we end up the pipe here.

C

B

Think she has to I think if you have to join the queue as a speaker or sir and then we can accept it, and you can start your presentation I think that's the way it is okay,.

G

Can you hear me okay, hi everybody so so matcha and I are both presenting, so we'll be going back and forth. Matcha you'll probably want to turn on your microphone. If you haven't so we've got a lot of material. We're gonna be just doing some highlights and sort of treating the slides leave behind. In addition to matcha and myself we're both presenting remotely there's a couple of other relevant folks in the room Pedro.

G

Can you just identify yourself if you're there it's a little reading, so Pedro is a an uma implementer from kee cloak from Red, Hat and also ishaara. Are you there as well? You say hello from wso to another implementer and they are willing to have some sort of evening discussion if people want to get together later have additional questions, maybe over a beer, so you can figure that out yourselves later on, which may be much I and I can just have a beer ourselves at home in on earth.

G

So next slide, please so we're just going to cover a bunch of topics pretty quickly. Those last two topics before the conclusion or just if we have time I've got a timer set here, so that we'll keep an eye on things we do want to get to the conclusion and next steps. Most importantly, so I'll keep an eye on that. We're gonna take a progressive disclosure approach, so we'll hit a few topics several times.

G

Knowing that user managed access is kind of, even though it's based on OAuth, it's kind of a kind of a newish thing, so we'll hit a few things sort of several times in expanding fashion. So next slide, please much I'll. Take this overview. Section hi.

S

Guys can you hear me? Well, yes, okay, fantastic all right, so we we all know right. It enables like constraint allegation. So it's a pretty straightforward from a high level perspective. We have a resource owner, a client that interacts with a resource server at the authorization server, and you can see in here. We have these kind of. We have that kind of a colocation of the authorization server and the resource server. If we can go to the next slide and uma differs in outside to main in two main points.

S

The first thing is that it does enable a cross-party sharing. So, firstly, the sharing of a very sort of a protected resource does not happen to just a different application to a different client, but it happens to a different to a different party. So we have a concept of a resource owner, but we also have a concept of a requesting party with which can be different from the resource owner. So we have that notion of a cross-party sharing and we also have a notion of a wide ecosystem.

S

So if you take a look at the at the bottom of the other diagram, you see that there's no dotted kind of line between the authorization server and the resource servers. It means that those resource server can realistically reside in different domains. They can be kind of managed by different organizations and still talk to the same single authorization server and that is achieved through introduction of a number of different I would say concepts, but also endpoints.

S

In the previous diagram, we had the standard endpoint of the authorization and the token endpoint, but in here you see additional resource registers or resource registration permission and enhanced token introspection and acclaims interaction. Endpoint.

S

If you can't go to next slide, please so an overview of of the of the uma. So anyway, we have kind of these these to tax. The bottom line is sorry. The bottom part of the diagram shows the Ummah grant for authorization. So this is the the Specht that kind of defines this cross party sharing.

S

The upper part of the diagram is the federated authorization for OMA, and it discusses how we can make this white ecosystem. I would say, concept a reality, so a single organization, server, multiple different resource servers and in uma we have this new set of tokens. So you see that we have a protection API token. We have a requesting party token, we have a persistent claim stock and we will discuss them on examples and int flows in the next in the next slides. So next slide, please so.

G

A little bit of history of how all this came to be so, the work of user managed access has been done at the Cantera initiative, where people had wanted to sort of empower users to share data, but we have actually had some interaction with IETF over time. Why? All these contributions that we've been making? We actually had a goal to sediment some modular pieces into wider communities where appropriate, so we've been assessing over time appetite for a broader adoption and and doing this helps promote adoption.

G

So actually the original, dynamic, client registration, spec came from early uma works, uma, 1.0, work and matcha is one of the authors of the ultimate oo, auth, dynamic, client registration spec from this history. All of these that you see here on the screen are expired, except for the new uma to dot o drafts and any questions at this point before we move on just to check. Ok, I'm, not actually there may be some stuff in the chat that just flag us since we're remote. Ok, great!

G

So now, just a couple of sort of one slide on each of these specs to sort of say what what you can see in them next slide. Please yeah right.

S

So, let's, let's discuss the uma grant for authorization, so I printed, the the spec and I think it's best to write if write discuss that on the from the example that we have in the specification. So let me read that, and let me relate it to these three concepts that we see on the slide, the first one being party to party sharing the second one being a synchronous and the third one mentioning mentioning policies. So the example that we have in the spec basically says the following.

S

So we have a bank customer Alice who has a bank account service, which is the the resource server and she can use a sharing management service. The authorization server hosted by the bank to manage access to her various protected resources and she can manage access to her spouse of an accounting, professional Charlene or a financial information aggregation company.

S

So all of those kind of parties that can potentially access they are the requesting party. So we see that the actual sharing happens, not you know from Alice Alice, but from Alice to Bob or different different other parties. The second thing is that it's it's. It's a synchronous, so in the case of it's a typical scenario that we would authorize access to a protected resource in case of uma, what happens is that Alice would be able to use the authorization server and go and set policies not at the time the actual access happens.

S

So in respect to the to the grant? It's it's not a it's, not a synchronous, interaction and the second thing are those fall, and the third thing are those policies, so at the other is a server. What Alice does is that she can manage I would say various different, complex policies for access to protected resources, so it doesn't have to be just authorized or deny it can be a more complex policy that requires some claims gathering, as we will discuss later, that mentions some conditions, etc, etc.

S

Next slide, please and to discuss the the second specs of the federated authorization. I'll also use the example from from the specification to relate these again, three concepts: o1m servant and interactions, scope, great control and the resource and scope concept.

S

So the example is following: it's: it's pretty much a similar similar example. We have a bank customer, a resource owner Alice, who has a bank account service, a resource server, but also a cloud file system which is a different resource. Server and Alice uses a dedicated sharing management service, which is an authorization server hosted by the bank. So she can manage access to both the bank account service and to the cloud service from a single authorization server, and that shows this 1 to n relationship.

S

Again she manages access to various different various different parties and during the sharing, what she, what she can do is that she can define whether access to a resource is of video type of edit type that can relate to, let's say files or in relation to the bank. You know few financial data, maybe move money, etc, etc. So this scope, scope, grained access control means that we are really able to have various different scopes associated with various different resources and those resources and scope concepts. They kind of differ in the uma case.

S

So in the oh of it's more of a flat structure that we have in the uma case, we have a specific set of resources and scopes associated with these words. These resources.

S

Are there may be any questions at this point.

G

S

Next slide, please: okay and a quick reference to token. So, if you, if you recall the diagram that was presented earlier, showing the the two specs and the kind of the two different mechanism that we had, we have two in Omaha, then the three main tokens that are in the in the flows that that we use I'll start with the protection API access tokens with the path token. So in the protection. Api access. Token is a token that allows this interaction between the resource, server and the authorization server.

S

So the authorizations, sorry between the resource, server and the authorization server the resource server in that interaction, acts as a outside playing or client. The token has to have the uma protection scope associated in it. So it's a probably the simplest token to explain the other two tokens which are very much uma. Specific is the requesting party token and the persisted claims docket. So the RPT. That's the token that represents the permissions when a client tries to access a protected resource on the resource server.

S

So this is the token that has to be in the request that is fast from the client to the resource server and it has to be associated. It has to have a set of permissions associated for the access to the protected resource. To be successful, the persistent claims talkin as we'll explain further in the during the presentation, is some kind of a correlation handle that allows the authorization server to kind of remember the requesting party. That's interacting with that server before and our pretty so.

S

Your custom party token can be issued to the client that is operated by that requesting party.

G

S

Slide move a long, different.

G

Topic here, so what are people doing with it? Implementation getting back in the wild just.

G

R

Idling just a question.

N

On you know, do I have an RP T in and PCT token right. Aren't these can't we just wind up using access tokens here. Yeah.

G

The RP t is literally just an access token, and we gave it a nickname because we had a couple of other things floating around in the environment. So it's literally an access token. It could be called the access token, except that the Pat is also an access token, so we gave them nicknames. That's all it is Thanks thanks for the question.

G

Okay, implementation and use in the wild next slide, please so here's some typical use cases we've been seeing. Uma was originally designed for this Alice to Bob use case. So when you want to be able to have other autonomous third parties who are not Alice wielding clients- and here we see use cases like patient directed health data and device sharing financial use. Cases like this discovering and aggregating pension accounts and sharing access to financial advisors.

G

That's from UK pensions dashboard, which is where the UK Department for Work and Pensions has been doing a profile, but we've seen other use. Cases arise because it tended to be sort of a generative use case once solved so enterprise k, Alice, so enterprise, API access management and access delegation between employees, because the initial resource owner is basically the enterprise, as well as an Alice Alice use case where you want Alice to be able to proactively set policy for which applications get access to her stuff.

G

So and you can see on the right where people have been profiling or pointing to Emma. So those are some use cases and next slide. Please, you can see a list of known implementations so far, so as I mentioned as some people in the room who represent some of these implementations as well as I, see some people participate, participating and observing remotely. If you want to ask questions, there may be some people who can also answer through the chat.

G

Okay, so now we're going to change gears a little bit in the next section, with basic flows in the immigrants. So this is the immigrant spec, which is kind of a the major main spec, abstract sequence, for the uma to grant. So we're just going to build on this swimlane as we go here. These are sort of the the entities getting to the grant. This means we're focusing on the client perspective, the client interacting with a s and the RS.

G

The RO is not in the picture. Therefore, we said it's asynchronous, so they may not be around at all. By the way the Illuma clients can be a public or confidential. So a little similar to the assertion grant the client can have learned of the protected resource location in any way. So, for example, maybe the requesting party role of Bob role might have clicked on an email link or whatever next slide. Please continuing here.

G

So the initial resource request, unlike other Roth grants, but but like some other things we might know of the client, goes to the the resource server first, so that's kind of familiar from web access management or as we're seeing from some ace work. One of the ace patterns is Planet RS. First, so we'll discuss some implications of this in a bit next slide. Please!

G

So now we're getting into the response to a token las' resource request for something that turns out to be protected, so we've got a client that is Uma, enabled it's going to know how to respond to what the RS sends it. In this response, the RS is going to get what Emma calls a permission ticket and yes, then send that in a header called ticket the clients gonna have to present that at the a s and the next step, the RS also indicates in this step of what is to go to.

G

So it's going to do some a s discovery. Does this in a header a s underscore URI and based on this, the client is going to be able to go to a discovery doc.

G

We just reused the OAuth discovery, doc and add a little bit of extension metadata to it. We didn't. Actually we missed by a timing thing. We didn't point to the final RFC for that because of a timing. Skew maybe if I don't know.

G

If we'll have time today or if there will be some discussion time, Thursday I'm, gonna miss it will be a little my night, but I know that there's some pay s discovery stuff going on and there's been some discussion on the list back in the fall, but I'm just gonna suggest that we go to the the next slide. At this brief.

S

Right, yes, so so we have this permission, as you saw on the earlier slide, we have this permission. Ticket that gets returned to the client, that's trying to access a protected resource and the permission ticket is kind of like an authorization, it's just that for the interesting partition and the client and it binds the server and the application server.

S

So it points that that interaction of those like untrusted entities and it references the permissions that a client, sorry, it references the permissions that the client will eventually obtain and those are registered for the resource server at the authorization server.

S

So it's important that like if the client tries to arts as a resource and makes let's say a get request that to a photo to a single photo, then the permissions that get registered and that are reflected by the permission ticket can be just a really big risk up for that particular forum, or it can be, let's say, read for the photo and the entire album or some additional comes at the Rs Thanks, and the decides that it should that it should apply.

S

Okay next slide, please.

S

Right and now we'd like to discuss the basically the way that we exchange sorry the way we actually obtain the or the the way we enter the entire notes. I promise were like an abstract assistant, the sequence for the main immigrant, and there are like two ways that we can that we can enter the first one is by so when, when the client obtains the permission, ticket M decided to push it claims directly to the authorization server or and decide that it will redirect the requested party for a more of an interactive claims gathering flow.

S

So the first one was a back-channel interaction without the involvement of the second one is a front, eternal interaction where there is a redirect to define it's called the claims, interaction and point at das, which eventually allows for the requesting party to engage in the potentially a very complex, a very complex, a very complex flow.

R

G

S

G

With four examples of those in a second come these high school, so.

S

Next flight piece.

G

Alright, so um so that uma grant is, you know, it's got some moving parts, but ultimately, if there is the the requesting side has given the authorization server, what it needs to just say: well, you're gonna, succeed. There's this authorization assessment process.

G

That's that's internal to the a s, but there's there some requirements on how it performs that just call that some set math I'll describe that in a sec, then it goes through a happy flow that should look familiar from other OAuth grants and.

G

So I'm gonna I'm gonna leave aside some of this the the lower bubble there there's you know some sort of standard access, token behavior a little bit of behavior, that's unfamiliar I'm, not gonna. We're not gonna spend time on on the persistent claims. Token today, just maybe discuss that in the fullness of time, but the reason why we have that authorization assessment and set math stuff is to account for the fact that there's policy conditions that the resource owner can set up. So let's talk about that next slide, please so authorization assessment.

G

The reason why there are those constraints is that the the resource owner gets to say if you think about like uma, is sort of standardizing a little bit of what goes on. If there's like a Google Docs share button or an access approval loop, the resource owner has a chance to impose some wishes on the process, and so, if Alice gets to impose some wishes and then Bob has to prove he's him or prove that he meets some criteria. Well, some of that has to be taken into account. So this will.

G

This is a diagram showing how that has to be taken into account somewhat I by the authorization server. So, first of all, since the client starts out, a hundred percent untrusted and the requesting party starts out a hundred percent untrusted and they never become a hundred percent trusted.

G

We say that the client had to pre-register scopes for whatever that means, with the a s in order for a scope request at the a s to have some effect, so that has to be some union of pre registered scopes, and you know, just in time requested scopes for those to be considered now.

G

Any permissions that are represented in the permission ticket can add to the total requested scopes for them to be considered, so you can see, there's a little there's the math um and then ultimately, if what ends up in these requested, scopes is just partially satisfying what somebody asked for, then the ask can say: look for business rule reasons: I can air this out or I can grant what ends up being partial.

G

So those are so. Those are some of guardrails that we put in.

G

If no questions we'll move on okay, now we're gonna give you some sample flows and I know this may be an eye chart. But of course you guys have this available. We have to sample flows, and these are sort of the most popularly implemented.

G

This is we call this pushed claims and I'm gonna call this.

G

It sort of looks like an assertion grant pattern, because it's it means that the requesting side provides a token packaged up already that Bob doesn't have to the requesting party doesn't have to experience typing in something having a live interaction with it means the client is in possession of some sort of token it can push along kind of like single sign-on or something so what you're seeing is by the way at the top I've got a little dotted line around basically authorization server and a bunch of endpoints that all represent the authorization server, so not not to confuse anybody, but that's what you're seeing there and we'll see that in the next slide as well.

G

So so um this is. This is the most popular flow through the grant sequence. So far, among the options, all the implementers that we know of have implemented the pushed claim option. So this starts with the back-channel option and just stays there. It basically just uses the token endpoint. It illustrates kind of a narrow ecosystem, in that the AAS is also the IDP that Bob uses. So the client lets the requesting party Bob log in to this, a s that is the IDP and then it hangs on to the resulting ID token.

G

It pushes that ID token to that, is the IDP, silently to prove that Bob is Bob unrequired, because Alice's policy demands that. So it is it's kind of very approximately, like IDP, initiated single sign-on or something so there's kind of this narrow oka system that agreed that that's what was needed, or it's kind of like Google Docs when bob has already logged in because Alice's policy said, share this document with Bob.

G

If no questions and next slide, please.

S

Okay and as he mentioned, the previous one was more of a more popular flow. This one is the less popular one, and this one involves the actual front channel interaction of the of the requesting party at the TAS. So it you can see like there is a front channel redirect of a requesting party to the claims, interaction endpoint at the das.

S

So this is the the claim that is the dotted line it does allow between the arrow to and are all free to have a very complex outside interaction between the a s and the and the requesting party.

S

So let's say that the a s can even act as a let's say, a requesting, a sorry, a relying party to a different ID peak and collect you know various attributes about the individual from you know some kind of distributed sources and based on that can execute the authorization assessment after that it redirect the requesting party back to the back to the client, so it redirects it back to what is called the claim to redirect URI, and that can finish the interaction once the client has the the the new permission ticket.

S

It can again request the requesting party token, so it does that through the for the tonkin end point at the ass again once the RPG is issued to the client and can the client can then start interacting with the resource server by using the newly issued RPG.

S

Okay next slide, please one.

G

One quick comment about that last: one just want to say a comment that we've heard at least from one or two implementers is that that claims interaction. It kind of functions like an authorization endpoint only a little bit more flexible because you don't have to start with it. You a go to the token endpoint. First, you could go to the claims, interaction. First, you can sort of mix them up, so it functions a little bit. That's why we call it the authorization token. If.

S

It's important that yeah, these two can kind of you know crevices in the same flow right, so some flows down some claims can be kind of collected in the push mode outside and Sanford claims interaction, mode.

G

N

Some questions in reading the spec it was hard to figure out. You know the dynamic claims gathering actually works. It looks like if there was some undocumented stuff going on there as far as the actual, how the claim the protocol to actually do the claims gathering and the other thing is, you know you know we I looked at it and it looked like resource sharing can be done. You know by some some of the token exchange work. That's been done in here and have you guys looked at that?

N

Integrating the token exchange work in this stuff and then I still am curious of how this fits with current authorization servers, because they have a different pattern today and I'm a little bit concerned over. You know changing that or is. Do you believe that this is just for users that have to go through the uma process for resource registrations and stuff so I mean? Do you see I mean you're, proposing this as a standalone document as I understood the the great the right.

G

So I think you're. We are I, think you're talking about the act as semantics yeah. um The challenge is that it isn't always act as it's. It's allowing somebody to act on behalf of themselves.

N

But to exchange has both of those semantics so.

G

Yeah, it's um we couldn't figure out how to get an individual to to actually delegate access, and that's the one thing I've seen in all the other proposals is how to fully get an individual or anybody else responsible like basically as a resource owner.

G

So there's actually business model work as well. How you can get a data subject to have somebody else. I have a privacy section in here as well that we can talk about yeah.

N

I have some privacy questions too yeah.

G

So there's some folks who are wanting this for privacy purposes basically, and they have not found something that actually packages it up for privacy purposes, so so I I have looked at it. We have not found anything that actually meets all of the needs packaged up, and that is part of the challenge.

G

So we could do a comparison exercise, but the the challenge has been to find something that actually solves a business use case end to end, and this has has met the needs of a whole bunch of customers, and maybe some other folks in the room can speak up as well for their purposes, I'm, not sure if they have dealt with that question.

N

So, who do you see using this particular set of specification, at least the at least this first at least the first specification.

G

We can go back to slide 12 if you want to. The typical use case. Is health financial, IOT, inter.

N

You see it for just the people that want to register that want to register their resources. I mean this is not necessarily how things work today, so I'm curious of how you see people changing to use this I'm.

G

Talking about customers, actual customers.

N

G

N

They, okay, so I'm, trying to figure out how how we, how this will actually wind up getting used over the current model of the current oweth model. Well,.

G

The problem is that you'd have to build a lot of stuff, I believe on token exchange, which is a building block spec to get it to actually solve this use case end to end. That is what people have been discovering I, don't know anybody who's actually used token exchange to solve, share button and access approval, loops for Alice to Bob, sharing.

G

In an interoperable fashion,.

N

I'll take it to the list, then Thanks.

G

S

Right questions, or should we come to the next slide, yeah all right, so some some observations of the clients that, like I, don't know if Joe is in the room, but if he is then I believe some of those are his comments in the case of the uma clients, what we realize is that the the clients themselves, they can't be a little bit dumber than our case right, so they don't have to Caesarea, understand all the Scopes etc. They can start making requests to.

S

They can make a request or a resource server, obtain the permission, ticket and kind of follow the interaction based on that permission they get without understanding what you know. What cops are associated there, so we can externalize, this entire I would say entitlement logic and because- and then the second aspect is that also the outsid error flows are really kind of well defined in in the spec, so the clients can based on whatever they receive they can act.

S

They can understand that you know they have to either we direct the user, push the claims, etc, etc. So it's in, in short, they they can be a kind of lightweight I, think we're short on time. So, let's skip to the next slide. Please yeah! You have about 13 minutes yeah.

G

Oh, we have 30 minutes left or yes.

B

G

Okay, we may have time, I would say: let's go quickly through this section: okay,.

S

So that's three I think.

G

One 3:13, okay, yeah I, would like to have at least five minutes plus for discussion in that last couple. Slides manches of.

S

Course so basic close intima.

S

Okay, can we go back sorry? This light is fine yeah, so so, firstly, in the federated authorization. So what we have is that the AAAS presents a standard, what we call a protection API for resource servers and there are three main functions of the protection API. The first one is for resource registration. The second one is for permission, registration and the third one is for token introspection and there are respective endpoints for that old, which we should.

S

We chose registration, endpoint permission, endpoint and the token engine and the enhanced token introspection endpoint for the resource server to interact with the protection API. As we mentioned, it has to have a part which is a plane of a token with the unmarked protection scope associated and it's typically it's a issued to the sorry it's issued to the resource server with with the resource owner in place unless it's a unless it's a kind of like an enterprise resource owner. So then a different flow happens. If you can go to the next slide.

S

O

Jump in a comment from Jabbar.

O

O

Justin says, in my view, Yuma clients aren't dumber than our clients so much as they are dumb in a different way. Okay,.

G

F

G

Couple of the new artifacts that we are not gonna have time to discuss the PCT, assuming that an ass produces them. That's something that a client has to manage.

S

Right so make the next slide piece.

S

Right so first, the first endpoint as I mentioned, was the resource, registration and points. So it's a very standard.

S

It's a it's a restful, endpoint kind of like a crude type and endpoint that allows the resource server to start managing resources for protection. So it allows to create the resource description. It allows to list the available the registered resource descriptions to update the descriptions to eat, etc, etc.

S

Again, all the research all the requests have to have a path associated next slide. Please the resources and the scope that get registered are so two things on the resources. The resources are just descriptions that get registered on das right, so the earth pretty much does not learn what the resource is. The information that gets registered is something that should allow the resource owner to manage a policy. So there are a number of things like a description and icon a type, etc, and importantly, the scopes are resource specific.

S

So we can see that on the example, we have our RS 1 and RS 2 and they have a different set of scopes. Let's.

G

Go yeah they might share, they might share some scopes right, end up being identical, which can make a difference, an authorization assessment, but they might have different scopes, which is something maybe we're not yes,.

S

Normally, yes, and some of the scopes, they kept your eyes, which can be resolvable, which also means that we can, let's say, create kind of like a set of standard, as course, which can be reused across different resource protected resources.

S

Next slide, please.

A

So guys it try to leave five minutes at the end, for just some discussion and around this, the.

S

Permission and point very simple: once the client executes a request to a resource server the resource server. What it does is that it registers a permission at the authorization server. It uses the permission and point for that purpose. You can see an example of a request at the bottom, which references a particular resource and the Scopes, which should be kind of added to that permission.

S

So to that permission ticket importantly, the the resource server can register like a single resource or an like an a set of resources that it thinks should be linked with the permission ticket and next slide. Please and the talk and introspection. So the packet introspection follows the the OAuth 1 one important change, so it does not return the scope a value. Instead, it has the permissions value and that's because we have this kind of layered structure, so we have a resource and associated scopes for that resource.

S

Next slide, please and right, ok and some observations. If you want to take it.

G

Yeah, let me let me um sort of take this and we can sort of go to the end right after this I just wanted to point out that we've been watching with interest. What ace has been doing also watching the resource indicators, conversation and the RS offline use cases is of interest to us, given some a lot of IOT use cases that that almost seems to have so I'll just sort of let that sit there in case. There's people interested to go down that path.

G

G

And we can skip all these next slides and I think go to slide 39, and we can go to the conclusion and if you don't mind, I can just I could just take these. This is just a kind of quick summary. We tried to put together based on stuff that we've been hearing from all the folks who have been implementing and using uma, so I'm, just gonna sort of let that be there as a sort of a sort of a leave behind I.

G

Suppose, if we can, we can take Justin's point about the really dumb point. Again. That's a quote so I put it in quotes on the client side, but there's benefits that we've been hearing on the RS side about externalizing authorization, that's feedback that we gathered and putting this together standardizing management of protected resources, again, feedback gathered benefits to the resource owner around controlling data sharing.

G

That's a privacy benefit that we've been hearing from those who are you know those were in the position of deploying this, for consumers benefits to an AS and to the requesting party, as well around things like revoking access meaningfully when you're actually sharing with an autonomous third party that becomes really different than we're sort of sharing it with yourself using a client and so I'll just go to the last slides that we can hopefully have a little bit of discussion here and to Tony's point. You know if there's ways to incorporate specs that already exist.

G

That's you know. It's part of the point of sedimenting things down and part of the point of you know leveraging more OAuth, that's actually how Huma 2 happened. It was to leverage watts to more fully because a lot one was based on a auth one, but apparently not enough actually and then os/2 happened and we were able to sort of leverage o auth to more fully and that's how we have a formal extension grant, for example.

G

So you know we're trying to solve real use cases that people seem to have and sedimenting further into the ecosystem is part of our goal, because there's seems like there's pretty high demand right now for for the flows, the the use cases that that we've described we're trying to figure out a way to leverage the expertise of this group, and so on. So here you can see the proposal on the screen so figure out how to open it up and the time remaining. Okay,.

B

So let me get a sense of who has had a chance to look at those documents and thanks for submitting them and say, please raise your hand if you had a chance to look at them three, four, if a few five six yeah. So we have a bunch of folks who actually looked at the documents so clearly, this is currently uh another one on the on Java.

B

Clearly, this is something that would require a reach on train because it's because it's obviously not in our Charter today, but we both are interested to hear on what you guys think in in terms of sort of adoption for this group, which is what even danmachi are asking for. In this specific case, John John.

D

Bradley hi I'm AJ, unless I guess my question is exactly what are you asking for? Is this proposal that the work technical specification work moves to the OAuth work group and the lumo working group at Cantara winds down or that to the Covenant parallel? It you're you're, probably well aware that once something becomes an IETF spec, the working group, it feels obliged to make breaking changes and put its own stamp on it. So I mean it's I mean the working group would publish a fully compatible spec with what Cantara has already published.

D

G

Yeah I mean we're aware that you know a work item is a work item we are also. You know.

G

We're also aware that if it's taken up as a work item that can lead to greater adoption- and we wanted to make sure that this community, this wider community, aware that there's quite a few implementers who can advise and and contribute to the process around existing implementations and deployments, because it's a sign of I hope the value of you know the nature of the use cases and the nature of adoption today, and so that that could inform how the the work items could proceed.

G

If there's interest to your question about what would happen to the existing work group in Cantara, there's actually existing work, as I pointed on the slide. That would probably continue at least for a time number. One interrupt processes for the current specs, which are Cantara recommendations, were we're planning to have an interrupt results report out effectively.

G

It identifies for one and there's work that I didn't report on right here for times sake, but work that we call business model work, and you know we can just treat it as a lead behind that are in the slides here, I've presented on it previously over the last year. Plus, that would probably continue, as you know, as long as the specs are stable enough or you know, would continue in some form to whatever state the specs are in you know, breaking changes would be on fortunate.

G

We'd probably want to keep them to a minimum, given that we've got a whole bunch of folks who have implemented- and you know deployed, and so hopefully there'd be a balance and a consideration for that. Okay,.

A

I've got to cut them to lie enough to the Roman god.

F

O

Ben wanted to jump in saying. Sometimes we publish an existing technology, unchanged interoperable in the ITF stream as an informational document, with the other standing that this effectuates transfer of change, control and future ITF versions need not be compatible right.

B

That was where I was going to, but I think Eve has answered that quite clearly right but yeah. It's a it's a contribution to the working group and you know you don't.

D

Know yet what changes would when it? It wouldn't be published as a working group document unchanged, it would be published as an individual submission.

B

If it would real and treat it like any.

D

Other document that we have and we'd never know what changes. No, what do you mean that that wasn't that there could be an individual submission from Cantara to the IETF document stream, which would enable a publication of nay draft I understand.

G

D

Not as a working group document, then there would be a uma three I understand, but that's not what, for is that? What you're asking for or no that's.

B

What you just said, I,.

G

Mean what's a: what of most interest, I think is what would be of mutual interest to do, to strengthen it and, oh uh together, there's like various streams and- and you know, maybe a.

B

N

Fight out on the list, but that was I understand.

N

Yeah I'm still confused over.

B

What's being asked for here, okay, don't have some, maybe maybe I. Are you planning to ask some detailed questions about the specification yeah.

N

We don't have time for that.

N

R

Wait I mean it does have.

R

B

Because we ran out of time, but maybe we clarify this high-level point and if so, the question of a surrounding here is like in the contributions that you're making. If these documents do, you expect them to be published, as our sees as they are today, like as you have submitted them, or are they supposed to be input to the working group with, but then most likely there would be changes sort of specification, as we have seen all our specifications change, which one of those two do you are you aiming for.

G

Well, the latter recognizing there would probably be changes. We'd hope that input from folks who have existing implementations and deployments would be taken into consideration. That's.

B

That was pure, more.

G

Interesting to do.

O

Jabar Brian is Brian, Campbell was asking: is this going to be contributed to a stew, then.

G

We had not talked about it or consider it considered it I would have thought that'd be confusing, but constrained or IOT use cases are definitely something we had been striving for in our work over the last few years. I I, don't know how it would work to contribute them to two groups with the same aim that I just expressed. So maybe somebody could say that no.

O

Roman does the ad hat yeah that would be confusing minimally. You know H co-chairs and ladies can get together. I.

B

Think I think the most likely route in that context is like it was done by the age group in other contexts. They define different transports for stuff that we define in this working group. So sorry right, oh yeah, but we would double check that, but we would we are going to send a mail to the list about this and continued discussion from there and see what the level of interest is. Thanks even ma che for the presentation. Thank.

G

You all for the opportunity and for the police thanks Victoria.

B

You're next you have 15 minutes: I, yeah one-five, all.

U

Right, thank you. Well, Joan everybody. Can you hear me? Yes,.

G

U

Right I know you guys have tired and bored, so I will try to keep you alive for the next fourteen minutes, I'm gonna present on a new work which occurred basically, all in the last 20 days and too long, alekhya long didn't read. We are trying to find an interoperable profile for access tokens that uses credibility can I have the next slide. Please thank you.

U

So, to give you just a bit of context, I'm sure, vector in your professional life, you have stumbled the countless times in situations in which access tokens, which are not are shapeless according to off to in fact, have been implemented by particular vendors in JWT format. Now it doesn't mean that the scenarios in which you have in no format access token are not valid.

U

They are, of course, perfectly valid, however, a very large number of scenarios in which for vendors, it actually makes sense to use a format that can be evaluated by the resource server, without calling on the father and, typically all those vendors go and use GWT as VAT format and, interestingly, they pretty much all try to achieve the same things they want to validate the token they want to get delegated of realization information they want to get identity, information, sometimes context and so on and so forth.

U

However, given that verses the guidance, they all do this in a slightly different way, different enough that you can't standardize on SDKs, you can't sterilize on approach and sometimes they the same concept is interpreted differently. So it's a mess. Also, there are many specifications that somehow always talk about these mythical audience in the access tokens, but we never refer to it anyway. So clearly, I believe that there is a need for some guidance where that will help unify and avoid reinventing the wheel across multiple providers.

U

Yep, that's pretty much, it can I have an accept. Thank you. Oh wow, your AI understands exactly when I want the next slide.

U

It's amazing, thank you guys, so, whatever we done so far, basically to meet with intuition I worked with some individual vendors identity, server octa Microsoft of zero I know I'm for a pink identity and I, basically acquire the examples of access tokens in credibility, format for different scenarios like a two-leg to offer free logged off and examine the content, put everything together and somehow try to extract commonalities and differences, and then out of that work, I created a very rough proposal and then last week, I basically spent two hours talking with the offer security workshop audience and refine.

U

This proposal and I have to say that that was a really amazing. Let's say that the progress was really fast. Many ideas which were not particularly well advised were killed right away. Other really great ideas were contributed in it and then on my flight back from Germany I wrote everything in a draft yesterday, I changed it in your silly XML syntax, which is really really I, felt like when I first learned about Fortran as a fix.

U

The columns like really like what sentries vis but anyway, never mind, I, somehow managed to convince the uploader to accept a draft, and now a draft is now and I've sent a mail to Melissa. I already got interesting feedback and I know that others are talking about this on Twitter another eye, deep release and similar so clearly I believe a very some interesting. Can we go to the next slide? Please thank you, and even the next one.

U

Thank you okay, so this packet isn't longer, it shouldn't be, and it's relatively simple: it just tries to bring you some fix. The points in here so here in these short presentation, I just want to give you a taste of it, but of course, I think that the the discussion is much done on this back here in itself. So here there is a Model S ver, a layout that emerged from the cross analysis of all these different access tokens.

U

Where is a bunch of claims that are typically used for establishing validity or a token, and those are all good friends that we know we have been known for a long time we needed to know Vera, we need to know exploration. We really want to scope these access tokens down to an audience in 11, more to say about it when in a couple of sides from now, and then we have like a classic information about the issuance time or authentication time which can occasionally come in useful, but not mandatory.

U

We are the subject, of course- and here is already some discussion about this, as in in the first proposal that I put forth I suggested that we make Masada mandatory even for laws in which there is no subject matter is only planning application.

U

Reason being that a number of vendors do that, but not only is that, from a point of view of a SDKs and tool makers, if there is some logic which deals with membership having the ability to have one unique identifier which you are latch, that kind of logic might be handing the information is in there anyway, because, like a we mandate, also the use of client ID so potentially, even if we make the sub only for end-user we'd be fine.

U

It's just a matter of like convenience and reliability of a kind of information that is in there. But anyway, that's already in the list to discuss. Then we discussed the possibility of giving some guidance on how to include identity claims in Access sockets, and we know that there are privacy concerns and saw in the current draft their various language which wants the reader that always should be done with care. However, we know for a fact that the vendors do v's.

U

Let's say that the day samples that I got contain, identity, permission model user, so ad waiver links giving guidance of a flavor of a claims. What we used, and, in particular the one that we got from the open area, connect profile and the introspection seem to be good their starting points. Then, of course, now. Finally, we have a way of specifying for certain the scope, and there is some logic that I'm suggesting about how to map between scopes in requests and how they would appear.

U

In the token, we also know from the various samples that we have seen vector vendors use access tokens to carry other authorization, information which is not strictly related to do off, as in imagine that your organization and your original server is facade in resources, but already exceeds the regardless of a protocol and on which we already have entitlements roles and potential relationship with groups, and so often you'll see those access tokens transporting also these information.

U

Of course, we know that authorization is a Cambrian explosion, so we wouldn't probably want to get into the details of what goes inside of a sphinx but in terms of type I. Think that we the benefit everyone by suggesting, at least that we claim types that we still act are from. One agreed upon scores and the best one that we identified during the the workshop last week was a scheme core which has some good times. Tony. Do you want to do visa at the very end?

U

Because I is it's not long as you like, as you prefer?

U

Okay, because it's not long yeah, Gavin, avatar, 15 minutes I, don't want to risk it not to cover all the ground. Six.

B

More minutes, six.

U

One minute: okay, I'm gonna, go even faster, so instead of a wave client, ID, okay, perfect doing really good. So one very important thing is that we want to make sure that the people- don't sir, don't misinterpret the access tokens expressing should've left me as ID tokens make use of that would lead to issues. So we are using stronger typing and I'm, suggesting that we created your mime type. In fact, it makes very clear that in season actually spoken and should not be interpreted as an access token next slide.

U

Thank you just give you a flavor. This would be the smallest access token each other, but you from our materials we can obtain. There should be no surprises in there. As you can see, there is no PII, so good stuff, next fence, okay, when we request an access token, you know whatever a traditional way we are doing. We can get back into the ability access token just like before when we use the express indicator and we pass the resource.

U

We expect that resource be reflected in the audience in line with what Christmas indicator says, and we discussed the possibility of scope confusion.

U

Unfortunately, in my opinion, resource indicator allows using multiple audiences, and that is a problem, because when you have a list of scopes, unless the new scopes, nothing, you might get in EPS no confusion in which you don't know what scope is relevant for what lasers, so so, for the sake of simplicity and the effectiveness in here. This rejection is to restrict resource on single resources, as course to leave the resources, and that should prevent scope. Confusion for vacation in which a resource is not provided. At the request of time, the novelization said.

U

Where is suppose that you have some resources string that will be used in the audience. This can be a different value extracted from context or it can be extracted from scopes if it's Corp, somehow in in one particular resource, your physicians are where should be able to pull this out. Of course, it is open up the possibility of scopes, giving contrasting resources, and so a veg with some kind of battle. Next, please, but it isn't even gonna, be surprising for anyone.

U

The idea is if we are using a symmetric crypto, we can publish of the valley different coordinates through rayon organization server metadata or they open the connect discovery, which is what almost every vendor does already today. The checks are substantially we needed to check in every type is the 80 plus 2ws and then all the other tracks.

U

You can see the spec, but we are largely what you would expect from the claim, not with your being possible open-ended is whether we should explicitly say that we're physician server should look and air actor on the slopes, because that's something that we don't do else. One next place I already made even easier security concentrations nor next and a for-profit. Here we just be extra certain that we remind the reader so respective actor. Now the client will be able to see inside the token, even if they are not cause look.

U

These remains of big for clients, but in practice someone might see the content, and so, if you content is not even user single, his or her own information, we should take measures to protect it and then a row concerned disclosing it sponsor to the resource server like identities and similar. We have to make sure we have everything by the book Xena. If we add it to ask for consent, you got it. If we add it to have a users agree on a some time of use.

U

We should do it, but we should be careful that we share information. Only two parties with are expected to get it next place. Okay, so next step to me are: are you guys interested in adopting this puppy one?

U

What, of course, this one is a very first draft, I feel pretty good about twins because I we had extensive high bundle of conversation last week, but of course, the visa and her will have a lot of things to iron out needs to be discussed, and then I have a number of open issues, but I I think it might be premature to go through his list and so I'd rather stop here and open it up for questions good.

B

Thanks Victoria, it's probably so let me show a few okay, it's probably too early to ask whether you guys actually have reviewed it, given that you just submitted it, but some of you have been at the at the workshop last week, and so let me ask on like who has read the document or who has knows about the content, one two three who has read the document, what one do well, there are two people who have already read: yeah, who am, but let me yeah, who is in more general question, is who is in favor of having a document in the OS working group that describes a profile of access tokens, one two, three, four: five: okay, who objects to that idea of having such a profile.

B

That that's you know like not only you you, as you know, like I'm, not going to ask you and now for adoption, because that would be a little bit too fast, but I would like to get a sense of the room, but are there's interest in doing anything like this at all, regardless? um What exactly the recommendations are that we will come out at the end of the tunnel.

B

So I guess what we will do is drop a major to the list and encourage people to read the document and provide some comments and then we'll obviously have to talk to the ABS to find out or ad to find out whether that fits in the scope of the group or reach out during or milestone editions are needed. Definitely milestone. Editions of reach out during probably not, but the milestone Edition will need to figure this out, but yeah I think that's where what we should do Vittoria. What do you think.

U

You're, the boss.

B

That's the first time someone says that to me in this group you know: okay, good, perfect, think Thanks Bedoya. Thank you all um for the input so far and we have the next session on first day, where we discuss more and yeah, see where we go. Thank you guys.

B

I