Rich Authorization Requests

Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.


  1. Rich Authorization Requests
     https://tools.ietf.org/html/draft-lodderstedt-oauth-rar
     Justin Richer, Bespoke Engineering; Torsten Lodderstedt, yes.com
  2. Problem Statement
     - Expressiveness of scopes is not sufficient for emerging OAuth scenarios, e.g. open banking
     - Allocation of requested permissions to resource-server-specific access tokens is hard (despite resource indicators)
  3. Example: Authorization in Financial APIs
  4. Requirements from PSD2 regulation
     - Consent: customer consent is required, either for individual requests or as a mandate for designated payment accounts and associated payment transactions
     - Dynamic Linking: payment initiation requests must be bound to the amount and payee approved by the customer
  5. Authorization Information

     ```json
     {
       "instructedAmount": {
         "currency": "EUR",
         "amount": "123.50"
       },
       "debtorAccount": {
         "iban": "DE40100100103307118608"
       },
       "creditorName": "Merchant123",
       "creditorAccount": {
         "iban": "DE02100100109307118603"
       },
       "remittanceInformationUnstructured": "Ref Number Merchant"
     }
     ```

     Challenge: this is more dynamic and complex than what OAuth currently supports through scopes.
  6. (Selected) Solutions in the PSD2 Wild
     - NextGenPSD2
       - external resource (payment or consent)
       - reference in a (dynamic) scope value, e.g. "pis:12345678"
     - UK OB
       - external resource (payment or consent)
       - reference in the consent_id claim in the claims parameter of a signed request object
     - Polish API
       - static scope values + JSON-based scope_details request parameter
       - OAuth authorization request sent as an HTTP POST to the AS, which returns a transaction redirect URL (PL)
  7. Time for something more suitable ...
  8. authorization_details
     - JSON array containing API-specific authorization objects
     - The draft introduces a set of common data type fields for use across different APIs, e.g. type, locations, actions
     - Based on work in the FAPI WG and on OAuth XYZ
     - Authors:
       - Justin Richer
       - Brian Campbell
       - Torsten Lodderstedt
  9. authorization_details (where to use)
     The request parameter can be used anywhere the "scope" parameter is used, e.g.:
     - Authorization requests as specified in [RFC6749]
     - Request objects as specified in [I-D.ietf-oauth-jwsreq]
     - Device Authorization Requests as specified in [RFC8628]
     It is also used in the "resources" element in OAuth.xyz.
  10. authorization_details (Examples)
  11. Processing
     - The AS renders user consent based on the rich authorization data
     - Authorization details need to be passed to RSs (via the access token or via introspection)
     - A resource indicator is used by the client to obtain an RS-specific access token associated with the RS-specific authorization only
  12. Q & A
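As an added illustration (not part of the slide deck or the draft), the following Python puts the PSD2 payment object from slide 5 into an `authorization_details` array using the common fields the draft names (`type`, `locations`, `actions`), sends it where `scope` would go in an RFC 6749 authorization request, selects the objects that belong to one resource indicator (slide 11), and performs the dynamic-linking check a resource server would run against the authorization details it obtained from the access token or introspection (slide 4). The `type` value `payment_initiation`, the action names and the bank URL are assumptions made for this example.

```python
import json
from urllib.parse import urlencode

# Constructed example: one authorization_details object for a PSD2 payment
# initiation. The type value, action names and RS URL are assumptions for
# this example; the payment fields are the ones shown on slide 5.
PAYMENT_AUTHZ = {
    "type": "payment_initiation",
    "locations": ["https://bank.example.com/payments"],
    "actions": ["initiate", "status"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "debtorAccount": {"iban": "DE40100100103307118608"},
    "creditorName": "Merchant123",
    "creditorAccount": {"iban": "DE02100100109307118603"},
    "remittanceInformationUnstructured": "Ref Number Merchant",
}


def build_authorization_request(client_id, redirect_uri, details):
    """Query string of an RFC 6749 authorization request that carries
    authorization_details (a JSON array, URL-encoded) instead of scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }
    return urlencode(params)


def details_for_resource(details, resource):
    """Authorization objects whose 'locations' cover the resource indicator;
    only these belong in the RS-specific access token for that resource."""
    return [d for d in details if resource in d.get("locations", [])]


def payment_matches_authorization(payment, details):
    """Dynamic-linking check at the RS: the payment being initiated must match
    the amount and payee of an authorization object bound to the access token
    (taken from the token itself or from the introspection response)."""
    for d in details:
        if d.get("type") != "payment_initiation":
            continue
        if "initiate" not in d.get("actions", []):
            continue
        if (d["instructedAmount"] == payment["instructedAmount"]
                and d["creditorAccount"] == payment["creditorAccount"]
                and d["creditorName"] == payment["creditorName"]):
            return True
    return False
```

A request whose amount or payee differs from what the customer approved fails the check even though the token itself is valid, which is exactly what scope strings cannot express.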