TxAuth and XYZ (and Maybe someday OAuth 3)

From IIW

Session: 10G

Convener: Justin Richer

Notes-taker(s): Josh Verbarg & George Fletcher

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Started with Justin thinking about “What’s wrong with OAuth?” The result is oauth.xyz, which is a proposal, not a standard.

Talk given at Identiverse: “What’s wrong with OAuth 2?”
Blog post on that talk: http://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Simplify / Synergize OAuth, OpenID Connect, UMA and other related specs

Goals for simplifying the protocol (see http://oauth.xyz for more details):

  • Always start at the Authorization Server.
  • A single endpoint at the Authorization Server, which logically “defines” the Authorization Server.

Discussing the page http://oauth.xyz/transactionrequest/: a single transaction request can ask for multiple access tokens simultaneously.

Should a request be able to mark a resource as required? Justin argues no. Reference to FHIR data elements.

No client ID: the client asserts its identity by proving possession of a key, using any of several key-binding methods. Client IDs are replaced by a “key handle”; static registration is still supported (the client obtains its key handle out of band).

Supports an anonymous or dynamic client (one with no prior registration) making a request to an AS.

Request by Tom to explore different kinds of AS, for example an AS on a person’s phone versus one in the cloud. Interact element: supports a per-request callback URL, and supports multiple interaction methods at once.

User element: either just a user handle, or a full id_token for the user.

Discussing https://oauth.xyz/interaction/: the interaction model allows OAuth-style and UMA-style flows to be combined in one request.
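
To make the notes above concrete, here is an added example (not code from oauth.xyz, the XYZ drafts, or Justin's implementation) of a client building one transaction request and an AS answering it at a single endpoint: several resources requested in one go, the client identified by a key handle or an inline key instead of a client ID, an anonymous client being given a handle, and a per-request interaction callback. The field names ("resources", "keys", "interact", "user"), the sample key handle, the sample JWKs and the resource descriptions are assumptions for illustration and approximate the oauth.xyz pages rather than any normative wire format.

```python
"""Added example, not code from oauth.xyz: a sketch of the transaction request
shapes described in the session notes and of an AS that answers them at one
endpoint. Field names approximate the oauth.xyz drafts but are assumptions here,
not the normative wire format."""
import hashlib
import json
import secrets


def jwk_thumbprint(jwk):
    """RFC 7638 JWK thumbprint (hex): SHA-256 over the key type's required
    members, serialised as compact JSON with members in lexicographic order."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "oct": ("k", "kty")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in required},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_transaction_request(resources, key, callback_uri, user=None):
    """Client side. One request carries everything: a list of resources (so
    several access tokens can be requested at once), the client's key as either
    an out-of-band key handle (str) or an inline JWK (dict, anonymous/dynamic
    client), and a per-request interaction callback carrying a fresh nonce."""
    if isinstance(key, str):
        keys = key                                          # static registration
    else:
        keys = {"proof": "jwsd", "jwks": {"keys": [key]}}   # dynamic client
    req = {
        "resources": resources,
        "keys": keys,
        "interact": {
            "redirect": True,
            "callback": {"uri": callback_uri,
                         "nonce": secrets.token_urlsafe(16)},
        },
    }
    if user is not None:            # either a user handle or a full id_token
        req["user"] = user
    return req


class AuthorizationServer:
    """AS side: a single transaction endpoint, no client_id anywhere."""

    def __init__(self, registered_keys):
        # handle -> JWK for statically registered clients (handle given out of band)
        self.key_handles = dict(registered_keys)

    def resolve_client_key(self, keys_field):
        """Return (handle, jwk). A string must be a known handle; an inline JWK
        is accepted from an anonymous client and given a handle derived from
        its thumbprint, so later requests can refer to the key by handle."""
        if isinstance(keys_field, str):
            jwk = self.key_handles.get(keys_field)
            if jwk is None:
                raise ValueError("unknown key handle")
            return keys_field, jwk
        jwk = keys_field["jwks"]["keys"][0]
        handle = jwk_thumbprint(jwk)
        self.key_handles[handle] = jwk
        return handle, jwk

    def handle_transaction(self, req):
        """Validate the request and mint one key-bound token per resource."""
        cb = req["interact"]["callback"]
        if not cb["uri"].startswith("https://") or not cb.get("nonce"):
            raise ValueError("callback must be https and carry a client nonce")
        if not req["resources"]:
            raise ValueError("at least one resource must be requested")
        handle, _jwk = self.resolve_client_key(req["keys"])
        tokens = [{"value": secrets.token_urlsafe(24), "key": handle,
                   "resource": r} for r in req["resources"]]
        return {"key_handle": handle,
                "server_nonce": secrets.token_urlsafe(16),
                "access_tokens": tokens}


# Constructed sample data for this example (not real keys or registrations).
STATIC_HANDLE = "7C7C4AZ9KHRS6X63AJAO"
STATIC_JWK = {"kty": "oct", "k": "c3RhdGljLWNsaWVudC1rZXk"}
DYNAMIC_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
RESOURCES = [{"actions": ["read"], "locations": ["https://rs.example/photos"]},
             "dolphin-metadata"]


def demo():
    """A registered client asks for two tokens; an anonymous client asks for one."""
    as_ = AuthorizationServer({STATIC_HANDLE: STATIC_JWK})
    static_req = build_transaction_request(
        RESOURCES, STATIC_HANDLE, "https://client.example/return/1")
    dynamic_req = build_transaction_request(
        RESOURCES[:1], DYNAMIC_JWK, "https://app.example/cb", user="user-handle-42")
    return as_.handle_transaction(static_req), as_.handle_transaction(dynamic_req)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Deriving the dynamic client's handle from the RFC 7638 thumbprint is one way to give an unregistered client a stable name for its key: the handle stands in for the client ID, and a later request can present the handle instead of the full key. A real AS would also verify the proof of possession named in "proof" and tie the interaction callback to the server nonce; both are out of scope for this sketch.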

Zoom Chat Log:

13:07:19 From Justin Richer : http://oauth.xyz/

13:07:52 From timcappalli : Probably the fix for the SMB path issue :)

13:12:56 From Jan Taylor : Can you link that blog post?

13:14:17 From Ryo Kajiwara : https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

13:14:30 From Jan Taylor : Thanks @Ryo

13:15:25 From Josh Verbarg (State Farm) : http://www.youtube.com/watch?v=OLwz7pIXOWQ

13:25:46 From Jan Taylor : That was the question I had. Good question and good answer.

13:31:05 From Alan Karp : Won’t returning a subset of the requested permissions encourage clients to request a lot that they don’t really need?

13:36:24 From George Fletcher : Alan - I'm not sure it matters... if the system supports multiple permissions, then this problem exists. Whether it's all or nothing doesn't matter. In fact, I'd argue that an all or nothing choice for the user will cause the user to consent to giving up more permissions than they would if they had granularity over which permissions were granted.

13:38:51 From Alan Karp : I agree what you say about users. I was thinking more about an UMA-type situation where the user’s policy is managed by the AS.

13:47:29 From Tom Jones : wrt Justin's proposal on TXAUTH to HEART - i note one missing element - specifically how does the requesting site tell the sending site what data they want in a manner that permits the user to accept or reject the request. I do not believe that a list of FHIR data elements is something that the user could evaluate. If we want to put the user in control, we must provide the user a choice that they can understand. I can share the Kantara doc on patient choice if that is desired. TXAuth does not currently do that, but could be adapted to do it.

13:53:10 From Tom Jones : I love the idea of a id for the client that is separate from the redirect URL

13:53:34 From Kyle Den Hartog : @Tom, I’ve thought about doing that for a while now in a few different contexts, one being in the SSI space. The problem that it almost always comes back to is how to handle the dynamic nature of the IP address when operating on a mobile phone. There’s some exploratory ways I’ve thought of using DIDs with a service endpoint that points at a domain that points at a dynamic dns resolver which mobile doesn’t have great support for. In particular, it usually requires mobile networks to be configured in a particular way to make the dynamic dns resolution work properly, which the user doesn’t have the ability to configure.

13:54:17 From Tom Jones : I presented a solution at session 9 today

13:54:32 From Kyle Den Hartog : I didn’t see that. Would love to see that.

13:55:19 From Kyle Den Hartog : Are there links in the notes that I can look at?

13:55:19 From Vineet Banga : @Tom, to your point about user consent…the resource json does allow you to add label…which can be used for consent? Right?

13:55:55 From Tom Jones : Don’t know how to parse that statement

13:56:47 From Tom Jones : @ Kyle http://tomjones.us/Home/Solutions

13:58:24 From Tom Jones : Another good idea from Justin - a single transmission with all the data

14:00:32 From Kyle Den Hartog : Thanks I’ll take a look at that link

14:08:15 From Josh Verbarg (State Farm) : NodeJS - JavaScript running on a server

14:08:37 From Jan Taylor : NodeJS is a V8 JavaScript Server

14:12:35 From Terry Hayes : The QR goes to example.com!

14:14:22 From Tom Jones : Not worse is not sufficient

14:16:23 From Jan Taylor : Thanks Justin, great session.

14:17:12 From Kyle Den Hartog : Thanks Justin this was great to learn more