OAuth 2.0 Rich Authorization Requests
draft-ietf-oauth-rar-23
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2023-05-18
|
23 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2023-05-15
|
23 | Qin Wu | Request for Last Call review by OPSDIR Completed: Has Issues. Reviewer: Qin Wu. Sent review to list. |
2023-05-05
|
23 | (System) | RFC Editor state changed to AUTH48 |
2023-03-17
|
23 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2023-02-07
|
23 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2023-01-30
|
23 | Brian Campbell | New version available: draft-ietf-oauth-rar-23.txt |
2023-01-30
|
23 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2023-01-30
|
23 | Brian Campbell | Uploaded new revision |
2023-01-05
|
22 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2023-01-05
|
22 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2023-01-04
|
22 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2022-12-30
|
22 | (System) | RFC Editor state changed to EDIT |
2022-12-30
|
22 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2022-12-30
|
22 | (System) | Announcement was received by RFC Editor |
2022-12-29
|
22 | (System) | IANA Action state changed to In Progress |
2022-12-29
|
22 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2022-12-29
|
22 | Amy Vezza | IESG has approved the document |
2022-12-29
|
22 | Amy Vezza | Closed "Approve" ballot |
2022-12-29
|
22 | Amy Vezza | Ballot approval text was generated |
2022-12-27
|
22 | Roman Danyliw | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2022-12-22
|
22 | (System) | Removed all action holders (IESG state changed) |
2022-12-22
|
22 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2022-12-22
|
22 | Brian Campbell | New version available: draft-ietf-oauth-rar-22.txt |
2022-12-22
|
22 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-12-22
|
22 | Brian Campbell | Uploaded new revision |
2022-12-15
|
21 | Roman Danyliw | Please provide clarifying language around the geolocation example and Section 6.1 per https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/ballot/#draft-ietf-oauth-rar_paul-wouters |
2022-12-15
|
21 | (System) | Changed action holders to Brian Campbell, Torsten Lodderstedt, Justin Richer (IESG state changed) |
2022-12-15
|
21 | Roman Danyliw | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from Approved-announcement to be sent::AD Followup |
2022-12-15
|
21 | (System) | Removed all action holders (IESG state changed) |
2022-12-15
|
21 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation |
2022-12-15
|
21 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2022-12-15
|
21 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2022-12-15
|
21 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-21.txt |
2022-12-15
|
21 | Torsten Lodderstedt | New version accepted (logged-in submitter: Torsten Lodderstedt) |
2022-12-15
|
21 | Torsten Lodderstedt | Uploaded new revision |
2022-12-15
|
20 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2022-12-15
|
20 | Roman Danyliw | This document now replaces draft-lodderstedt-oauth-rar instead of None |
2022-12-15
|
20 | Robert Wilton | [Ballot comment] Hi, Apologies, but I was a bit short of time this week, and this is somewhat out of my area, so I've only … [Ballot comment] Hi, Apologies, but I was a bit short of time this week, and this is somewhat out of my area, so I've only reviewed this as a light level. I did have one question regarding the security considerations. Are these JSON structures potentially susceptible to injection attacks if user input isn't properly sanitized and handled, and if so, should there be any text in the security section to warn of this? Regards, Rob |
2022-12-15
|
20 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2022-12-15
|
20 | Éric Vyncke | [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-oauth-rar-19 CC @evyncke Thank you for the work put into this document. It is very easy … [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-oauth-rar-19 CC @evyncke Thank you for the work put into this document. It is very easy to read and quite powerful. Please find below one non-blocking COMMENT point (rather a suggestion). Special thanks to Hannes Tschofenig for the shepherd's detailed write-up including the WG consensus ***but*** missing the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric ## COMMENTS ### Section 1 I like the use of EUR rather than USD ;-) Suggest to also add "bic" in addition to "iban" to be consistent with https://en.wikipedia.org/wiki/Single_Euro_Payments_Area ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments |
2022-12-15
|
20 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2022-12-15
|
20 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2022-12-15
|
20 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-20.txt |
2022-12-15
|
20 | Torsten Lodderstedt | New version accepted (logged-in submitter: Torsten Lodderstedt) |
2022-12-15
|
20 | Torsten Lodderstedt | Uploaded new revision |
2022-12-15
|
19 | Murray Kucherawy | [Ballot comment] Thanks for the work put into this. Seems like it's in good shape. Thank you to Thomas Fossati for the ARTART review. "MUST … [Ballot comment] Thanks for the work put into this. Seems like it's in good shape. Thank you to Thomas Fossati for the ARTART review. "MUST consider" in Section 3.1 is curious. How does an implementation comply with something like "consider"? Why is the "RECOMMENDED" in Section 9.1 not a MUST? The text in Section 9 just above it suggest something stronger. In Section 7.1, I can't understand what's meant by "This mechanic ...". |
2022-12-15
|
19 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
2022-12-14
|
19 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2022-12-14
|
19 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2022-12-14
|
19 | Alvaro Retana | [Ballot comment] The datatracker page should indicate that this document replaces draft-lodderstedt-oauth-rar. |
2022-12-14
|
19 | Alvaro Retana | Ballot comment text updated for Alvaro Retana |
2022-12-14
|
19 | Alvaro Retana | [Ballot comment] This datatracker page should indicate that this document replaces draft-lodderstedt-oauth-rar. |
2022-12-14
|
19 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2022-12-14
|
19 | Paul Wouters | [Ballot comment] Thanks to Carl Wallace for his SECDIR review, please see his comments: https://datatracker.ietf.org/doc/review-ietf-oauth-rar-15-secdir-lc-wallace-2022-11-16/ Thanks to Robert Sparks for his GENART review, please see … [Ballot comment] Thanks to Carl Wallace for his SECDIR review, please see his comments: https://datatracker.ietf.org/doc/review-ietf-oauth-rar-15-secdir-lc-wallace-2022-11-16/ Thanks to Robert Sparks for his GENART review, please see his comments: https://datatracker.ietf.org/doc/review-ietf-oauth-rar-15-genart-lc-sparks-2022-11-17/ I find the geolocation example confusing. Is it giving access to photos taken in the geolocation or is it giving access to anyone residing in that geolocation? Section 6.1: The AS would compare the type value and the action value to determine that the read access is already covered by the write access previously granted to the client. I see some ambiguity here if there is a list of 3 requests. If we start out with asking for "write" and received it, and it implies "read", and then a new request comes in to ask for "read", that is clear. The "write" access is dropped. But what if we ask for "write" now? A previous request did give us that, but we dropped the capability and are no re-asking it again. Should this be allowed or not? Can the document give more guidance on this? Section 10 Why "authorization_details_types" and not "authorization_details_types_requests" to ensure there is no confusion with authorization_details_types_supported ? (I guess a bit too late to change name now, as it seems this is already deployed) |
2022-12-14
|
19 | Paul Wouters | [Ballot Position Update] New position, Yes, has been recorded for Paul Wouters |
2022-12-14
|
19 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2022-12-13
|
19 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2022-12-13
|
19 | Amanda Baber | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2022-12-12
|
19 | Brian Campbell | New version available: draft-ietf-oauth-rar-19.txt |
2022-12-12
|
19 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-12-12
|
19 | Brian Campbell | Uploaded new revision |
2022-12-12
|
18 | Francesca Palombini | [Ballot comment] Thank you for the work on this document. Many thanks to Thomas Fossati for his ART ART review: https://mailarchive.ietf.org/arch/msg/art/EckO_3zF-gnI83Q_HmO5xREursI/ and thanks to the … [Ballot comment] Thank you for the work on this document. Many thanks to Thomas Fossati for his ART ART review: https://mailarchive.ietf.org/arch/msg/art/EckO_3zF-gnI83Q_HmO5xREursI/ and thanks to the authors for addressing Thomas' comments. No other comments from me, just a note: I was wondering if it wouldn't have made sense to informally reference and discuss in a short paragraph RFC9237 and its applicability to OAuth given its content - I will accept that it might not be the case since 9237 is really intended for Ace and IoT but the similarities made me question it. Francesca |
2022-12-12
|
18 | Francesca Palombini | [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini |
2022-12-12
|
18 | Lars Eggert | [Ballot comment] # GEN AD review of draft-ietf-oauth-rar-18 CC @larseggert Thanks to Robert Sparks for the General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/shFcI11Wajhydi8wJuFM3VaVfkI). … [Ballot comment] # GEN AD review of draft-ietf-oauth-rar-18 CC @larseggert Thanks to Robert Sparks for the General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/shFcI11Wajhydi8wJuFM3VaVfkI). ## Comments ### Inclusive language Found terminology that should be reviewed for inclusivity; see https://www.rfc-editor.org/part2/#inclusive_language for background and more guidance: * Terms `her` and `his`; alternatives might be `they`, `them`, `their` ## Nits All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. ### URLs These URLs in the document did not return content: * https://taxservice.govehub.no * http://hl7.org/fhir/organization-type * http://example.info/claims/groups I guess these are supposed to be example URLs. Please use the designated example domain names for this. ### Grammar/style #### Section 2.1, paragraph 1 ``` fication does not require the use of any of these common fields by an API def ^^^^^^^^^ ``` Consider simply using "of" instead. #### Section 3, paragraph 6 ``` if any of the following are true of any of the objects in authorization_deta ^^^^^^^^^ ``` Consider simply using "of" instead. #### Section 3, paragraph 10 ``` ke security decisions based on whether or not the request is asking for "mor ^^^^^^^^^^^^^^ ``` Consider shortening this phrase to just "whether". It is correct though if you mean "regardless of whether". #### Section 7, paragraph 6 ``` Token Error Response MUST conform the the rules given in Section 5. 9. Reso ^^^^^^^ ``` Possible typo: you repeated a word. #### Section 16, paragraph 7 ``` * tax_payer_id: identifier of the tax payer (if known to the client) A.4. eH ^^^^^^^^^ ``` This word is normally spelled as one. ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT]. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments [IRT]: https://github.com/larseggert/ietf-reviewtool |
2022-12-12
|
18 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert |
2022-12-08
|
18 | Brian Campbell | New version available: draft-ietf-oauth-rar-18.txt |
2022-12-08
|
18 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-12-08
|
18 | Brian Campbell | Uploaded new revision |
2022-12-05
|
17 | Roman Danyliw | Placed on agenda for telechat - 2022-12-15 |
2022-12-05
|
17 | Roman Danyliw | Ballot has been issued |
2022-12-05
|
17 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
2022-12-05
|
17 | Roman Danyliw | Created "Approve" ballot |
2022-12-05
|
17 | Roman Danyliw | IESG state changed to IESG Evaluation from Waiting for Writeup |
2022-12-05
|
17 | Roman Danyliw | Ballot writeup was changed |
2022-12-02
|
17 | Brian Campbell | New version available: draft-ietf-oauth-rar-17.txt |
2022-12-02
|
17 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-12-02
|
17 | Brian Campbell | Uploaded new revision |
2022-11-22
|
16 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2022-11-22
|
16 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-16.txt |
2022-11-22
|
16 | (System) | New version approved |
2022-11-22
|
16 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2022-11-22
|
16 | Torsten Lodderstedt | Uploaded new revision |
2022-11-17
|
15 | Robert Sparks | Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Robert Sparks. Review has been revised by Robert Sparks. |
2022-11-17
|
15 | Robert Sparks | Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Robert Sparks. Sent review to list. |
2022-11-17
|
15 | Sabrina Tanamal | IANA Experts State changed to Reviews assigned |
2022-11-17
|
15 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2022-11-17
|
15 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-oauth-rar-15. If any part of this review is inaccurate, please let … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-oauth-rar-15. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there are seven actions which we must complete. First, in the OAuth Parameters registry on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a new registration is to be made as follows: Name: authorization_details Parameter Usage Location: authorization request, token request, token response Change Controller: IESG Reference: [ RFC-to-be ] As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Second, in the JSON Web Token Claims registry on the JSON Web Token (JWT) registry page located at: https://www.iana.org/assignments/jwt a new registration is to be made as follows: Claim Name: authorization_details Claim Description: The claim authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Third, in the OAuth Token Introspection Response registry on the the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a new registration is to be made as follows: Name: authorization_details Description: The member authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Fourth, in the OAuth Token Introspection Response registry located at: https://www.iana.org/assignments/oauth-parameters/ a new registration is to be made as follows: Name: authorization_details Description: The member authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Fifth, in the OAuth Authorization Server Metadata registry located at: https://www.iana.org/assignments/oauth-parameters/ a new registration is to be made as follows: Metadata Name: authorization_details_types_supported Metadata Description: JSON array containing the authorization details types the AS supports Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Sixth, in the OAuth Dynamic Client Registration Metadata registry located at: https://www.iana.org/assignments/oauth-parameters/ Metadata Name: authorization_details_types Metadata Description: Indicates what authorization details types the client uses. Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Seventh, in the OAuth Extensions Error registry located at: https://www.iana.org/assignments/oauth-parameters/ Metadata Name: invalid_authorization_details Metadata Description: indicates invalid authorization_details_parameter to the client. Change Controller: IESG Reference: [ RFC-to-be ] As this document also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." IANA Question --> Would it be acceptable to list the IETF as the change controller for the above registrations instead of the IESG? There has been a preference for doing so, as described in the expired document at https://datatracker.ietf.org/doc/html/draft-leiba-ietf-iana-registrations-00, but it hasn\u2019t been recorded in a permanent document yet.] Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, Sabrina Tanamal Lead IANA Services Specialist |
2022-11-17
|
15 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2022-11-16
|
15 | Carl Wallace | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Carl Wallace. Sent review to list. |
2022-11-06
|
15 | Brian Campbell | New version available: draft-ietf-oauth-rar-15.txt |
2022-11-06
|
15 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-11-06
|
15 | Brian Campbell | Uploaded new revision |
2022-11-04
|
14 | Thomas Fossati | Request for Last Call review by ARTART Completed: Ready. Reviewer: Thomas Fossati. Sent review to list. |
2022-11-04
|
14 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2022-11-04
|
14 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2022-10-31
|
14 | Barry Leiba | Request for Last Call review by ARTART is assigned to Thomas Fossati |
2022-10-31
|
14 | Barry Leiba | Request for Last Call review by ARTART is assigned to Thomas Fossati |
2022-10-30
|
14 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Carl Wallace |
2022-10-30
|
14 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Carl Wallace |
2022-10-27
|
14 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2022-10-27
|
14 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2022-10-27
|
14 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2022-10-27
|
14 | Cindy Morgan | The following Last Call announcement was sent out (ends 2022-11-17): From: The IESG To: IETF-Announce CC: Hannes.Tschofenig@gmx.net, draft-ietf-oauth-rar@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, oauth@ietf.org … The following Last Call announcement was sent out (ends 2022-11-17): From: The IESG To: IETF-Announce CC: Hannes.Tschofenig@gmx.net, draft-ietf-oauth-rar@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org Reply-To: last-call@ietf.org Sender: Subject: Last Call: (OAuth 2.0 Rich Authorization Requests) to Proposed Standard The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 Rich Authorization Requests' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2022-11-17. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/ No IPR declarations have been submitted directly on this I-D. |
2022-10-27
|
14 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2022-10-27
|
14 | Cindy Morgan | Last call announcement was changed |
2022-10-27
|
14 | Roman Danyliw | Last call was requested |
2022-10-27
|
14 | Roman Danyliw | Last call announcement was generated |
2022-10-27
|
14 | Roman Danyliw | Ballot approval text was generated |
2022-10-27
|
14 | Roman Danyliw | Ballot writeup was generated |
2022-10-27
|
14 | Roman Danyliw | IESG state changed to Last Call Requested from AD Evaluation::AD Followup |
2022-10-27
|
14 | Roman Danyliw | Residual AD feedback to address concurrent to IETF LC: https://mailarchive.ietf.org/arch/msg/oauth/r0FKseCRyAyYOLhkODm-h2chSKQ/ |
2022-10-24
|
14 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-14.txt |
2022-10-24
|
14 | (System) | New version approved |
2022-10-24
|
14 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2022-10-24
|
14 | Torsten Lodderstedt | Uploaded new revision |
2022-10-24
|
13 | (System) | Changed action holders to Roman Danyliw (IESG state changed) |
2022-10-24
|
13 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2022-10-24
|
13 | Justin Richer | New version available: draft-ietf-oauth-rar-13.txt |
2022-10-24
|
13 | (System) | New version approved |
2022-10-24
|
13 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2022-10-24
|
13 | Justin Richer | Uploaded new revision |
2022-09-14
|
12 | Roman Danyliw | AD review: https://mailarchive.ietf.org/arch/msg/oauth/h5mKmRtBTW93E4AUW53n-FR8KpY/ |
2022-09-14
|
12 | (System) | Changed action holders to Roman Danyliw, Brian Campbell, Torsten Lodderstedt, Justin Richer (IESG state changed) |
2022-09-14
|
12 | Roman Danyliw | IESG state changed to AD Evaluation::Revised I-D Needed from Publication Requested |
2022-05-05
|
12 | Brian Campbell | New version available: draft-ietf-oauth-rar-12.txt |
2022-05-05
|
12 | Brian Campbell | New version accepted (logged-in submitter: Brian Campbell) |
2022-05-05
|
12 | Brian Campbell | Uploaded new revision |
2022-05-04
|
11 | Hannes Tschofenig | Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, … Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? The request is for a Proposed Standard for draft-ietf-oauth-rar. The document defines a new OAuth protocol parameter that is used to carry fine-grained authorization data in OAuth messages. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: The OAuth 2.0 authorization framework [RFC6749] defines the parameter scope that allows OAuth clients to specify the requested scope, i.e., the permission, of an access token. This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests, such as "give me read access to the resource owner's profile" but it is not sufficient to specify fine-grained authorization requirements, such as "please let me transfer an amount of 45 Euros to Merchant A" or "please give me read access to folder A and write access to file X". This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? There were no controversial discussions related to this document. Document Quality: There are several implementations and deployments of this specification available, such as - the Yes banking ecosystem (with ~1200 IDPs) uses RAR for authorising payment initiation and qualified electronic signatures. - ConnectID product implementation, see https://connect2id.com/products/server/docs/datasheet#rar - Authlete supports RAR since version 2.2 and it is confirmed that at least one of their customers is operating a commercial service that utilizes RAR with CIBA as of April, 2022. Additionally, other organizations use this specification as a foundation for their work. For example: - The Cloud Signature Consortium included RAR as means to authorise electronic signature to the v 2.0 of its API for remote signature creation (https://cloudsignatureconsortium.org/resources/ ). - OpenID Foundation’s FAPI working group added RAR support to the FAPI 2 baseline profile (https://openid.net/specs/fapi-2_0-baseline-01.html ). Personnel: Who is the Document Shepherd? Who is the Responsible Area Director? Hannes Tschofenig is the document shepherd and Roman Danyliw is the responsible area director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The shepherd has done a detailed review and posted his review to the mailing list. The review comments have been addressed by the authors. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns regarding the reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. This document, as other OAuth documents, are about security. There has been sufficient security review of this document as part of the regular working group process. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns regarding this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Each author has confirmed that any and all appropriate IPR disclosures have already been filed: - Torsten Lodderstedt: https://mailarchive.ietf.org/arch/msg/oauth/OmUmH83MRfU67sI5JwvNOfYXbes/ - Brian Campbell: https://mailarchive.ietf.org/arch/msg/oauth/8U8voDsTNn79OoRVmlhxZi-PVyA/ - Justin Richer: https://mailarchive.ietf.org/arch/msg/oauth/1Y8cF1sxsdi1VBoYCZWX3MwtiRI/ (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPRs have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has not raised any concerns regarding the publication of this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody has threatened an appeal or expressed discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has verified nits using the https://www6.ietf.org/tools/idnits tool. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document adds several entries to existing IANA OAuth registries and contains examples in JSON format. The examples have been verified. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references point to published RFCs. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The normative references to protocol specifications are to Standards Track documents. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). The shepherd verified the content of the IANA registry with the content of the IANA registry section. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. There are no new registries being created by this specification. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. The JSON examples were verified with an online tool. (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? This document does not use YANG. |
2022-05-04
|
11 | Hannes Tschofenig | Responsible AD changed to Roman Danyliw |
2022-05-04
|
11 | Hannes Tschofenig | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2022-05-04
|
11 | Hannes Tschofenig | IESG state changed to Publication Requested from I-D Exists |
2022-05-04
|
11 | Hannes Tschofenig | IESG process started in state Publication Requested |
2022-05-04
|
11 | Hannes Tschofenig | Changed consensus to Yes from Unknown |
2022-05-04
|
11 | Hannes Tschofenig | Intended Status changed to Proposed Standard from None |
2022-05-04
|
11 | Hannes Tschofenig | Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, … Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? The request is for a Proposed Standard for draft-ietf-oauth-rar. The document defines a new OAuth protocol parameter that is used to carry fine-grained authorization data in OAuth messages. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: The OAuth 2.0 authorization framework [RFC6749] defines the parameter scope that allows OAuth clients to specify the requested scope, i.e., the permission, of an access token. This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests, such as "give me read access to the resource owner's profile" but it is not sufficient to specify fine-grained authorization requirements, such as "please let me transfer an amount of 45 Euros to Merchant A" or "please give me read access to folder A and write access to file X". This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? There were no controversial discussions related to this document. Document Quality: There are several implementations and deployments of this specification available, such as - the Yes banking ecosystem (with ~1200 IDPs) uses RAR for authorising payment initiation and qualified electronic signatures. - ConnectID product implementation, see https://connect2id.com/products/server/docs/datasheet#rar - Authlete supports RAR since version 2.2 and it is confirmed that at least one of their customers is operating a commercial service that utilizes RAR with CIBA as of April, 2022. Additionally, other organizations use this specification as a foundation for their work. For example: - The Cloud Signature Consortium included RAR as means to authorise electronic signature to the v 2.0 of its API for remote signature creation (https://cloudsignatureconsortium.org/resources/ ). - OpenID Foundation’s FAPI working group added RAR support to the FAPI 2 baseline profile (https://openid.net/specs/fapi-2_0-baseline-01.html ). Personnel: Who is the Document Shepherd? Who is the Responsible Area Director? Hannes Tschofenig is the document shepherd and Roman Danyliw is the responsible area director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The shepherd has done a detailed review and posted his review to the mailing list. The review comments have been addressed by the authors. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns regarding the reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. This document, as other OAuth documents, are about security. There has been sufficient security review of this document as part of the regular working group process. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns regarding this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Each author has confirmed that any and all appropriate IPR disclosures have already been filed: - Torsten Lodderstedt: https://mailarchive.ietf.org/arch/msg/oauth/OmUmH83MRfU67sI5JwvNOfYXbes/ - Brian Campbell: https://mailarchive.ietf.org/arch/msg/oauth/8U8voDsTNn79OoRVmlhxZi-PVyA/ - Justin Richer: https://mailarchive.ietf.org/arch/msg/oauth/1Y8cF1sxsdi1VBoYCZWX3MwtiRI/ (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPRs have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has not raised any concerns regarding the publication of this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody has threatened an appeal or expressed discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has verified nits using the https://www6.ietf.org/tools/idnits tool. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document adds several entries to existing IANA OAuth registries and contains examples in JSON format. The examples have been verified. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references point to published RFCs. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The normative references to protocol specifications are to Standards Track documents. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). The shepherd verified the content of the IANA registry with the content of the IANA registry section. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. There are no new registries being created by this specification. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. The JSON examples were verified with an online tool. (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? This document does not use YANG. |
2022-05-04
|
11 | Hannes Tschofenig | Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, … Shepherd Writeup for OAuth 2.0 Rich Authorization Requests (draft-ietf-oauth-rar-11) (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? The request is for a Proposed Standard for draft-ietf-oauth-rar. The document defines a new OAuth protocol parameter that is used to carry fine-grained authorization data in OAuth messages. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: The OAuth 2.0 authorization framework [RFC6749] defines the parameter scope that allows OAuth clients to specify the requested scope, i.e., the permission, of an access token. This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests, such as "give me read access to the resource owner's profile" but it is not sufficient to specify fine-grained authorization requirements, such as "please let me transfer an amount of 45 Euros to Merchant A" or "please give me read access to folder A and write access to file X". This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? There were no controversial discussions related to this document. Document Quality: There are several implementations and deployments of this specification available, such as - the Yes banking ecosystem (with ~1200 IDPs) uses RAR for authorising payment initiation and qualified electronic signatures. - ConnectID product implementation, see https://connect2id.com/products/server/docs/datasheet#rar - Authlete supports RAR since version 2.2 and it is confirmed that at least one of their customers is operating a commercial service that utilizes RAR with CIBA as of April, 2022. Additionally, other organizations use this specification as a foundation for their work. For example: - The Cloud Signature Consortium included RAR as means to authorise electronic signature to the v 2.0 of its API for remote signature creation (https://cloudsignatureconsortium.org/resources/ ). - OpenID Foundation’s FAPI working group added RAR support to the FAPI 2 baseline profile (https://openid.net/specs/fapi-2_0-baseline-01.html ). Personnel: Who is the Document Shepherd? Who is the Responsible Area Director? Hannes Tschofenig is the document shepherd and Roman Danyliw is the responsible area director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The shepherd has done a detailed review and posted his review to the mailing list. The review comments have been addressed by the authors. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns regarding the reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. This document, as other OAuth documents, are about security. There has been sufficient security review of this document as part of the regular working group process. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns regarding this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Each author has confirmed that any and all appropriate IPR disclosures have already been filed: - Torsten Lodderstedt: https://mailarchive.ietf.org/arch/msg/oauth/OmUmH83MRfU67sI5JwvNOfYXbes/ - Brian Campbell: https://mailarchive.ietf.org/arch/msg/oauth/8U8voDsTNn79OoRVmlhxZi-PVyA/ - Justin Richer: https://mailarchive.ietf.org/arch/msg/oauth/1Y8cF1sxsdi1VBoYCZWX3MwtiRI/ (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPRs have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has not raised any concerns regarding the publication of this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody has threatened an appeal or expressed discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has verified nits using the https://www6.ietf.org/tools/idnits tool. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document adds several entries to existing IANA OAuth registries and contains examples in JSON format. The examples have been verified. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references point to published RFCs. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The normative references to protocol specifications are to Standards Track documents. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). The shepherd verified the content of the IANA registry with the content of the IANA registry section. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. There are no new registries being created by this specification. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. The JSON examples were verified with an online tool. (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? This document does not use YANG. |
2022-04-08
|
11 | Brian Campbell | New version available: draft-ietf-oauth-rar-11.txt |
2022-04-08
|
11 | (System) | New version accepted (logged-in submitter: Brian Campbell) |
2022-04-08
|
11 | Brian Campbell | Uploaded new revision |
2022-04-06
|
10 | Hannes Tschofenig | Shepherd Writeup for OAuth 2.0 Rich Authorization Requests draft-ietf-oauth-rar-10 (1) What type of … Shepherd Writeup for OAuth 2.0 Rich Authorization Requests draft-ietf-oauth-rar-10 (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? The request is for a Proposed Standard for draft-ietf-oauth-rar. The document defines a new OAuth protocol parameter that is used to carry fine-grained authorization data in OAuth messages. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: The OAuth 2.0 authorization framework [RFC6749] defines the parameter scope that allows OAuth clients to specify the requested scope, i.e., the permission, of an access token. This mechanism is sufficient to implement static scenarios and coarse-grained authorization requests, such as "give me read access to the resource owner's profile" but it is not sufficient to specify fine-grained authorization requirements, such as "please let me transfer an amount of 45 Euros to Merchant A" or "please give me read access to folder A and write access to file X". This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? There were no controversial discussions related to this document. Document Quality: Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, YANG Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? TBD: Mail sent to the list. Personnel: Who is the Document Shepherd? Who is the Responsible Area Director? Hannes Tschofenig is the document shepherd and Roman Danyliw is the responsible area director. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The shepherd has done a detailed review and posted his review to the mailing list. The review comments have been addressed by the authors. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns regarding the reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. This document, as other OAuth documents, are about security. There has been sufficient security review of this document as part of the regular working group process. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns regarding this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? TBD: Mail sent to the list. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPRs have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has not raised any concerns regarding the publication of this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody has threatened an appeal or expressed discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has verified nits using the https://www6.ietf.org/tools/idnits tool. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document adds several entries to existing IANA OAuth registries and contains examples in JSON format. The examples have been verified. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references point to published RFCs. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The normative references to protocol specifications are to Standards Track documents. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). The shepherd verified the content of the IANA registry with the content of the IANA registry section. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. There are no new registries being created by this specification. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. The JSON examples were verified with an online tool. (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? This document does not use YANG. |
2022-04-06
|
10 | Hannes Tschofenig | Document shepherd changed to Hannes Tschofenig |
2022-04-06
|
10 | Hannes Tschofenig | Notification list changed to hannes.tschofenig@arm.com, Hannes.Tschofenig@gmx.net from hannes.tschofenig@arm.com because the document shepherd was set |
2022-04-06
|
10 | Hannes Tschofenig | Document shepherd changed to Hannes Tschofenig |
2022-01-26
|
10 | Brian Campbell | New version available: draft-ietf-oauth-rar-10.txt |
2022-01-26
|
10 | (System) | New version accepted (logged-in submitter: Brian Campbell) |
2022-01-26
|
10 | Brian Campbell | Uploaded new revision |
2022-01-22
|
09 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-09.txt |
2022-01-22
|
09 | (System) | New version approved |
2022-01-22
|
09 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2022-01-22
|
09 | Torsten Lodderstedt | Uploaded new revision |
2021-10-27
|
08 | Rifaat Shekh-Yusef | IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document |
2021-10-18
|
08 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-08.txt |
2021-10-18
|
08 | (System) | New version approved |
2021-10-18
|
08 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2021-10-18
|
08 | Torsten Lodderstedt | Uploaded new revision |
2021-09-12
|
07 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-07.txt |
2021-09-12
|
07 | (System) | New version approved |
2021-09-12
|
07 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2021-09-12
|
07 | Torsten Lodderstedt | Uploaded new revision |
2021-09-12
|
06 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-06.txt |
2021-09-12
|
06 | (System) | New version approved |
2021-09-12
|
06 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2021-09-12
|
06 | Torsten Lodderstedt | Uploaded new revision |
2021-06-04
|
05 | Rifaat Shekh-Yusef | Notification list changed to hannes.tschofenig@arm.com because the document shepherd was set |
2021-06-04
|
05 | Rifaat Shekh-Yusef | Document shepherd changed to Hannes Tschofenig |
2021-05-15
|
05 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-05.txt |
2021-05-15
|
05 | (System) | New version approved |
2021-05-15
|
05 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2021-05-15
|
05 | Torsten Lodderstedt | Uploaded new revision |
2021-02-07
|
04 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-04.txt |
2021-02-07
|
04 | (System) | New version approved |
2021-02-07
|
04 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Justin Richer , Torsten Lodderstedt |
2021-02-07
|
04 | Torsten Lodderstedt | Uploaded new revision |
2020-10-18
|
03 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-03.txt |
2020-10-18
|
03 | (System) | New version approved |
2020-10-18
|
03 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Torsten Lodderstedt , Justin Richer |
2020-10-18
|
03 | Torsten Lodderstedt | Uploaded new revision |
2020-08-21
|
02 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-02.txt |
2020-08-21
|
02 | (System) | New version approved |
2020-08-21
|
02 | (System) | Request for posting confirmation emailed to previous authors: Brian Campbell , Torsten Lodderstedt , Justin Richer |
2020-08-21
|
02 | Torsten Lodderstedt | Uploaded new revision |
2020-02-19
|
01 | Brian Campbell | New version available: draft-ietf-oauth-rar-01.txt |
2020-02-19
|
01 | (System) | New version approved |
2020-02-19
|
01 | (System) | Request for posting confirmation emailed to previous authors: Justin Richer , Torsten Lodderstedt , Brian Campbell |
2020-02-19
|
01 | Brian Campbell | Uploaded new revision |
2020-01-21
|
00 | Torsten Lodderstedt | New version available: draft-ietf-oauth-rar-00.txt |
2020-01-21
|
00 | (System) | WG -00 approved |
2020-01-21
|
00 | Torsten Lodderstedt | Set submitter to "Torsten Lodderstedt ", replaces to (none) and sent approval email to group chairs: oauth-chairs@ietf.org |
2020-01-21
|
00 | Torsten Lodderstedt | Uploaded new revision |