OAuth 2.0 Client Intermediary Metadata - IETF 107

Aaron Parecki

May 08, 2020

Transcript

  1. OAuth 2.0 Client Intermediary Metadata • Aaron Parecki • IETF 107 Virtual Interim

     Mock consent screen at https://authorization-server.com/oauth/authorize?response_ty (URL truncated on the slide):
     MiBank, signed in as Aaron Parecki.
     Budget Bunny (https://example-app.com) by ACME Corp. This application would like to: View your profile info; View transactions from all of your accounts.
     "By clicking "Allow", you agree to the terms of service and to share your data described above with this third party application." [Allow] [Cancel]
  2. Same consent screen, with the application being consented to (Budget Bunny) annotated as the client_id that the authorization server resolved from the request.
  3. Diagram: End User Application → Bank API.
     This works fine when the end user application registers a client_id directly with the bank's OAuth API.
  4. Mock screen: "Connect an Account". Choose Your Bank: MiBank, UrBank, RBank, UnBank.
  5. Diagram: End User Application → Aggregator → Bank API, Bank API, Bank API.
     In reality, the end user application talks to a single aggregator API, which has relationships with many banks.
  6. Diagram: many End User Applications → several Aggregators → several Bank APIs.
     The banks sign contracts with aggregator companies and don't actually have a relationship with the end user application.
  7. Same diagram, annotated "client_id?": which party in this chain is the client_id the bank registered, and which party does the user actually see?
  8. Banks want to ensure the user is informed and has agreed to share their data with the end user application as well as with any intermediaries that may be processing their data.
  9. Roles in practice:
     End User Application (API client of the aggregator) --proprietary API--> Aggregator (OAuth client) --OAuth--> Bank API (OAuth server).
     In effect, one aggregator (one client_id) is acting on behalf of many end user applications.
  10. Mock consent screen with intermediary disclosure, otherwise identical to slide 1:
     Budget Bunny (https://example-app.com) by ACME Corp. This application would like to: View your profile info; View transactions from all of your accounts.
     "Your data will also be shared with Alligator Corp which processes data for ACME Corp." (annotated: intermediary)
     "By clicking "Allow", you agree to the terms of service and to share your data described above with this third party application and intermediaries." [Allow] [Cancel]
  11. Client Intermediary Metadata extends Dynamic Client Registration to provide additional properties that describe one or more intermediaries acting on behalf of the client:

     POST /register
     {
       ...
       "end_user_application": {
         "name": "Budget Bunny",
         "uri": "https://example-app.com/logo.png"
       },
       "intermediaries": [{
         "name": "Partner Application",
         ...
       }]
     }
  12. Authorization servers that support Client Intermediary Metadata are expected to display the intermediary information on the OAuth consent screen.
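     The registration request from slide 11 and the consent-screen behaviour from slide 12, as an added Python example written for this page (it is not code from the draft or from the presenter). It models an authorization server that accepts a Dynamic Client Registration request carrying "end_user_application" and "intermediaries", validates those self-asserted values before storing them under a fresh client_id, and later renders the consent text for that client_id with every intermediary disclosed. "client_name" and "redirect_uris" are standard RFC 7591 metadata; the validation rules (name length, https-only URIs), the consent wording, the example hostnames and the sample request are assumptions made for illustration.

```python
"""Toy authorization server showing how Client Intermediary Metadata
rides on a Dynamic Client Registration (RFC 7591) request and then
surfaces on the consent screen. Added example, not code from the draft."""
import secrets
from urllib.parse import urlsplit

# Constructed registration body modelled on slide 11. "client_name" and
# "redirect_uris" are standard RFC 7591 metadata; "end_user_application"
# and "intermediaries" are the proposed extension. The aggregator
# (Alligator Corp) is the OAuth client; Budget Bunny is the end user app.
REGISTRATION_REQUEST = {
    "client_name": "Alligator Corp Aggregation Service",
    "redirect_uris": ["https://api.alligator.example/oauth/callback"],
    "end_user_application": {
        "name": "Budget Bunny",
        "uri": "https://example-app.com",
    },
    "intermediaries": [
        {"name": "Alligator Corp", "uri": "https://alligator.example"},
    ],
}

MAX_NAME_LEN = 64  # assumed limit; the draft sets none


def check_party(obj, label):
    """Validate one end_user_application / intermediary object.

    The names and URIs are self-asserted by whoever calls /register and
    end up verbatim on the consent screen, so the AS bounds the name and
    accepts only https URIs instead of trusting the client.
    """
    if not isinstance(obj, dict):
        raise ValueError(f"{label}: must be a JSON object")
    name = obj.get("name")
    if (not isinstance(name, str) or not name.strip()
            or len(name) > MAX_NAME_LEN or not name.isprintable()):
        raise ValueError(f"{label}: name must be printable text")
    uri = obj.get("uri")
    if uri is not None:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{label}: uri must be an https URL")
    return {"name": name.strip(), "uri": uri}


class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> validated metadata

    def register(self, req):
        """Handle POST /register; returns the registration response."""
        meta = {
            "client_name": str(req["client_name"]),
            "redirect_uris": list(req["redirect_uris"]),
            "intermediaries": [],
        }
        if "end_user_application" in req:
            meta["end_user_application"] = check_party(
                req["end_user_application"], "end_user_application")
        inters = req.get("intermediaries", [])
        if not isinstance(inters, list):
            raise ValueError("intermediaries: must be a JSON array")
        meta["intermediaries"] = [
            check_party(i, f"intermediaries[{n}]") for n, i in enumerate(inters)]
        client_id = secrets.token_urlsafe(16)
        self.clients[client_id] = meta
        return {"client_id": client_id, **meta}

    def consent_text(self, client_id, scope_descriptions):
        """Build the consent screen for /oauth/authorize?client_id=...

        The end user application is shown as the requesting party and every
        registered intermediary is disclosed, as slide 12 expects.
        """
        meta = self.clients.get(client_id)
        if meta is None:
            raise KeyError("unknown client_id")
        app = meta.get("end_user_application") or {"name": meta["client_name"]}
        lines = [f"{app['name']} would like to:"]
        lines += [f"  - {s}" for s in scope_descriptions]
        for inter in meta["intermediaries"]:
            lines.append(f"Your data will also be shared with {inter['name']}, "
                         f"which processes data for {app['name']}.")
        return "\n".join(lines)


if __name__ == "__main__":
    srv = AuthorizationServer()
    resp = srv.register(REGISTRATION_REQUEST)
    print(srv.consent_text(resp["client_id"], [
        "View your profile info",
        "View transactions from all of your accounts"]))
```

     The point of validating in `check_party` is that the intermediary list is supplied by the registering client, not by the bank: without bounds on the name and scheme the consent screen becomes a place where an arbitrary registrant controls what the user reads.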
  13. Draft: https://tools.ietf.org/html/draft-parecki-oauth-client-intermediary-metadata-01