In a recent South Park episode, Kyle is kidnapped and subjected to product prototyping (made of people) by employees of a large, cult-like tech company who explain that it is all justified: Kyle failed to read the complex terms and conditions he agreed to. Unfortunately, the risks of consenting to the agreement were not clear to Kyle.
There is a new hope. Earlier this week, Twitter announced more precise controls over permissions granted to third parties. Twitter wants to make the risks of consent more clear. Access to your direct messages should be on a need-to-know basis. Twitter says that by mid-June, when you grant a third-party permission to your twitter account, it will no longer be able to access your direct messages unless you have explicitly granted that particular type of access.
At IIW12, in the session New UMA solutions for scoped access and centralized AUTHZ, Eve Maler explained that part of the motivation is that we don't end up like rats at the feeder bar. One of the elements of User-Managed Access (UMA) that I found immediately useful was the requested scope format. For instance, here is one of three scopes I made for a financial service provider.
We have an identifier to reference the type of access requested, some text to display so that it is clear what type of access is being requested and an icon image for visual aid. For a simple one-time payment, we also need two dynamic values "asset" and "amount" which can be added as query parameters to the requested scope url.
Suppose an OAuth consumer (related to a merchant) wanted a customer to authorize a withdrawal of 3 bernal bucks from his financial service provider (FSP). We supply the requested scope url in the body.
It's not crazy to assume that the FSP will want to host its own scope definitions and that is the assumption made in the create_request_token method.
Regardless of the scope specified, the request token is not issued if the asset isn't specified or isn't supported by the FSP or if the json scope file doesn't exist on the FSP.
Here, we see that after receiving a request token associated with the requested scope, the merchant has redirected the customer to the authorization page where the scope definition is used to display what the customer is being asked to authorize. The name of the type of scope is displayed with a light yellow background.
In RSpec and Cancan Authorization for Intentional Economics, a process of using RSpec examples to drive the rules for authorizing a payment in the Cancan Ability class was described. Using the same process, we create 4 new specs that produce two new lines of code in the ruleset: if it is an OAuth payment, we pass the payment amount to authorized_for? on the access token. These are the two lines added to the Ability class in the checkin.
Here is authorized_for?
Although this seems like progress, there's plenty of room for improvement and plenty more that needs to be done. I have only implemented the single payment scope. How will recurring payment scope work? What if multiple scopes are specified? If this is interesting to you, let's collaborate. One place to do this is on the OpenTransact mailing list. Another way is to work on it at the next Internet Identity Workshop (IIW). At the most recent one, I facilitated a session called Beautiful Payment Systems w/OAuth.
Finally, if you're in Austin on June 1st, come to the EFF-Austin meeting where we'll be talking about What's up with the Internet Identity Movement?.