indieauth-ticketing.txt

indieweb.org                                                   D. Somers
                                                            3 April 2022


                     IndieAuth Ticketing DRAFT 0.1

Abstract

   This document defines new protocols for use with IndieAuth(an
   extension to OAuth 2.0) by defining how to request ("please push"),
   deposit ("push"), and grant ("exchange for a bearer token") tickets
   between two parties.  It further defines an new protocol to
   orchestrate the aforementioned to allow a third-party to act on-
   behalf-of the first party at the second-party.  Use cases are
   provided.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . .   3
       1.1.1.  There is a feed that you can subscribe to . . . . . .   3
       1.1.2.  Reading private content on-behalf-of  . . . . . . . .   5
       1.1.3.  Reading private feeds . . . . . . . . . . . . . . . .   8
     1.2.  Conventions . . . . . . . . . . . . . . . . . . . . . . .   8
     1.3.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   8
     1.4.  Example Formatting  . . . . . . . . . . . . . . . . . . .   9
   2.  Ticketing . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.1.  Who implements what . . . . . . . . . . . . . . . . . . .  10
     2.2.  An archetypal implementation  . . . . . . . . . . . . . .  10
     2.3.  Target endpoint discovery . . . . . . . . . . . . . . . .  11
       2.3.1.  Discover Subject AS Metadata  . . . . . . . . . . . .  11
       2.3.2.  Discover Audience AS Metadata . . . . . . . . . . . .  12
     2.4.  Request . . . . . . . . . . . . . . . . . . . . . . . . .  12
     2.5.  Processing  . . . . . . . . . . . . . . . . . . . . . . .  12
     2.6.  Successful Response . . . . . . . . . . . . . . . . . . .  13
     2.7.  Error Response  . . . . . . . . . . . . . . . . . . . . .  13
     2.8.  The Ticket  . . . . . . . . . . . . . . . . . . . . . . .  13
     2.9.  Authorization Server Metadata . . . . . . . . . . . . . .  14
     2.10. Ticket Introspection  . . . . . . . . . . . . . . . . . .  14
   3.  Ticket Wanted Flow  . . . . . . . . . . . . . . . . . . . . .  15
     3.1.  Target Endpoint Discovery . . . . . . . . . . . . . . . .  16
     3.2.  Request . . . . . . . . . . . . . . . . . . . . . . . . .  16
     3.3.  Processing  . . . . . . . . . . . . . . . . . . . . . . .  17
     3.4.  Successful Response . . . . . . . . . . . . . . . . . . .  17
     3.5.  Error Response  . . . . . . . . . . . . . . . . . . . . .  18
   4.  Ticket Deposit Flow . . . . . . . . . . . . . . . . . . . . .  18
     4.1.  Target Discovery  . . . . . . . . . . . . . . . . . . . .  19
     4.2.  Request . . . . . . . . . . . . . . . . . . . . . . . . .  19



Somers                        Experimental                      [Page 1]

                                Ticketing                     April 2022


     4.3.  Processing  . . . . . . . . . . . . . . . . . . . . . . .  20
     4.4.  Successful Response . . . . . . . . . . . . . . . . . . .  21
     4.5.  Error Response  . . . . . . . . . . . . . . . . . . . . .  21
   5.  Ticket Grant Flow . . . . . . . . . . . . . . . . . . . . . .  21
     5.1.  Discovery . . . . . . . . . . . . . . . . . . . . . . . .  22
     5.2.  Request . . . . . . . . . . . . . . . . . . . . . . . . .  22
     5.3.  Processing  . . . . . . . . . . . . . . . . . . . . . . .  23
     5.4.  Successful Response . . . . . . . . . . . . . . . . . . .  23
     5.5.  Error Response  . . . . . . . . . . . . . . . . . . . . .  23
   6.  Authorization Code On-Behalf-Of Grant Flow  . . . . . . . . .  23
     6.1.  Discovery . . . . . . . . . . . . . . . . . . . . . . . .  24
     6.2.  Request . . . . . . . . . . . . . . . . . . . . . . . . .  25
     6.3.  Processing  . . . . . . . . . . . . . . . . . . . . . . .  26
     6.4.  Successful Response . . . . . . . . . . . . . . . . . . .  27
     6.5.  Error Response  . . . . . . . . . . . . . . . . . . . . .  27
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  28
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  29
   9.  IndieWeb Considerations . . . . . . . . . . . . . . . . . . .  29
     9.1.  "OAuth Parameters" Registry . . . . . . . . . . . . . . .  29
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  30
   11. Related Work  . . . . . . . . . . . . . . . . . . . . . . . .  30
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  31
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  31
     12.2.  Informative References . . . . . . . . . . . . . . . . .  32
   Appendix A.  Why use a Code Verifier? . . . . . . . . . . . . . .  33
   Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .  33
   Appendix C.  Document History . . . . . . . . . . . . . . . . . .  34
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  34

1.  Introduction

   This document defines new protocols for use with [IndieAuth] (an
   extension to OAuth 2.0 [RFC6749]) by defining flows between
   participants that directly or indirectly use tickets as an instrument
   to facilitate the following activities:

   want ticket
      Requesting that ticket to be sent to somebody's (the requestor's)
      authorization server.

   deposit ticket
      Depositing (pushing) a ticket to an authorization server.

   exchange ticket for authorization code
      Taking a deposited ticket and exchanging it with its issuer for an
      access code (Bearer token).





Somers                        Experimental                      [Page 2]

                                Ticketing                     April 2022


   third-party wants an authorization code
      Choreography across three parties to provide an authorization code
      (Bearer token) to a third-party to use at a second-party by
      impersonating the first-party.

   These activities are implemented respectively by the following flows:

   *  Ticket Wanted flow as specified in Section 3.

   *  Ticket Deposit flow as specified in Section 4.

   *  Ticket Grant flow as specified in Section 5.

   *  Authorization Code On-Behalf-Of grant flow as specified in
      Section 6.

1.1.  Use Cases

   The participants are:

   *  The first-party, formally the subject, also known as Alice, who
      authenticates herself to services using an IndieAuth authorization
      server as specified in Section 5.3.2 of [IndieAuth].

   *  The second-party, formally the resource server, also known as Bob,
      is a publisher who makes protected resources available to
      authorized parties using IndieAuth for identification and Bearer
      Token Usage [RFC6750].

   *  The third-party, formally the actor, also known as Carol, who can
      perform different roles for the benefit of the Alice (first-party)
      at the Bob (the second-party) who in this context is formally the
      audience(for Carol's performance).

1.1.1.  There is a feed that you can subscribe to

   In this case, Carol is playing the role of Felicity who is a feed
   reader.

   Bob makes available feed-oriented resources which can be used by
   Alice to read resources recently published on his site.  Bob tells
   Alice's authorization server the location of the feed, which then
   tells Felicity to subscribe to it.

   This to be achieved when:

   1.  The resource server (Bob) implements ticket deposit flow.




Somers                        Experimental                      [Page 3]

                                Ticketing                     April 2022


   2.  The subject's (Alice) authorization server implements ticket
       deposit flow and optionally ticket grant flow.

   3.  The resource server (Bob) uses ticket deposit flow to inform the
       subject (Alice) that there is a feed she might want to subscribe
       to.  When Bob informs Alice of the location of the feed is at the
       discretion of the resource server.

   4.  If the subject's (Alice) authorization server implements ticket
       grant flow it then performs it.  This serves the important
       purpose of confirming that the ticket originated from Bob (the
       resource server) and not a nefarious actor.  The secondary
       purpose is to have a Bearer token that can be passed to a feed
       reader to access private resources.

   5.  The subject's (Alice) authorization server requests the reader
       (Felicity) to subscribe to Bob's feed using an appropriate
       mechanism; how this is achieved is dependent on the authorization
       server and the feed reader but would typically involve a WebSub
       subscription request as specified in Section 5.1 of
       [W3C.REC-websub-20180123].






























Somers                        Experimental                      [Page 4]

                                Ticketing                     April 2022


 ┌───────────────────────┐    ┌───────────────────────┐    ┌───────────┐
 │        "Alice"        │    │         "Bob"         │    │"Felicity" │
 ├───────────────────────┤    ├───────────────────────┤    ├───────────┤
 │        subject        │    │    resource server    │    │   actor   │
 ├───────────┬───────────┤    ├───────────┬───────────┤    ├───────────┤
 │  profile  │subject as │    │ metadata  │audience as│    │ websubhub │
 └───────────┴───────────┘    └───────────┴─────┬─────┘    └───────────┘
       │           │                │           │                │
       │           │                │discover   │                │
       │◀──────────┼────────────────┼─subject─ ┌┴┐               │
       │           │                │metadata  │D│               │
       │           │                │          │ │               │
       │          ┌┴┐◁───ticket─────┼──────────└┬┘               │
       │          │D│               │           │                │
       │          │ │   discover    │           │                │
       │          │┌┴┐──audience───▶│           │                │
       │          ││ │  metadate    │           │                │
       │          ││ │              │           │                │
       │          ││X│  ticket      │           │                │
       │          ││ │──grant───────┼─────────▷┌┴┐               │
       │          ││ │              │          │X│               │
       │          │└┬┘◀ ─ ac─ ─ ─ ─ ┼ ─ ─ ─ ─ ─└┬┘               │
       │          │ │               │           │     subscribe  │
       │          └┬┘───────────────┼───────────┼──────to feed──▶│
       ▼           ▼                ▼           ▼                ▼

 D: ticket deposit flow
 X: ticket grant flow (exchange ticket for token)
 S: subscribe to feed

       Figure 1: Use case of ticketing for feed notification and
                              subscription

1.1.2.  Reading private content on-behalf-of

   In this case, Carol is playing the role of Rachel, an impersonator,
   who only does so with a permissive and in a non-malicious manner.

   Alice wants to have Rachel read private resources that Bob makes
   available to her.  Bob does not know Rachel but Rachel can
   impersonate Alice so she can read things on-behalf-of Alice.

   To achieve this the goal is the acquisition of an authorization code
   (Bearer token) across the security boundary of three parties
   (subject, audience, and actor/impersonator).






Somers                        Experimental                      [Page 5]

                                Ticketing                     April 2022


   It should be stressed that this should happen without any action
   needed by the subject (it is "hands-off"), who also retaining agency
   over obtaining and passing token-based authorization codes to their
   chosen actor and that no preexisting relationship is needed between
   audience and actor.

   This to be achieved when:

   1.  The subject's authorization server implements ticket deposit
       flow, token grant flow, and authorization code on-behalf-of grant
       flow.

   2.  The audience's authorization server implements ticket wanted
       flow, ticket deposit flow, and ticket grant flow.

   3.  The actor implements authorization code on-behalf-of grant flow.

   4.  The actor attempts to read a protected resource from the
       audience, receives a 403 Unauthorized response, then performs
       authorization code on-behalf-of grant flow with the subject's
       authorization server to obtain a Bearer token that can be used to
       access the protected resource.





























Somers                        Experimental                      [Page 6]

                                Ticketing                     April 2022


 ┌───────────────────────┐    ┌───────────────────────┐    ┌───────────┐
 │        "Alice"        │    │         "Bob"         │    │ "Rachel"  │
 ├───────────────────────┤    ├───────────────────────┤    ├───────────┤
 │        subject        │    │    resource server    │    │   actor   │
 ├───────────┬───────────┤    ├───────────┬───────────┤    ├───────────┤
 │  profile  │subject as │    │ metadata  │audience as│    │  reader   │
 └───────────┴───────────┘    └───────────┴───────────┘    └───────────┘
       │           │                │           │                │
       │           │                │           │     discover   │
       │◀──────────┼────────────────┼───────────┼──────subject──┌┴┐
       │           │                │           │     metadata  │O│
       │           │                │           │               │ │
       │          ┌┴┐◀──────────────┼───────────┼───────ac-obo──│ │
       │          │O│   discover    │           │               │ │
       │          │┌┴┐──audience───▶│           │               │ │
       │          ││W│  metadata    │           │               │ │
       │          ││ │              │           │               │ │
       │          ││ ├──want ticket─┼─────────▶┌┴┐              │ │
       │          ││ │              │          │W│              │ │
       │          │└┬┘◀─ ack ─ ─ ─ ─│─ ─ ─ ─ ─ │ │              │ │
       │          │ │               │          │ │              │ │
       │          │ │               │discover  │ │              │ │
       │◀─────────┤ ├───────────────┼─subject─┌┴┐│              │ │
       │          │ │               │metadata │D││              │ │
       │          │ │               │         │ ││              │ │
       │          │┌┴┐◁──ticket─────┼─────────└┬┘│              │ │
       │          ││D│              │          │ │              │ │
       │          │└┬┘  discover    │          │ │              │ │
       │          │┌┴┐──audience───▶│          │ │              │ │
       │          ││ │  metadate    │          │ │              │ │
       │          ││ │              │          │ │              │ │
       │          ││X│  ticket      │          │ │              │ │
       │          ││ │──grant───────┼────────▷┌┴┐│              │ │
       │          ││ │              │         │X││              │ │
       │          │└┬┘ ◀ ─ac ─ ─ ─ ─│─ ─ ─ ─ ─└┬┘│              │ │
       │          │ │               │          └┬┘              │ │
       │          └┬┘─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ac─ ▶└┬┘
       │           │                │           │                │
       ▼           ▼                ▼           ▼                ▼

 W: want ticket flow
 D: ticket deposit flow
 X: ticket grant flow (exchange ticket for token)
 O: code obo grant flow (get token via ticketing between participants)

     Figure 2: Use case of ticketing for acquiring an authorization
                     code for use by a third-party




Somers                        Experimental                      [Page 7]

                                Ticketing                     April 2022


1.1.3.  Reading private feeds

   In this case, Carol performs a dual role (she is Felicity-Rachel):
   the ability to not only read feeds (the Felicity role), which
   themselves may be a protect resource, but also any protected
   resources in the feed, by impersonating Alice as necessary (the
   Rachel role).

1.2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.3.  Terminology

   This specification uses the terms "as metadata" and "user profile
   URL" defined by [IndieAuth], the terms "access token", "authorization
   server", "authorization endpoint", "authorization request", "client",
   "resource server", and "token endpoint" defined by The OAuth 2.0
   Authorization Framework [RFC6749], the terms "delegation" and
   "security token service" defined by [RFC8693] the term "bearer token"
   defined by [RFC6750]

   This specification defines the following terms:

   Actor
      A URL that represents the identity of the acting party.
      Typically, this will be the party (the third-party) that is
      authorized to use a token obtained by and to act on-behalf-of the
      subject at another party (the second-party).

   Audience
      A URL that represents the second-party in a multi-participant
      protocol.

   Role
      The activity (a scope) that an actor will perform on-behalf-of a
      subject.

   Subject
      A person, the first-party in a multi-participant protocol.

   Subject Identity
      The identity of the subject as a URI, nominally an IndieAuth user
      profile URL.



Somers                        Experimental                      [Page 8]

                                Ticketing                     April 2022


   Ticket
      A ticket is an opaque string, not intended to have any meaning to
      clients using it.

   Ticket Endpoint
      The IndieAuth/OAuth 2.0 endpoint through which ticket deposit
      operation is accomplished.

   Ticket Wanted Endpoint
      The IndieAuth/OAuth 2.0 endpoint through which ticket wanted
      operation is accomplished.

   Ticketing
      The act of acquiring or using tickets as a utility to allow
      information to be exchanged between two or more parties through
      use of the network protocol defined in this document.

1.4.  Example Formatting

   Where examples of protocol messages are given, the payload has been
   formatted for presentation and is not a true representation of what
   is the wire data: for form-urlencoded payloads URL-encoding has not
   been done and additional white-space and line-breaks are shown
   between key-value pairs to aid readability; similarly for JSON
   payloads.

2.  Ticketing

   This specification defines new protocol flows around the use of
   tickets between participants in the IndieAuth universe:

   Ticket Wanted
      This is where somebody requests an authorization server to send a
      ticket to the authorization server for a subject.

   Ticket Deposit
      This is where somebody issues a ticket to the authorization server
      for a subject to indicate that it can be exchanged at the
      authorization server for the audience to obtain an access code
      (Bearer token) or to notify them simply of the presence of a feed
      at the resource server that they may be interested in subscribing
      to.

   Ticket Grant
      This is where a ticket is redeemed at the authorization server for
      audience to grant a token assigned to the subject.





Somers                        Experimental                      [Page 9]

                                Ticketing                     April 2022


   Authorization Code On-Behalf-Of (ac-obo) Grant
      This is where an actor requests that the authorization server for
      the subject for a bearer token to use at the audience on their
      behalf.  The authorization server validates that the request is
      from the actor and then orchestrates wanted ticket flow with the
      audience, waits for it to send a ticket using ticket deposit flow,
      then exchanges the ticket with the authorization server for the
      audience for a token, and finally returns the token to the caller.

2.1.  Who implements what

   The following table summarizes which participant/system is
   responsible for implementing which side of each ticketing flow.

            +====================+=============+=============+
            | ticketing flow     | client      | server      |
            +====================+=============+=============+
            | (W) ticket wanted  | subject as  | audience as |
            +--------------------+-------------+-------------+
            | (D) ticket deposit | audience as | subject as  |
            +--------------------+-------------+-------------+
            | (X) ticket grant   | subject as  | audience as |
            +--------------------+-------------+-------------+
            | (O) ac-obo grant   | actor       | subject as  |
            +--------------------+-------------+-------------+

                                 Table 1

2.2.  An archetypal implementation

   Each protocol flow follows an archetypal pattern, as illustrated in
   Figure 3, between an initiator (the client-side of an HTTP request)
   and a target (the sever-side of an HTTP response):

   Client: Discovery (of the target endpoint)
      The client discovers the target endpoint to where a request is to
      be made under the doctrine of "distrust and verify" per Section 7.

   Client: Make the request
      The client makes a request to the target endpoint as an HTTP
      "POST".

   Server: Receive the request and work it
      The endpoint receives the request, validates the parameters,
      ensures that the request is valid, meets all policy and other
      criteria of the authorization server, processes the request to
      build response parameters, and returns the response.




Somers                        Experimental                     [Page 10]

                                Ticketing                     April 2022


   Client: Receive the response and work it
      The response is either a successful response or an error response.

┌─────────────┐                     ┌─────────────┐
│  Initiator  │                     │   Target    │
├─────────────┤                     ├─────────────┤
│   Client    │                     │   Server    │
└─────────────┘                     └─────────────┘
       │                                   │
      ┌┴┐──┐                               │
      │ │  │ Discover                      │
      │ │  │ Target                        │
      │ │  │ Endpoint                      │
      │ │◀─┘                               │
      │ │    POST to target                │
      │ │────parameters are──────────────▶┌┴┐──┐validate parameters
      │ │    x-www-form-urlencoded        │ │  │meets criteria?
      │ │                                 │ │◀─┘meets policy?
      │ │                                 │ │
┌ALT─ ┤ ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤ ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
      │ │                                 │ │──┐ work request          │
│     │ │◀ ─ ─ ─ ─ ─ Successful Response ─│ │◀─┘ build response
 ─ ─ ─│ │─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│ │─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│     │ │                                 │ │
      │ │◀─ ─ ─ ─ ─ ─ ─ ─ Error Response─ ┤ │                          │
└ ─ ─ ┤ ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┴┬┴ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
      │ │──┐                               │
      │ │◀─┘work response                  │
      └┬┘                                  │
       ▼                                   ▼

                      Figure 3: Archetypal flow

2.3.  Target endpoint discovery

   The client needs to discover the endpoint where the request needs to
   be made.

2.3.1.  Discover Subject AS Metadata

   For "subject":

   A subject is identified by a user profile URL which is their
   canonical homepage in the world wide web at a domain which is unique
   to them and accessible by either the http or https scheme as
   specified in section 3.1 of [IndieAuth].





Somers                        Experimental                     [Page 11]

                                Ticketing                     April 2022


   It is RECOMMENDED that a profile URL with a http scheme be considered
   unacceptable due toSection 7.

   The client undertakes discovery as specified in Section 4.1 of
   [IndieAuth] against the user profile URL.

2.3.2.  Discover Audience AS Metadata

   For "audience":

   Do discovery for "audience" as detailed in Section 4.1 of [IndieAuth]

2.4.  Request

   The client makes a request to the target endpoint using the HTTP
   "POST" method.  Parameters are included in the HTTP request entity-
   body using the "application/x-www-form-urlencoded" format with a
   character encoding of UTF-8 as described in Appendix B of [RFC6749].

   The parameters are detailed for each flow in this specification.

2.5.  Processing

   When an server receives a request it performs the following steps:

   1.  Validate the parameters to ensure that all mandatory one are
       present.

   2.  Ensure that the parameter values are semantically correct, for
       example:

       *  The type matches that expected.

       *  If a URL is expected that the value can be parsed as a URL and
          is normalized as required.

   3.  Ensures that it meets all policy and other criteria specific to
       the implementation.

   4.  Works the request and construct the result parameters.











Somers                        Experimental                     [Page 12]

                                Ticketing                     April 2022


2.6.  Successful Response

   A successful response is constructed by adding the result parameters
   to the entity-body of the HTTP response using the "application/json"
   media type, as specified by [RFC8259], and an HTTP 202 status code or
   other applicable code.  The result parameters are serialized into a
   JavaScript Object Notation (JSON) structure by adding each parameter
   at the top level.  Parameter names and string values are included as
   JSON strings.  Numerical values are included as JSON numbers.  The
   order of parameters does not matter and can vary.

   The result parameters are detailed for each flow in this
   specification.

2.7.  Error Response

   If the request is not valid or is unacceptable based on policy or
   there is a problem when processing the request the authorization
   server MUST construct an error response, as specified in Section 5.2
   of [RFC6749].  The value of the "error" parameter MUST be the
   "invalid_request" error code or other values as detailed for each
   flow in this specification.

   The authorization server MAY include additional information regarding
   the reasons for the error using the "error_description" as discussed
   in Section 5.2 of [RFC6749].

   Other HTTP status codes may also be used as appropriate, for example:

   405
      If the request did not use the "POST" method, the authorization
      server responds with an HTTP 405 (Method Not Allowed) status code.

   413
      If the request size was beyond the upper bound that the
      authorization server allows, the authorization server responds
      with an HTTP 413 (Payload Too Large) status code.

   429
      If the number of requests from a client during a particular time
      period exceeds the number the authorization server allows, the
      authorization server responds with an HTTP 429 (Too Many Requests)
      status code.

2.8.  The Ticket

   The ticket is an opaque string.  It MUST be at lest 16 characters in
   length and no more than 512 characters.



Somers                        Experimental                     [Page 13]

                                Ticketing                     April 2022


   When an authorization server generates a ticket it is HIGHLY
   RECOMMENDED that it is a version 4 UUID generated as specified in
   Section 4.4 of [RFC4122].

   If an authorization server wants to generate a structured ticket it
   MUST not be a JWT due to Section 7 and its content MUST respect
   Section 8.

2.9.  Authorization Server Metadata

   The following authorization server metadata [RFC8414] parameters are
   introduced to signal an authorization server's capability and policy
   with respect to which aspects of ticketing it supports.

   ticket_wanted_endpoint
      If this endpoint is declared this indicates that the authorization
      server implements the server-side of ticket wanted flow.

   ticket_endpoint
      If this endpoint is declared this indicates that the authorization
      server explicitly implements the server-side of ticket deposit
      flow.  A client MAY use the "token_endpoint" as a fall-back target
      as an implicit (and not guaranteed) signal and target endpoint.

   grant_types_supported
      If the authorization server supports authorization code on-behalf-
      of grant flow this MUST include
      "urn:indieweb.org:params:oauth:grant-type:on_behalf_of"; if it
      supports ticket grant flow it MUST include
      "urn:indieweb.org:params:oauth:grant-type:ticket".

2.10.  Ticket Introspection

   If an authorization server implements OAuth Introspection [RFC7662]
   it MAY consider a ticket to be like a token and allow it to be
   introspected with "token_type__hint=ticket" as per Section 1 of
   [RFC7662].

   Example token introspection request against a ticket:

   POST /as/token_introspect HTTP/1.1
   Host: https://bob.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json

   token=TICKET1234
   &token_type_hint=ticket




Somers                        Experimental                     [Page 14]

                                Ticketing                     April 2022


   Example token introspection response against a ticket:

   HTTP 1.1
   Content-Type: application/json
   Cache: no-cache, no-store

   {
      "active" : false,
      "scope": "read",
      "client_id": "https://bob.example"
      "username": "rachel obo alice",
      "token_type": "ticket",
      "iat": "1648710000",
      "exp": "1648992070",
      "sub": "https://alice.example/",
      "aud": "https://bob.example/".
      "iss": "https://bob.example/as"
   }

3.  Ticket Wanted Flow































Somers                        Experimental                     [Page 15]

                                Ticketing                     April 2022


┌──────────────────────────────────────────────────────────────────────┐
│             ticket wanted flow - (subject, audience):nil             │
└──────────────────────────────────────────────────────────────────────┘
                               ┌───────────────────────────────┐
                               │           audience            │
                               ├───────────────────────────────┤
                               │     authorization server      │
┌───────────────┐              ├───────────────┬───────────────┤
│    client     │              │   /metadata   │/ticket_wanted │
└───────────────┘              └───────────────┴───────────────┘
        │                              │               │
       ┌┴┐                             │               │
       │ │read audience metadata       │               │
       │ │want ticket_wanted_endpoint  │               │
       │ │────────────────────────────▶│               │
       │ │send request:                │               │
       │ │send a ticket to "subject"   │               │
       │ │─────────────────────────────┼─────────────▶┌┴┐
       │ │successful response:         │              │ │
       │ │request received             │              │ │
       │ │◀─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─│ │
       └┬┘                             │              └┬┘
┌OPT─ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
        │                              │       ┌─REF───┴───────┐       │
│       │                              │       │ticket deposit │
        │                              │       └───────┬───────┘       │
└ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
        ▼                              ▼               ▼

          Figure 4: Sequence diagram for ticket wanted flow

3.1.  Target Endpoint Discovery

   1.  Obtain the metadata for the authorization server for the subject
       as detailed in Section 2.3.2.

   2.  Target endpoint is the "ticket_wanted_endpoint" property in the
       metadata; if the property does not exist or has an empty value
       fallback to the "token_endpoint" property.

   The target endpoint MUST use the "https" scheme per Section 7.

3.2.  Request

   The client makes a request as specified in Section 2.4 to the target
   endpoint with the following parameters:





Somers                        Experimental                     [Page 16]

                                Ticketing                     April 2022


   action
      REQUIRED.  This MUST be "ticket".  NOTE: if the ticket is received
      on a "token_endpoint" this key-value combination can be used to
      easily identify the request as one for ticket wanted.

   subject
      REQUIRED.  The user profile URL of the subject.

   Example ticket wanted request:

   POST /as/ticket_wanted HTTP/1.1
   Host: https://bob.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json

   action=ticket
   &subject=https://alice.example.com/

3.3.  Processing

   The request is processed as specified in Section 2.5 and the specific
   work to be performed for ticket wanted flow is:

   1.  To decide to act on the wanted request or not.

   2.  If it decides to act it does Ticket Deposit Flow for the subject
       in the request.

3.4.  Successful Response

   The response will be as specified in Section 2.6 and there are no
   response parameters so the body of the response is at the discretion
   of the authorization server.

   It is RECOMMEND that http content negotiation as specified in section
   5.3 of [RFC7231] is undertaken and the server responds to following
   media types accordingly (defaulting to "application/json"):

   application+json
      An object with a single key of "subject" and value of the subject
      in the request (which may be different due to normalization or
      canonicalization).

   Example ticket wanted response with content-negotiated JSON body:







Somers                        Experimental                     [Page 17]

                                Ticketing                     April 2022


   HTTP 1.1
   Content-Type: application/json
   Cache: no-cache, no-store

   {
      "subject" : "https://alice.example.com/"
   }

   text/plain:
      "Ticket Wanted Request Received for <subject>"

   Example ticket wanted response with content negotiated text/plain
   body:

   HTTP 1.1
   Content-Type: text/plain
   Cache: no-cache, no-store

   Received Ticket Wanted Request for https://alice.example.com/

3.5.  Error Response

   If an error response is warranted it MUST be as per Section 2.7.

   An error response MUST only be returned if there is a problem with
   the request parameters per se (for example missing or malformed).

   The server MUST NOT return an error response if the subject is not
   known because that would leak that the publisher does not have a
   relationship with the subject, and conversely that it does (which
   would be an issue if the request did not originate from the subject
   but from a malicious client).

4.  Ticket Deposit Flow

















Somers                        Experimental                     [Page 18]

                                Ticketing                     April 2022


┌──────────────────────────────────────────────────────────────────────┐
│                 ticket deposit flow - f(subject):nil                 │
└──────────────────────────────────────────────────────────────────────┘
                               ┌───────────────────────────────┐
                               │            subject            │
                               ├───────────────────────────────┤
                               │              as               │
┌───────────────┐              ├───────────────┬───────────────┤
│    client     │              │   /metadata   │    /ticket    │
└───────────────┘              └───────────────┴───────────────┘
        │ read subject as metadata     │               │
        │ want ticket_endpoint         │               │
       ┌┴┐────────────────────────────▶│               │
       │ │generate ticket              │               │
       │ │send request:                │               │
       │ │ticket to use at "audience"  │               │
       │ │─────────────────────────────┼─────────────▶┌┴┐
       │ │successful response:         │              │ │
       │ │request received             │              │ │
       └┬┘◀─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─│ │
┌OPT─ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ┤ ├ ─ ─ ─ ─ ─ ─ ─
        │                              │       ┌─REF──┴─┴──────┐       │
│       │                              │       │ ticket grant  │
        │                              │       └───────┬───────┘       │
└ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
        ▼                              ▼               ▼

          Figure 5: Sequence diagram for ticket deposit flow

4.1.  Target Discovery

   1.  Obtain the metadata for the authorization server for the subject
       as detailed in Section 2.3.1.

   2.  Target endpoint is the "ticket_endpoint" property in the
       metadata.

   The target endpoint MUST use the https schema per Section 7.

4.2.  Request

   The client makes a request as specified in Section 2.4 to the target
   endpoint with the following parameters:

   subject
      REQUIRED.  The user profile URL of the subject.





Somers                        Experimental                     [Page 19]

                                Ticketing                     April 2022


   resource
      REQUIRED.  The URL to the resource server where the ticket can be
      used (the audience).  If the path component is just the root
      directory this is a hint that the ticket can be exchanged for an
      token (using ticket grant) otherwise it is a path to feed on the
      resource server that the subject may be interested in subscribing
      to in their feed reader.

   ticket
      REQUIRED.  The ticket as per Section 2.8.

   Example ticket deposit request:

   POST /as/ticket_wanted HTTP/1.1
   Host: bob.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json, text/plain

   subject=https://alice.example.com/
   resource=https://bob.example.com/
   ticket=TICKET1234567890

   Example ticket deposit request hinting there is a feed that the
   subject can subscribe to:

   POST /as/ticket_wanted HTTP/1.1
   Host: bob.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json, text/plain

   subject=https://alice.example.com/
   resource=https://bob.example.com/feeds/
   ticket=TICKET1234567890

4.3.  Processing

   The request is processed as specified in Section 2.5 and the specific
   work to be performed for ticket deposit flow is:

   1.  Confirm that the subject is handled by this authorization server.

   2.  If "resource" has a path component that is not just the root
       directory, it is a path to a feed that can be subscribed to; how
       the authorization server does this is outside the scope of this
       specification but would typically involve a subscription request
       as specified in Section 5.1 of [W3C.REC-websub-20180123] to an
       endpoint configured by the subject.




Somers                        Experimental                     [Page 20]

                                Ticketing                     April 2022


   3.  Optionally, perform ticket grant type flow with the following
       parameters:

       *  ticket is the "ticket" from the request.

       *  audience is the "resource" from the request.

4.4.  Successful Response

   The authorization server MUST respond as specified in Section 2.6
   with the caveat that a response body is optional, but if provided the
   parameters are:

   ticket_received
      The value of the ticket in the request.

   Example ticket deposit successful response:

   HTTP/1.1 202 Accepted
   Content-Type: application/json
   Cache-Control: no-cache, no-store

   {
     "ticket_deposited" : "TICKET1234567890"
   }

   A server MAY use content negotiation, and respond to "text/plain"
   with the a body containing the parameter as a key "=" value.

   Example ticket deposit successful response with content-negotiated
   text/plain body:

   HTTP/1.1 202 Accepted
   Content-Type: text/plain
   Cache-Control: no-cache, no-store

   ticket_deposited=TICKET1234567890

   For content negotiation evaluating to "text/html" the server can
   respond with any body that it likes.

4.5.  Error Response

   If an error response is warranted it MUST be as per Section 2.7.

5.  Ticket Grant Flow





Somers                        Experimental                     [Page 21]

                                Ticketing                     April 2022


┌──────────────────────────────────────────────────────────────────────┐
│              ticket grant flow – f(ticket, audience):ac              │
└──────────────────────────────────────────────────────────────────────┘
                               ┌───────────────────────────────┐
                               │           audience            │
                               ├───────────────────────────────┤
                               │              as               │
┌───────────────┐              ├───────────────┬───────────────┤
│    client     │              │   /metadata   │    /ticket    │
└───────────────┘              └───────────────┴───────────────┘
        │ read audience as metadata    │               │
        │ want token                   │               │
       ┌┴┐────────────────────────────▶│               │
       │ │                             │               │
       │ │send request:                │               │
       │ │grant ac for this ticket     │               │
       │ │─────────────────────────────┼─────────────▶┌┴┐
       │ │successful response:         │              │ │
       │ │ac (Bearer token)            │              │ │
       └┬┘◀─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─└┬┘
        │                              │               │
        ▼                              ▼               ▼

           Figure 6: Sequence diagram for ticket grant flow

5.1.  Discovery

   1.  Obtain the metadata for the authorization server for the audience
       as detailed in Section 2.3.2.

   2.  The target endpoint is the "token_endpoint" property.

5.2.  Request

   The client makes a request as specified in Section 2.4 to the target
   endpoint with the following parameters:

   grant_type
      REQUIRED.  This MUST be "ticket".

   ticket
      REQUIRED the ticket to exchange for an access code (Bearer token).

   Example ticket grant request:







Somers                        Experimental                     [Page 22]

                                Ticketing                     April 2022


   POST /as/token HTTP/1.1
   Host: bob.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json, text/plain

   grant_type=ticket
   &ticket=TICKET1234567890

5.3.  Processing

   The request is processed as specified in Section 2.5 and the specific
   work to be performed for ticket grant flow is:

   1.  The generation of a Bearer token for the subject with a short
       lifespan due to Section 7.  It is RECOMMENDED that the age be
       limited to more than 36 hours.

   2.  Construction of access token response

       Note that a refresh token SHOULD NOT be included in the response
       but if it is it will be ignored.

5.4.  Successful Response

   The response is an access token response as specified in section
   5.3.3 of [IndieAuth].

   Example response to a ticket grant request:

   HTTP 1.1
   Content-Type: application/json
   Cache: no-cache, no-store

   {
     "access_token" : "TOKEN1234567890",
     "token_type"   : "Bearer",
     "expires_in"   : 259200,
     "scope"        : "read"
   }

5.5.  Error Response

   If an error response is warranted it MUST be as per Section 2.7.

6.  Authorization Code On-Behalf-Of Grant Flow






Somers                        Experimental                     [Page 23]

                                Ticketing                     April 2022


┌──────────────────────────────────────────────────────────────────────┐
│   ac-obo flow – f(subject, resource/audience, actor/client_id):ac    │
└──────────────────────────────────────────────────────────────────────┘
                               ┌───────────────────────────────┐
                               │            subject            │
                               ├───────────────────────────────┤
                               │              as               │
┌───────────────┐              ├───────────────┬───────────────┤
│    client     │              │   /metadata   │    /token     │
└───────────────┘              └───────────────┴───────────────┘
        │                              │               │
        │ read subject as metadata     │               │
        │ want token endpoint          │               │
       ┌┴┐────────────────────────────▶│               │
       │ │send request:                │               │
       │ │grant ac for actor           │               │
       │ │to use at audience           │               │
       │ │on behalf of subject         │               │
       │ │─────────────────────────────┼─────────────▶┌┴┐
       │ │                             │       ┌─REF──┴─┴──────┐
       │ │                             │       │ ticket wanted │
       │ │                             │       └──────┬─┬──────┘
       │ │                             │       ┌─REF──┴─┴──────┐
       │ │                             │       │ticket deposit │
       │ │                             │       └──────┬─┬──────┘
       │ │                             │       ┌─REF──┴─┴──────┐
       │ │ successful response:        │       │ ticket grant  │
       │ │ ac (Bearer token)           │       └──────┬─┬──────┘
       └┬┘◀─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─└┬┘
        │                              │               │
        ▼                              ▼               ▼

    Figure 7: Sequence diagram for authorization code on-behalf-of
                              grant flow

6.1.  Discovery

   1.  Obtain the metadata for the authorization server for the subject
       as detailed in Section 2.3.1.

   2.  The metadata MUST have a "grant_types_supported" that includes
       "on_behalf_of" to indicate that the subject's authorization
       server supports "requested_token_use=on_behalf_of" at its
       "token_endpoint" and is therefore a signal that it implements the
       authorization code on behalf of grant flow.

   3.  The target endpoint is the "ticket_endpoint" property in the
       metadata.



Somers                        Experimental                     [Page 24]

                                Ticketing                     April 2022


6.2.  Request

   When the request is made, it MUST also include something which can be
   used to assure the receiver that it has come from the "client_id"
   provided.  The client MUST NOT use more than one method in each
   request.  The following methods be offered:

   client_secret
      By providing a "client_secret" that has previously been exchange
      out-of-band between the actor and the subject.

   clientid, claimtype="code_verifier" and claim
      By providing the last successful "code_verifier" parameter from
      when the client assured their identity with the actor.  This is
      the preferred method because it provides a "hands-off" experience
      for the subject.  The rationale for using a PKCE Code Verifier is
      detailed in Appendix A.

   The client makes a request as specified in Section 2.4 to the target
   endpoint with the following parameters:

   grant_type
      REQUIRED.  This MUST be "authorization_code".

   requested_token_use
      REQUIRED.  This MUST be "urn:indieweb.org:params:oauth:grant-
      type:on_behalf_of" or the less strictly qualified form
      "on_behalf_of".

   subject
      REQUIRED.  The user profile URL of the subject.

   resource
      REQUIRED.  The URL of the resource server where the granted code
      will be used, i.e. the audience.

   client_id
      REQUIRED.  The URL of the requestor (the actor).

   client_secret
      OPTIONAL.  A secret previously provided by the actor to assure the
      receiver that the request was made by it.

   claim
      OPTIONAL but REQUIRED if "claim_type" is not provided.  An item
      from the actor's authorization server to prove its claim to be the
      aforementioned to the caller.  This parameter becomes *MANDATORY*
      when no "client_secret" is offered.



Somers                        Experimental                     [Page 25]

                                Ticketing                     April 2022


   claim_type
      OPTIONAL but REQUIRED if "claim" is provided.  The format of the
      proof as defined by the authorization server.  The value indicates
      what type of data the "claim" parameters contains.

   Example authorization code on-behalf-of grant request:

   POST /as/token HTTP/1.1
   Host: alice.example.com
   Content-type: application/x-www-form-urlencoded; charset=utf-8
   Accept: application/json

   grant_type=authorization_code
   &requested_token_use=on_behalf_of
   &subject=https://alice.example.com/
   &resource=https://bob.example.com/
   &client_id=https://rachel.example.com/
   &claim=CV123
   &claim_type=pkce_verifier

6.3.  Processing

   The request is processed as specified in Section 2.5 and the specific
   work to be performed for authorization code on-behalf-of grant flow
   is:

   1.  Check that the subject is known to the token endpoint.

   2.  Check that the client_id corresponds to an actor (reader) that it
       wants to delegate to.

   3.  Ensure that the subject has verified their identity with the
       client (the actor); if the subject has verified their identity,
       the authorization server should have a record of the code request
       made to its authorization endpoint.

   4.  Check that the client issuing the grant request is who they claim
       to be.  This is done by checking the validity of the "claim" and
       "claim_type" pairing.

   5.  Do ticket wanted flow (target is the current authorization
       server) to request a ticket.

   6.  Wait for a ticket to be made available via ticket deposit flow.

   7.  Do ticket grant flow (with target of subject) to exchange the
       ticket for a token.




Somers                        Experimental                     [Page 26]

                                Ticketing                     April 2022


   8.  Ensure that the ticket grant response meets the constrictions
       specified in Section 6.4 and if not it a policy decision whether
       to respond with an error response or to filter the parameters to
       conform.

   9.  The response parameters are the ticket grant response parameters
       with the caveat that the "refresh_token" if provided MUST be
       removed.

6.4.  Successful Response

   If a successful response is warranted it MUST be as per Section 2.6
   and the parameters correspond to this for a normal OAuth 2.0 response
   as specified in Section 5 of [RFC6749] but the following constraints:

   *  It is RECOMMENDED the expiration time is in the near future and
      that a refresh token is provided.

   *  The "scope" MUST contain at least "read".

   *  The "scope" SHOULD be as limited as possible as per Section 7.

   Additional parameters MAY be included for implementation-specific
   reasons.

   Example access token successful response:

   HTTP 1.1 200 OK
   Content-type: application/json
   Cache-Control: no-cache, no-store

   {
     "access_token" : "AT1234"
     "token_type"   : "Bearer"
     "expires_in"   : 3600
     "scope"        : "read"
     "refresh_token": "RT1234"
   }

6.5.  Error Response

   If an error response is warranted it MUST be as per Section 2.7.

   The following alternative "error" values MUST be used instead of the
   generic "bad_request" in the following circumstances:






Somers                        Experimental                     [Page 27]

                                Ticketing                     April 2022


   "invalid_ticket_want"
      When there is an issue performing the ticket wanted flow (W) with
      the "audience", for example, unable to obtain the metadata for the
      authorization server.  It is HIGHLY RECOMMENDED that the reason is
      returned in the "error_description" with attention to Section 7
      and Section 8.

   "invalid_ticket"
      When either no ticket is available or one has not been received in
      response to a ticket wanted request, within a reasonable amount of
      time.

   "invalid_ticket_grant"
      When there is an issue performing the ticket grant flow (X) with
      the audience's authorization server.  It is HIGHLY RECOMMENDED
      that the reason is returned in the "error_description" with
      attention to Section 7 and Section 8.

7.  Security Considerations

   Much of the guidance from Section 10 of [RFC6749], the Security
   Considerations in The OAuth 2.0 Authorization Framework, is also
   applicable here.  Furthermore, [RFC6819] provides additional security
   considerations for OAuth, and [I-D.ietf-oauth-security-topics] has
   updated security guidance based on deployment experience and new
   threats that have emerged since OAuth 2.0 was originally published.

   If the ticket issued by an authorization server is a JWT particular
   attention should be paid to Section 5 of [RFC9068].

   The use of JWTs as a ticket is not encouraged and implementors should
   use an opaque string.

   Do NOT attempt to read tickets.  No assumption should be made as to
   their format and they may or many not validate as a JWT.  While
   reading tickets is a useful for debugging, implementations should not
   depend on this ability because tickets are opaque.

   In addition, both delegation and impersonation introduce unique
   security issues.  Any time one principal is delegated the rights of
   another principal, the potential for abuse is a concern.  The use of
   the "scope" claim (in addition to other typical constraints such as a
   limited token lifetime) is suggested to mitigate potential for such
   abuse, as it restricts the contexts in which the delegated rights can
   be exercised.






Somers                        Experimental                     [Page 28]

                                Ticketing                     April 2022


   For authorization code on-behalf-of grant flow, the relative agency
   of the subject is limited by the expiration time of the token issued.
   The agency can only be exercised when the subject's authorization
   server is requested to acquire a new token during this flow.  Hence
   the limitation on the subject's agency is bounded by the age of the
   token from the audience that they forward to the actor.  For this
   reason it is imperative that an audience issue tokens in response to
   this grant request with a sensibly short expiration time to ensure
   the subject can maintain agency over the actor.

8.  Privacy Considerations

   Tickets and tokens employed in the context of the functionality
   described herein may contain privacy-sensitive information and, to
   prevent disclosure of such information to unintended parties, MUST
   only be transmitted over encrypted channels, such as Transport Layer
   Security (TLS).

   Deployments SHOULD determine the minimally necessary amount of data
   and only include such information in issued tickets or tokens.  In
   some cases, data minimization may be needed and this is of particular
   relevance when an authorization server is acting like an STS in
   authorization code on-behalf-of grant flow.

9.  IndieWeb Considerations

   1.  In [IndieAuth] the user profile URL can use the http or https
       scheme.  The use of https is contrary to Section 7.

   2.  Some authorization servers may regard user profiles URLs at the
       same host and path but access by different scheme
       (http://example.com/ (http://example.com/) and
       https://example.com/ (https://example.com/)) as separate
       identities.  As IndieWeb uses the domain as a identifier for a
       subject, this would seem to be misinterpretation.  Give the
       previous consideration if user profiles were mandated to be
       accessible only over https then this second consideration would
       be moot.

9.1.  "OAuth Parameters" Registry

   To indicate ticket grant flow is supported:

   *  URN: urn:indieweb.org:params:oauth:grant-type:ticket

   *  Common Name: Ticket exchange grant type for IndieAuth Ticketing

   *  Change Controller: indieweb.org



Somers                        Experimental                     [Page 29]

                                Ticketing                     April 2022


   *  Specification Document: Section 2.9 of this specification

   To signal that authorization code on-behalf-of grant flow is
   supported:

   *  URN: urn:indieweb.org:params:oauth:grant-type:on_behalf_of

   *  Common Name: On-Behalf-Of Ticketing grant type

   *  Change Controller: indieweb.org

   *  Specification Document: Section 2.9 of this specification

10.  IANA Considerations

   There are no IANA actions requested at this time.

11.  Related Work

   Authorization Grants
      [RFC7521] provides a common framework for OAuth 2.0 to interwork
      with other identity systems using assertions and to provide
      alternative client authentication mechanisms.

   Assertion grant profile for OAuth 2.0 authorization grants
      https://docs.pingidentity.com/bundle/pingfederate-93/page/
      umd1564002958895.html (https://docs.pingidentity.com/bundle/
      pingfederate-93/page/umd1564002958895.html)

   AutoAuth
      Described in [AutoAuth].  An extension to IndieAuth that allows
      clients to authorize to other servers in the name of their user,
      without the user being present to confirm each individual
      authorization flow.

   Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/
      v2-oauth2-on-behalf-of-flow (https://docs.microsoft.com/en-
      us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)

   This where an application invokes a service/web API, which in turn
   needs to call another service/web API.  The idea is to propagate the
   delegated user identity and permissions through the request chain.
   Detailed at







Somers                        Experimental                     [Page 30]

                                Ticketing                     April 2022


   TicketAuth
      Described in [TicketAuth], this is an extension to IndieAuth that
      enables a publisher to send authorization, known as a ticket, that
      can be redeemed for an access token.  This allows both solicited
      and unsolicited invitations to fetch restricted resources.

   Token Exchange
      OAuth Token Exchange [RFC8693] is a protocol to request and obtain
      security tokens from an authorization server for impersonation and
      delegation.

12.  References

12.1.  Normative References

   [I-D.ietf-oauth-security-topics]
              Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett,
              "OAuth 2.0 Security Best Current Practice", Work in
              Progress, Internet-Draft, draft-ietf-oauth-security-
              topics-19, 16 December 2021,
              <https://www.ietf.org/archive/id/draft-ietf-oauth-
              security-topics-19.txt>.

   [IndieAuth]
              Parecki, A., "IndieAuth, IndieWeb Living Standard", 12
              February 2022, <https://indieauth.spec.indieweb.org/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <https://www.rfc-editor.org/info/rfc4122>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/info/rfc6749>.

   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
              Framework: Bearer Token Usage", RFC 6750,
              DOI 10.17487/RFC6750, October 2012,
              <https://www.rfc-editor.org/info/rfc6750>.






Somers                        Experimental                     [Page 31]

                                Ticketing                     April 2022


   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", RFC 6819,
              DOI 10.17487/RFC6819, January 2013,
              <https://www.rfc-editor.org/info/rfc6819>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7636]  Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
              for Code Exchange by OAuth Public Clients", RFC 7636,
              DOI 10.17487/RFC7636, September 2015,
              <https://www.rfc-editor.org/info/rfc7636>.

   [RFC7662]  Richer, J., Ed., "OAuth 2.0 Token Introspection",
              RFC 7662, DOI 10.17487/RFC7662, October 2015,
              <https://www.rfc-editor.org/info/rfc7662>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018,
              <https://www.rfc-editor.org/info/rfc8414>.

   [RFC8693]  Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J.,
              and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693,
              DOI 10.17487/RFC8693, January 2020,
              <https://www.rfc-editor.org/info/rfc8693>.

   [RFC9068]  Bertocci, V., "JSON Web Token (JWT) Profile for OAuth 2.0
              Access Tokens", RFC 9068, DOI 10.17487/RFC9068, October
              2021, <https://www.rfc-editor.org/info/rfc9068>.

12.2.  Informative References

   [AutoAuth] indieweb.org, "AutoAuth", <https://indieweb.org/AutoAuth>.






Somers                        Experimental                     [Page 32]

                                Ticketing                     April 2022


   [RFC7521]  Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
              "Assertion Framework for OAuth 2.0 Client Authentication
              and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521,
              May 2015, <https://www.rfc-editor.org/info/rfc7521>.

   [TicketAuth]
              indieweb.org, "IndieAuth Ticket Auth",
              <https://indieweb.org/IndieAuth_Ticket_Auth>.

   [W3C.REC-websub-20180123]
              Genestoux, J. and A. Parecki, "WebSub", World Wide Web
              Consortium Recommendation REC-websub-20180123, 23 January
              2018, <https://www.w3.org/TR/2018/REC-websub-20180123>.

Appendix A.  Why use a Code Verifier?

   If the subject has identified themselves to the actor as specified in
   Section 5.3.2 of [IndieAuth] various exchanges will have taken place
   between the subject's authorization server and the actor's
   authorization client during which a "code_verifier" is generated
   because IndieAuth mandates the use of PKCE as specified in [RFC7636].
   The actor can use the "code_verifier" of the last successfully
   exchange with the subject's authorization server as claim that they
   are who they are on the basis that only they have this information
   and that the subject's authorization server can verify it.  For this
   to be implemented:

   *  The actor MUST require the subject to identify themslves using
      IndieAuth which means the actor has an authorization server.

   *  The actor's authorization server MUST be able to stored and
      retrieve the last successfully exchanged "code_verifier" with the
      subject.

   *  The subject's authorization server MUST be able to store and
      retrieve the last successfully exchanged "code_verifier" with the
      actor.

Appendix B.  Acknowledgements

   This document stands on the shoulders of the members of the IndieWeb
   community for their work on [TicketAuth] and [AutoAuth] which
   provided inspiration for this document.

   The following individuals directly or indirectly contributed ideas,
   feedback, and wording to this specification: @fluffy, @gwg, @zegnat.





Somers                        Experimental                     [Page 33]

                                Ticketing                     April 2022


Appendix C.  Document History

   [[ To be removed from the final specification ]]

   -00

   * first draft

Author's Address

   David Somers
   Email: dsomers@omz13.com







































Somers                        Experimental                     [Page 34]