Re: [art] [OAUTH-WG] Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12
Vittorio Bertocci <vittorio@auth0.com> Thu, 02 March 2023 22:20 UTC
Return-Path: <vittorio.bertocci@okta.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13B3C151AE9 for <art@ietfa.amsl.com>; Thu, 2 Mar 2023 14:20:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.544
X-Spam-Level:
X-Spam-Status: No, score=-2.544 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=okta.com header.b="SqXkS6d6"; dkim=pass (2048-bit key) header.d=auth0.com header.b="Nsfscm/r"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p_-0NE2Dd3NR for <art@ietfa.amsl.com>; Thu, 2 Mar 2023 14:20:17 -0800 (PST)
Received: from mx0a-00553301.pphosted.com (mx0a-00553301.pphosted.com [205.220.164.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92D3AC14CE45 for <art@ietf.org>; Thu, 2 Mar 2023 14:20:17 -0800 (PST)
Received: from pps.filterd (m0209338.ppops.net [127.0.0.1]) by mx0b-00553301.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 322LUqmF000481 for <art@ietf.org>; Thu, 2 Mar 2023 13:52:02 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=proofpoint-2020; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=SqXkS6d6pPkGb4uvK5ihlBrsYlCTVTBPRXA1ZA6+BoYbhKbGnsBubbrEtNGtE9w70RuF xVHsdW3X0XEgzaczPjT4b2EP+WR02i+qz30FqDjtDNeAhA82I+sczFE2Jj86gb82lMt2 48BpoS4nVs+5yawJ+yTnUdpnHlADV99ks7yanQ6K52GTt0yNiZsTRjNFv0EjgvV7cbDL 2EeD8kowye4JnUabQ6EgsDZO8+ye/CcuOM4Wi7l/WPTzxM67oS9omMuYDlOhIhEm0EWz NxlUXBm/yhDBec9DXuQxaM9x4KDc932K8u6OyOtGY4dzztpIGB8o4CzeUpYEszbq/CvI GA==
Received: from mail-io1-f69.google.com (mail-io1-f69.google.com [209.85.166.69]) by mx0b-00553301.pphosted.com (PPS) with ESMTPS id 3nyfrjkn80-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <art@ietf.org>; Thu, 02 Mar 2023 13:52:02 -0800
Received: by mail-io1-f69.google.com with SMTP id c13-20020a0566022d0d00b0074cc4ed52d9so266895iow.18 for <art@ietf.org>; Thu, 02 Mar 2023 13:52:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=newauth0; t=1677793921; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=Nsfscm/rrvcos+xd9tEiYhcSdMLVrm7YTinffIMwt0r1sF6fFgZ8Kvh5mwjzUOPRqa Ei/4ivDJy59/sr5rFeNKrrrOwNJ8zEHQy755Aix9hlTeAKZCv4xuRR4hV2ZtWE4RPphp WeGAvbzs8tdrPbBT8aP8F65NsKBQ6vMFMEj54fvhp2XF5AF6PwiNPJkwcQL+QwQQEhk5 Rsym94DfA9rt1sCnWPlCb+/K4NIDCBDepZkMNTK8XLs3PPre+tqGyRe6f454WhvVWmJz hhr+YkMw15YxmCLx0HUUjuu9jljbmgSFjXJZjmxmcilN9v02Awc8VfriNokACO57ff3X 7QWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677793921; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=26FaULQP2ag+2Dh1W1Z1YuA4yGD+QtK5d56PsUv8papmJhHVlPtCkY3vMKi2R7QxXJ EMOalVJAMquJbEC0ZJZs2bOWrT2CmftCWFN4xUwLy5A+Zs6MyV5Fasj8V+RBxN4a1mSp cTR6pyYvZWXuzGW9zZ5fTvpOvy3oSUxiEZxFwBKFRoHXQnxvj+RqcUuiXMVsTdQApZuI 8mhaOyjmXeOu53fFrMGJzu5pgl8k9a0pAQQ0xUNxakRFnlEGouia6ySJR7wMLL4O35jf f60oikUb7MLk7wwwz1AEn2Dch/y7PFk7Aj+qW9AtaOqH1w1hrdV3hFyJSUXl5kFKcHn6 MDzA==
X-Gm-Message-State: AO0yUKU2I9RqYcJIeQPHDypIu8H/9FIbXFGtJsZoRt9z+D4dnJzuGL/Q M7nC/Y3M4empcv1xQ8IMTfDuko3+TtHIwLl727+Rnu7ln0DiwwXkivrD70J+FWU3Ak/bAqnfR3J j/CmkA+XfMsej5BOea/+8iF2KZ0LQ
X-Received: by 2002:a05:6e02:1094:b0:310:fc49:1d9 with SMTP id r20-20020a056e02109400b00310fc4901d9mr5130363ilj.6.1677793921077; Thu, 02 Mar 2023 13:52:01 -0800 (PST)
X-Google-Smtp-Source: AK7set/k12TJTs9Fo6BNBHB+m/v8ZBdMC8fS+LRE2snbJkiwQPGLY22XlPGMzeNAAqMXCnacx2YzOImzytHbbavHoCo=
X-Received: by 2002:a05:6e02:1094:b0:310:fc49:1d9 with SMTP id r20-20020a056e02109400b00310fc4901d9mr5130356ilj.6.1677793920617; Thu, 02 Mar 2023 13:52:00 -0800 (PST)
MIME-Version: 1.0
References: <167778249416.23678.7058306125542432959@ietfa.amsl.com>
In-Reply-To: <167778249416.23678.7058306125542432959@ietfa.amsl.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Thu, 02 Mar 2023 13:51:50 -0800
Message-ID: <CAEFJvaqpu0JUwr-cLQaS_yqJedU1seDLXbN+_wiqv0kDmf+jPw@mail.gmail.com>
To: Robert Sparks <rjsparks@nostrum.com>
Cc: art@ietf.org, draft-ietf-oauth-step-up-authn-challenge.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a52cdc05f5f1d6f5"
X-Gmail-Okta-Auth: Authenticated
X-Gm-Spam: 0
X-Gm-Phishy: 0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-02_15,2023-03-02_02,2023-02-09_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/tZTjEK_fB1uO8iV0AJgKQvzCbtw>
Subject: Re: [art] [OAUTH-WG] Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 22:20:21 -0000
Hi Robert, thanks for your comments! Some of the ideas you mention here were also touched upon during the AD review w Roman, the exchange we had might provide some context https://mailarchive.ietf.org/arch/msg/oauth/PBDCtVB7vtou5Dlz6nPJxX_5Yyo/ but more succinctly: - "step down". One of the key reasons this spec exists is that the RS, and only the RS, is the arbiter of what's good enough for a request at a given moment. The exact same API call and exact same token that worked few seconds earlier (and still meets the requirements of a preceding challenge, including max_age) could be rejected later, and trigger a completely different set of requirements, for example as the result of black box logic executed by an anomaly detection engine on the API side. Neither the client nor the AS can know in advance whether a particular token will work again, all they can do is caching tokens according to the call circumstances they know (URL, call parameters etc) and hope it will work again, while remaining ready to receive and process a new challenge if it doesn't. - Caching. Please see the discussion with Roman in the referenced thread, it should address the question. - Nit: we'll remove the ref from the doc history on the next update :) thanks V. On Thu, Mar 2, 2023 at 10:42 AM Robert Sparks via Datatracker < noreply@ietf.org> wrote: > > This message originated outside your organization. > > > Reviewer: Robert Sparks > Review result: Ready with Issues > > Summary: essentially ready but with issues to consider before being > published > as a proposed standard RFC. > > Issues: > > I expected to find some discussion of considerations of avoiding "step > down" > given the intuitive appeal to "step up". Can the client or Authorization > server > notice if the resource server has through whatever fault asserted that it > will > only accept the use of an authentication context class that is blatantly > inferior to what has already been provided? And if they notice, what is > expected to happen? Or is it expected that this is allowed, particularly > when a > short max_age is also supplied? > > The document also suggests that the client hold on to, and possibly re-use > in > the future, access tokens that have been challenged as having insufficient > user > authorization. Is this behavior something that follows a well-known and > well-implemented pattern documented elsewhere? If so, a pointer would be > useful. If not, this seems like something that deserves more discussion if > not > more definition. > > Nits: > The reference to abr-twitter-reply will go away with the changelog when > the RFC > Editor removes it. It would be kind to acknowledge that in the note to the > RFC > Editor so that they know it's expected and don't have to ask. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [art] Artart last call review of draft-ietf-oauth… Robert Sparks via Datatracker
- Re: [art] [OAUTH-WG] Artart last call review of d… Vittorio Bertocci
- Re: [art] [OAUTH-WG] Artart last call review of d… Robert Sparks