Re: [OAUTH-WG] One-time token login
Warren Parad <wparad@rhosys.ch> Wed, 03 March 2021 21:29 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB9F3A1B63 for <oauth@ietfa.amsl.com>; Wed, 3 Mar 2021 13:29:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.078
X-Spam-Level:
X-Spam-Status: No, score=-2.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sUkspNA9TinB for <oauth@ietfa.amsl.com>; Wed, 3 Mar 2021 13:29:25 -0800 (PST)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B1823A1B71 for <oauth@ietf.org>; Wed, 3 Mar 2021 13:29:13 -0800 (PST)
Received: by mail-il1-x12b.google.com with SMTP id f10so22296246ilq.5 for <oauth@ietf.org>; Wed, 03 Mar 2021 13:29:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K31qfMp0SbT9m+th6s3/if8iMncdJRzk/AJq//pvJNE=; b=GjWsNaIEuv1ZfTDvZPK+YPfPScEG9Qxc33/rIQh0o7/nH50oFAs27J1FkAj6SEEJEk A6ivNfR/ttm3YDF8Wf447hYTZbEjL3nDrs1JVgq+H00VG6wDuHyipjr+Dy96ZZE9c/Bk rHZI1SVN+olrqU3D/vLKeBEN90fMkuVr2gVGEtQm5yRi6Q9j+sG9VvwvGghYzmE+UZRT RUTCrTaxyyF7HodgStRnE2e0WJY3OCJBF5sIF8Tyk+CRgUdGvpD83M6Oyt0P6iziu0Ez UChdLYCqtd9YYVhok9TGPB2QpBS02/9hUG+/8kUihrcqNgBdAiRGioXaPJkKP29xRDDP LkzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K31qfMp0SbT9m+th6s3/if8iMncdJRzk/AJq//pvJNE=; b=b5C4xs+Adr4/ndxyCOpG7jSHdT4VWpUkSPmPd96pn+E4i9LiT3roKwZajFYe0trVTI eHs7DkG2EfbkPCzBompzd6+aUnAywKrcflYmn2pv9i5NQO/vwfjE0iGoLy5ZAXy3w0IR ZsA6jmyxz119wwdoyqqxpH0t3oVbLVlCpHpy6bCV0DKLm0wxT6Xe2EmCJ0flsi3HYHEC cQwCxzXCqVAY7uDZqc9xK5He6z9K9Ui/Wtmh3AXkKqNfYlGQvpg/LfmrS3LPWxvrJnnz QdXVQAUUnnxyQQCZsN+f9/DZbkuANXv83G4yLAhbCIRDK6I38iWVRSshQjEzt7/Y5AL6 6swQ==
X-Gm-Message-State: AOAM533PLIWGc2C+zeMLlV0cSldBaWi8P5GCGbKh/hfZExebWcdiP5pW k+xXu0mR6IMFiq9Yox7XLUGxDwQwIh4C6eu08BIgY2hJTKLCASsN1g==
X-Google-Smtp-Source: ABdhPJxsuidF1cfCLKHlPwsN/HkVy0SrcisYQDpK3cca7/XB7QeH6sUMQxvu81ACCWh6D2YaWjehrpRnVkM/97JfS2U=
X-Received: by 2002:a92:c6ca:: with SMTP id v10mr1237712ilm.195.1614806951492; Wed, 03 Mar 2021 13:29:11 -0800 (PST)
MIME-Version: 1.0
References: <6105c6f6-d291-b80e-4596-9ff4f10b3b55@evertpot.com> <67896868-B842-402D-8BFC-DBDFA6AF648D@forgerock.com> <1ac815d9-3634-97bb-537c-478fce52b389@evertpot.com> <CAMtUnc42wMX3zAVL9aUo5s=WZUQsHh-fvs5zzCpRE8cifUnUWg@mail.gmail.com>
In-Reply-To: <CAMtUnc42wMX3zAVL9aUo5s=WZUQsHh-fvs5zzCpRE8cifUnUWg@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 03 Mar 2021 22:29:00 +0100
Message-ID: <CAJot-L3wbK0ghypvpAy1mG=nQeu1e1erTbsyGoh7QqeGC+R6FA@mail.gmail.com>
To: Sam Goto <goto=40google.com@dmarc.ietf.org>
Cc: Evert Pot <me@evertpot.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="000000000000b9ba9605bca88ac4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3X4--9wl3ebzMoKhzW668Ij-yMQ>
Subject: Re: [OAUTH-WG] One-time token login
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 21:29:29 -0000
I just formed a strong opinion, so I apologize if this comes across as if I know something in the area. I think the warning is key here: [image: image.png] And in reality the WebOTP verification of phone numbers is actually a work around for establishing client access via the real AS which in this case would be the phone number provider. The fact that then there is even a standard being developed on top of the hack workaround which in itself is known to be a security risk, is shocking. Rather than coming up with this, I would rather the phone os developers just write phone side AS plugins to support push notifications from providers uniquely identifying the device, rather than the phone number. That would avoid the need to have a number, provide a mechanism that works when "online" but not connected to the provider (i.e. in a different network), and allow all AS connect to the user without needing a custom 3rd party app instead specifically for the AS (or a generic one that lacks good UX) for every new app a user wants to enable MFA using their device. Magic links are certainly better if they don't register the device, and in the case device persistence isn't a requirement, then jwt bearer grant certainly works a good solution, doesn't it. Even with phone numbers you can still send the link and click on it, thus sidestepping the justification in the document about, since the SMS is a full link: > Then copying and pasting it to the form is cumbersome I'm probably missing ten different important nuances here though. - Warren Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Wed, Mar 3, 2021 at 10:15 PM Sam Goto <goto=40google.com@dmarc.ietf.org> wrote: > Unclear to me if this is a perfect fit for the question, but wanted to > raise awareness of WebOTP [1] which is coming up with conventions for > verifying phone numbers (e.g. with SMS OTP formats [2]) and email addresses > (e.g. conventions over magic links). > > LMK if that's of interest/relevance and I'd be happy to expand. > > [1] https://web.dev/web-otp/ > [2] https://github.com/WICG/sms-one-time-codes > > On Tue, Mar 2, 2021 at 12:10 PM Evert Pot <me@evertpot.com> wrote: > >> Thanks Neil & Hans, >> >> Our AS doesn't do jwt quite yet. It's in-house, but open source. We don't >> have rfc7523 yet, but this does sounds like a pretty great longer-term >> solution. >> We're a bit time constrained, so perhaps this feature just needs to be >> done as a one-off before we can do RFC7523 for real, later. >> >> Thank you! >> >> On 2021-03-02 3:05 p.m., Neil Madden wrote: >> >> One option is JWT Bearer grant with “jti” and replay prevention ( >> https://tools.ietf.org/html/rfc7523#page-7 >> <https://tools.ietf.org/html/rfc7523#page-7>) if your AS supports it. >> This is nice if some other component is generating the emails as it needs >> no coordination with the AS. >> >> — Neil >> >> On 2 Mar 2021, at 19:04, Evert Pot <me@evertpot.com> <me@evertpot.com> >> wrote: >> >> >> >> Dear list, >> >> We have a requirement to let users log in to an application via a code >> sent by email. >> This code needs to be exchanged for an access/refresh token pair, and >> should only work once. >> >> The access/refresh token scope would give limited access to the >> application. Since we already use the authorization_code flow for other >> (more sensitive) parts of the application, I would like to re-use the >> OAuth2 framework for parts of this. >> >> It doesn't sit right with me to overload the 'code' in >> authorization_code, so I was considering introducing a new custom >> grant_type for our application, specific for this purpose. >> It seems that grant_type in the 'token' endpoint would support extension >> in this manner, by using a uri such as https://vendor.example/email-token >> >> I'm comfortable implementing this, but curious: >> >> 1. Is there already some prior art that I'm not aware of? I'd rather >> not do a custom grant_type if there's something standard I could do. >> 2. Are there any major pitfalls associated with this? >> >> Evert >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] One-time token login Evert Pot
- Re: [OAUTH-WG] One-time token login Justin Richer
- Re: [OAUTH-WG] One-time token login Hans Zandbelt
- Re: [OAUTH-WG] One-time token login Neil Madden
- Re: [OAUTH-WG] One-time token login Evert Pot
- Re: [OAUTH-WG] One-time token login Sam Goto
- Re: [OAUTH-WG] One-time token login Warren Parad