IETF Logo Mail Archive

Re: [OAUTH-WG] ' force_auth' request parameter

"William Mills" <wmills@yahoo-inc.com> Tue, 13 July 2010 17:05 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A4333A6824 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 10:05:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.55
X-Spam-Level:
X-Spam-Status: No, score=-17.55 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, HS_INDEX_PARAM=0.001, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6H8F0KKghtR for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 10:05:15 -0700 (PDT)
Received: from mrout2.yahoo.com (mrout2.yahoo.com [216.145.54.172]) by core3.amsl.com (Postfix) with ESMTP id AE38A3A69E5 for <oauth@ietf.org>; Tue, 13 Jul 2010 10:05:15 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout2.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o6DH2Vjj009602; Tue, 13 Jul 2010 10:02:31 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:x-mimeole:content-class:mime-version: content-type:subject:date:message-id:in-reply-to:x-ms-has-attach: x-ms-tnef-correlator:thread-topic:thread-index:references:from:to:cc:return-path:x-originalarrivaltime; b=IbHbZxJt2ipQfcy15m5xDW2P6t++7DgMGpapTzInvVWds83PaUqUspCTLrMP3VbB
Received: from SNV-EXVS08.ds.corp.yahoo.com ([207.126.227.8]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 13 Jul 2010 10:02:31 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CB22AD.2822C0BC"
Date: Tue, 13 Jul 2010 10:02:20 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B6C16@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <AANLkTik396myJqCTJ-srvF_aw7uOjkUAKR0muM0x2TnH@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] ' force_auth' request parameter
Thread-Index: AcsirI6pMXUa8X0DQaGXduCKRIxSywAAIoYg
References: <C85F5E71.36FE7%eran@hueniverse.com><4C3C92D2.80209@zetafleet.com><012AB2B223CB3F4BB846962876F47217059B6C12@SNV-EXVS08.ds.corp.yahoo.com> <AANLkTik396myJqCTJ-srvF_aw7uOjkUAKR0muM0x2TnH@mail.gmail.com>
From: William Mills <wmills@yahoo-inc.com>
To: David Recordon <recordond@gmail.com>
X-OriginalArrivalTime: 13 Jul 2010 17:02:31.0920 (UTC) FILETIME=[2EBFCF00:01CB22AD]
Cc: Colin Snover <ietf.org@zetafleet.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] ' force_auth' request parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 17:05:17 -0000

I think it's a mistake not to have force_auth in the core.


________________________________

	From: David Recordon [mailto:recordond@gmail.com] 
	Sent: Tuesday, July 13, 2010 9:58 AM
	To: William Mills
	Cc: Colin Snover; Eran Hammer-Lahav; OAuth WG
	Subject: Re: [OAUTH-WG] ' force_auth' request parameter
	
	
	I support immediate and a form of forced auth (ala OpenID's PAPE) but not in the core spec. They both should be part of an identity extension. 


	On Tue, Jul 13, 2010 at 9:51 AM, William Mills <wmills@yahoo-inc.com> wrote:
	

		I agree with Colin that some form of force_auth is needed.  I haven't read enough on the "immediate" proposal, but I know that we have run into the problem of trusting currently set cookies in the browser (even when we're actually sending a username/password and really do want to have an authentication).
		 
		I'm a +1 on the force_auth proposal.


________________________________

			From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Colin Snover
			Sent: Tuesday, July 13, 2010 9:23 AM
			To: Eran Hammer-Lahav
			Cc: OAuth WG
			Subject: Re: [OAUTH-WG] ' force_auth' request parameter
			
			
			On 22/07/28164 13:59, Eran Hammer-Lahav wrote: 

				The following was submitted via the shared-copy page but does not belong with editorial feedback. This needs to be discussed and supported on the list before added the specification. I think it belongs where 'immediate' is specified.
				
				EHL
				
				------ Forwarded Message
				

					From: An anonymous reader <mailman@sharedcopy.com>
					Date: Sat, 10 Jul 2010 11:01:11 -0700
					To: Eran Hammer-Lahav <eran@hueniverse.com>
					Subject: Re: draft-ietf-oauth-v2-09 - The OAuth 2.0 Protocol
					
					

				
				

					 "Colin Snover" left these comments on your copy: 
					 
					draft-ietf-oauth-v2-09 - The OAuth 2.0 Protocol <http://r6.sharedcopy.com/6bnqq8v> 
					        
					
					     As proposed on the ML, a new parameter to counteract the current behaviour of OAuth 1.0a authorization servers which is to assume that the account logged into the user-agent is the account that should be checked for access:
					
					force_auth
					         OPTIONAL. The parameter value must be set to "true" or "false".
					
					         If set to "true", the authorization server MUST prompt the end-user to authenticate and approve access. The authorization server MUST NOT make any assumptions as to the identity of the entity requesting access, even if another automatic mechanism is available to do so (e.g. browser cookies).
					
					         If set to "false" or not present, the authorization server MAY automatically grant access to the client if it is able to determine that access was previously granted.         link » <http://r6.sharedcopy.com/6bnqq8v#shcp21> 
					 
					
					tools.ietf.org/html/draft-ietf-oauth-v2-09 <http://r6.sharedcopy.com/6bnqq8v>  · Original page <http://tools.ietf.org/html/draft-ietf-oauth-v2-09> 
					  
					 
					
________________________________

					via sharedcopy.com <http://sharedcopy.com/?ef>  
					

				
				------ End of Forwarded Message
				


			Hi Eran,
			
			Sorry if that was not the right place for that to go; I didn't know what else to do. I have tried to solicit feedback from the ML regarding this parameter twice and nobody seems very keen in providing any, which is kind of a bummer. I waited until the last possible moment to add it in the hopes that someone would notice my messages and discuss it, but you made it sound like your plan was for draft 10 to be potentially final so I wanted to get it in before the deadline.
			
			I'm sure this is not a big deal for most applications that expect at most a single connection, but for me this is a huge deal since it completely immolates our application's authentication flow, and I can't go to every provider asking them to please change the way they implement the authentication portion of their OAuth API.
			
			In contrast to 'immediate', which had some concerns vis à vis security, force_auth is actually safer than the current normal flow used by most OAuth providers since it requires the provider to make no guesses about who is trying to authorize the app.
			
			Frankly, I think that OAuth providers do the wrong thing now in all cases by assuming that browser cookies are a safe way of confirming the identity of the end-user making an authorization request (they aren't!), but the spec says the way the authorization server authenticates the end-user is outside the scope of the spec. I have no objection to this-OAuth *should* be authentication-agnostic-but at the same time this is a very real and present implementation flaw and the only way to solve it is to make sure the spec defines a way for an application to say "hey, I know you *think* you know who should be authenticated, but *I* know that the user has requested to connect a *new* account, so don't use any automatic authentication method".
			
			I think it is incredibly important that the OAuth spec gets providers to distinguish between automatic & potentially unsafe authentication methods (like session cookies) versus more "guaranteed" authentication (like password), especially since 99.999% of the time OAuth relies on the end-user's Web browser which is all but guaranteed to contain some cookies for the provider that are unrelated to the requesting application.
			
			Examples:
			
			1. Multiple end-users with malicious intent. User 1 is logged into their Facetweetr account. User 2 wants to do bad things using User 1's account. Because the user-agent has cookies for user 1, user 2 gets to authorize their account with our app. Even when user 1 changes their password, unless the provider automatically invalidates their existing connections (the spec does not even mention doing this in an informative manner as far as I can tell), they are almost certainly unaware that the linked application is still able to perform actions on their behalf.
			
			2. Single end-user with multiple accounts. User is logged into Facetweetr account 1, but they want to authorize account 2. They go to authorize the application and are presented with a confirmation for account 1. They log out (because this is the only way to switch accounts on the provider) and suddenly the authorization flow is dropped on the floor. The user may not know immediately what they need to do at this point. They will need to manually return to the original application and restart the authorization request.
			
			3. User has two accounts that they want to authorize with a provider. User authorizes account 1 successfully, then wants to authorize account 2. Because account 1 is still logged in, and because the application already has a link to the account, it automatically redirects back to the application's redirection URI. In order for the user to get what they want, they are forced to manually navigate to the provider's site, log out, *then* begin the authorization request.
			
			These aren't imaginary scenarios; they are things that are going on *right now* with several different OAuth providers.
			
			The original request: <http://www.mail-archive.com/oauth@ietf.org/msg02331.html> <http://www.mail-archive.com/oauth@ietf.org/msg02331.html> 
			
			Regards,
			
			-- 
			Colin Snover
			http://zetafleet.com


		_______________________________________________
		OAuth mailing list
		OAuth@ietf.org
		https://www.ietf.org/mailman/listinfo/oauth

v2.46.0 | Report a Bug | By Email | System Status