IETF Logo Mail Archive

[OAUTH-WG] Re: Call for adoption - First Party Apps

Vladimir Dzhuvinov / Connect2id <vladimir@connect2id.com> Tue, 17 September 2024 08:54 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA775C14F6E4 for <oauth@ietfa.amsl.com>; Tue, 17 Sep 2024 01:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connect2id.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pqJX3oJ5oYXS for <oauth@ietfa.amsl.com>; Tue, 17 Sep 2024 01:54:25 -0700 (PDT)
Received: from mout-b-112.mailbox.org (mout-b-112.mailbox.org [195.10.208.42]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87791C14F6EE for <oauth@ietf.org>; Tue, 17 Sep 2024 01:54:23 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-112.mailbox.org (Postfix) with ESMTPS id 4X7Fvb2V9FzDt3b; Tue, 17 Sep 2024 10:54:19 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connect2id.com; s=MBO0001; t=1726563259; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=5xAfA3oPGcA9yt8EbxQ+/7h/dH/C12cWyIXS1nxkCwY=; b=fB8CPkFrozGKlmxKjHrTlPWLqllRs666FTO0AE9aSvqe4TlfG+Xmi2TCD0MSeLmDuY6pul X042ODjvHYhw4shAej32IokdBWWBbSMu374L9ZsP3qML3coxa76whiYfThWuVeHGKsCMh4 aVSHqI5YCEDOC2Nr3GE4apSPCdSexYpsV95Lo2zmZgyG3Yv/1Q0ZjgoLAg5mmE5E4OMgHh yLEjEgp/boj2FnrxDwR0H/qBlAjcvA2jekCowPYHJ1xzPM826lE6AfVpUwdFzsZgCfLeZS UMQ2tyUIqVGsVjro+zNmjcSvstOkiLc4GrMJms2OsO3wFo0ycbN0M6Uv+Q4JtQ==
Message-ID: <9c472a91-7ce5-4222-8719-37943897a79e@connect2id.com>
Date: Tue, 17 Sep 2024 11:54:17 +0300
MIME-Version: 1.0
To: Pieter Kasselman <pieter.kasselman@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CADNypP9ZHktRzztqCxGfHPOq5A5xo2GohFZms41ZjoTKjkcjkg@mail.gmail.com> <dad5f990-7ca2-4c47-b9a2-feb59e390cca@connect2id.com> <DBAPR83MB04372E79F285B3BAF48DBCF691602@DBAPR83MB0437.EURPRD83.prod.outlook.com>
From: Vladimir Dzhuvinov / Connect2id <vladimir@connect2id.com>
Content-Language: en-US
Organization: Connect2id Ltd.
In-Reply-To: <DBAPR83MB04372E79F285B3BAF48DBCF691602@DBAPR83MB0437.EURPRD83.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060808010601060503080907"
X-Rspamd-Queue-Id: 4X7Fvb2V9FzDt3b
Message-ID-Hash: 7MCFBP73HPKX3ZQER7SJQSI6ERWWTOQX
X-Message-ID-Hash: 7MCFBP73HPKX3ZQER7SJQSI6ERWWTOQX
X-MailFrom: vladimir@connect2id.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5vcShhY-P0s001Q9HRjyKavR3gY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Pieter,

Thanks for your responses. I'm writing to state my support for the 
adoption of this draft.

I'm starting to see it as a meaningful evolution of the deprecated 
password grant. I read the arguments to stay focused on the 
browser-based code flow. Browser APIs have evolved over the course of 
OAuth 2.0, but the reality is that devs and architects do not see them 
as ideal in all situations and the password grant is still being used 
and considered. This improved sped for 1st party apps should make it 
easier to have solutions that are standard and interoperable.

About the auth techniques, I would like to ask you and the other authors 
working on the spec to consider defining parameters for the ones that 
are most likely to see use in practice, in the coming years. I'm asking 
you this because my past experience with profiles is that when they do 
appear, it may be too late. The JWT profile for access tokens - RFC 9068 
- comes to mind. It was published 9 years after the bearer token RFC.

Cheers,

Vladimir


On 16/09/2024 16:40, Pieter Kasselman wrote:
>
> Hi Vladimir
>
> Thanks for reading the draft and raising questions. See responses inline.
>
> Cheers
>
> Pieter
>
> *From:*Vladimir Dzhuvinov / Connect2id <vladimir@connect2id.com>
> *Sent:* Friday 13 September 2024 07:50
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Re: Call for adoption - First Party Apps
>
> I read the proposed spec and it's evident substantial work has gone 
> into it. Congratulations for this.
>
> How does the 1st party flow compare to the (deprecated in OAuth 2.1) 
> password grant? People with existing 1st party apps that rely on the 
> password grant or consider using it are going to look for a discussion 
> on this.
>
> <pk>
>
> The first party flow is meant to provide a framework to allow for 
> multiple authentication factors to enable MFA type scenarios where 
> there is a first party trust relationship between the application 
> gathering the credentials and the authorization server. It provides a 
> pathway from single factor authentication methods to stronger MFA and 
> ultimately phishing resistant authentication methods.
>
> </pk>
>
> In terms of security properties (leaving aside the design to support 
> factors other than user password and the support for interaction), 
> does it offer advantages? In the simple case (no interaction), do 
> developers have a reason to choose the 1st party flow when the 
> password grant only needs a single call to the token endpoint?
>
> <pk>
>
> The main advantage is the ability to step up to MFA (or even to 
> require a web redirect to collect credentials on the web if the 
> authorization server deems the risk of a “first party” flow excessive).
>
> </pk>
>
> The password grant has been subjected to (non-standard) customisations 
> to support challenges, for example to be able to ask the user for an 
> OTP after the password is verified. The 1st party flow takes such 
> scenarios into account, but appears to have taken the framework 
> approach, leaving it up to developers to complete the definition of 
> the flow for the factors an AS is required to use / combine. Is it 
> envisioned for the 1st party flow spec to get complemented with 
> profiles or is it expected developers / deployments to take care of this?
>
> <pk>
>
> We expect there will be profiles for popular authentication techniques.
>
> </pk>
>
> Vladimir Dzhuvinov
>
> On 03/09/2024 13:46, Rifaat Shekh-Yusef wrote:
>
>     All,
>
>     As per the discussion in Vancouver, this is a
>     call for adoption for the First Party Apps draft:
>     https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
>     Please, reply on the mailing list and let us know if you are in
>     favor or against adopting this draft as WG document, by *Sep 17th*.
>
>     Regards,
>      Rifaat & Hannes
>
>
>
>     _______________________________________________
>
>     OAuth mailing list --oauth@ietf.org
>
>     To unsubscribe send an email tooauth-leave@ietf.org
>

v2.35.0 | Report a Bug | By Email | System Status