Re: [OAUTH-WG] WGLC for Step-up Authentication
Denis <denis.ietf@free.fr> Tue, 11 October 2022 16:09 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93E6C14F74C for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2022 09:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.024
X-Spam-Level:
X-Spam-Status: No, score=-1.024 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgZmS2W6iXLn for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2022 09:09:22 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp-30.smtpout.orange.fr [80.12.242.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC64EC159A24 for <oauth@ietf.org>; Tue, 11 Oct 2022 09:06:48 -0700 (PDT)
Received: from [192.168.1.11] ([90.91.225.208]) by smtp.orange.fr with ESMTPA id iHmFo7MDXJvOZiHmGoPhPa; Tue, 11 Oct 2022 18:06:46 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 11 Oct 2022 18:06:46 +0200
X-ME-IP: 90.91.225.208
Content-Type: multipart/alternative; boundary="------------k3FsTfpS11BfqN8pWYUyGTOL"
Message-ID: <e53f3c82-ab89-c5ec-ac2e-ab9fade7a5f6@free.fr>
Date: Tue, 11 Oct 2022 18:06:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-GB
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Pieter Kasselman <pieter.kasselman@microsoft.com>, oauth <oauth@ietf.org>, Vittorio Bertocci <vittorio@auth0.com>
References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com> <CAEMK1uaBedVBcoBuf9NY53sa2MRKh2j5gXrnW65PCiGj6Rzu7g@mail.gmail.com> <CAEFJvaoHyDoj3mbKhSqZmwCjE-iNNk0ZF1V6X_b35SDbp9iXjQ@mail.gmail.com> <CA+k3eCSfy6_kDf1BYciiqdZVE93-VBt3WYYiD9fJNFN33_K3xw@mail.gmail.com> <790fb615-c9ef-27eb-6050-c0f179eac452@free.fr> <CA+k3eCTb7A0pbqa=iRa3vaPDUMQ=sEvyFitvKmfduSXc0fXPWg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CA+k3eCTb7A0pbqa=iRa3vaPDUMQ=sEvyFitvKmfduSXc0fXPWg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9A_DLjXTBDFTHNTOxpugXeZchDE>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 16:09:26 -0000
Hi Brian, I agree with you that "must not" is more appropriate in that context. I also agree with you that the "privacy implications of opaque tokens are inherent to OAuth in general". However, I have not reviewed all the RFCs and I wonder whether such a privacy consideration has already been mentioned. It would be nice to start to mention it, rather than to continue to omit it. Do you see a better place to mention it ? Denis > Thanks Denis, I agree the word "cannot" isn't quite right there. I > struggled with trying to find the right wording (more than I probably > should have) attempting to add a note/reminder without getting into > normative sounding language. But I also wanted to make a firm > statement. Words are hard sometimes. Oftentimes! But reading it again > today, "cannot" doesn't work very well. I think changing to "must not" > is appropriate. The privacy implications of opaque tokens are inherent > to OAuth in general and I don't believe this draft is an appropriate > place to attempt to give them treatment. > > On Tue, Oct 11, 2022 at 2:57 AM Denis <denis.ietf@free.fr> wrote: > > Hi Brian, > > The text states: > > Also recall that OAuth 2.0 [RFC6749] assumes access tokens are > treated as > opaque by clients. So, during the course of any token caching > strategy, a client *cannot* inspect the content of the access > token to > determine the associated authentication information or other > details. > The token format might be unreadable to the client or might > change at > any time to become unreadable. > > A client *can *inspect the content of the access token. > > A better wording would be: > > ... a client *should not *inspect the content of the access > token ... > > It would be worthwhile to add a Privacy Considerations section: > > 10. Privacy Considerations > > Since access tokens are presumed to be opaque to clients, > clients (and hence users) are not supposed to inspect the > content of the access tokens. > Authorizations Servers are able to disclose more information > than strictly necessary about the authenticated user without > the end user being > able to know it. Such additional information may endanger the > privacy of the user. > > Denis > > >> I've published an -04. It has that very minor change. There was >> also an off-list discussion during WGLC that resulted in thinking >> it'd be worthwhile >> *_to add a reminder that access tokens are opaque to clients_*. >> So I took that as LC feedback and -04 adds a brief note towards >> that end. >> >> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/ >> >> >> >> On Mon, Oct 10, 2022 at 1:22 PM Vittorio Bertocci >> <vittorio=40auth0.com@dmarc.ietf.org> wrote: >> >> Thanks Dima for the comment. Some thoughts: >> >> > (editorial)... >> Good point. "statically" would characterize the simplest of >> the scenarios, but in fact any case where the AS is the only >> arbiter of the authn level works for the point we are trying >> to make. We'll drop "statically". Thanks! >> >> > Apart from... >> This spec focuses on empowering an RS to communicate its ACR >> and freshness requirements, regardless of the reasons leading >> the RS to make that determination: the logic by which that >> happens is explicitly out of scope, and in many real life >> cases it might simply be unknowable (eg anomaly detection >> engines based on ML are often back boxes). The mechanism >> described here can be used alongside other mechanisms that >> might require the client to get the user to interact with the >> AS, as it is the case for insufficient_scope, but those >> remain distinct cases (eg insufficient _scope might not >> require any step up but simply explicit user consent, and if >> it does require a stepup, that's entirely determined by the >> AS without any communication with client or RS required). >> >> On Fri, Oct 7, 2022 at 17:43 Dima Postnikov >> <dima@postnikov.net> wrote: >> >> *This message originated outside your organization.* >> >> >> ------------------------------------------------------------------------ >> >> Couple of quick comments from me: >> >> 1) (Editorial) >In simple API authorization scenarios, an >> authorization server will statically determine what >> authentication technique >> >> In many scenarios, authorization servers will use >> *dynamic* decisioning to determine authentication >> techniques; it's just not exposed to the client in a way >> to make it actionable (which is why this specification's >> intent makes perfect sense). >> >> 2) Apart from authentication level, there might be other >> reasons why users might be forced to go through the >> authorization flow, for example, >> insufficient authorization / scopes / claims / etc. >> >> If there is a mechanism to let the client know, as a >> practitioner, i'd rather have the same approach for both >> authentication and authorization. There are a range of >> authorization policy engines in the market that could >> return "STEP UP is required" after looking at >> authentication, authorisation and many other real-time >> signals. It's just not standardized... >> >> >> On Sat, Oct 8, 2022 at 7:30 AM Pieter Kasselman >> <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote: >> >> I am very supportive of this work and have been >> working through different use cases to see whether it >> can satisfy the requirements that arise from them. >> >> One observation from working through these uses cases >> is that as customers move to Zero Trust >> architectures, we are seeing customers adopting finer >> grained policy segmentation. Consequently customers >> are planning to deploy segmented access control by >> data or action sensitivity, within a service. This >> approach to policy design makes it more common for a >> single service to depend on multiple authentication >> context values or combinations of authentication >> context values. >> >> An example of this is a policy that has multiple acr >> values (e.g. acr1=password, acr2=FIDO, acr3=selfie >> check, acr4=trusted network). A customer may define a >> policy that requires different combinations of these >> acr values, for example, a file server may requires >> password for general access (e.g. acr1), FIDO >> authentication (acr2) or password access and being on >> a trusted network to read sensitive data (acr 2 of >> (acr1 + acr 4), FIDO authentication and password >> (acr1 + acr2) for accessing editing sensitive >> documents and a real-time selfie check on top of FIDO >> and presence on a trusted network (acr1 + acr2 + >> acr3 + acr4) to initiate a sensitive workflow (e.g. >> check-in code). Other variations of this includes >> database access with different types of access >> requirement for certain rows (row-level permissions) >> or columns (column level permissions) with different >> combinations of acr values. >> >> I was curious if this type of scenario where multiple >> authentication contexts and combinations of contexts >> are required is something others see (or are >> beginning to see) as well? >> >> Cheers >> >> Pieter >> >> *From:*OAuth <oauth-bounces@ietf.org> *On Behalf Of >> *Rifaat Shekh-Yusef >> *Sent:* Thursday, September 22, 2022 3:02 PM >> *To:* oauth <oauth@ietf.org> >> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication >> >> *Correction:* >> >> Please, review the document and provide your feedback >> on the mailing list by *Oct 7th, 2022*. >> >> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef >> <rifaat.s.ietf@gmail.com> wrote: >> >> All, >> >> This is to start a *WG Last Call *for the >> *Step-up Authentication *document: >> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html >> <https://urldefense.com/v3/__https://nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Farchive*2Fid*2Fdraft-ietf-oauth-step-up-authn-challenge-03.html&data=05*7C01*7Cpieter.kasselman*40microsoft.com*7C0078f809101147bc978308da9ca32020*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637994521713812011*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000*7C*7C*7C&sdata=18sfemyWqYb06PvUA9eTLaq0ccDY14*2F6ETo58JpE*2FJQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAomtRXj8$> >> >> >> Please, review the document and provide your >> feedback on the mailing list by *Sep 30th, 2022*. >> >> Regards, >> Rifaat & Hannes >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAbcE1GME$> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> /CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended >> recipient(s). Any review, use, distribution or disclosure by >> others is strictly prohibited. If you have received this >> communication in error, please notify the sender immediately by >> e-mail and delete the message and any file attachments from your >> computer. Thank you./ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./
- [OAUTH-WG] WGLC for Step-up Authentication Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for Step-up Authentication Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for Step-up Authentication Pieter Kasselman
- Re: [OAUTH-WG] WGLC for Step-up Authentication Dima Postnikov
- Re: [OAUTH-WG] WGLC for Step-up Authentication Pieter Kasselman
- Re: [OAUTH-WG] WGLC for Step-up Authentication Vittorio Bertocci
- Re: [OAUTH-WG] WGLC for Step-up Authentication Vittorio Bertocci
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Denis
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Denis
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Yusuf Khan
- Re: [OAUTH-WG] WGLC for Step-up Authentication Vittorio Bertocci
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Vittorio Bertocci
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Brian Campbell
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Vittorio Bertocci
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh
- Re: [OAUTH-WG] WGLC for Step-up Authentication Warren Parad
- Re: [OAUTH-WG] WGLC for Step-up Authentication Jaimandeep Singh