Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Thomas Broyer <t.broyer@gmail.com> Tue, 26 January 2016 18:57 UTC

Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE3C31B2B9D for <oauth@ietfa.amsl.com>; Tue, 26 Jan 2016 10:57:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6QhrOhIWXkQx for <oauth@ietfa.amsl.com>; Tue, 26 Jan 2016 10:57:38 -0800 (PST)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 291C61B2B9B for <oauth@ietf.org>; Tue, 26 Jan 2016 10:57:38 -0800 (PST)
Received: by mail-lf0-x234.google.com with SMTP id s81so5184043lfd.0 for <oauth@ietf.org>; Tue, 26 Jan 2016 10:57:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=1+H5Qs5ZAIfkfL3OplkIwJFcYfCWkXqoCykmc19e/g0=; b=ersICioxBPrZWKbNRtURT/9PP/meWrp5JNUNXbTQGfAdCztz92CaddjR5px2uJHeIK Lo+WIyUvLK6gwNltuSCimaA+CzXrmLTgn9PQrNi/2jiDNIWeNzUwMuYKbpftDHj7yA85 o9nytCud8SYkeYj1K5aU9C4+bGEA+2+to+LNgtX+vlsULb+kWZCanvOfumVlLZpbi/QG AKrCrJ4bvXX9GD2DFAGXgn6Qa5A+8NuoyzdddyIriUwrpq5iB4584KXCczbQG/b1Lw3R cwjCTvaIB6K8WfCeJQJycsMZvEcSX385jJ5PD/g++AsKkIWCn2SJx2hHvVdjIrkvYC7o lpMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=1+H5Qs5ZAIfkfL3OplkIwJFcYfCWkXqoCykmc19e/g0=; b=fGpJLzcPuKkZevjplpfJu0d16rjvK3aOtuG6iGeDFmubuZotFdw8v3pZ4Ro6a7Q67r UBDLI7K4e3yMGSKggQaGw50uzee4jP5tM4H+mBXQcqiWRnNRgHkZq1LTacwjTYP3UJfl PP4a4PcJ13CV6y5BgIA4KnX5kcRNlWhBy/Z++FfHnR5CItyxAopRZEj2VTePqoQL4qTx J7eadRFapDRf9AoWze/K8y2hQ+JBGavggB+RqG4pqq7VM4O8QdtMcOG2xXJ+aNYPRvpS LHuQmVxxXvKwSwD4W6TfRRf4Lo5h6+86XdLrUJUo3VvmdSa4OM/Db4d8FkN+FpjLw6e9 JGiQ==
X-Gm-Message-State: AG10YORCGgN+6IIcVZONTOGrau3LyzYk1u/g0WOCI+SU8edwsLB47n1JZmmMnz06xqQmn9unysYwmzcYg7MGFQ==
X-Received: by 10.25.86.211 with SMTP id k202mr9431583lfb.69.1453834656387; Tue, 26 Jan 2016 10:57:36 -0800 (PST)
MIME-Version: 1.0
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com>
In-Reply-To: <56A7B52C.2040302@gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Tue, 26 Jan 2016 18:57:26 +0000
Message-ID: <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary=001a1141ef2641983f052a4142d3
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/BXPNmSP5vwGiP0jw9nZyLnNfszM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 18:57:42 -0000

Fwiw, at Ozwillo, we track grants per user per client_id (we don't support
native apps; only web flows for now), and we don't do "incremental grants"
like Google: if you request scope B and the user had only granted scope A,
you'll get a token for scope B only. This is partly because our tokens are
not for our own APIs only, contrary to Google, so we want to allow clients
to get tokens with narrow scopes so they could have one token per
third-party API and prevent rogue resources from trying to use received
tokens at other APIs.

UI-wise, we tell the user what he already granted to the client, and even
let him grant scopes that the client has pre-registered as "possibly needed
at some time" (through a custom provisioning protocol), but the issued
token is always for the exact scopes that the client requested in this
specific request.
And if all requested scopes have already been granted, then we do a
transparent redirect without showing anything to the user (which is what
most other implementations do too)

Le mar. 26 janv. 2016 19:04, Sergey Beryozkin <sberyozkin@gmail.com>; a
écrit :

> Hi
>
> I'm not sure if the next question is off topic or too low level,
> hopefully not,
>
> When the repeated authorization is skipped or only new scopes are
> requested to be authorized as per the incremented auth approach, is it
> reasonable to assume that the record that is used to track it all is
> actually the existing access token or is totally OIDC implementation
> specific ?
> I think using the existing token as a record is reasonable because it is
> time scoped and if we do not use the access token for keeping the track
> of the multiple approvals, etc, then one need to introduce one more
> record mirroring to some extent the access token...
>
> For example, the user session may have expired but the access token that
> was issued to a client web app on behalf of this user is still active,
> so when the user returns and signs in again, and for example, approves
> few more scopes, then the existing access token (the record) gets
> updated, instead of a new token being created.
>
> If it is reasonable then does it mean the sticky or incremental
> authorization works as long as the access token is available
> (refreshable) ?
>
> Sergey
>
>
>
>
> On 19/01/16 09:59, Sergey Beryozkin wrote:
> > Hi William
> >
> > Thanks for the advice. FYI we are also on the way to supporting the
> > incremental authorization of scopes - thanks for highlighting the
> > importance of this process on this list...
> >
> > Cheers, Sergey
> > On 19/01/16 03:10, William Denniss wrote:
> >> Agree with Justin, this is pretty common. We support it for re-auth as
> >> well as incremental auth (where the user has already approved scope "a"
> >> and is presented with a request for scopes "a b", they will only need to
> >> approve scope "b").  In fact if you don't do this, then incremental auth
> >> isn't really viable.
> >>
> >> Regarding security: don't do this for non-confidential clients where you
> >> can't verify the identity of the app by the redirect (e.g. a localhost
> >> redirect to an installed app).
> >>
> >> On Mon, Jan 18, 2016 at 4:44 AM, Sergey Beryozkin <sberyozkin@gmail.com
> >> <mailto:sberyozkin@gmail.com>> wrote:
> >>
> >>     Hi Justin, thanks for the advice,
> >>
> >>     Cheers, Sergey
> >>
> >>     On 18/01/16 11:47, Justin Richer wrote:
> >>
> >>         Yes, this is common practice. Give the user the option to
> >>         remember the
> >>         decision. This is known as "trust on first use", or tofu. Our
> >>         server,
> >>         MITREid Connect, implements this as do many others.
> >>
> >>
> >>
> >>         -- Justin
> >>
> >>         / Sent from my phone /
> >>
> >>
> >>         -------- Original message --------
> >>         From: Sergey Beryozkin <sberyozkin@gmail.com
> >>         <mailto:sberyozkin@gmail.com>>
> >>         Date: 1/18/2016 5:59 AM (GMT-05:00)
> >>         To: oauth@ietf.org <mailto:oauth@ietf.org>
> >>         Subject: [OAUTH-WG] Can the repeated authorization of scopes be
> >>         avoided ?
> >>
> >>         Hi All
> >>
> >>         The question relates to the process of showing the authorization
> >>         code/implicit flow consent screen to a user.
> >>
> >>
> >>         I'm discussing with my colleagues the possibility of avoiding
> >>         asking the
> >>         same user whose session has expired and who is re-authenticating
> >>         with AS
> >>         which scopes should be approved.
> >>
> >>         For example, suppose the OAuth2 client redirects a user with the
> >>         requested scope 'a'. The user signs in to AS and is shown a
> >> consent
> >>         screen asking to approve the 'a' scope. The user approves 'a'
> >>         and the
> >>         flow continues.
> >>
> >>         Some time later, when the user's session has expired, the user
> is
> >>         redirected to AS with the same 'a' scope.
> >>
> >>         Would it be a good idea, at this point, not to show the user the
> >>         consent
> >>         screen asking to approve the 'a' scope again ? For example, AS
> >> can
> >>         persist the fact that a given user has already approved 'a' for
> >>         a given
> >>         client earlier, so when the user re-authenticates, AS will use
> >>         this info
> >>         and will avoid showing the consent screen.
> >>
> >>         That seems to make sense, but I'm wondering, can there be some
> >>         security
> >>         implications associated with it, any recommendations/advices
> >>         will be welcome
> >>
> >>         Sergey
> >>
> >>         _______________________________________________
> >>         OAuth mailing list
> >>         OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>         https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>     _______________________________________________
> >>     OAuth mailing list
> >>     OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>     https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >
> >
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>