Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Neil Madden <neil.madden@forgerock.com> Thu, 09 July 2020 17:58 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44E6B3A0D9D for <oauth@ietfa.amsl.com>; Thu, 9 Jul 2020 10:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUhGqDCsWIZe for <oauth@ietfa.amsl.com>; Thu, 9 Jul 2020 10:58:19 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66F093A0D9C for <oauth@ietf.org>; Thu, 9 Jul 2020 10:58:19 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id a6so3327893wrm.4 for <oauth@ietf.org>; Thu, 09 Jul 2020 10:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5iBdpnyM7zLxB4QmxHUjaXe67ENbl1XMabzW0h3fLu4=; b=Q/g1HDAMhivM6fzPJvtKGIu+YPFrKEU/ML6RNFtSVW0LzSAwkc2RcK4VxXkryLT4f9 yjEehKX9fBjw+b/suGA7ZInTTVJaTOQVg9jAOhrdEYKOerroB9eo2qNRgWi/eNeFi3nc w39VYEk7febBpsfUGia+8xoIsk6g0ux4JwYek=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5iBdpnyM7zLxB4QmxHUjaXe67ENbl1XMabzW0h3fLu4=; b=fzoXOwX6afUEjxLm3vk6Cqeo4oqQ15Wi27Z+NybrYZIsMK+0rTGWXYe8NZUr3RCg3m g9Fzw39ou6+ThE3D7G/O2baG1VY7KpiyhngrkGs+GRqX8XVOJrxR1bI05dX3vvw5YCrx DXutP5Qno+0KS4Tptfhvtc3B63+vXXS/4EDLvPabUGr+z17Habrhwylbn3O9YUuEX6i3 +VEMRFPsIiBpcCkfmvutlIT+HJ8lpOL1NXn3NHHpmjGySpR8EMSbgG+FCUT6f1dzwHK6 r7GE/hiAetenJLhvv6NFAZNBgJEiYzeOabwGW3cOX9VbWKrIgCbym5OrThy4MH8lYbes UJ9Q==
X-Gm-Message-State: AOAM5322nlrIPGF4Q9QqxbEv+2WY2tRgXevtLcoeKVu38rBLpzrd9uU0 bL7LjRwUam2cs7nawV83azCYBg==
X-Google-Smtp-Source: ABdhPJwcl8D00wYSUgaJ/gacNTmYS8YlcL/eM6HLDbi8tjhvLOHrP6Hi+z0z/eiAtIYIsIsgfDK5PA==
X-Received: by 2002:adf:c44d:: with SMTP id a13mr66281080wrg.205.1594317497313; Thu, 09 Jul 2020 10:58:17 -0700 (PDT)
Received: from [10.0.0.2] (128.211.93.209.dyn.plus.net. [209.93.211.128]) by smtp.gmail.com with ESMTPSA id m62sm5693911wmm.42.2020.07.09.10.58.16 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Jul 2020 10:58:16 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net>
Date: Thu, 9 Jul 2020 18:58:16 +0100
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com> <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FEJbEAgXcVwehBw490bpNb4ttn0>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 17:58:22 -0000

> On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
>> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com> wrote:
>> 
>> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> What in particular should the use consent with in this step?
>>>>>>>>>> 
>>>>>>>>>> “FooPay would like to:
>>>>>>>>>> - initiate payments from your account (you will be asked to approve each one)”
>>>>>>>>>> 
>>>>>>>>>> The point is that a client that I don’t have any kind of relationship with can’t just send me a request to transfer $500 to some account. 
>>>>>>>>> 
>>>>>>>>> Are we talking about legal consent or a security measures here?
>>>>>>>> 
>>>>>>>> Normal OAuth consent. My phone is my resource, and I am its resource owner. If a client wants to send payment requests to my phone (e.g. via CIBA backchannel) then it should have to get my permission first. Even without backchannel requests, I’d much rather that only the three clients I’ve explicitly consented to can ask me to initiate payments rather than the hundreds/thousands clients my bank happens to have a relationship with.
>>>>>>> 
>>>>>>> To me it sounds like you would like to require a client to get user authorization to send an authorization request. Would you require the same if I would use scope values to encode a payment initiation request?
>>>>>> 
>>>>>> Yes. If something is sufficiently high value to require per-transaction authorization then initiating transactions itself becomes a privileged operation. 
>>>>> 
>>>>> The per transaction authorization alone is a significant increase in security. What is the added value of requiring an authorization to send a per-transaction authorisation request in an additional step?
>>>> 
>>>> Because Open Banking allows any client at any time to send an asynchronous back channel request to my phone to approve a payment. This is pretty risky. 
>>> 
>>> Can you please explain how you came to that conclusion and how it relates to RAR?
>> 
>> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
>> 
>> Client (PISP) initiates a payment-order consent using a client_credentials access token, then launches a CIBA backchannel authorization request. What prevents this?
> 
> The fact that the PISP cannot issue this request without a valid user identifier. The demos I’m remembering use a traditional first authorization flow to establish this identifier.

An identifier is not an access token or credential.

>> 
>> This relates to RAR, because RAR also has no protection against this. If you use RAR in combination with a backchannel authorization method then the same issue applies. This is a general issue with backchannel approaches,
> 
> Exactly! It's a problem with any kind of backchannel initiated _user interaction_. 
> 
> 
>> but it is particularly a risk here because RAR is pitching itself as a way to do payment transactions.
> 
> The problem is the backchannel request, not RAR. RAR is just a more elaborated scope.

I don’t agree. It’s particularly acute with backchannel requests, but it still exists with front channel. If I can redirect your browser to a payment confirmation screen, what percentage of users will click ok? I would guess more than 0. It’s a problem precisely because a one-off interaction is enough to authorize a transaction.

It might be that in OB they accept this risk and mitigate it in other ways, e.g. making it easy to reverse transactions, or through sufficient vetting of clients and big legal consequences. As a UK banking user, that wouldn’t make me very happy but OK. The point is that RAR can’t make payment transactions the primary use-case, emphasised throughout the draft, and then fail to even discuss this issue or make any kind of suggestion as how to handle it. 

— Neil