Re: [OAUTH-WG] Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12
Vittorio Bertocci <vittorio@auth0.com> Thu, 02 March 2023 21:52 UTC
Return-Path: <vittorio.bertocci@okta.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96F22C151AF2 for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2023 13:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.544
X-Spam-Level:
X-Spam-Status: No, score=-2.544 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=okta.com header.b="SqXkS6d6"; dkim=pass (2048-bit key) header.d=auth0.com header.b="Nsfscm/r"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDM3Z2MBWhKm for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2023 13:52:02 -0800 (PST)
Received: from mx0a-00553301.pphosted.com (mx0a-00553301.pphosted.com [205.220.164.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A435C151535 for <oauth@ietf.org>; Thu, 2 Mar 2023 13:52:02 -0800 (PST)
Received: from pps.filterd (localhost6.localdomain6 [127.0.0.1]) by mx0b-00553301.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 322LND39029612 for <oauth@ietf.org>; Thu, 2 Mar 2023 13:52:02 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=proofpoint-2020; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=SqXkS6d6pPkGb4uvK5ihlBrsYlCTVTBPRXA1ZA6+BoYbhKbGnsBubbrEtNGtE9w70RuF xVHsdW3X0XEgzaczPjT4b2EP+WR02i+qz30FqDjtDNeAhA82I+sczFE2Jj86gb82lMt2 48BpoS4nVs+5yawJ+yTnUdpnHlADV99ks7yanQ6K52GTt0yNiZsTRjNFv0EjgvV7cbDL 2EeD8kowye4JnUabQ6EgsDZO8+ye/CcuOM4Wi7l/WPTzxM67oS9omMuYDlOhIhEm0EWz NxlUXBm/yhDBec9DXuQxaM9x4KDc932K8u6OyOtGY4dzztpIGB8o4CzeUpYEszbq/CvI GA==
Received: from mail-io1-f72.google.com (mail-io1-f72.google.com [209.85.166.72]) by mx0b-00553301.pphosted.com (PPS) with ESMTPS id 3nyev0kpju-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <oauth@ietf.org>; Thu, 02 Mar 2023 13:52:02 -0800
Received: by mail-io1-f72.google.com with SMTP id z128-20020a6bc986000000b0074d32ddcce7so258007iof.21 for <oauth@ietf.org>; Thu, 02 Mar 2023 13:52:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=newauth0; t=1677793921; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=Nsfscm/rrvcos+xd9tEiYhcSdMLVrm7YTinffIMwt0r1sF6fFgZ8Kvh5mwjzUOPRqa Ei/4ivDJy59/sr5rFeNKrrrOwNJ8zEHQy755Aix9hlTeAKZCv4xuRR4hV2ZtWE4RPphp WeGAvbzs8tdrPbBT8aP8F65NsKBQ6vMFMEj54fvhp2XF5AF6PwiNPJkwcQL+QwQQEhk5 Rsym94DfA9rt1sCnWPlCb+/K4NIDCBDepZkMNTK8XLs3PPre+tqGyRe6f454WhvVWmJz hhr+YkMw15YxmCLx0HUUjuu9jljbmgSFjXJZjmxmcilN9v02Awc8VfriNokACO57ff3X 7QWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677793921; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dY/e9MQ58sBk3q2E3gAaYrWxQyJFrGaAQyhIxA7aKWI=; b=EjsFZd8N6I2K14v4yYNb+BsYKcN35q4vgMwe1dSgGGnOBmd5HiScnL5LwaDfnkeXVT iyL4cuTHHNlF3NMJH7yT9ouMDGbE7YMbXaSScHURaJB51Ij9Emph6ZmGO6WlWXoM8CZ7 G3ztvLf1tNVz9R4gZ0yx29e40Sq2AccHRCn69sNEfhWjoprNUC97otRQx9IM20ar8mW2 vkrcVRktAvcQ0jodFPxxCazC/lqVM1ohfX1aBX7UC+G1ZNFKMhO46dJPYjTfIyZJb8+w KH1limZekwyE+Manx+SQwjgrBkFqV/o8YenEcbWXh81sOgHZ2w4Ul2zYq3F8CoiiSoGP gefg==
X-Gm-Message-State: AO0yUKXaNr3j3wbhOT1597Xz3C6+xj6vmxRbRyKW1KnL/vwd9xvXbD5e BeqIP5Y6r2Npo54gy8OGWY57hGJNhrW9fp2QSPjvK5yIaMaK6ihTuOzwkPDJF/hN4epgseSe3GM ZtVJd1xZCCMNEBixHOStn
X-Received: by 2002:a05:6e02:1094:b0:310:fc49:1d9 with SMTP id r20-20020a056e02109400b00310fc4901d9mr5130361ilj.6.1677793921076; Thu, 02 Mar 2023 13:52:01 -0800 (PST)
X-Google-Smtp-Source: AK7set/k12TJTs9Fo6BNBHB+m/v8ZBdMC8fS+LRE2snbJkiwQPGLY22XlPGMzeNAAqMXCnacx2YzOImzytHbbavHoCo=
X-Received: by 2002:a05:6e02:1094:b0:310:fc49:1d9 with SMTP id r20-20020a056e02109400b00310fc4901d9mr5130356ilj.6.1677793920617; Thu, 02 Mar 2023 13:52:00 -0800 (PST)
MIME-Version: 1.0
References: <167778249416.23678.7058306125542432959@ietfa.amsl.com>
In-Reply-To: <167778249416.23678.7058306125542432959@ietfa.amsl.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Thu, 02 Mar 2023 13:51:50 -0800
Message-ID: <CAEFJvaqpu0JUwr-cLQaS_yqJedU1seDLXbN+_wiqv0kDmf+jPw@mail.gmail.com>
To: Robert Sparks <rjsparks@nostrum.com>
Cc: art@ietf.org, draft-ietf-oauth-step-up-authn-challenge.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a52cdc05f5f1d6f5"
X-Gmail-Okta-Auth: Authenticated
X-Gm-Spam: 0
X-Gm-Phishy: 0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-02_14,2023-03-02_02,2023-02-09_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IouXuvWRGs81uzbHJ2f57D3b1bA>
Subject: Re: [OAUTH-WG] Artart last call review of draft-ietf-oauth-step-up-authn-challenge-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 21:52:06 -0000
Hi Robert, thanks for your comments! Some of the ideas you mention here were also touched upon during the AD review w Roman, the exchange we had might provide some context https://mailarchive.ietf.org/arch/msg/oauth/PBDCtVB7vtou5Dlz6nPJxX_5Yyo/ but more succinctly: - "step down". One of the key reasons this spec exists is that the RS, and only the RS, is the arbiter of what's good enough for a request at a given moment. The exact same API call and exact same token that worked few seconds earlier (and still meets the requirements of a preceding challenge, including max_age) could be rejected later, and trigger a completely different set of requirements, for example as the result of black box logic executed by an anomaly detection engine on the API side. Neither the client nor the AS can know in advance whether a particular token will work again, all they can do is caching tokens according to the call circumstances they know (URL, call parameters etc) and hope it will work again, while remaining ready to receive and process a new challenge if it doesn't. - Caching. Please see the discussion with Roman in the referenced thread, it should address the question. - Nit: we'll remove the ref from the doc history on the next update :) thanks V. On Thu, Mar 2, 2023 at 10:42 AM Robert Sparks via Datatracker < noreply@ietf.org> wrote: > > This message originated outside your organization. > > > Reviewer: Robert Sparks > Review result: Ready with Issues > > Summary: essentially ready but with issues to consider before being > published > as a proposed standard RFC. > > Issues: > > I expected to find some discussion of considerations of avoiding "step > down" > given the intuitive appeal to "step up". Can the client or Authorization > server > notice if the resource server has through whatever fault asserted that it > will > only accept the use of an authentication context class that is blatantly > inferior to what has already been provided? And if they notice, what is > expected to happen? Or is it expected that this is allowed, particularly > when a > short max_age is also supplied? > > The document also suggests that the client hold on to, and possibly re-use > in > the future, access tokens that have been challenged as having insufficient > user > authorization. Is this behavior something that follows a well-known and > well-implemented pattern documented elsewhere? If so, a pointer would be > useful. If not, this seems like something that deserves more discussion if > not > more definition. > > Nits: > The reference to abr-twitter-reply will go away with the changelog when > the RFC > Editor removes it. It would be kind to acknowledge that in the note to the > RFC > Editor so that they know it's expected and don't have to ask. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Artart last call review of draft-ietf-… Robert Sparks via Datatracker
- Re: [OAUTH-WG] Artart last call review of draft-i… Vittorio Bertocci
- Re: [OAUTH-WG] Artart last call review of draft-i… Robert Sparks