IETF Logo Mail Archive

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

Hans Zandbelt <hzandbelt@pingidentity.com> Thu, 16 October 2014 21:23 UTC

Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F2E51A88D4 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 14:23:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.601
X-Spam-Level:
X-Spam-Status: No, score=-3.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1B3h44A7fZDs for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 14:23:15 -0700 (PDT)
Received: from na3sys009aog127.obsmtp.com (na3sys009aog127.obsmtp.com [74.125.149.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 366B01A8029 for <oauth@ietf.org>; Thu, 16 Oct 2014 14:23:15 -0700 (PDT)
Received: from mail-wg0-f44.google.com ([74.125.82.44]) (using TLSv1) by na3sys009aob127.postini.com ([74.125.148.12]) with SMTP ID DSNKVEA3Qr+AvacPq+4i7OzG60CU/GHeG7lx@postini.com; Thu, 16 Oct 2014 14:23:15 PDT
Received: by mail-wg0-f44.google.com with SMTP id y10so4660408wgg.15 for <oauth@ietf.org>; Thu, 16 Oct 2014 14:23:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=qMiK3AIjKqxRXWUiewME6mLiNOG74YYGIL22JxUP00o=; b=ONG7fkXs2l/AZXaasOmqzrnNCu/shWfXJtJ1514fyGm/WllXPQIjBWQB24bpyoX+yb X1qV5X1qFPHYpFCdWMmK6LHwlSe1QRrTs+g1ydn/Ih325HIszLu+g8ZySl0Wh27V3/Eg YRzgoZB3yu+IUAH6N4GIbFZh6lUR+oC9TRA0xDSKkviKqAoBO5KmYDBi2rrAps0XgR78 dw17kLyjEnvSlR44UHzh4pzf2ARsWgyLV12BuExZcHqBFME5vuRfYhXYxyvd1p+OuPXY UYVmDINsi96PoQd4/Xdl/iIaszxjtwDDvWnQjsHxGLMfS1e8v4hK5L0afoKZdn64Yqa3 Yopg==
X-Gm-Message-State: ALoCoQmuEtx7ROAl/6Ss/9jgw4gug4yhoeADPKIcaL913Hbo8q67CR1x17TWNbxXZtdiIhNRqtXqw73SA8DDtWXhsEos3H0ff7b+Q0goiCkPMlYp5ugSnifpKpIN/CwOQGA/bsrqfsQ9
X-Received: by 10.180.8.233 with SMTP id u9mr9128768wia.19.1413494593670; Thu, 16 Oct 2014 14:23:13 -0700 (PDT)
X-Received: by 10.180.8.233 with SMTP id u9mr9128760wia.19.1413494593577; Thu, 16 Oct 2014 14:23:13 -0700 (PDT)
Received: from [192.168.99.228] (fw-obester.inth.hu. [93.189.112.82]) by mx.google.com with ESMTPSA id td9sm3335951wic.15.2014.10.16.14.23.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 16 Oct 2014 14:23:12 -0700 (PDT)
Message-ID: <5440373F.9090601@pingidentity.com>
Date: Thu, 16 Oct 2014 23:23:11 +0200
From: Hans Zandbelt <hzandbelt@pingidentity.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Richer, Justin P." <jricher@mitre.org>
References: <543FF850.6070409@gmx.net> <543FFB13.2060903@pingidentity.com> <FB96BBBA-2A5F-4342-99E0-D47C020E1A3B@mitre.org>
In-Reply-To: <FB96BBBA-2A5F-4342-99E0-D47C020E1A3B@mitre.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Ip_IU83eGTu_Jj0Z5a0Dg_owlbY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 21:23:17 -0000

a deployment-related question that I have around this topic:

it seems that authentication using OAuth 2.0 is possible today for 
confidential clients using the code flow, with a registered 
redirect_uri, not consuming/storing/using refresh_tokens, and assuming 
that there's an API that returns user identity info in JSON format and 
the claim that uniquely identifies the user is known by the client.

The usage/presence of the short-lived code in this scenario/flow 
guarantees that the user has just authenticated, and the audience issue 
is covered by the fact that the code (thus the access_token in the token 
endpoint response) are bound to the confidential client, all as per 
standard OAuth 2.0 semantics.

2 questions about that:
- is this right or am I overlooking some security/semantics issues here
- if right, would it make sense to acknowledge that or is that muddying 
the waters even more (the current text does seem to only implicitly 
acknowledge this)

There may be value in acknowledging this because the majority of OAuth 
2.0 OPs exposing a userinfo-like API would adhere to a REST GET+JSON 
response anyhow [1] thus achieving login semantics with plain OAuth 2.0 
and a bit of common practice wrt. the user info API.

Thanks for the excellent write-up!

Hans.

PS: I've been asked this concrete question about Spotify's OAuth 2.0 
support and in fact I'm able to configure Spotify as an IDP to my OIDC 
client with a minor workaround to abstain from expecting an id_token in 
the token endpoint response, but calling the Spotify specific user info 
endpoint like it was a standards-compliant OpenID Connect endpoint. (the 
client has a per-OP configurable unique user id claim name anyhow).

On 10/16/14, 7:27 PM, Richer, Justin P. wrote:
> Ah yes, good catch! If only someone would put up a webpage describing the difference between authorization and authentication and why people need to stop confusing the two.
>
> Oh wait...
>
>
> On Oct 16, 2014, at 1:06 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>
>> About the write-up: at the end of the metaphor section it says:
>> "These recipes each add a number of items, such as a common profile API, to OAuth to create an authorization protocol."
>>
>> whereas I believe that should read "to create an authentication protocol"
>>
>> Hans.
>>
>> On 10/16/14, 6:54 PM, Hannes Tschofenig wrote:
>>> Participants:
>>>
>>>   * Brian Campbell
>>>   * John Bradley
>>>   * Derek Atkins
>>>   * Phil Hunt
>>>   * William Kim
>>>   * Josh Mandel
>>>   * Hannes Tschofenig
>>>
>>>
>>> Notes:
>>>
>>> Justin distributed a draft writeup and explained the reasoning behind
>>> it. The intended purpose is to put the write-up (after enough review) on
>>> oauth.net. See attachments. Justin solicited feedback from the
>>> conference call participants and from the working group.
>>>
>>> One discussion item was specifically related to the concept of audience
>>> restrictions, which comes in two flavours: (a) restriction of the access
>>> token regarding the resource server and (b) restriction of the id token
>>> regarding the client. Obviously, it is necessary to have both of these
>>> audience restrictions in place and to actually check them.
>>>
>>> The group then went into a discussion about the use of pseudonyms in
>>> authentication and the problems deployments ran into when they used
>>> pseudonyms together with a wide range of attributes that identified
>>> users nevertheless. Phil suggested to produce a write-up about this topic.
>>>
>>> Finally, the group started a discussion about potential actions for the
>>> OAuth working groups. Two activities were mentioned, namely to produce
>>> an IETF draft of the write-up Justin has prepared as a "formal" response
>>> to the problems with authentication using OAuth and, as a second topic,
>>> potential re-chartering of the OAuth working group to work on some
>>> solutions in this area. Hannes suggested to postpone these discussions
>>> and to first finish the write-up Justin had distributed.
>>>
>>> Ciao
>>> Hannes & Derek
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> --
>> Hans Zandbelt              | Sr. Technical Architect
>> hzandbelt@pingidentity.com | Ping Identity
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com | Ping Identity

v2.23.0 | Report a Bug | By Email