Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Thu, 13 April 2023 12:14 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E621C15E3FC for <oauth@ietfa.amsl.com>; Thu, 13 Apr 2023 05:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.092
X-Spam-Level:
X-Spam-Status: No, score=-2.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zymsv52HxJ0 for <oauth@ietfa.amsl.com>; Thu, 13 Apr 2023 05:14:17 -0700 (PDT)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFDD0C15C528 for <oauth@ietf.org>; Thu, 13 Apr 2023 05:14:17 -0700 (PDT)
Received: by mail-pl1-x634.google.com with SMTP id ke16so14677459plb.6 for <oauth@ietf.org>; Thu, 13 Apr 2023 05:14:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1681388057; x=1683980057; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=pWGthXFsu5SqEhg7h18j7ImsjPfkPJrTAs71hwEMOGU=; b=fVVR6yp75TTHE/lud/eQjM4eQQMYMcltDN+yku9q5AWci4cUWGgJkWfA4EMmVhH69J 6fFE93H1oTX0Q8bvXlGQv5qiKszRcFKZG+WSAm9O7K2rOajjrWPQu5wHaeSPfJ3cYClx jiIYn++Oi4o69yUeqkQzU1NNdH6szq5BO1I11c1ar599e4rZ7VyCvGQ9xOV5wLOb2LjG p0b8cs41hORNnzO9bsFUy7WmgsxRtA6/jKhFGd7sIbHuOKLbtZ+SwQEdeSGYVA3777MD e25pJCakM/ONUvFpuazF3wrnBI2wli2zA9dm5XPfFxVzJT4Ff6XK3Ih2NEAIYEBb2k6K V4Yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681388057; x=1683980057; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=pWGthXFsu5SqEhg7h18j7ImsjPfkPJrTAs71hwEMOGU=; b=OW7udFWykxD07eg8HCvY3KTJTFa7xTykNXiXtvkkbuhX6RDfV0p06PlFBD6aAMKNO+ e5fDdFWrhblc2kpBKCI3pVFrxJDPY8q2QYBv/VXrv/S8YqVIaHirAewSLIqcDOkjI6Qo erXq1LnSZz9apmbXoiUa0vRBCdmH2zfqEQUXIsFXtmi4DB4bw0GIhSfhs8RedbBg9pIZ dht+nK4EqsoyCQSVxdhB17RQVAZMB2dLoA4Ysc9x6YQZetwnMxOoFPflUtJJb6tPPQCi 4u7PtnH+gVcYhgWI/p396Q2GvCy6F+lrTLANGQJkAVL5Q/G1a/B6i26HlvHcG7ixhrTu 9M6A==
X-Gm-Message-State: AAQBX9eQK1qqNsoeFrGpbF+ktofKwwXCivvOikQcTDRmuEfGzbJYIZTX P4jmBWMRPCXU+YhrdVbjeTmFTw6fwxlvdhfvfclKO7+c8Q0heABsiwAyPDxpN0YK7cloIxXvSe/ cjmn8kFxnQ2ZHeg==
X-Google-Smtp-Source: AKy350ao7bvfzVwl4lfs5zXVC7sMIIUdmtMTP8HT9i5BaGFf/lAmutRkc9Q781R51oeW3QdBp3WQOtDUqaTMCwtU3Ds=
X-Received: by 2002:a17:902:ef85:b0:1a6:6c7c:57dc with SMTP id iz5-20020a170902ef8500b001a66c7c57dcmr618071plb.0.1681388056034; Thu, 13 Apr 2023 05:14:16 -0700 (PDT)
MIME-Version: 1.0
References: <168136196076.46946.14361049726064538738@ietfa.amsl.com> <CAEFJvao7pTNFdR3hAx1N2yFioWF9Zux4cNk0+uKd3NAuPVhoag@mail.gmail.com> <CAL0qLwYwJjN3ZFmomgxfwAt7GftzmHUsrogEPqz07WBAUs=P1w@mail.gmail.com>
In-Reply-To: <CAL0qLwYwJjN3ZFmomgxfwAt7GftzmHUsrogEPqz07WBAUs=P1w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 13 Apr 2023 06:13:38 -0600
Message-ID: <CA+k3eCQ4cLDC1pBBFUa9p1bbOZ5RuZ3L=YQTfy_sc3T4xx4ZHg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Vittorio Bertocci <vittorio.bertocci@okta.com>, The IESG <iesg@ietf.org>, draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rifaat.s.ietf@gmail.com
Content-Type: multipart/alternative; boundary="000000000000cfd62f05f936a907"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JmazWbtXxWRc5bRUNgDXl0KBXc0>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-step-up-authn-challenge-14: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 12:14:21 -0000
Thanks, Murray, for the quick turnaround! On that first SHOULD. The reasons for not prompting the user in that particular example are more about user experience than protocol considerations. Here we avoid the MUST to ensure that those scenarios can be handled without creating bad user experiences, but I am not sure whether giving experience advice here is in scope for the spec- especially considering that this would just be an example among many. On the second SHOULD. The current language in the draft says: Section 5.5.1.1 of [OIDC] establishes that an authorization server receiving a request containing the acr_values parameter MAY attempt to authenticate the user in a manner that satisfies the requested Authentication Context Class Reference, and include the corresponding value in the acr claim in the resulting ID Token. The same section also establishes that in case the desired authentication level cannot be met, the authorization server SHOULD include in the acr claim a value reflecting the authentication level of the current session (if any). Furthermore, Section 3.1.2.1 [OIDC] states that if a request includes the max_age parameter, the authorization server MUST include the auth_time claim in the issued ID Token. That seems to make it explicit that what we are doing here is quoting from [OIDC]. We are a bit reluctant to compress that into a simple reference to OIDC because we feel it would raise the cyclomatic complexity of the spec, forcing the reader to open a different spec, locate the right section, perhaps build a bit of context by reading the adjacent parts... whereas here we are providing a digest of the salient aspects that apply to the access token centric scenario described here. On Thu, Apr 13, 2023 at 12:25 AM Murray S. Kucherawy <superuser@gmail.com> wrote: > Hi Vittorio, thanks for the quick response. > > On Wed, Apr 12, 2023 at 11:11 PM Vittorio Bertocci < > vittorio.bertocci@okta.com> wrote: > >> On the SHOULD on top of S4. There are pretty common situations in which >> failing to get a response from an API is an acceptable outcome, and >> presenting an interactive prompt isn't. A classic example is a background >> update that the client can use to proactively fetch fresh data, that isn't >> critical for the application function and wasn't initiated by the user. As >> such, an interactive prompt could disrupt the user experience by requiring >> an action without clear context and not in pursuit of a goal the user >> expressed. A MUST would force a complying client to act on the challenge, >> making those scenarios hard to handle. >> >> On the SHOULD on top of S5. There we are just describing what the OIDC >> specification mandates for ID tokens, hence not providing any new normative >> guidance.We echo what OIDC mandates for ID tokens there because we want to >> apply the same logic for access tokens, as we later describe in the same >> section. In that description we don't introduce a more restrictive MUST >> because that would make it hard for the (many) existing authorization >> server+OIDC implementations to comply, limiting adoption and for a >> relatively small return. >> > > I think it would be good to say something like what you just said for the > first one, and maybe make it clear that you're relaying normative guidance > from OIDC and not making a new assertion. Or you could just say > implementers need to meet the constraints around ID tokens specified by > OIDC. > > -MSK > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Murray Kucherawy's No Objection on dra… Murray Kucherawy via Datatracker
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Murray S. Kucherawy
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Vittorio Bertocci
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Vittorio Bertocci
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Daniel Fett
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Brian Campbell