Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 26 January 2016 18:04 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341771AC3AC for <oauth@ietfa.amsl.com>; Tue, 26 Jan 2016 10:04:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uc6ixZ1v5h67 for <oauth@ietfa.amsl.com>; Tue, 26 Jan 2016 10:04:32 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF8DD1AC3AB for <oauth@ietf.org>; Tue, 26 Jan 2016 10:04:31 -0800 (PST)
Received: by mail-wm0-x22e.google.com with SMTP id l65so115106711wmf.1 for <oauth@ietf.org>; Tue, 26 Jan 2016 10:04:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=YPq09lwfxt66yh71R7lpdX+atCxOjrMZ+yEMrRMCePY=; b=Ov41bZKSWTeWR+Koj/lnaGm9/RKzDI/P8zc+2atWsM4q3i5uqVGeuzE2BotVLm3njb 0WKPFo2obdaCAEZsf74D0+KyxQ2awB2beq7SWvO+7P/aGkOY2ATOWedJsd3hjXDbwI5n gHdGQpbtRjH/lw2Mg7MEHrq5tHT9YbSDx/3hHxc8lX8uOjhs0UgwXb+zWpn5nN5UQe7J j+R4cj3pc8oOdOLioD5yaeBJFf/5kZrI5LdfRnmCjH23vqUaiFlV8F2Tdx2fn8pJmiZj JWsZblSTWkl4gkcscfpFNDV/IfFIc+sJLnxNmML2Fy+Qc9VW2HDuvrUsJr5ll2hYbHWg wsAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=YPq09lwfxt66yh71R7lpdX+atCxOjrMZ+yEMrRMCePY=; b=e5DOtFtH1EW+tv87LGmha1CFCtRWzMEAVz1AO3UeFeWZWw4DGmNtRr9A9rtp/hrgEJ wAGX4DKna4Jcz8LhCeU13DmALtWOtjGUmybsXopRor7VxMW1dxuQzMGMiR94DehU9HXr DO1UNtN1fPTxEP/v6FE1P92UOSMMllX5hK6GQ9Jz5oCav8BK+UtAJkBXHBYLuoVNJ3fP wZrjWXHE51yssztpQ/tXHQW8weGay9km6x4pJ2qi5uz6PLukA76VCe7ipedjkYbi2P2l 6TgU4EQFYybOYycZfuXuRv6RnMKte55q35pkdStQyngfVZjPGUPqpqKUF6F8DtkMoeIr oymw==
X-Gm-Message-State: AG10YORe9OcBW7NuV/BJd8ZPjEsFfz1UA3LXgevaK0TS6teCTlE6bXY7t4QjcpOFlEVP0g==
X-Received: by 10.194.172.97 with SMTP id bb1mr27911340wjc.173.1453831470337; Tue, 26 Jan 2016 10:04:30 -0800 (PST)
Received: from [192.168.2.7] ([5.179.70.21]) by smtp.googlemail.com with ESMTPSA id v191sm3949303wme.1.2016.01.26.10.04.28 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 26 Jan 2016 10:04:29 -0800 (PST)
To: William Denniss <wdenniss@google.com>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com> <569CDE25.90908@gmail.com> <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com> <569E08F6.4040600@gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56A7B52C.2040302@gmail.com>
Date: Tue, 26 Jan 2016 18:04:28 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <569E08F6.4040600@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/OssvJPF3Vj1zKi1MBH1hCjnQNc4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 18:04:34 -0000

Hi

I'm not sure if the next question is off topic or too low level, 
hopefully not,

When the repeated authorization is skipped or only new scopes are 
requested to be authorized as per the incremented auth approach, is it 
reasonable to assume that the record that is used to track it all is 
actually the existing access token or is totally OIDC implementation 
specific ?
I think using the existing token as a record is reasonable because it is 
time scoped and if we do not use the access token for keeping the track 
of the multiple approvals, etc, then one need to introduce one more 
record mirroring to some extent the access token...

For example, the user session may have expired but the access token that 
was issued to a client web app on behalf of this user is still active, 
so when the user returns and signs in again, and for example, approves 
few more scopes, then the existing access token (the record) gets 
updated, instead of a new token being created.

If it is reasonable then does it mean the sticky or incremental 
authorization works as long as the access token is available 
(refreshable) ?

Sergey




On 19/01/16 09:59, Sergey Beryozkin wrote:
> Hi William
>
> Thanks for the advice. FYI we are also on the way to supporting the
> incremental authorization of scopes - thanks for highlighting the
> importance of this process on this list...
>
> Cheers, Sergey
> On 19/01/16 03:10, William Denniss wrote:
>> Agree with Justin, this is pretty common. We support it for re-auth as
>> well as incremental auth (where the user has already approved scope "a"
>> and is presented with a request for scopes "a b", they will only need to
>> approve scope "b").  In fact if you don't do this, then incremental auth
>> isn't really viable.
>>
>> Regarding security: don't do this for non-confidential clients where you
>> can't verify the identity of the app by the redirect (e.g. a localhost
>> redirect to an installed app).
>>
>> On Mon, Jan 18, 2016 at 4:44 AM, Sergey Beryozkin <sberyozkin@gmail.com
>> <mailto:sberyozkin@gmail.com>> wrote:
>>
>>     Hi Justin, thanks for the advice,
>>
>>     Cheers, Sergey
>>
>>     On 18/01/16 11:47, Justin Richer wrote:
>>
>>         Yes, this is common practice. Give the user the option to
>>         remember the
>>         decision. This is known as "trust on first use", or tofu. Our
>>         server,
>>         MITREid Connect, implements this as do many others.
>>
>>
>>
>>         -- Justin
>>
>>         / Sent from my phone /
>>
>>
>>         -------- Original message --------
>>         From: Sergey Beryozkin <sberyozkin@gmail.com
>>         <mailto:sberyozkin@gmail.com>>
>>         Date: 1/18/2016 5:59 AM (GMT-05:00)
>>         To: oauth@ietf.org <mailto:oauth@ietf.org>
>>         Subject: [OAUTH-WG] Can the repeated authorization of scopes be
>>         avoided ?
>>
>>         Hi All
>>
>>         The question relates to the process of showing the authorization
>>         code/implicit flow consent screen to a user.
>>
>>
>>         I'm discussing with my colleagues the possibility of avoiding
>>         asking the
>>         same user whose session has expired and who is re-authenticating
>>         with AS
>>         which scopes should be approved.
>>
>>         For example, suppose the OAuth2 client redirects a user with the
>>         requested scope 'a'. The user signs in to AS and is shown a
>> consent
>>         screen asking to approve the 'a' scope. The user approves 'a'
>>         and the
>>         flow continues.
>>
>>         Some time later, when the user's session has expired, the user is
>>         redirected to AS with the same 'a' scope.
>>
>>         Would it be a good idea, at this point, not to show the user the
>>         consent
>>         screen asking to approve the 'a' scope again ? For example, AS
>> can
>>         persist the fact that a given user has already approved 'a' for
>>         a given
>>         client earlier, so when the user re-authenticates, AS will use
>>         this info
>>         and will avoid showing the consent screen.
>>
>>         That seems to make sense, but I'm wondering, can there be some
>>         security
>>         implications associated with it, any recommendations/advices
>>         will be welcome
>>
>>         Sergey
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>