[OAUTH-WG] Re: One-time confirmation tokens
Dmitry Telegin <dmitryt@backbase.com> Wed, 19 June 2024 18:37 UTC
Return-Path: <dmitryt@backbase.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73225C1D4CE7 for <oauth@ietfa.amsl.com>; Wed, 19 Jun 2024 11:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=backbase.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkcFxZ-pDQTL for <oauth@ietfa.amsl.com>; Wed, 19 Jun 2024 11:37:47 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83F34C1D4CE4 for <oauth@ietf.org>; Wed, 19 Jun 2024 11:37:47 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2ec1620a956so730831fa.1 for <oauth@ietf.org>; Wed, 19 Jun 2024 11:37:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=backbase.com; s=google; t=1718822264; x=1719427064; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KJpYLgIYWphSuyaH6VfPc+M9BlA2V9cqLQuNCg8fCsw=; b=LQL4fszu9GJezAn/DrvQ5vzAi8/DgMNZcebtxVeTj22Pr6db/GNbd4VPoSBoqiXb3D /5Z/1caz//ECeyGWPrMopMlgeirMMt26DtRc7MW4jX7NmwfjPdy/QCJZSeVFfMyPFynp RBQt9HCvDDWIUb0Uao+HRcLE9wNDmGO+WFANWyrkEHekfg+Nj78TbAq95y+Ae8xiPxZI 5eog9Nr3X0Z8FKyJnEZXFb43CUB73RbNeERxSzghE3SXiNE8G74uQFDSUkW4eNJRiwX2 I3jA0iLP7ogRFawJ2nRprnMjmIvyHccWtUZqE7fJHf092+gIEMg91R+rqGoruOwEuUA4 4oyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718822264; x=1719427064; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KJpYLgIYWphSuyaH6VfPc+M9BlA2V9cqLQuNCg8fCsw=; b=o4XNHD6fgR4SAsXm5XjvRJevdjScd93kX1MHnjD5dt8d8VG45b35TjRYIKj4Y7aRIo 3j+XFhsEpo2BS7w+fP3N5ZCyi+JNkvuEVKc7IHbRzhNswvGPKQdOFG75AWvOd07iwH2d /dQ7NjKdU/r2CVBLt2xlY7o5wURNuA5k6+FNIlkn1rkVyy1BcSzUfXZMDtSWfROlGC2A 7zHVMNWFsY/wZJQcEt/QklhYHP+IU2InIaZ9WHl8YO4bgsAfFRVNDROJLX3nlZR0RfPA c8ukOv/VdGC0mmI5xb0U85y+n188lAlM9BDw4QLZ7dSygrqhOvUwOF+OxvWmeF38jitH grNw==
X-Gm-Message-State: AOJu0Yz6ikcgnIFumIFC8V8ORGByG0vtiKLW3DLS4MchP6SEUQid9Mtu tGk4rVZZuYSLKRzMO1aeUwYmfqOF8ObPr9oSJEbnL+l91zeO6n7J9tJtftsgwwWghz0nexcBcch 4m7Rs43eBbfpExxW6wYqpkfWtkyl7de2bnImv
X-Google-Smtp-Source: AGHT+IHaPUgXrcbeiv25431OJBX32YgX1s5EVi5uoUTpxPss0NR1qRNeKCRTcf8EAXRZ0KjBivDiUApW7cRIpaB4V/g=
X-Received: by 2002:a05:651c:1a23:b0:2ec:3d5f:7a36 with SMTP id 38308e7fff4ca-2ec3d5f7c1fmr23858131fa.23.1718822264104; Wed, 19 Jun 2024 11:37:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com> <16127c76-89a6-48fc-8e19-93610dd0e953@free.fr>
In-Reply-To: <16127c76-89a6-48fc-8e19-93610dd0e953@free.fr>
From: Dmitry Telegin <dmitryt@backbase.com>
Date: Wed, 19 Jun 2024 19:37:32 +0100
Message-ID: <CAOtx8Dmubp1-wqN--9m4br0k-94F8o48yf=JizqjHRmhXyby_w@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Content-Type: multipart/alternative; boundary="0000000000007c0ba7061b427e3e"
Message-ID-Hash: ONLTYUOYG4O776YK6QABK2HKOVK3EGDC
X-Message-ID-Hash: ONLTYUOYG4O776YK6QABK2HKOVK3EGDC
X-MailFrom: dmitryt@backbase.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: One-time confirmation tokens
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q-wf59v-yBClbOgrorqaea5AptA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Denis, I think I'd agree on most points. As far as I understand, your major concern is that the details of the operation to be confirmed will be exposed to the AS. And this is exactly what is addressed in 3DS, where neither merchant can spy on card/account number, nor AS on the transaction details. I forgot to mention that I was describing the first-party AS scenario, where the AS, client and RS are provided by the same party, and the trust between the components is already established. I believe in the cases like that we can make exceptions, similar to Aaron's OAuth 2.0 for First-Party Applications, where it is considered safe to expose user's credentials to trusted clients. I wonder if we could abstract from payment confirmations and focus on the general-purpose semantics of auxiliary/secondary/complimentary one-time tokens? Dmitry On Fri, Jun 14, 2024 at 9:19 AM Denis <denis.ietf@free.fr> wrote: > Hi Dmitry, > > You have described a scheme with built-in "spy by design" opportunities, > where the AS will be in a position to play the role of "Big Brother". > If you follow a "privacy by design" approach, you will end up with a > different architecture. > > “If the only tool you have is a hammer, you tend to see every problem as > a nail.” > OAuth should not be considered to be the only tool. > > 3D Secure is a way to address payment / money transfers in a > privacy-preserving fashion. > > FYI, the SPICE WG has been created yesterday. A privacy-preserving > architecture using digital credentials will be developed there. > > Denis > > > > Let's take the following (very common) scenario: > > * A user logs into the system; > > * They request an operation that might require additional confirmation > > from the user, at the system's discretion. The most common example > > would be payment / money transfer, but could also be generating a > > statement or showing card details or any other sensitive operation; > > * The user is then directed to the AS where they are displayed > > operation details, optionally pass additional authentication and > > confirm the operation; > > * The AS issues a one-time credential (let's call it "confirmation > > token") that can be used to perform that particular operation only; > > * Finally, the user performs the operation. > > > > Is this case completely covered by the current standards? I believe it > > is not, and here are my points: > > 1. "Confirmation token" looks very different from access token with > > regards to its contents, purpose, scope, lifetime and lifecycle. I > > think it should complement the access token rather than replace it, > > even temporarily. This is why I believe this case is not covered by > > Step Up, where the access token is replaced; > > 1a. Step Up assumes upgrading the session's ACR; in the > > "confirmation" scenario, ACR could remain unchanged; > > 2. No standard way for the RS to signal to the client that the > > requested operation requires confirmation. That could optionally > > include server-supplied nonce (similar to DPoP) to help enforce > > "confirmation token"'s shorter lifetime and one-time use, but it is > > not clear how to communicate that to the client; > > 3. No standard way for the client to request one-time "confirmation > > token" from the AS; > > 4. No standard way for the AS to indicate that the returned token is > > actually "confirmation token" and not a Bearer token; > > 5. No standard way for the RS to tell that the incoming token is > > actually a "confirmation token" and requires special handling > > (one-time use, checking against operation parameters etc.) > > 6. On a plus side, RAR can be used to communicate operation details to > > the AS while initiating "confirmation". > > > > 3-5 could be probably done with a combination of scopes + RAR. What > > concerns me most is the lack of complementary token semantics (1) and > > inability for the RS to signal the confirmation requirement to the > > client (2), which could include operation details and nonce. > > > > Please correct me if I'm missing something and we have enough coverage > > by the standards. But if we don't, would the WG welcome such a document? > > > > Dmitry Telegin > > Backbase / Keycloak > > > > > > _______________________________________________ > > OAuth mailing list -- oauth@ietf.org > > To unsubscribe send an email to oauth-leave@ietf.org > > >
- [OAUTH-WG] One-time confirmation tokens Dmitry Telegin
- [OAUTH-WG] Re: One-time confirmation tokens Denis
- [OAUTH-WG] Re: One-time confirmation tokens Neil Madden
- [OAUTH-WG] Re: One-time confirmation tokens Dmitry Telegin