IETF Logo Mail Archive

Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Francis Pouatcha <fpo@adorsys.de> Mon, 13 July 2020 00:52 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E76F73A0C07 for <oauth@ietfa.amsl.com>; Sun, 12 Jul 2020 17:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JvhGQkq9n9Il for <oauth@ietfa.amsl.com>; Sun, 12 Jul 2020 17:52:08 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A90923A0C06 for <oauth@ietf.org>; Sun, 12 Jul 2020 17:52:07 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id k6so12751143wrn.3 for <oauth@ietf.org>; Sun, 12 Jul 2020 17:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S+kyygKu+7yYMzTYljTdnAVChKirWnBZYe29qYQNaJk=; b=e3/F7u7Pd1wNc4YdgriGM6KWx0OGuSIL6C/YoNKxRr6E418/jqTzE4gvH9V888pm+L uulIK+necM0vaofCH0kgE3A6INZ6n9DKKwL9trn9jAPyPldEvprIbxsFgqFqWXvTXcnN s3VMOGZambUOsPOo1mxhSlpVTBS1U6iw6JuXI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S+kyygKu+7yYMzTYljTdnAVChKirWnBZYe29qYQNaJk=; b=VLiJuq9UoAungansh9v90s8kYr/p/WxVFiMO6/tBSLKYVBL5yTpOCejmEKFSFgwnIo VSxflOSP1QQChILdMWacxVPnbWLtYe0+lHzikY92UmuyZHlCDVkIyRr7GP9nkSmsO69g JI3JIvm5mvCrZPLYw0cVbtUU3Yxbb9/pjheebLLisa5sH2OyZBM9wPN+5CsBsffzfQss TCLYxh/qMpyKsK/2FNI4GcyYHpEqe0ADmUnlqCQYpqQz3sMgQfyUVQK9w4DKorX40EPr duF9FOEXeBO/0YIcaZeNEn1HizN6Dgnt8JY8irPUcCYGjLkwka8BMqBRLc5IiT070oEP BMAQ==
X-Gm-Message-State: AOAM532onuPsebA9aXcPfE29klBGojyeswS9fBZrxSBHQEQ5glr/PFxf 3M5lA1s6NqwqrSig5TKl+0CMiXqxxqOASINgOjVYpUyrcq8=
X-Google-Smtp-Source: ABdhPJyeBRYlRMUw4uomw5VWs3yiIpx7VRmDao8APXxGbNWLD3tQP0WWULbUr43/h1ZuJPJccclHLJpWh8QW8JLmrAk=
X-Received: by 2002:a5d:4a84:: with SMTP id o4mr36016932wrq.104.1594601525930; Sun, 12 Jul 2020 17:52:05 -0700 (PDT)
MIME-Version: 1.0
References: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net> <E991259C-46FB-4B32-B87C-205B4507379F@forgerock.com> <888E8738-A5A6-4086-BAB0-418216342A7E@lodderstedt.net> <43899574-72B3-488A-83A6-1CBCF41EEB30@forgerock.com> <4D681F6F-D67B-4BBD-99F9-08853F15AF73@lodderstedt.net> <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
In-Reply-To: <8300E578-D565-4650-8DC1-8259735FE96A@forgerock.com>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Sun, 12 Jul 2020 20:51:54 -0400
Message-ID: <CAOW4vyNji0peKzH+gre3E6b778HfxWJ_18NP457LsPzg34m_xw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082fdbe05aa4819db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U43TDBZuWhByhAijb9GgTzOfqkg>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 00:52:10 -0000

Hi Neil,

IMHO the purpose of RAR is to provide a rich substitute for oAuth2 scopes.

The point you are addressing in this thread is nevertheless very pertinent,
even though not directly related to RAR.

Proof of RO (PSU) authorized interaction between the RO and the Client
(TPP) prior to starting an payment authorization request is essential.

The NextGenPSD2 specification addresses the problem with a so-called oAuth2
pre-step option. As this requires two authorization operations (SCA) for
the release of a single payment, banks implementing oAuth2 pre-step fell
under the scrutiny of the EBA (European Banking Association) last June. Now
those banks have the burden of proving to their NCA's (national
market/country authorities) that pre-step is necessary to mitigate the very
problem you are raising in this thread.

Let settle with:
- RAR as a payload for carrying authorization details
- The decision on whether to protect an authorization transaction with a
preceding RO authorization to do so shall be left to the target oAuth2
profile.

Best regards
/Francis

On Thu, Jul 9, 2020 at 1:58 PM Neil Madden <neil.madden@forgerock.com>
wrote:

>
> > On 9 Jul 2020, at 18:34, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
> >
> >> On 9. Jul 2020, at 19:28, Neil Madden <neil.madden@forgerock.com>
> wrote:
> >>
> >> On 9 Jul 2020, at 18:10, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
> >>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> What in particular should the use consent with in this step?
> >>>>>>>>>>
> >>>>>>>>>> “FooPay would like to:
> >>>>>>>>>> - initiate payments from your account (you will be asked to
> approve each one)”
> >>>>>>>>>>
> >>>>>>>>>> The point is that a client that I don’t have any kind of
> relationship with can’t just send me a request to transfer $500 to some
> account.
> >>>>>>>>>
> >>>>>>>>> Are we talking about legal consent or a security measures here?
> >>>>>>>>
> >>>>>>>> Normal OAuth consent. My phone is my resource, and I am its
> resource owner. If a client wants to send payment requests to my phone
> (e.g. via CIBA backchannel) then it should have to get my permission first.
> Even without backchannel requests, I’d much rather that only the three
> clients I’ve explicitly consented to can ask me to initiate payments rather
> than the hundreds/thousands clients my bank happens to have a relationship
> with.
> >>>>>>>
> >>>>>>> To me it sounds like you would like to require a client to get
> user authorization to send an authorization request. Would you require the
> same if I would use scope values to encode a payment initiation request?
> >>>>>>
> >>>>>> Yes. If something is sufficiently high value to require
> per-transaction authorization then initiating transactions itself becomes a
> privileged operation.
> >>>>>
> >>>>> The per transaction authorization alone is a significant increase in
> security. What is the added value of requiring an authorization to send a
> per-transaction authorisation request in an additional step?
> >>>>
> >>>> Because Open Banking allows any client at any time to send an
> asynchronous back channel request to my phone to approve a payment. This is
> pretty risky.
> >>>
> >>> Can you please explain how you came to that conclusion and how it
> relates to RAR?
> >>
> >>
> https://openbankinguk.github.io/read-write-api-site3/v3.1.6/profiles/payment-initiation-api-profile.html
> >>
> >> Client (PISP) initiates a payment-order consent using a
> client_credentials access token, then launches a CIBA backchannel
> authorization request. What prevents this?
> >
> > The fact that the PISP cannot issue this request without a valid user
> identifier. The demos I’m remembering use a traditional first authorization
> flow to establish this identifier.
>
> An identifier is not an access token or credential.
>
> >>
> >> This relates to RAR, because RAR also has no protection against this.
> If you use RAR in combination with a backchannel authorization method then
> the same issue applies. This is a general issue with backchannel approaches,
> >
> > Exactly! It's a problem with any kind of backchannel initiated _user
> interaction_.
> >
> >
> >> but it is particularly a risk here because RAR is pitching itself as a
> way to do payment transactions.
> >
> > The problem is the backchannel request, not RAR. RAR is just a more
> elaborated scope.
>
> I don’t agree. It’s particularly acute with backchannel requests, but it
> still exists with front channel. If I can redirect your browser to a
> payment confirmation screen, what percentage of users will click ok? I
> would guess more than 0. It’s a problem precisely because a one-off
> interaction is enough to authorize a transaction.
>
> It might be that in OB they accept this risk and mitigate it in other
> ways, e.g. making it easy to reverse transactions, or through sufficient
> vetting of clients and big legal consequences. As a UK banking user, that
> wouldn’t make me very happy but OK. The point is that RAR can’t make
> payment transactions the primary use-case, emphasised throughout the draft,
> and then fail to even discuss this issue or make any kind of suggestion as
> how to handle it.
>
> — Neil
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/

v2.23.0 | Report a Bug | By Email