[OAUTH-WG] Re: Call for adoption - First Party Apps
Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 16 September 2024 13:40 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Vladimir Dzhuvinov / Connect2id <vladimir@connect2id.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 16 Sep 2024 13:40:50 +0000
Message-ID: <DBAPR83MB04372E79F285B3BAF48DBCF691602@DBAPR83MB0437.EURPRD83.prod.outlook.com>
References: <CADNypP9ZHktRzztqCxGfHPOq5A5xo2GohFZms41ZjoTKjkcjkg@mail.gmail.com> <dad5f990-7ca2-4c47-b9a2-feb59e390cca@connect2id.com>
In-Reply-To: <dad5f990-7ca2-4c47-b9a2-feb59e390cca@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WCad60zbW_ESHKFlQrcBMTFKcls>
Hi Vladimir

Thanks for reading the draft and raising questions. See responses inline.

Cheers

Pieter

From: Vladimir Dzhuvinov / Connect2id <vladimir@connect2id.com>
Sent: Friday 13 September 2024 07:50
To: oauth@ietf.org
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps

I read the proposed spec and it's evident substantial work has gone into it. Congratulations on this.

How does the 1st party flow compare to the (deprecated in OAuth 2.1) password grant? People with existing 1st party apps that rely on the password grant or consider using it are going to look for a discussion on this.

<pk> The first party flow is meant to provide a framework to allow for multiple authentication factors to enable MFA type scenarios where there is a first party trust relationship between the application gathering the credentials and the authorization server. It provides a pathway from single factor authentication methods to stronger MFA and ultimately phishing resistant authentication methods. </pk>

In terms of security properties (leaving aside the design to support factors other than user password and the support for interaction), does it offer advantages? In the simple case (no interaction), do developers have a reason to choose the 1st party flow when the password grant only needs a single call to the token endpoint?

<pk> The main advantage is the ability to step up to MFA (or even to require a web redirect to collect credentials on the web if the authorization server deems the risk of a "first party" flow excessive). </pk>

The password grant has been subjected to (non-standard) customisations to support challenges, for example to be able to ask the user for an OTP after the password is verified. The 1st party flow takes such scenarios into account, but appears to have taken the framework approach, leaving it up to developers to complete the definition of the flow for the factors an AS is required to use / combine.

Is it envisioned for the 1st party flow spec to get complemented with profiles, or is it expected that developers / deployments will take care of this?

<pk> We expect there will be profiles for popular authentication techniques. </pk>

Vladimir Dzhuvinov

On 03/09/2024 13:46, Rifaat Shekh-Yusef wrote:

All,

As per the discussion in Vancouver, this is a call for adoption for the First Party Apps draft:
https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/

Please reply on the mailing list and let us know if you are in favor of or against adopting this draft as a WG document, by Sep 17th.

Regards,
Rifaat & Hannes
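The following is an added illustration, not code from the draft or from anyone in this thread, of the step-up behaviour discussed above: a simulated authorization challenge endpoint that, unlike the single-call password grant, can answer a password with a request for a second factor, or push the client to the browser when it judges the first-party flow too risky. The parameter and error names auth_session, authorization_code, insufficient_authorization, redirect_to_web and invalid_session follow the draft; the credential store, the risk flag and the error code for a bad password are constructed for this demo.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed demo credential store; a real AS would verify an OTP seed, not a literal code.
USERS = {"alice": {"pw_hash": sha256(b"correct horse").hexdigest(), "otp": "246810"}}
SESSIONS = {}  # auth_session -> {"user": ..., "factors": set()}; server-side state only

def _eq(a, b):
    # Constant-time comparison for secrets.
    return hmac.compare_digest(a.encode(), b.encode())

def authorization_challenge(req, risky=False):
    """Simulated authorization challenge endpoint (names follow draft-parecki-oauth-first-party-apps).
    Returns one of: an authorization_code (all required factors satisfied), an
    insufficient_authorization error carrying an auth_session the client must echo on the
    next round, or redirect_to_web when the AS wants the browser flow instead."""
    if risky:  # constructed risk signal: AS refuses to collect credentials in-app
        return {"error": "redirect_to_web"}
    if "auth_session" not in req:  # round 1: password factor
        user = USERS.get(req.get("username", ""))
        pw_hash = sha256(req.get("password", "").encode()).hexdigest()
        if user is None or not _eq(user["pw_hash"], pw_hash):
            return {"error": "invalid_request"}  # error code for bad credentials is a constructed choice
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"user": req["username"], "factors": {"password"}}
        return {"error": "insufficient_authorization", "auth_session": sid}
    sess = SESSIONS.get(req["auth_session"])  # round 2+: OTP bound to the session from round 1
    if sess is None:
        return {"error": "invalid_session"}
    if not _eq(USERS[sess["user"]]["otp"], req.get("otp", "")):
        return {"error": "insufficient_authorization", "auth_session": req["auth_session"]}
    SESSIONS.pop(req["auth_session"])  # session is single-use once all factors are satisfied
    return {"authorization_code": secrets.token_urlsafe(24)}

def first_party_login(username, password, otp, risky=False):
    """Client-side driver: keep answering challenges until a code or a terminal error.
    Returns (final response, number of round trips)."""
    resp = authorization_challenge({"username": username, "password": password}, risky)
    rounds = 1
    while resp.get("error") == "insufficient_authorization" and rounds < 3:
        resp = authorization_challenge({"auth_session": resp["auth_session"], "otp": otp}, risky)
        rounds += 1
    return resp, rounds
```

The password grant would have finished (or failed) after the first call; here the second round is where the AS can demand the extra factor, and the auth_session is the only thing tying the OTP to the password already verified.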