IETF Logo Mail Archive

Re: [OAUTH-WG] Question regarding RFC 8628

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 26 November 2019 17:48 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BFD9120A4E for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 09:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ES3mRys9e2N for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 09:48:40 -0800 (PST)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F9A1209CA for <oauth@ietf.org>; Tue, 26 Nov 2019 09:48:39 -0800 (PST)
Received: by mail-wm1-x332.google.com with SMTP id b11so4155224wmb.5 for <oauth@ietf.org>; Tue, 26 Nov 2019 09:48:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=kMjVwOQGVOIUtfSVGaQ6c3xNzxFgWu2WLOI+hf1lfrY=; b=t5RKDOeNu8RHUoFtpaLZ271jArv4ry2l5OKu5V9XzgAJrAqMkIQDVJBOJxvmgDL6ov 4q6uWwAZmt4jcFlL63C4LwZdzZrkk41hnEhxL7b/C+mSthue2V7z//KTN5CV9p9osJo5 HKOgGOynTnddckWanX24NxArw6suFaOrnUgdHliguP8SksdBAXLU8dZ/nKAcvl0nAKCG J414WbLXgpV/fUV799qkIWe+/KGjm/Ea8WRHCf9N8qVf1oOWcjrX2I2UHVdff+OesLta IJ77z1Sc8jshZOc+Xu/o9gc21MPEZvtRQMVoOT0wm7vD399afU844bl0ecC7jKzNd6U1 MfSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=kMjVwOQGVOIUtfSVGaQ6c3xNzxFgWu2WLOI+hf1lfrY=; b=lrf+qSrSkL+8su4Lhbm4jrO2i8UF022jWCOyUIjWNmbHOyWtqLRTtnpGMNzg9XwWJZ PZiibhXe5GkJB/C5AeaAwhFI/d80n+JfgHWamq5B7nygaIp8iXp2kAZdaaR4Sp2bn2it uY7a3JzPYqMJqqXt46VP3+TCrn6eoYtDy+AdQj+eJsH0f5Ok+uzVzHszkWpioGtuBm7X cqXPcwZGsUNd2eWoWjBn8/CyW8Gz/mUjU/QhEswcQlvctTPxrxEYDIfnIDLIPNitcT3s wyyTLNxnS6mkA3XeneKfBZgIGQ3NJkEN8/DRR+IBhFEzKDolCj0MjjU7t2WlKRKdGrDS RL0A==
X-Gm-Message-State: APjAAAWYUmzKMVrWO/TRRMup8aXkYrLqd7VQduPYc5zmZyNFpeylQ6ub gSJDcqIgQ6dU+wM2W+qvQ26KuA==
X-Google-Smtp-Source: APXvYqwJwUC3DW1VO/N582wQkHYumLE4f8RjMAWNdfBz837hZ7Y1rrEhh0VBiNnM34Tp3kPuBJODDw==
X-Received: by 2002:a7b:cb4a:: with SMTP id v10mr243041wmj.106.1574790517919; Tue, 26 Nov 2019 09:48:37 -0800 (PST)
Received: from ?IPv6:2a01:598:a90a:3ef4:34b2:dbfd:83dd:888b? ([2a01:598:a90a:3ef4:34b2:dbfd:83dd:888b]) by smtp.gmail.com with ESMTPSA id r2sm4010451wma.44.2019.11.26.09.48.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Nov 2019 09:48:37 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-A2A6CA25-DAA1-45ED-BC3A-0761F82C1589"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Tue, 26 Nov 2019 18:48:34 +0100
Message-Id: <19562413-6D20-4DEF-BDF2-F73F5DF00A76@lodderstedt.net>
References: <f1d8191c1f5f45ab934166f555fd541c@STEMES002.steteu.corp>
Cc: Joseph Heenan <joseph.heenan@fintechlabs.io>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <f1d8191c1f5f45ab934166f555fd541c@STEMES002.steteu.corp>
To: Robache Hervé <herve.robache@stet.eu>
X-Mailer: iPhone Mail (17A878)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WJw1o-a84rSOJTsg5DCYuMN37g4>
Subject: Re: [OAUTH-WG] Question regarding RFC 8628
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 17:48:43 -0000

No problem. You are always welcome.

> Am 26.11.2019 um 14:07 schrieb Robache Hervé <herve.robache@stet.eu>:
> 
> Thanks Torsten, I didn't notice this point in CIBA.
> 
> Sorry about asking a so silly question.
> 
> Hervé
> 
> -----Message d'origine-----
> De : Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> Envoyé : mardi 26 novembre 2019 11:33
> À : Robache Hervé
> Cc : Joseph Heenan; oauth@ietf.org
> Objet : Re: [OAUTH-WG] Question regarding RFC 8628
> 
> Hi Hervé,
> 
> the flow you outline is equivalent to CIBA (https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-ID1.html).
> 
> RFC8628/device grant type and CIBA differ as follows:
> 
> - RFC8628 provides the client with an URL for the authorisation process
> - CIBA requires the client to provide a user identifier to the AS/OP, the AS in turn uses an out of band mechanism to communicate with the user
> 
> best regards,
> Torsten.
> 
>> On 26. Nov 2019, at 09:26, Robache Hervé <herve.robache@stet.eu> wrote:
>> 
>> Dear all
>> 
>> Thanks again for your clarifications. After discussion with the French community, we think that a full decoupled flow could be the following one
>> 
>> <image002.png>
>> 
>> From my perspective, this flow  is very similar to RFC8628 or CIBA, except the following difference: instead of providing the customer with the authentication URI through the third party, the bank notifies directly the customer on a specific device or mobile app.
>> 
>> Do you have any thought on this flow?
>> 
>> Thanks in advance
>> 
>> Hervé
>> 
>> De : Robache Hervé
>> Envoyé : lundi 18 novembre 2019 15:21
>> À : 'Joseph Heenan'; Torsten Lodderstedt
>> Cc : oauth@ietf.org
>> Objet : [OAUTH-WG] Question regarding RFC 8628
>> 
>> Thanks Joseph
>> 
>> I agree with you. There should be no issue when the URL is registered during the TPP app installation.
>> 
>> From my perspective, this URL should be passed during the authorization request within the [redirect_uri] field.
>> 
>> By the way, most of the French banks will use Oauth2 AC and not OpenId Connect. I guess that the sequence diagram is roughly the same, isn’t it?
>> 
>> Best regards
>> 
>> Hervé
>> 
>> De : Joseph Heenan [mailto:joseph.heenan@fintechlabs.io]
>> Envoyé : lundi 18 novembre 2019 14:49
>> À : Torsten Lodderstedt
>> Cc : Robache Hervé; oauth@ietf.org
>> Objet : Re: [OAUTH-WG] Question regarding RFC 8628
>> 
>> Hi all,
>> 
>> Thanks, Torsten.
>> 
>> 
>> On 18 Nov 2019, at 13:22, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> Hi Hervé,
>> 
>> looping in Joseph.
>> 
>> 
>> On 18. Nov 2019, at 21:17, Robache Hervé <herve.robache@stet.eu> wrote:
>> 
>> Thanks Torsten
>> 
>> Yes, we study this flow as well. Actually we consider the two following flows for a mobile-based authentication
>> 
>> -          DECOUPLED : via a RFC8628-derived or CIBA approach (as suggested by Rob)
>> -          REDIRECT : via the flow specified in the OpenId link you gave.
>> 
>> The main issue encountered so far is to give back the focus on the third party app. Third Parties fear that their app will be kept in the back of the mobile screen.
>> 
>> @Joseph: what’s your take on this concern?
>> 
>> In app2app, it really shouldn’t happen - if the device OS has not properly registered the universal link, the TPP website would open instead and authorization code can still be processed (though admittedly supporting this use case may require a bit more care to ensure session mixup attacks can’t happen).
>> 
>> 
>> 
>> 
>> This could happen when the TPP app [app link]/[universal link] is not properly registered or forwarded to the bank app.
>> -          In the REDIRECT approach this means that the authorization code cannot be forwarded to the TPP
>> 
>> I don’t really understand how the ‘app link’ would not be properly registered to the bank app. The universal link should be the same URL as for the redirect uri on the TPP website. Obviously if the TPP registers their redirect uri incorrectly with the bank the flow won’t work, but this applies equally to the web based flows, and it’s not the kind of problem you see occur on a production system.
>> 
>> The evidence from the UK so far is that drop-off rates (where the user does not successfully complete the authentication and return to the third party) are far lower for app2app compared to a normal oauth2 browser based redirect flow; I can’t put my hand on the actual figures right now but from memory around 5 times more users successfully completed an app2app flow than the usual web flows.
>> 
>> 
>> -          In the DECOUPLED approach it less critical since the TPP polls the bank and eventually gets its token once the PSU has authenticated.
>> 
>> But in the decoupled flow, the PSU first has to enter her PSU ID in order to allow the TPP to identity the PSU towards the ASPSP. This is less convenient and leaks PII.
>> 
>> Not necessarily the PSU ID, but generally something that can be used to identify the user. In theory it could be an ephemeral id, though in reality there’s all sorts of issues with implementing that, particularly on a ’same device’ flow. It’s definitely less convenient, particularly for the first TPP<->ASPSP interaction where the TPP will necessarily have to collect more info from the user than would be necessary in a redirect based flow.
>> 
>> The user also has to manually switch back to the TPP app at the end of the flow.
>> 
>> My general opinion is that for most use cases where the consumption and authentication devices are the same device a decoupled flow should not be used, as for that use case app2app presents a far better user experience - both in terms of the number of steps and the time taken to successfully complete all the steps.
>> 
>> Joseph
>> 
>> 
>> 
>> Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
>> Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
>> Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
>> L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
>> N'imprimez ce message que si nécessaire, pensez à l'environnement.
>> 
>> This message and any attachments is intended solely for the intended addressees and is confidential.
>> If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
>> Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
>> Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
>> Do not print this message unless it is necessary, please consider the environment.
>> <oledata.mso>
> 
> 
> 
> Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
> Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
> Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
> L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
> N'imprimez ce message que si nécessaire, pensez à l'environnement.
> 
> This message and any attachments is intended solely for the intended addressees and is confidential.
> If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
> Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
> Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
> Do not print this message unless it is necessary, please consider the environment.

v2.23.0 | Report a Bug | By Email