Re: [OAUTH-WG] Issuers, Discovery Docs & Brands
Joseph Heenan <joseph@authlete.com> Fri, 22 May 2020 08:35 UTC
Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50C5E3A0747 for <oauth@ietfa.amsl.com>; Fri, 22 May 2020 01:35:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JAJ3K4hAGSbh for <oauth@ietfa.amsl.com>; Fri, 22 May 2020 01:35:01 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2413A0764 for <oauth@ietf.org>; Fri, 22 May 2020 01:35:00 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id t8so3908943wmi.0 for <oauth@ietf.org>; Fri, 22 May 2020 01:35:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=OBkWujec2HI8t9+fXqGFhZkbrhWhgkJIA+I1WowJH60=; b=ZhTk8mHJhgdykNHpRUeUnJtqIYboGUoK6CvUH1t3vGYQ85Ht+1hGMoN8zcNsy5YfWl D6KP5DOl/c1ZHnTvfLPYipZ7aP4eqrQgxYeAweI/goRW30NzCqql+WTwCF92swWf4Sqn qatuaIPpK2uHYPwHS/f9smpXOmYDD4zGLG2vub6ba3lWuCfakDxTV77+Rh+5OgXHvWYJ XQPNZU9BNoDBHzsmgQ18OJihzGGBCwJrjxSgdOLmCJ4a4eyesp9T8ZS6K74Unut6Nb9D XonjNq37jnSEqQKZKv2JTSWQZxMpDFIlgHXwyTlp7Ud1HiS4sfg6s2Hd630HHouCxzcD V+uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=OBkWujec2HI8t9+fXqGFhZkbrhWhgkJIA+I1WowJH60=; b=Zb6fGG3vgAafiPn9Vj05B716yGODeWdrWsYOGnAKSz5Jr3jbKVXqgiTvEibZaK8vnH G2z3jXC9plLp9i64d0sfV/1sCchcZek8pZFj3pwJay0KPj0Sfs7sr96tnaCkp6webQsT 9R4/QtBOt5mI4Lq0KUhZ4oywb35WM7HRQ+c0xG9ruQbzVtowjamcKMBkfPD6hCqZW31N Rkdky0+ahvjd8wEkO+LbEOYc3reqBzZDjKODOoNb2GQIvNomAnnnu3rCuU6XbqxSBK5T 49qM3rlrlHu0zlQDM6QrlVz6q6D/PxRLbkRo5mxzfKmYnotiGHn7n1x9pfBCikwpmwuj gKjw==
X-Gm-Message-State: AOAM530vlHDCBGcFQ799uMc0DDqb2tmFGviMqgpfSBZjuluJL7pqNGGD bNoWUjBtUOf4oYKDSVu1cj2svQ==
X-Google-Smtp-Source: ABdhPJxuRXI8RRkuTOIgW4G0pmT9VadkuShLeZdYPNiv6X3udCagQelQ4fDZZQW7/yttov7qsf06nQ==
X-Received: by 2002:a05:600c:290f:: with SMTP id i15mr12619013wmd.153.1590136497445; Fri, 22 May 2020 01:34:57 -0700 (PDT)
Received: from [192.168.1.112] (home.heenan.me.uk. [212.159.108.133]) by smtp.gmail.com with ESMTPSA id v126sm9560023wmb.4.2020.05.22.01.34.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 May 2020 01:34:56 -0700 (PDT)
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <E4CE8513-ABC0-4DE0-A1EE-4005AE15B580@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_77E6ADDF-C887-4F28-8E95-42AF7186D4DE"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Fri, 22 May 2020 09:34:56 +0100
In-Reply-To: <66FD701A-6036-4D6E-A2AB-E206A0043BBF@authlete.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, oauth <oauth@ietf.org>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <CAP-T6TTehOT7U_fniZdHsei1C1phOWQfK7o=fHSNciXSTjviPA@mail.gmail.com> <2066e8dd-fac8-db15-6d5c-19b11db050a2@connect2id.com> <72D97116-747B-47FE-A4D7-E729B708E723@fintechlabs.io> <365a545e-cd20-65c7-c7ae-d71c63865fce@connect2id.com> <78531853-D0B1-492C-85DA-E140A921B04B@lodderstedt.net> <99394ea7-4588-5a5e-6997-bb96a19a1196@connect2id.com> <66FD701A-6036-4D6E-A2AB-E206A0043BBF@authlete.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZKhO0QcMPzvo2jYdZhT3otkFJT4>
Subject: Re: [OAUTH-WG] Issuers, Discovery Docs & Brands
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2020 08:35:06 -0000
I just realised that “client chooser” in the below is a very ambiguous term. Please read it to mean “a chooser presented by the client”. (And in the UK today, that chooser is manually populated by the client developer based on the central directory.) Joseph > On 22 May 2020, at 09:32, Joseph Heenan <Joseph@authlete.com> wrote: > > Thanks Vladimir/Torsten. > > I agree, it would make sense to have some form of static id for each entry. My first attempt started out similar but for some reason I decided to simplify… > > On the conceptual side for choosers (and biased towards how the UK openbanking ecosystem works as that’s what I know best), what this allows for is: > > client chooser -> authorisation endpoint > > Where the list is: > > “Bank a” > “Loadsamoney personal” > “Loadsamoney business” > “Bank c" > > > Instead of the only ’standards compliant’ way to do app2app in this case today of: > > client chooser -> AS interstitial chooser on authorization endpoint -> real authorization endpoint > > Where the first chooser is: > > “Bank a” > “Loadsamoney” > “Bank c” > > And the second: > > “Personal" > “Business" > > The first case is much better, particularly for the real multi-brand case where the end user might not even associate the two bank brandnames with each other. > > What actually happens today is the first case (single RP chooser), but based on banks emailing around lists of alternative authorization endpoints to the RP, or publishing the details on obscure developer portals - which destroys much of the convenience / agility / security the server metadata RFC was trying achieve. > > The issue of how the RP finds the server metadata document is unchanged from today. (In the UK, we have a centralised directory that lists them.) > > Joseph > > > >> On 22 May 2020, at 08:52, Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote: >> >> With that said it makes sense to devise a structure which can accommodate UI driven as well as automatic choice. >> >> The UI driven chooser will need a human readable description and other UI hints. This can work for instance with "classic" OIDC Discovery. >> >> The "auto" chooser will need some sort of an ID. For a bank chooser this means providing the issuer URI and an optional brand ID and both must get registered together. Or, one could define a standard brand ID (label) for banking operations and if the "alternative_authorization_endpoints" is present look for it in the structure, else fall back to the default "authorization_endpoint". >> Here is one possible layout which has IDs and UI hints: >> >> { >> ... >> "alternative_authorization_endpoints": { >> "banking": { >> "authorization_endpoint": "https://loadsamoney/business/auth" <https://loadsamoney/business/auth>, >> "description": "loadsmoney business banking customers", >> "logo_url": "https://loadsamoney/business/logo.png" <https://loadsamoney/business/logo.png> >> }, >> "personal": { >> "authorization_endpoint": "https://loadsamoney/consumer/auth" <https://loadsamoney/consumer/auth>, >> "description": "loadsmoney personal customers", >> "logo_url": "https://loadsamoney/consumer/logo.png" <https://loadsamoney/consumer/logo.png> >> } >> } >> } >> >> >> On 22/05/2020 09:59, Torsten Lodderstedt wrote: >>> I think an id or label per endpoint set would be needed to determine the set of endpoints to be used by a certain client. >>> >>> On the conceptual side, I’m asking myself how the complete process is supposed to work. Who is deciding what issuer/endpoint set combination to use. I assume in an open banking scenario, there will always be some kind of bank chooser. Will this chooser provide the client with issuer and brand id? >>> >>>> On 22. May 2020, at 08:10, Vladimir Dzhuvinov <vladimir@connect2id.com> <mailto:vladimir@connect2id.com> wrote: >>>> >>>> A mapping like the one you propose can definitely work. Since the user will be making the choice which endpoint to take with the client app, having the logo_uri is a good idea. If the branded endpoints differ somehow in policy one could also allow inclusion of the op_policy_uri and op_tos_uri params from Discovery. >>>> >>>> https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery <https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery> >>>> >>>> Vladimir >>>> >>>> On 20/05/2020 19:16, Joseph Heenan wrote: >>>>> Thanks for your thoughts Vladimir! >>>>> >>>>> The client_id based solution I wasn’t previously aware of - unfortunately it doesn’t solve the problem for app2app, as the mobile OS selects the app to use based purely on the URL (and in at least the iOS case will not offer the user a choice if multiple apps claim to handle the same url). >>>>> >>>>> I think some kind of mapping like you suggest will work and fallback, I wonder about a structure in the authorization server metadata something like this: >>>>> >>>>> { >>>>> ... >>>>> "alternative_authorization_endpoints": [ >>>>> { >>>>> "authorization_endpoint": "https://loadsamoney/business/auth" <https://loadsamoney/business/auth>, >>>>> "description": "loadsmoney business banking customers", >>>>> "logo_url": "https://loadsamoney/business/logo.png" <https://loadsamoney/business/logo.png> >>>>> }, >>>>> { >>>>> "authorization_endpoint": "https://loadsamoney/consumer/auth" <https://loadsamoney/consumer/auth>, >>>>> "description": "loadsmoney personal customers", >>>>> "logo_url": "https://loadsamoney/consumer/logo.png" <https://loadsamoney/consumer/logo.png> >>>>> } >>>>> ] >>>>> } >>>>> >>>>> And as you say, the existing authorization_endpoint can be a fallback for clients that are unaware of the new spec or prefer the simpler option of just using a single authorization endpoint. Supporting the new spec would allow a better UX though so there’s advantages to client to do so. >>>>>> Speaking of mTLS, I'm not sure how the "mtls_endpoint_aliases" can be sensibly combined with the proposed multi-brand spec. >>>>>> >>>>> I think that particular part is not really an issue as mtls isn’t used at the authorization endpoint. >>>>> >>>>> Thanks >>>>> >>>>> Joseph >>>>> >>>>> >>>>>> On 20 May 2020, at 16:07, Vladimir Dzhuvinov <vladimir@connect2id.com> <mailto:vladimir@connect2id.com> wrote: >>>>>> >>>>>> Hi Dave, >>>>>> >>>>>> In the absence of such a "multi-brand" spec we have tackled this issue in the past by letting the "brand" be encoded in the client_id. An alternative scenario is to do a "brand" lookup by client_id. Then let the AS render the "branded" authZ endpoint. >>>>>> >>>>>> You're probably aware the mTLS spec is allowing for endpoint aliases, so this is not the first time such as need has occurred: >>>>>> >>>>>> https://tools.ietf.org/html/rfc8705#section-5 <https://tools.ietf.org/html/rfc8705#section-5> >>>>>> >>>>>> One could devise a similar JSON object with mappings "label" - "authorization_endpoint". >>>>>> >>>>>> Clients that are aware of the new spec will look it up, those that are not will fall back to the std "authorization_endpoint". >>>>>> >>>>>> Speaking of mTLS, I'm not sure how the "mtls_endpoint_aliases" can be sensibly combined with the proposed multi-brand spec. >>>>>> >>>>>> >>>>>> >>>>>> Vladimir >>>>>> >>>>>> >>>>>> >>>>>> On 20/05/2020 15:07, Dave Tonge wrote: >>>>>>> Dear OAuth WG >>>>>>> >>>>>>> We have an issue in the OpenID FAPI Working Group that we believe affects the wider OAuth community. >>>>>>> >>>>>>> In summary: what is the recommended approach to discovery (RFC8414) for Authorization Servers who support multiple "brands" . >>>>>>> >>>>>>> If brands are completely separate, then it seems sensible that each brand must have its own `issuer` and therefore its own discovery document at the correct location (i.e. brand 1 would have an issuer of "https://as/brand1" <https://as/brand1> and a discovery document available at https://as/.well-known/oauth-authorization-server/brand1 <https://as/.well-known/oauth-authorization-server/brand1>). >>>>>>> >>>>>>> However in the real world it is not always so simple. We have many existing implementations in UK open banking that support multiple authorization endpoints. Here is an example (thanks to @Joseph Heenan ) >>>>>>> >>>>>>>> Bank “loadsamoney” has one idp and, for internet banking, one “login page” for both business and personal customers. >>>>>>>> They have separate mobile apps for business/personal, and are required to support app2app. This means they will definitely be exposing multiple authorization endpoints (as there’s a 1:1 mapping of authorization endpoints to mobile apps) - the choice is how they do this. >>>>>>>> Their choices are: >>>>>>>> 1. Multiple discovery endpoints (one for business, one for personal), each with a different authorization endpoint, multiple issuers (if their vendor allows this) >>>>>>>> 2. Single discovery endpoint, single issuer, multiple authorization endpoints listed in one discovery doc (one for business, one for personal) some of which are hardcoded by the 3rd party >>>>>>>> 3. Multiple discovery endpoints each with a different authorization endpoint, same issuer in all cases (breaks RFC8414 and OIDC Discovery) >>>>>>> Option 3 is invalid and that leaves us with options 1 and 2. >>>>>>> Option 1 can be problematic as often it is in reality the same `issuer` behind the scenes. >>>>>>> >>>>>>> We would like to get feedback on this issue and potentially an extension to RFC8414 to allow the definition of multiple authorization endpoints. >>>>>>> >>>>>>> Thanks in advance >>>>>>> >>>>>>> Dave Tonge >>>>>>> Co-Chair FAPI WG >>>>>>> Open ID Foundation >>>>>>> >>>>>>> >>>> -- >>>> Vladimir Dzhuvinov >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> -- >> Vladimir Dzhuvinov >
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Vladimir Dzhuvinov
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Torsten Lodderstedt
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Vladimir Dzhuvinov
- [OAUTH-WG] Issuers, Discovery Docs & Brands Dave Tonge
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Vladimir Dzhuvinov
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Joseph Heenan
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Joseph Heenan
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Joseph Heenan
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Torsten Lodderstedt
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Francis Pouatcha
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Vladimir Dzhuvinov
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Francis Pouatcha
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Dave Tonge
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Francis Pouatcha
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Joseph Heenan
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Manger, James
- Re: [OAUTH-WG] [Openid-specs-fapi] Issuers, Disco… Torsten Lodderstedt
- Re: [OAUTH-WG] Issuers, Discovery Docs & Brands Joseph Heenan