IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Step-up Authentication

Brian Campbell <bcampbell@pingidentity.com> Tue, 11 October 2022 13:57 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD16C159A21 for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2022 06:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ij9lxeTBm0mx for <oauth@ietfa.amsl.com>; Tue, 11 Oct 2022 06:57:17 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 884AAC1595E2 for <oauth@ietf.org>; Tue, 11 Oct 2022 06:57:17 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-333a4a5d495so127754967b3.10 for <oauth@ietf.org>; Tue, 11 Oct 2022 06:57:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=yv7uWcRn7GmZYNyK8goy+N0Thq8ATNoztkUQ3dZ1Pd8=; b=Tn5oIO6oi9SiCiSKxWP+lgDLUDMX5KBdOAc2gOoXGHgZTqjPav590aV4SwvBmKITH0 Nk7JwHt0caUOGPPVUJ6Myg2qStTgSf3IVD4YE0NVgJzP1WgUJS0XGwifR+mawV8KVkQB RjLPvSUMRdYjvkU0RThvNNFeiCO9PQNKLMgGf1MY1vhdxwgrp2yGS8hJwERXSKOjeThZ yPl1jVAnGmktXxBHwlr+BYUNY02xxMmNPGqaAgYfDQSmMayHIGoLBmVXnKEEk6Ph6+Aj FqcZATFtCy0Y43EGJ7ZXkvOyRCpPZ1jEfuHygnVjsl0/0TxWpr/OAvpJQWjEf6/Q7Y2M zrTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yv7uWcRn7GmZYNyK8goy+N0Thq8ATNoztkUQ3dZ1Pd8=; b=hjQdpadhL2hpLWrqJhG3yoD6N4twZ2071A64nth154c2vlA1V8q6tJBOZCo3YMK0Sx mv6hHtMer8Btb6inZN3yRWj/HB5YPRRwdvU9rBroLsdMwNJ3OKP4vVWvyrlKNo0omPjv fR4z07GPn6WESCMSWkkHsTedZV/G2GdxrBROzTpI9X9xTSt3y5Mvqlkbj8laq3ZyQKWV EF3Z8XQcGL+62kKm1jAEBZQZB3KjXczhRpOKP6xU58Ai178BKaV9xm9S69R+6PY7F8iq aNefUERGNuxzMVrjK3hCJEzlSopYDElYJhPhR3RYZp0V7McK0r1bHIZjxF8yxxVYJd+y Tnsw==
X-Gm-Message-State: ACrzQf0lTqPYARxYMD/+WSHDVh2RVQi4TUvQh41a8ziltZN1mniy/K+u Q9UtCMxkQL+qRCGBJzjUY+sT5KUVVPUNLxIU/Ba3Q4Mpus05fUZ2wgIIqXObOuDvZhfOGbmssWe Eaf1PA9+0kHC6afFd+wU=
X-Google-Smtp-Source: AMsMyM4zgJduwiixNGtLFHU0UusHO5hMv76D+2PyT3gv5ZzEGMRG1jSjZJgenQ1EBjEDVQ7NSNK51kqs7f4LzIElIYc=
X-Received: by 2002:a0d:de43:0:b0:349:31bd:e8d5 with SMTP id h64-20020a0dde43000000b0034931bde8d5mr21271731ywe.283.1665496636299; Tue, 11 Oct 2022 06:57:16 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com> <CAEMK1uaBedVBcoBuf9NY53sa2MRKh2j5gXrnW65PCiGj6Rzu7g@mail.gmail.com> <CAEFJvaoHyDoj3mbKhSqZmwCjE-iNNk0ZF1V6X_b35SDbp9iXjQ@mail.gmail.com> <CA+k3eCSfy6_kDf1BYciiqdZVE93-VBt3WYYiD9fJNFN33_K3xw@mail.gmail.com>
In-Reply-To: <CA+k3eCSfy6_kDf1BYciiqdZVE93-VBt3WYYiD9fJNFN33_K3xw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Oct 2022 07:56:26 -0600
Message-ID: <CA+k3eCSdmZ-Du-8-f82UapRmS+fsVjhGthTC_BOSs+UGsXjUGg@mail.gmail.com>
To: Vittorio Bertocci <vittorio=40auth0.com@dmarc.ietf.org>
Cc: Dima Postnikov <dima@postnikov.net>, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000061b15c05eac2a7de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZNFqzbbX2UKjse4V4GBwLyFAltE>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 13:57:22 -0000

I forgot to add Dima to the acknowledgements yesterday when doing -04
(thanks Vittorio for catching that). I'll rectify that shortly.

On Mon, Oct 10, 2022, 4:53 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> I've published an -04. It has that very minor change. There was also an
> off-list discussion during WGLC that resulted in thinking it'd be
> worthwhile to add a reminder that access tokens are opaque to clients. So I
> took that as LC feedback and -04 adds a brief note towards that end.
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
>
>
>
> On Mon, Oct 10, 2022 at 1:22 PM Vittorio Bertocci <vittorio=
> 40auth0.com@dmarc.ietf.org> wrote:
>
>> Thanks Dima for the comment. Some thoughts:
>>
>> > (editorial)...
>> Good point. "statically" would characterize the simplest of the
>> scenarios, but in fact any case where the AS is the only arbiter of the
>> authn level works for the point we are trying to make. We'll drop
>> "statically". Thanks!
>>
>> > Apart from...
>> This spec focuses on empowering an RS to communicate its ACR and
>> freshness requirements, regardless of the reasons leading the RS to make
>> that determination: the logic by which that happens is explicitly out of
>> scope, and in many real life cases it might simply be unknowable (eg
>> anomaly detection engines based on ML are often back boxes). The mechanism
>> described here can be used alongside other mechanisms that might require
>> the client to get the user to interact with the AS, as it is the case for
>> insufficient_scope, but those remain distinct cases (eg insufficient _scope
>> might not require any step up but simply explicit user consent, and if it
>> does require a stepup, that's entirely determined by the AS without any
>> communication with client or RS required).
>>
>> On Fri, Oct 7, 2022 at 17:43 Dima Postnikov <dima@postnikov.net> wrote:
>>
>>> *This message originated outside your organization.*
>>>
>>> ------------------------------
>>>
>>> Couple of quick comments from me:
>>>
>>> 1) (Editorial) >In simple API authorization scenarios, an authorization
>>> server will statically determine what authentication technique
>>>
>>> In many scenarios, authorization servers will use *dynamic* decisioning
>>> to determine authentication techniques; it's just not exposed to the
>>> client in a way to make it actionable (which is why this specification's
>>> intent makes perfect sense).
>>>
>>> 2) Apart from authentication level, there might be other reasons why
>>> users might be forced to go through the authorization flow, for example,
>>> insufficient authorization / scopes / claims / etc.
>>>
>>> If there is a mechanism to let the client know, as a practitioner, i'd
>>> rather have the same approach for both authentication and authorization.
>>> There are a range of authorization policy engines in the market that could
>>> return "STEP UP is required" after looking at authentication, authorisation
>>> and many other real-time signals. It's just not standardized...
>>>
>>>
>>> On Sat, Oct 8, 2022 at 7:30 AM Pieter Kasselman <pieter.kasselman=
>>> 40microsoft.com@dmarc.ietf.org> wrote:
>>>
>>>> I am very supportive of this work and have been working through
>>>> different use cases to see whether it can satisfy the requirements that
>>>> arise from them.
>>>>
>>>>
>>>>
>>>> One observation from working through these uses cases is that as
>>>> customers move to Zero Trust architectures, we are seeing customers
>>>> adopting finer grained policy segmentation. Consequently customers are
>>>> planning to deploy segmented access control by data or action sensitivity,
>>>> within a service. This approach to policy design makes it more common for a
>>>> single service to depend on multiple authentication context values or
>>>> combinations of authentication context values.
>>>>
>>>>
>>>>
>>>> An example of this is a policy that has multiple acr values (e.g.
>>>> acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A
>>>> customer may define a policy that requires different combinations of these
>>>> acr values, for example, a file server may requires password for general
>>>> access (e.g. acr1), FIDO authentication (acr2) or password access and being
>>>> on a trusted network to read sensitive data (acr 2 of (acr1 + acr 4), FIDO
>>>> authentication and password (acr1 + acr2) for accessing editing sensitive
>>>> documents and a real-time selfie check on top of FIDO and presence on a
>>>> trusted network  (acr1 + acr2 + acr3 + acr4) to initiate a sensitive
>>>> workflow (e.g. check-in code). Other variations of this includes database
>>>> access with different types of access requirement for certain rows
>>>> (row-level permissions) or columns (column level permissions) with
>>>> different combinations of acr values.
>>>>
>>>>
>>>>
>>>> I was curious if this type of scenario where multiple authentication
>>>> contexts and combinations of contexts are required is something others see
>>>> (or are beginning to see) as well?
>>>>
>>>>
>>>>
>>>> Cheers
>>>>
>>>>
>>>>
>>>> Pieter
>>>>
>>>>
>>>>
>>>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat
>>>> Shekh-Yusef
>>>> *Sent:* Thursday, September 22, 2022 3:02 PM
>>>> *To:* oauth <oauth@ietf.org>
>>>> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication
>>>>
>>>>
>>>>
>>>> *Correction:*
>>>>
>>>>
>>>>
>>>> Please, review the document and provide your feedback on the mailing
>>>> list by *Oct 7th, 2022*.
>>>>
>>>>
>>>>
>>>> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <
>>>> rifaat.s.ietf@gmail.com> wrote:
>>>>
>>>> All,
>>>>
>>>>
>>>>
>>>> This is to start a *WG Last Call *for the *Step-up Authentication *
>>>> document:
>>>>
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html
>>>> <https://urldefense.com/v3/__https://nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Farchive*2Fid*2Fdraft-ietf-oauth-step-up-authn-challenge-03.html&data=05*7C01*7Cpieter.kasselman*40microsoft.com*7C0078f809101147bc978308da9ca32020*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637994521713812011*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000*7C*7C*7C&sdata=18sfemyWqYb06PvUA9eTLaq0ccDY14*2F6ETo58JpE*2FJQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAomtRXj8$>
>>>>
>>>>
>>>> Please, review the document and provide your feedback on the mailing
>>>> list by *Sep 30th, 2022*.
>>>>
>>>> Regards,
>>>>  Rifaat & Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!PwKahg!537tJQfGj3Z_Yi2waywl1VPGyDs9818JE-M-KNFgPtoB0O26a7ksRvAYrPyzfKKXsMKCVblAbcE1GME$>
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email