IETF Logo Mail Archive

Re: [OAUTH-WG] Question regarding RFC 8628

Robache Hervé <herve.robache@stet.eu> Mon, 18 November 2019 13:17 UTC

Return-Path: <herve.robache@stet.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E81120059 for <oauth@ietfa.amsl.com>; Mon, 18 Nov 2019 05:17:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C_NDNbPC5CWe for <oauth@ietfa.amsl.com>; Mon, 18 Nov 2019 05:17:38 -0800 (PST)
Received: from mx.stet.eu (mx.stet.eu [85.233.205.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B31412004F for <oauth@ietf.org>; Mon, 18 Nov 2019 05:17:37 -0800 (PST)
Received: from mail.stet.eu ([10.17.2.21]) by mx.stet.eu with ESMTP id xAIDHQmV017357-xAIDHQmX017357 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=CAFAIL); Mon, 18 Nov 2019 14:17:35 +0100
Received: from STEMES002.steteu.corp (10.17.2.22) by STEMES001.steteu.corp (10.17.2.21) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 18 Nov 2019 14:17:26 +0100
Received: from STEMES002.steteu.corp ([fe80::61f9:86a6:9add:e621]) by STEMES002.steteu.corp ([fe80::61f9:86a6:9add:e621%14]) with mapi id 15.00.1497.000; Mon, 18 Nov 2019 14:17:26 +0100
From: Robache Hervé <herve.robache@stet.eu>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Question regarding RFC 8628
Thread-Index: AdWeEIyy5guyIrBDSg2ccp+OglQ2ewAAB2Eg
Date: Mon, 18 Nov 2019 13:17:25 +0000
Message-ID: <bab1c3a71a924582b25b76ac71d6b960@STEMES002.steteu.corp>
References: <7EFD9524-9C66-4A64-865F-9F3862896BF0@lodderstedt.net>
In-Reply-To: <7EFD9524-9C66-4A64-865F-9F3862896BF0@lodderstedt.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.17.2.170]
x-tm-as-product-ver: SMEX-12.5.0.1684-8.5.1010-25050.007
x-tm-as-result: No-22.661100-8.000000-10
x-tmase-matchedrid: Xng75ui6jXmeGXFpAoGIoe5i6weAmSDKqr0Np6cKdO5fQRiqw0gT4DcI a9gjeLdiWRv4gMq+CegHdptXFFME7wRytbWF0BphCgHQMFomsrRv+B0owAW3BpcDGDiTFmuGs03 PiUbxvvhR1tTDNqr8dVjZYFGVYSCavqDeDn7UX95DO9NSmfde1K6IBbSnfz+3CwWRLqiC/UqTvZ kBseIwt0mu4uFjBmMBf9krIFPI8jVu7xCoxCPC8oDcpVWyPxAMqAn+yHbzwCc61tq0X03xqwF9A YTAlUKX0sPBEFrRIh0PbErEfKxaT/q1PT1fWLFiJhFEQZiq2ZQ2Ajd4eN7gE4xRWJphhsrcTXOj 1XBAu3ApTvNzKFoS2tYHxVr9gN7RblRUOPmdAoaphk0MrYwMJaGEqigf79/LDC/Vm90If4V0NOB 2+sLcHjtM69D53EEGZkGyUM9wXm88rP3vBQrJ4Dnb8O0YN0Q5B3pH4ml/JkesxvTCCnhvxs3dZ3 ToIUUwCPVrqEYobqeNfRPX9m9ebcL6eJudwMqmD1EMyEt30vH2155bpR+TIAg2kgWdt3qamlSdz QN+qA9Rp/ESK4mG//NrCTKGuaZarXfUFLTGayCrSt6KHcT2sac7Cle6iy50ThCCwTgXpi/ccF+v Y4fYYeL4dmU2GvmqCUWFRzsRSQJq142gj0zclaGGAym3r7HtyoUTqBF1E5tsnR1RUJec9K2b9fo 4bSy/scIYR1UDazv/ptHenHPSOY+axNKleguEnxvPm4vv97xezmeoa8MJ81IxScKXZnK01Is5Gv hmGbyh2KiwOdX83yGvKsBQW4B9lZhMdHLR3SKrm7DrUlmNkF+24nCsUSFNmBJMroHl9O0fZMPNH XeG7gwWxr7XDKH8vpz0BhZ1OU5p8d+GjxEpp+CBkyeSa0k1pGsOJ4jdMahSm4a8BHzi8Q==
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-tmase-result: 10--22.661100-8.000000
x-tmase-version: SMEX-12.5.0.1684-8.5.1010-25050.007
x-tm-snts-smtp: 4EFC063D34F8631872BD0049E0C68E61829154259D9C9620344FD83DAF4D96C72000:9
Content-Type: multipart/alternative; boundary="_000_bab1c3a71a924582b25b76ac71d6b960STEMES002steteucorp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h4DBbjyYHABoP6COtUWvwcnxduU>
Subject: Re: [OAUTH-WG] Question regarding RFC 8628
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 13:17:50 -0000

Thanks Torsten

Yes, we study this flow as well. Actually we consider the two following flows for a mobile-based authentication


-          DECOUPLED : via a RFC8628-derived or CIBA approach (as suggested by Rob)

-          REDIRECT : via the flow specified in the OpenId link you gave.

The main issue encountered so far is to give back the focus on the third party app. Third Parties fear that their app will be kept in the back of the mobile screen. This could happen when the TPP app [app link]/[universal link] is not properly registered or forwarded to the bank app.

-          In the REDIRECT approach this means that the authorization code cannot be forwarded to the TPP

-          In the DECOUPLED approach it less critical since the TPP polls the bank and eventually gets its token once the PSU has authenticated.

Best regards

Hervé

De : Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
Envoyé : lundi 18 novembre 2019 11:39
À : Robache Hervé
Cc : oauth@ietf.org
Objet : [OAUTH-WG] Question regarding RFC 8628

Hi Hervé,

I assume you want to allow the TPP to send the PSU to the bank’s app on the same device?

In that case, why don’t you just make the bank’s authorization endpoint URL the universal link? If the universal link is defined on the smartphone (since the bank’s app is installed), the redirect will open the app. If the app is not installed, well, it will open the authorization endpoint in the browser. A very robust and simple approach.

There is an excellent article about this topic by Joseph Hernan on openid.net https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/.

best regards,
Torsten.


Am 18.11.2019 um 16:24 schrieb Robache Hervé <herve.robache@stet.eu>:

Dear all

We are considering using RFC8628 for a specific use case that is related to the version 2 of Payment Service Directive in Europe (PSD2).

The purpose of the work is to provide a decoupled authentication flow for a payment Service User (PSU) aiming to grant access to a Third Party Provider (TPP) for his/her data hosted by a Bank.
The sequence should be as followed:

-          Nominal flow (as specified by the RFC)

o   The TPP asks the PSU about the Bank identity

o   The TPP posts a Device Access Token Request to the Bank

o   The Bank sends back a Device Access Token response to the TPP

o   The TPP starts to poll the bank for gaining the access token

-          Derived flow

o   The “verification_uri_complete” will not be displayed to the PSU but used as an [app link]/[universal link] on a smartphone in order to launch the bank’s app.

o   The bank’s app authenticates the PSU and asks for consent confirmation

-          Back to the nominal flow

o   The TPP gets its access token

Two questions have raised during the work

-          As RFC8628 is supposed to work on separate devices, can the usage be extrapolated to separate apps on the same device (i.e. the PSU’s smartphone)?

-          One issue of the derived flow is that, after authentication, the PSU is still facing the bank’s app

o   We would like to go back to the TPP’s app as fluently as possible. The use of another [app link]/[universal link]could do the job is provided by the TPP. We consider adding this uri as an additional parameter to the “verification_uri_complete”.

o   Is this compliant with RFC8628?

Thanks in advance for your answers.

Hervé Robache


Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
N'imprimez ce message que si nécessaire, pensez à l'environnement.

This message and any attachments is intended solely for the intended addressees and is confidential.
If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
Do not print this message unless it is necessary, please consider the environment.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Ce message et toutes les pièces jointes sont établis à l'intention exclusive de ses destinataires et sont confidentiels.
Si vous recevez ce message par erreur ou s'il ne vous est pas destiné, merci de le détruire ainsi que toute copie de votre système et d'en avertir immédiatement l'expéditeur.
Toute lecture non autorisée, toute utilisation de ce message qui n'est pas conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite.
L'Internet ne permettant pas d'assurer l'intégrité de ce message électronique susceptible d'altération, STET décline toute responsabilité au titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou falsifié.
N'imprimez ce message que si nécessaire, pensez à l'environnement.

This message and any attachments is intended solely for the intended addressees and is confidential.
If you receive this message in error, or are not the intended recipient(s), please delete it and any copies from your systems and immediately notify the sender.
Any unauthorized view, use that does not comply with its purpose, dissemination or disclosure, either whole or partial, is prohibited.
Since the internet cannot guarantee the integrity of this message which may not be reliable, STET shall not be liable for the message if modified, changed or falsified.
Do not print this message unless it is necessary, please consider the environment.

v2.23.0 | Report a Bug | By Email