Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 21 October 2015 14:01 UTC
To: Justin Richer <jricher@mit.edu>, oauth@ietf.org
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <CAEayHEM=nHk9TbTFno+7otwNry++cYGcGcGuNM7mi19gE5KjcA@mail.gmail.com> <41395617-E5A9-4294-9F8B-DFE9E27F74F8@xmlgrrl.com> <56278DC4.3060600@gmail.com> <5627952C.8060509@mit.edu>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56279AC5.5040605@gmail.com>
Date: Wed, 21 Oct 2015 15:01:41 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/j7AScmuTXnItF8UwUH_Yja-ExEQ>
Hi Justin,

It helps, many thanks. I understand why 'MUST' is there now...

Cheers, Sergey

On 21/10/15 14:37, Justin Richer wrote:
> You're assuming that the user actually took an action to get to that
> page. It's trivial for a website, any website, to craft a URL and
> redirect a user to the IdP. I could give you a link here in this email
> hidden behind a URL shortener or some other redirector. It would be very
> bad practice to release identity information to any site that was
> capable of doing this, and it would be likewise bad to assume
> authorization just because the user showed up at a URL. The ID token
> contains information like a unique identifier and potentially other
> claims (Google puts in email addresses, for instance).
>
> The common practice, codified in both OAuth2 and OIDC, is "Trust On
> First Use", or TOFU. If it's a new situation (new client/RP, new scopes,
> something else you're not sure about), you ask the user. Then you
> (optionally) save that for next time, so if the same situation arises,
> you already have the user's decision and you don't need to prompt them.
> This can be further augmented by whitelisting trusted sites, where the
> IdP/AS is making the authorization decision and not the user.
>
> Hope this helps,
> -- Justin
>
> On 10/21/2015 9:06 AM, Sergey Beryozkin wrote:
>> Hi
>>
>> I cannot subscribe to an OIDC spec list, had some earlier questions
>> not flowing to the list and given I'm not sure this question is
>> irrelevant for this group (OIDC IDP is an OAuth2 server), I'm posting
>> it here. If you'd like me to re-post to the OIDC list then let me know
>> please... Sorry for the noise, just in case :-)
>>
>> So, all the flows in OIDC Core have this section:
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#Consent
>> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitConsent
>> http://openid.net/specs/openid-connect-core-1_0.html#HybridConsent
>>
>> This is pure OAuth2 still.
>>
>> What I do not understand, if the response_type is 'id_token' and the
>> requested scope is 'openid' only,
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#Authentication
>>
>> then what is a consent screen really about?
>>
>> If the response_code is 'id_token' then a user has already given the
>> implicit authorization after visiting a client application web page
>> and clicking "Sign In With Google"/etc, and signing in to the OIDC IDP.
>> I thought this is what "openid" alone is all about.
>>
>> Can someone clarify please if it is reasonable to skip challenging a
>> user with a consent screen in this case.
>>
>> Thanks, Sergey
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
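The TOFU consent logic Justin describes above (prompt on a new client/RP or new scopes, remember the user's decision, optionally whitelist trusted clients so the AS decides instead of the user), as an added Python example that is not code from this thread or from any real authorization server; the client ids, the user "alice" and the store contents are constructed for illustration:

```python
"""Trust-On-First-Use (TOFU) consent decision for an OIDC/OAuth2 authorization server.

Added example, not code from the thread or any real server; client ids, user and
store contents are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ConsentStore:
    # Registered client_ids. Anything else is at best a crafted URL from an unknown
    # site, so the AS refuses outright (redirect_uri validation omitted for brevity).
    registered_clients: set = field(default_factory=set)
    # Clients the AS operator has whitelisted: the AS decides, the user is not asked.
    trusted_clients: set = field(default_factory=set)
    # (sub, client_id) -> scopes this user has already approved for that client.
    granted: dict = field(default_factory=dict)

    def decide(self, sub: str, client_id: str, scopes: set) -> str:
        """Return 'reject', 'issue' (no prompt needed) or 'prompt' (show consent)."""
        if client_id not in self.registered_clients:
            return "reject"
        if client_id in self.trusted_clients:
            return "issue"
        # 'openid' alone still releases an ID token (sub, possibly email), so it is
        # treated like any other scope set: skip the prompt only when this user has
        # already approved every requested scope for this exact client.
        if scopes <= self.granted.get((sub, client_id), set()):
            return "issue"
        return "prompt"

    def record_approval(self, sub: str, client_id: str, scopes: set) -> None:
        """Remember the decision so the same situation does not prompt again."""
        self.granted.setdefault((sub, client_id), set()).update(scopes)


def demo() -> list:
    """Walk through the situations raised in the thread; returns the decisions."""
    store = ConsentStore(registered_clients={"rp-a", "rp-b", "first-party"},
                         trusted_clients={"first-party"})
    out = [store.decide("alice", "evil-site", {"openid"})]     # unregistered: reject
    out.append(store.decide("alice", "rp-a", {"openid"}))       # first use: prompt
    store.record_approval("alice", "rp-a", {"openid"})          # user said yes
    out.append(store.decide("alice", "rp-a", {"openid"}))       # remembered: issue
    out.append(store.decide("alice", "rp-a", {"openid", "email"}))  # new scope: prompt
    out.append(store.decide("alice", "rp-b", {"openid"}))       # new client: prompt
    out.append(store.decide("alice", "first-party", {"openid"}))  # whitelisted: issue
    return out
```

The same user arriving at the AS for `openid` from a client they have never approved is prompted even though they clicked "Sign In" somewhere, because the AS cannot tell that click apart from a crafted redirect.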