Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
Justin Richer <jricher@mit.edu> Mon, 18 January 2016 11:48 UTC
Date: Mon, 18 Jan 2016 06:47:54 -0500
From: Justin Richer <jricher@mit.edu>
To: Sergey Beryozkin <sberyozkin@gmail.com>, oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/rtZaCFEAdf7hNwmWORZ0yWySw3U>
Yes, this is common practice. Give the user the option to remember the decision. This is known as "trust on first use", or TOFU. Our server, MITREid Connect, implements this as do many others.

-- Justin
Sent from my phone

-------- Original message --------
From: Sergey Beryozkin <sberyozkin@gmail.com>
Date: 1/18/2016 5:59 AM (GMT-05:00)
To: oauth@ietf.org
Subject: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Hi All

The question relates to the process of showing the authorization code/implicit flow consent screen to a user.

I'm discussing with my colleagues the possibility of avoiding asking the same user, whose session has expired and who is re-authenticating with the AS, which scopes should be approved.

For example, suppose the OAuth2 client redirects a user with the requested scope 'a'. The user signs in to the AS and is shown a consent screen asking to approve the 'a' scope. The user approves 'a' and the flow continues.

Some time later, when the user's session has expired, the user is redirected to the AS with the same 'a' scope. Would it be a good idea, at this point, not to show the user the consent screen asking to approve the 'a' scope again?

For example, the AS can persist the fact that a given user has already approved 'a' for a given client earlier, so when the user re-authenticates, the AS will use this info and will avoid showing the consent screen.

That seems to make sense, but I'm wondering, can there be some security implications associated with it? Any recommendations/advice will be welcome.

Sergey
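The remembered-consent ("trust on first use") check that both messages describe, written out as an added example for this thread. It is not code from MITREid Connect or any other server mentioned here; ConsentStore, ApprovedGrant and decide_consent are hypothetical names, and the prompt parameter values (consent, none) are the OpenID Connect ones, assumed here because a server that remembers decisions has to honour them.

```python
"""Remembered consent ("trust on first use") for an OAuth 2.0 authorization server.

Added example for this thread; it is not code from MITREid Connect or any other
server. ConsentStore, ApprovedGrant and decide_consent are hypothetical names.
"""
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class ApprovedGrant:
    user_id: str
    client_id: str
    scopes: FrozenSet[str]
    approved_at: float
    expires_at: Optional[float]  # None means the remembered decision does not expire


class ConsentStore:
    """Persists which scopes a user has approved for a given client.

    The key is (user_id, client_id): an approval given to client A must never
    satisfy a request from client B, even for the same user and the same scope.
    """

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], ApprovedGrant] = {}

    def remember(self, user_id: str, client_id: str, scopes: Iterable[str],
                 ttl_seconds: Optional[float] = None,
                 now: Optional[float] = None) -> ApprovedGrant:
        now = time.time() if now is None else now
        key = (user_id, client_id)
        prior = self._grants.get(key)
        # Accumulate: approving 'b' later must not forget the earlier 'a'.
        merged = frozenset(scopes) | (prior.scopes if prior else frozenset())
        grant = ApprovedGrant(user_id, client_id, merged, now,
                              None if ttl_seconds is None else now + ttl_seconds)
        self._grants[key] = grant
        return grant

    def revoke(self, user_id: str, client_id: str) -> None:
        # The user must be able to withdraw a remembered decision.
        self._grants.pop((user_id, client_id), None)

    def lookup(self, user_id: str, client_id: str,
               now: Optional[float] = None) -> Optional[ApprovedGrant]:
        now = time.time() if now is None else now
        grant = self._grants.get((user_id, client_id))
        if grant is None:
            return None
        if grant.expires_at is not None and now >= grant.expires_at:
            self._grants.pop((user_id, client_id), None)  # stale decision: re-prompt
            return None
        return grant


def decide_consent(store: ConsentStore, user_id: str, client_id: str,
                   requested_scopes: Iterable[str], prompt: Optional[str] = None,
                   now: Optional[float] = None) -> Tuple[str, FrozenSet[str]]:
    """Decide what the AS does once the user has (re)authenticated.

    Returns (action, scopes_not_yet_approved) where action is
      "skip"                   every requested scope was approved before
      "prompt"                 show the consent screen for the listed scopes
      "error:consent_required" OIDC prompt=none forbids any UI, so fail
    """
    requested = frozenset(requested_scopes)
    if prompt == "consent":
        # OIDC prompt=consent: the client explicitly asks for the screen.
        return "prompt", requested
    grant = store.lookup(user_id, client_id, now)
    approved = grant.scopes if grant else frozenset()
    missing = requested - approved  # a wider scope set is never silently granted
    if not missing:
        return "skip", frozenset()
    if prompt == "none":
        return "error:consent_required", missing
    return "prompt", missing


if __name__ == "__main__":
    store = ConsentStore()
    # First visit: nothing remembered, so the screen is shown for 'a'.
    print(decide_consent(store, "alice", "client-1", ["a"], now=1000.0))
    store.remember("alice", "client-1", ["a"], now=1000.0)
    # Session expired, user re-authenticates with the same scope: no screen.
    print(decide_consent(store, "alice", "client-1", ["a"], now=5000.0))
    # Same client now asks for 'a' and 'b': only 'b' needs approval.
    print(decide_consent(store, "alice", "client-1", ["a", "b"], now=5000.0))
```

The three checks that matter when skipping the screen are all in decide_consent: the remembered decision is keyed by client as well as user, the requested scopes must be a subset of what was approved (a request for 'a b' after an approval of 'a' prompts again, at least for 'b'), and the decision can be revoked or aged out so that it is not permanent. Whether the store lives in memory, a database or a signed cookie is a deployment choice; the comparison logic is the same.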
- [OAUTH-WG] Can the repeated authorization of scop… Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Justin Richer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … William Denniss
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … Justin Richer
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … Thomas Broyer
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … George Fletcher
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … William Denniss
- Re: [OAUTH-WG] Can the repeated authorization of … Sergey Beryozkin
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley
- Re: [OAUTH-WG] Can the repeated authorization of … John Bradley