[OAUTH-WG] Re: One-time confirmation tokens
Denis <denis.ietf@free.fr> Fri, 14 June 2024 08:19 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF525C1516E0 for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:19:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6ThSHa9kpPi for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:19:36 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7748C14CE29 for <oauth@ietf.org>; Fri, 14 Jun 2024 01:19:36 -0700 (PDT)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id 30722780371; Fri, 14 Jun 2024 10:19:34 +0200 (CEST)
Message-ID: <16127c76-89a6-48fc-8e19-93610dd0e953@free.fr>
Date: Fri, 14 Jun 2024 10:19:37 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
References: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: MYS7CI6BWOHIVR7BFSEP5NF2XDCMEKYB
X-Message-ID-Hash: MYS7CI6BWOHIVR7BFSEP5NF2XDCMEKYB
X-MailFrom: denis.ietf@free.fr
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: One-time confirmation tokens
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/umnJG09KhomsD5KGTpDxBvJiAZ8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Dmitry, You have described a scheme with built-in "spy by design" opportunities, where the AS will be in a position to play the role of "Big Brother". If you follow a "privacy by design" approach, you will end up with a different architecture. “If the only tool you have is a hammer, you tend to see every problem as a nail.” OAuth should not be considered to be the only tool. 3D Secure is a way to address payment / money transfers in a privacy-preserving fashion. FYI, the SPICE WG has been created yesterday. A privacy-preserving architecture using digital credentials will be developed there. Denis > Let's take the following (very common) scenario: > * A user logs into the system; > * They request an operation that might require additional confirmation > from the user, at the system's discretion. The most common example > would be payment / money transfer, but could also be generating a > statement or showing card details or any other sensitive operation; > * The user is then directed to the AS where they are displayed > operation details, optionally pass additional authentication and > confirm the operation; > * The AS issues a one-time credential (let's call it "confirmation > token") that can be used to perform that particular operation only; > * Finally, the user performs the operation. > > Is this case completely covered by the current standards? I believe it > is not, and here are my points: > 1. "Confirmation token" looks very different from access token with > regards to its contents, purpose, scope, lifetime and lifecycle. I > think it should complement the access token rather than replace it, > even temporarily. This is why I believe this case is not covered by > Step Up, where the access token is replaced; > 1a. Step Up assumes upgrading the session's ACR; in the > "confirmation" scenario, ACR could remain unchanged; > 2. No standard way for the RS to signal to the client that the > requested operation requires confirmation. That could optionally > include server-supplied nonce (similar to DPoP) to help enforce > "confirmation token"'s shorter lifetime and one-time use, but it is > not clear how to communicate that to the client; > 3. No standard way for the client to request one-time "confirmation > token" from the AS; > 4. No standard way for the AS to indicate that the returned token is > actually "confirmation token" and not a Bearer token; > 5. No standard way for the RS to tell that the incoming token is > actually a "confirmation token" and requires special handling > (one-time use, checking against operation parameters etc.) > 6. On a plus side, RAR can be used to communicate operation details to > the AS while initiating "confirmation". > > 3-5 could be probably done with a combination of scopes + RAR. What > concerns me most is the lack of complementary token semantics (1) and > inability for the RS to signal the confirmation requirement to the > client (2), which could include operation details and nonce. > > Please correct me if I'm missing something and we have enough coverage > by the standards. But if we don't, would the WG welcome such a document? > > Dmitry Telegin > Backbase / Keycloak > > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org
- [OAUTH-WG] One-time confirmation tokens Dmitry Telegin
- [OAUTH-WG] Re: One-time confirmation tokens Denis
- [OAUTH-WG] Re: One-time confirmation tokens Neil Madden
- [OAUTH-WG] Re: One-time confirmation tokens Dmitry Telegin