[OAUTH-WG] Re: One-time confirmation tokens

Denis <denis.ietf@free.fr> Fri, 14 June 2024 08:19 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF525C1516E0 for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:19:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6ThSHa9kpPi for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:19:36 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7748C14CE29 for <oauth@ietf.org>; Fri, 14 Jun 2024 01:19:36 -0700 (PDT)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id 30722780371; Fri, 14 Jun 2024 10:19:34 +0200 (CEST)
Message-ID: <16127c76-89a6-48fc-8e19-93610dd0e953@free.fr>
Date: Fri, 14 Jun 2024 10:19:37 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
References: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: MYS7CI6BWOHIVR7BFSEP5NF2XDCMEKYB
X-Message-ID-Hash: MYS7CI6BWOHIVR7BFSEP5NF2XDCMEKYB
X-MailFrom: denis.ietf@free.fr
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: One-time confirmation tokens
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/umnJG09KhomsD5KGTpDxBvJiAZ8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Dmitry,

You have described a scheme with built-in "spy by design" opportunities, 
where the AS will be in a position to play the role of "Big Brother".
If you follow a "privacy by design" approach, you will end up with a 
different architecture.

“If the only tool you have is a hammer, you tend to see every problem as 
a nail.”
OAuth should not be considered to be the only tool.

3D Secure is a way to address payment / money transfers in a 
privacy-preserving fashion.

FYI, the SPICE WG has been created yesterday. A privacy-preserving 
architecture using digital credentials will be developed there.

Denis


> Let's take the following (very common) scenario:
> * A user logs into the system;
> * They request an operation that might require additional confirmation 
> from the user, at the system's discretion. The most common example 
> would be payment / money transfer, but could also be generating a 
> statement or showing card details or any other sensitive operation;
> * The user is then directed to the AS where they are displayed 
> operation details, optionally pass additional authentication and 
> confirm the operation;
> * The AS issues a one-time credential (let's call it "confirmation 
> token") that can be used to perform that particular operation only;
> * Finally, the user performs the operation.
>
> Is this case completely covered by the current standards? I believe it 
> is not, and here are my points:
> 1. "Confirmation token" looks very different from access token with 
> regards to its contents, purpose, scope, lifetime and lifecycle. I 
> think it should complement the access token rather than replace it, 
> even temporarily. This is why I believe this case is not covered by 
> Step Up, where the access token is replaced;
>   1a. Step Up assumes upgrading the session's ACR; in the 
> "confirmation" scenario, ACR could remain unchanged;
> 2. No standard way for the RS to signal to the client that the 
> requested operation requires confirmation. That could optionally 
> include server-supplied nonce (similar to DPoP) to help enforce 
> "confirmation token"'s shorter lifetime and one-time use, but it is 
> not clear how to communicate that to the client;
> 3. No standard way for the client to request one-time "confirmation 
> token" from the AS;
> 4. No standard way for the AS to indicate that the returned token is 
> actually "confirmation token" and not a Bearer token;
> 5. No standard way for the RS to tell that the incoming token is 
> actually a "confirmation token" and requires special handling 
> (one-time use, checking against operation parameters etc.)
> 6. On a plus side, RAR can be used to communicate operation details to 
> the AS while initiating "confirmation".
>
> 3-5 could be probably done with a combination of scopes + RAR. What 
> concerns me most is the lack of complementary token semantics (1) and 
> inability for the RS to signal the confirmation requirement to the 
> client (2), which could include operation details and nonce.
>
> Please correct me if I'm missing something and we have enough coverage 
> by the standards. But if we don't, would the WG welcome such a document?
>
> Dmitry Telegin
> Backbase / Keycloak
>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org