IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Step-up Authentication

Dima Postnikov <dima@postnikov.net> Sat, 08 October 2022 00:42 UTC

Return-Path: <dima.postnikov@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEB75C1524D2 for <oauth@ietfa.amsl.com>; Fri, 7 Oct 2022 17:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.308
X-Spam-Level:
X-Spam-Status: No, score=-1.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=postnikov-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w43kMgdTCPTD for <oauth@ietfa.amsl.com>; Fri, 7 Oct 2022 17:42:53 -0700 (PDT)
Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B821AC14CE26 for <oauth@ietf.org>; Fri, 7 Oct 2022 17:42:53 -0700 (PDT)
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-358bf076f1fso57969657b3.9 for <oauth@ietf.org>; Fri, 07 Oct 2022 17:42:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=postnikov-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=S3RfIiTR/asyPccsRcEz82hzgf05adsaNicRgQNS+3Y=; b=Hj3pczDhY7VKeFA0jlMgV53VS+6Xe41m3R1ykjgKtmjeinQPJQEYDg7mfIpFD7/NIv kRsXljyXEl1Pm+/W7uYsUgLQJN/+xQLiRbq2LQiMNJ8jMdq9DPUtJHb0x+zV2BT5kJwJ ze7heGhaXCpMZuPj0i+mZ9RYnp2EeVdJR3TgIL1xH6ui8E3f8516OEi7r+eaohnulLpv u0pqYJJ8LN1flQQtq5mc+SGtOtJEQGm6nPV0h1t7ukv9OE2A6mo2Ii5gzzEfFJiU886l /2/vhkvKYsUyuCXEUcgiOyNVFvSjC4mJNIdwhdLHTgQoWsyw9IyJQOuP6f6s5xMe0dEj C+hQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=S3RfIiTR/asyPccsRcEz82hzgf05adsaNicRgQNS+3Y=; b=pJ69zDOuSApESvzgHxOrGSWdNLrVzmUY7k++9ycWM3QmowaNwA0uF1ZYpYB9GYle1i CakoP6JuZChF9Bn1eUQYARK/IbRv/CjKzyqRReqmElSQye20Ih22ARKF2yvLOuRoGiZ0 SpddhcWCDuwYXE70U8i6uZD34AvpDVZLqNcYntCJsRWjG1+1Es6mq5Pp+RIF5JZchtaG 7qCxTMsPqoTc3oUcz1wQ+mCLigWw7vvJaFwLJQpbdVbMDUE44/9OoKvGaGlT4nRiowMn oS/cGPI5uHXumcBBdCH4Jv0igzhKUwNIM9ILc9jjNwqvRLKahVn/ZFTIgSW+F2Cwr1vW O0Vw==
X-Gm-Message-State: ACrzQf0PMotxmcSAF8v/TVkNJqE8Mpa4NiofnIMsSSRzfE5Vv/fbtQkG vVt3KZgb0+XPOv/PVU87+u3SNWCFBTPqRQ9+TXw=
X-Google-Smtp-Source: AMsMyM5tZ9mlIaAg62w/uylq8doIbZx+9wj2sywaUzGSww+HujLixaKiJdRM2g8ApSQJHBNipYyXBTrdkp40zOjIMlI=
X-Received: by 2002:a81:ad5d:0:b0:357:1aeb:843d with SMTP id l29-20020a81ad5d000000b003571aeb843dmr6901786ywk.44.1665189772695; Fri, 07 Oct 2022 17:42:52 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com>
From: Dima Postnikov <dima@postnikov.net>
Date: Sat, 08 Oct 2022 11:42:41 +1100
Message-ID: <CAEMK1uaBedVBcoBuf9NY53sa2MRKh2j5gXrnW65PCiGj6Rzu7g@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e29e6d05ea7b3496"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vaMILwwkDqoT_ZlKt9fF3XLFfHg>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2022 00:42:55 -0000

Couple of quick comments from me:

1) (Editorial) >In simple API authorization scenarios, an authorization
server will statically determine what authentication technique

In many scenarios, authorization servers will use *dynamic* decisioning to
determine authentication techniques; it's just not exposed to the client in
a way to make it actionable (which is why this specification's intent makes
perfect sense).

2) Apart from authentication level, there might be other reasons why users
might be forced to go through the authorization flow, for example,
insufficient authorization / scopes / claims / etc.

If there is a mechanism to let the client know, as a practitioner, i'd
rather have the same approach for both authentication and authorization.
There are a range of authorization policy engines in the market that could
return "STEP UP is required" after looking at authentication, authorisation
and many other real-time signals. It's just not standardized...


On Sat, Oct 8, 2022 at 7:30 AM Pieter Kasselman <pieter.kasselman=
40microsoft.com@dmarc.ietf.org> wrote:

> I am very supportive of this work and have been working through different
> use cases to see whether it can satisfy the requirements that arise from
> them.
>
>
>
> One observation from working through these uses cases is that as customers
> move to Zero Trust architectures, we are seeing customers adopting finer
> grained policy segmentation. Consequently customers are planning to deploy
> segmented access control by data or action sensitivity, within a service.
> This approach to policy design makes it more common for a single service to
> depend on multiple authentication context values or combinations of
> authentication context values.
>
>
>
> An example of this is a policy that has multiple acr values (e.g.
> acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A
> customer may define a policy that requires different combinations of these
> acr values, for example, a file server may requires password for general
> access (e.g. acr1), FIDO authentication (acr2) or password access and being
> on a trusted network to read sensitive data (acr 2 of (acr1 + acr 4), FIDO
> authentication and password (acr1 + acr2) for accessing editing sensitive
> documents and a real-time selfie check on top of FIDO and presence on a
> trusted network  (acr1 + acr2 + acr3 + acr4) to initiate a sensitive
> workflow (e.g. check-in code). Other variations of this includes database
> access with different types of access requirement for certain rows
> (row-level permissions) or columns (column level permissions) with
> different combinations of acr values.
>
>
>
> I was curious if this type of scenario where multiple authentication
> contexts and combinations of contexts are required is something others see
> (or are beginning to see) as well?
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Thursday, September 22, 2022 3:02 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication
>
>
>
> *Correction:*
>
>
>
> Please, review the document and provide your feedback on the mailing list
> by *Oct 7th, 2022*.
>
>
>
> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
>
>
> This is to start a *WG Last Call *for the *Step-up Authentication *
> document:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-oauth-step-up-authn-challenge-03.html&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7C0078f809101147bc978308da9ca32020%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994521713812011%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=18sfemyWqYb06PvUA9eTLaq0ccDY14%2F6ETo58JpE%2FJQ%3D&reserved=0>
>
>
> Please, review the document and provide your feedback on the mailing list
> by *Sep 30th, 2022*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email