[OAUTH-WG] Re: One-time confirmation tokens

Neil Madden <neil.e.madden@gmail.com> Fri, 14 June 2024 08:25 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E428C1516F8 for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tMyn1pwEWyFn for <oauth@ietfa.amsl.com>; Fri, 14 Jun 2024 01:25:48 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ADDEC151096 for <oauth@ietf.org>; Fri, 14 Jun 2024 01:25:48 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-4217fd95c78so731075e9.3 for <oauth@ietf.org>; Fri, 14 Jun 2024 01:25:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718353546; x=1718958346; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=GM9YP5Oup35b6lE3/6cB0VxiX8UxubW8Dnz80xMJnBg=; b=CoYiFWV9LX9mBDwJXjPFU0mqX5fNei7mQ+0kUSnMO34pPn4UzU4kMc1iaAgKn69562 zCw3NqzwoOyC15OsXY7/0dHU52nCnBGjEQRo0/h6gbfzdw/Ul3IPCtdGH/Y76MvWGXRI hZgOkvnb8l87eFk9tzPuWsS7iLgmNbIb14S72/9E7aYKcKGjNXgdKSPDENDYIAZvOwtx /+aE5Oy8OYlzkUBMWlso355nIjh/CObUZzG9R2FfvWfR10VnygA8Q8egUfZKZ807Tzkz JWzvOqK459xDeZhNRz/so+GoW4j/lUmgTKsIiRnJuPMwWs2T8vq9yEYI8VqfZyq60qv5 DhsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718353546; x=1718958346; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=GM9YP5Oup35b6lE3/6cB0VxiX8UxubW8Dnz80xMJnBg=; b=jODh1eCh0CgtIeETogpFlX6E5CnKPP+6uG9FH7+suMKwifKdtYiB1VHUc75aYuIiwR g67zlj82nRsXW9fYsZBIbwaZUZcJEC5B/RdxCHJ/YJmL+FG7V10q06z/0+zcSJm0jjy/ +yZ3iZKqzB7FbcwbBL2mJd+6E9Hcw23iWzOdv6DRd0fqzP9poUuYKA6XcZQpZuaLfpW2 izOxXzVdCxUk+CM7URAnFluhqqe5WNt8rUDvw7Ai0DIg5mYLCKpiSgeXhbqP15B1Ym5v hJEIiXs4Qj57zm237xRQZ3T6RkIqhrD7ny4Bt8NZV+HchKlb6u+yUyWx5Yqfl0Pn+KCh L07g==
X-Gm-Message-State: AOJu0YxNeDG1/XgwFJitHbf1Ctk+ooiv3f1nAa1ODdTaxLSV0XX6Az0Q fB+uW8soehjDVmAk3Lmh/ZX6UVixkyKdpzNxjz52WI+EZ35vnukz
X-Google-Smtp-Source: AGHT+IH9ONuYKuGU+xRSiZZ5/y9GHDkKCWN44snCBv3UuaU47dNI63t+6IXcEPqO3xlxAIvYa8A6ug==
X-Received: by 2002:a05:600c:3b1d:b0:422:70d4:7e72 with SMTP id 5b1f17b1804b1-4230484ea2emr15723555e9.2.1718353545513; Fri, 14 Jun 2024 01:25:45 -0700 (PDT)
Received: from smtpclient.apple (238.60.90.146.dyn.plus.net. [146.90.60.238]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-36075093a4asm3693212f8f.21.2024.06.14.01.25.42 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 14 Jun 2024 01:25:42 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <9FB6AA7B-1E17-4A11-9442-0D6EC9164B0A@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1138A76C-E795-41F0-B3A7-B4A91C84C41F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Date: Fri, 14 Jun 2024 09:25:40 +0100
In-Reply-To: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
References: <CAOtx8Dn_ND1A3my28no5mhdejL8KR5bqbqLyN67O11Wy8a8Fow@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Message-ID-Hash: UBZMZJ4MSUDFZ65WK26Y7G4OGK2SK5DT
X-Message-ID-Hash: UBZMZJ4MSUDFZ65WK26Y7G4OGK2SK5DT
X-MailFrom: neil.e.madden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: One-time confirmation tokens
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wy-nzhj7c3HgU02iIKzYfjt3ZwY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

On 14 Jun 2024, at 02:48, Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org> wrote:
> 
> Let's take the following (very common) scenario:
> * A user logs into the system;
> * They request an operation that might require additional confirmation from the user, at the system's discretion. The most common example would be payment / money transfer, but could also be generating a statement or showing card details or any other sensitive operation;
> * The user is then directed to the AS where they are displayed operation details, optionally pass additional authentication and confirm the operation;
> * The AS issues a one-time credential (let's call it "confirmation token") that can be used to perform that particular operation only;
> * Finally, the user performs the operation.
> 
> Is this case completely covered by the current standards? I believe it is not, and here are my points:
> 1. "Confirmation token" looks very different from access token with regards to its contents, purpose, scope, lifetime and lifecycle. I think it should complement the access token rather than replace it, even temporarily. This is why I believe this case is not covered by Step Up, where the access token is replaced;
>   1a. Step Up assumes upgrading the session's ACR; in the "confirmation" scenario, ACR could remain unchanged;
> 2. No standard way for the RS to signal to the client that the requested operation requires confirmation. That could optionally include server-supplied nonce (similar to DPoP) to help enforce "confirmation token"'s shorter lifetime and one-time use, but it is not clear how to communicate that to the client;
> 3. No standard way for the client to request one-time "confirmation token" from the AS;
> 4. No standard way for the AS to indicate that the returned token is actually "confirmation token" and not a Bearer token;
> 5. No standard way for the RS to tell that the incoming token is actually a "confirmation token" and requires special handling (one-time use, checking against operation parameters etc.)
> 6. On a plus side, RAR can be used to communicate operation details to the AS while initiating "confirmation".
> 
> 3-5 could be probably done with a combination of scopes + RAR. What concerns me most is the lack of complementary token semantics (1) and inability for the RS to signal the confirmation requirement to the client (2), which could include operation details and nonce.
> 
> Please correct me if I'm missing something and we have enough coverage by the standards. But if we don't, would the WG welcome such a document?

You may be interested in my blog post about exactly this topic: https://neilmadden.blog/2020/09/09/macaroon-access-tokens-for-oauth-part-2-transactional-auth/ <https://neilmadden.blog/2020/09/09/macaroon-access-tokens-for-oauth-part-2-transactional-auth/>

However, I think the ship has pretty much sailed on this topic and the world (Open Banking etc) has gone with just using RAR for each transaction and glossing over the points you make.

— Neil