[GNAP] Sessions and Post Interaction Completion
Dave Tonge <dave.tonge@moneyhub.com> Mon, 21 December 2020 11:06 UTC
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B64F3A10BA for <txauth@ietfa.amsl.com>; Mon, 21 Dec 2020 03:06:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nc83Iep96VFr for <txauth@ietfa.amsl.com>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29B73A10C3 for <txauth@ietf.org>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id w1so12827874ejf.11 for <txauth@ietf.org>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=IcnDh1bv42sQ2Ty5MobdDCxOX/TXDa264z/TJLKhh1Y=; b=dmAcnCaiNp7sJDKXkqANRO/rlRjX2R4NsWmjEon41BGQ1vfGRhEpcQninen50ZgLaN UYFeEWQ+M1DXlZHNO9ZWAZwK/4wuBcY/PGBSu4ei1+djW74w7AuorsSzUDCxfNYaaphb IVKqPf7QGitD1JfSh2yfj0CyrnlWM9Cr577Xc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=IcnDh1bv42sQ2Ty5MobdDCxOX/TXDa264z/TJLKhh1Y=; b=cUj1eX4qZ5YKlHJ6u6x9b42NU5T5rnnFaXTXBOcL94/xh3NyGWrAvQsBiSue4xarfH LX1sJ2asRROey6nYgXjifR08Vfx421dTzhiVYnPiIuPrmx0za5qvys57jaaQt9u+3MhL V8pBquamNkvejBRhjYGhczWC/QUsFgJAk6deFs/N0UiIHuhMCVFcxt9Ie6syA86QAJNI RLGrc5GkVSHUsUMjjig6A8yRXpihrGwE3J3zPLciHo106WS6WRjGrnS8W/gHLi04LtQi QQYDeWpVL4k9IuJS4m1o9IJWAXszGqXPCHNT7OUtQXQkIG0ZqRwgAmxaD5nejq1WDnpL T93w==
X-Gm-Message-State: AOAM533ymA7Hx2bVgVDs63QDiFfmb/fJGdXahiB/ScnqXIRxLJLANEQo PUnzWWpzsgBHv1MHJGpZrLC36Rt6WloE/513MrN20gYI9o6L8i9ENG0beopK5qc2KhKhDSuSesu j/NeUtRl9JP47UlcwfRGCEPVkMg==
X-Google-Smtp-Source: ABdhPJznueJpLbR0vKP5pvpYv3l9PvOnoP5ari5hqMzW9PV+otruVgp8mlZlNySAaMw5Q8hVjYQ5r/YY672KbIsmAUo=
X-Received: by 2002:a17:906:38c8:: with SMTP id r8mr15016205ejd.39.1608548797455; Mon, 21 Dec 2020 03:06:37 -0800 (PST)
MIME-Version: 1.0
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 21 Dec 2020 12:06:26 +0100
Message-ID: <CAP-T6TT95K4Vy=qP510Sk4+yubHU8Qa0otkeZeULCLm_4BRJbA@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad3b6805b6f7734e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1vpvZWVoTfgcevRpwz12EhmA-ws>
Subject: [GNAP] Sessions and Post Interaction Completion
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2020 11:06:42 -0000
Hi
I may have missed something - but I'm trying to follow the params involved
in the "Post-Interaction Completion" section.
As I understand the flow is:
1. RC indicates it can accept "callback" and provides a nonce and a uri
2. AS indicates the callback will be used and provides a nonce
...interaction happens...
3. AS either redirects the user or does a POST to the RC uri with a new
param: `interact_ref` and a hash of the RC nonce, AS nonce and interact_ref.
4. RC validates hash and calls AS with `interact_ref` (and access token)
If the uri provided by the RC isn't unique then I think the RC nonce should
be included in the params. The hash will still be secure as the AS nonce
will not be revealed, but this allows the RC to take actions on the request
before validating the hash.
For example:
1. In some redirect based systems the `state` param in OAuth 2 is used to
redirect the user appropriately (within the RC's systems), prior to being
confirmed by the matching `state` in the session.
2. In the "Direct HTTP Request Callback" mode, I don't understand how the
RC is supposed to know which interaction the callback is for (assuming its
not a dynamic uri)?
Additionally it would be good to see some analysis of why the hash is
needed. My opinion is that where possible validation should occur at the AS
rather than the RC. Do we really need the hash? In OAuth 2 getting access
to the `code` enables a lot of attacks, I don't the same is true for the
`interact_ref`. The `interact_ref` will be bound to the access_token
returned from the initial grant request.
--
Dave Tonge
--
Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at https://register.fca.org.uk/
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered
in England & Wales, company registration number 06909772. Moneyhub
Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building,
Temple Quay, 1 Friary, Bristol, BS1 6EA.
DISCLAIMER: This email
(including any attachments) is subject to copyright, and the information in
it is confidential. Use of this email or of any information in it other
than by the addressee is unauthorised and unlawful. Whilst reasonable
efforts are made to ensure that any attachments are virus-free, it is the
recipient's sole responsibility to scan all attachments for viruses. All
calls and emails to and from this company may be monitored and recorded for
legitimate purposes relating to this company's business. Any opinions
expressed in this email (or in any attachments) are those of the author and
do not necessarily represent the opinions of Moneyhub Financial Technology
Limited or of any other group company.