[GNAP] Sessions and Post Interaction Completion
Dave Tonge <dave.tonge@moneyhub.com> Mon, 21 December 2020 11:06 UTC
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B64F3A10BA for <txauth@ietfa.amsl.com>; Mon, 21 Dec 2020 03:06:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nc83Iep96VFr for <txauth@ietfa.amsl.com>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29B73A10C3 for <txauth@ietf.org>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id w1so12827874ejf.11 for <txauth@ietf.org>; Mon, 21 Dec 2020 03:06:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=IcnDh1bv42sQ2Ty5MobdDCxOX/TXDa264z/TJLKhh1Y=; b=dmAcnCaiNp7sJDKXkqANRO/rlRjX2R4NsWmjEon41BGQ1vfGRhEpcQninen50ZgLaN UYFeEWQ+M1DXlZHNO9ZWAZwK/4wuBcY/PGBSu4ei1+djW74w7AuorsSzUDCxfNYaaphb IVKqPf7QGitD1JfSh2yfj0CyrnlWM9Cr577Xc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=IcnDh1bv42sQ2Ty5MobdDCxOX/TXDa264z/TJLKhh1Y=; b=cUj1eX4qZ5YKlHJ6u6x9b42NU5T5rnnFaXTXBOcL94/xh3NyGWrAvQsBiSue4xarfH LX1sJ2asRROey6nYgXjifR08Vfx421dTzhiVYnPiIuPrmx0za5qvys57jaaQt9u+3MhL V8pBquamNkvejBRhjYGhczWC/QUsFgJAk6deFs/N0UiIHuhMCVFcxt9Ie6syA86QAJNI RLGrc5GkVSHUsUMjjig6A8yRXpihrGwE3J3zPLciHo106WS6WRjGrnS8W/gHLi04LtQi QQYDeWpVL4k9IuJS4m1o9IJWAXszGqXPCHNT7OUtQXQkIG0ZqRwgAmxaD5nejq1WDnpL T93w==
X-Gm-Message-State: AOAM533ymA7Hx2bVgVDs63QDiFfmb/fJGdXahiB/ScnqXIRxLJLANEQo PUnzWWpzsgBHv1MHJGpZrLC36Rt6WloE/513MrN20gYI9o6L8i9ENG0beopK5qc2KhKhDSuSesu j/NeUtRl9JP47UlcwfRGCEPVkMg==
X-Google-Smtp-Source: ABdhPJznueJpLbR0vKP5pvpYv3l9PvOnoP5ari5hqMzW9PV+otruVgp8mlZlNySAaMw5Q8hVjYQ5r/YY672KbIsmAUo=
X-Received: by 2002:a17:906:38c8:: with SMTP id r8mr15016205ejd.39.1608548797455; Mon, 21 Dec 2020 03:06:37 -0800 (PST)
MIME-Version: 1.0
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 21 Dec 2020 12:06:26 +0100
Message-ID: <CAP-T6TT95K4Vy=qP510Sk4+yubHU8Qa0otkeZeULCLm_4BRJbA@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad3b6805b6f7734e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1vpvZWVoTfgcevRpwz12EhmA-ws>
Subject: [GNAP] Sessions and Post Interaction Completion
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2020 11:06:42 -0000
Hi I may have missed something - but I'm trying to follow the params involved in the "Post-Interaction Completion" section. As I understand the flow is: 1. RC indicates it can accept "callback" and provides a nonce and a uri 2. AS indicates the callback will be used and provides a nonce ...interaction happens... 3. AS either redirects the user or does a POST to the RC uri with a new param: `interact_ref` and a hash of the RC nonce, AS nonce and interact_ref. 4. RC validates hash and calls AS with `interact_ref` (and access token) If the uri provided by the RC isn't unique then I think the RC nonce should be included in the params. The hash will still be secure as the AS nonce will not be revealed, but this allows the RC to take actions on the request before validating the hash. For example: 1. In some redirect based systems the `state` param in OAuth 2 is used to redirect the user appropriately (within the RC's systems), prior to being confirmed by the matching `state` in the session. 2. In the "Direct HTTP Request Callback" mode, I don't understand how the RC is supposed to know which interaction the callback is for (assuming its not a dynamic uri)? Additionally it would be good to see some analysis of why the hash is needed. My opinion is that where possible validation should occur at the AS rather than the RC. Do we really need the hash? In OAuth 2 getting access to the `code` enables a lot of attacks, I don't the same is true for the `interact_ref`. The `interact_ref` will be bound to the access_token returned from the initial grant request. -- Dave Tonge -- Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at https://register.fca.org.uk/ <https://register.fca.org.uk/>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.