[Openid-specs-igov] Assurance Profile for OAuth or OIDC

Phil Hunt phil.hunt at oracle.com
Thu Oct 5 18:40:13 UTC 2017


Some more comments/questions:

Section 2.1.2

Where it talks about the client authenticating by generating a JWT assertion, the text around “exp” seems generic.

Can this really be anything?  Should clients be generating a new assertion per request?  If multiple requests, what exp values are reasonable?  Can a client generate it with a year or more expiry and use the same assertion for that period?

I ask because if you are expecting a proof-of-possession test from the client, the JWT should really be signed with a small expiry so that a new one is required per request.

Section 3.1.4

I’m not sure this section contains enough information on what should be displayed to an end-user. The indications described are deeply technical and not likely to be understood by users. This leads to negative training and other bad aspects - as in always click Yes/agree.

I think I understand that it may be useful to convey some information about risk.  However, in any given situation, one could argue one method is better than another (public static vs confid static vs. dynamic vs. statement or not). Yet in another situation, a different conclusion could be made.

This boils down to asking the user if the tool selection is good enough OR whether they think it is secure enough.  The user has no information to judge this.

Unless specific recommendations can be made, I would drop this section.  Further, if iGov has in fact tightened security, then iGov compliant implementations should not need this “are you sure” question.

3.1.6

It would be useful to discuss that AS’s having received a token revocation request or having decided to revoke a token (for other reasons), should notify resource servers where possible of token revocations. This is typically done by internal means (e.g. shared state), by token introspection (RFC7662 and section 3.2.2), or by a security event notification (future).

3.4 Token lifetime

Shouldn’t there be a distinction between a PoP token and bearer tokens?  E.g. bearer tokens need more refresh so clients can re-authenticate (demonstrating proof of possession of the client credential).  If a client is doing PoP access tokens (e.g. based on MTLS or TOKBIND), is there any reason why the token can't last a long time?

5.1  Proof of Possession

Possibly update document to include MTLS and TOKBIND.  Also per 3.4, how does this impact token lifetime requirements (is it the same, or is longer allowed).  If MTLS is included, there may be important privacy restrictions to discuss.  Also, I seem to recall that the client authentication section doesn’t allow for MTLS at this time.

Phil

Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
> On Oct 4, 2017, at 3:27 PM, Phil Hunt via Openid-specs-igov <openid-specs-igov at lists.openid.net> wrote:
> 
> For the draft openid-igov-oauth2, I am finding it confusing because the examples are all OIDC based rather than OAuth2 as per the document title.  
> 
> For example, Section 2.1.1 talks about using the “state" parameter and then uses an OIDC example without a state parameter but with “nonce" instead.
> 
> Is the intent to cover OIDC and plain OAuth or both?  Or should the draft be entitled Profile for OIDC?
> 
> Perhaps some more explanatory text and/or examples for both types should be included?
> 
> Regards,
> 
> Phil
> 
> Oracle Corporation, Identity Cloud Services Architect
> @independentid
> www.independentid.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=SX4O0OKlFudVaJo6nsVRKnsIFGX9u9NhspkfL4vLuVA&s=4XJlcyhw5lE5FpGsOleAECld3a1vQAeVVDYxhJaFumE&e=>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
> _______________________________________________
> Openid-specs-igov mailing list
> Openid-specs-igov at lists.openid.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Digov&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=SX4O0OKlFudVaJo6nsVRKnsIFGX9u9NhspkfL4vLuVA&s=uThs9GfHjXqZ4g3JJ44suJ_B3jOE2Y_qa5kOnkmY7U4&e= 
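The Section 2.1.2 question above (how short should a client assertion's "exp" be, and can one assertion be reused across requests) is easiest to reason about from the authorization server's side. The following is an added example, not code from this thread or from the iGov profile: a client_secret_jwt-style assertion (HS256, RFC 7523 claims) built with a short lifetime and a fresh jti, and a token-endpoint validator that rejects assertions whose exp is too far from iat, assertions that have expired, assertions for the wrong audience, and assertions whose jti has already been seen. The client id "app1", the secret, the token endpoint URL and the 300-second ceiling are constructed values for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """Client side: one short-lived, single-use assertion per token request.
    iss == sub == client_id, aud == token endpoint, exp a few seconds out, unique jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "iat": now,
        "exp": now + lifetime,
        "jti": uuid.uuid4().hex,  # fresh per assertion so the AS can detect replay
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AssertionValidator:
    """AS side: enforces a maximum assertion lifetime and single use of each jti."""

    def __init__(self, token_endpoint, clients, max_lifetime=300, clock_skew=30):
        self.token_endpoint = token_endpoint
        self.clients = clients          # client_id -> shared secret (constructed registry)
        self.max_lifetime = max_lifetime  # assumption: policy ceiling on exp - iat
        self.clock_skew = clock_skew
        self._seen_jti = {}             # jti -> exp, kept only until the assertion expires

    def validate(self, assertion, now=None):
        now = int(time.time()) if now is None else now
        try:
            h64, c64, s64 = assertion.split(".")
            header = json.loads(_b64url_decode(h64))
            claims = json.loads(_b64url_decode(c64))
        except (ValueError, json.JSONDecodeError):
            return (False, "malformed")
        if header.get("alg") != "HS256":
            return (False, "alg")
        for k in ("iss", "sub", "aud", "iat", "exp", "jti"):
            if k not in claims:
                return (False, "missing " + k)
        # Look up the secret by the claimed issuer, then verify before trusting anything else.
        secret = self.clients.get(claims["iss"])
        if secret is None or claims["iss"] != claims["sub"]:
            return (False, "unknown client")
        expected = hmac.new(secret.encode(), (h64 + "." + c64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return (False, "signature")
        if claims["aud"] != self.token_endpoint:
            return (False, "aud")
        if claims["iat"] > now + self.clock_skew:
            return (False, "iat in future")
        if claims["exp"] < now - self.clock_skew:
            return (False, "expired")
        # A year-long exp would pass the expiry check; the lifetime ceiling is what forces
        # a new assertion per request.
        if claims["exp"] - claims["iat"] > self.max_lifetime:
            return (False, "lifetime")
        # Forget jtis whose assertions can no longer be presented, then reject reuse.
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e >= now - self.clock_skew}
        if claims["jti"] in self._seen_jti:
            return (False, "replay")
        self._seen_jti[claims["jti"]] = claims["exp"]
        return (True, claims["iss"])


if __name__ == "__main__":
    endpoint = "https://as.example/token"
    v = AssertionValidator(endpoint, clients={"app1": "constructed-secret"})
    good = make_client_assertion("app1", "constructed-secret", endpoint, now=1000)
    print(v.validate(good, now=1010))   # accepted once
    print(v.validate(good, now=1011))   # same jti again: replay
    year = make_client_assertion("app1", "constructed-secret", endpoint, now=1000, lifetime=365 * 86400)
    print(v.validate(year, now=1010))   # not expired, but exceeds the lifetime ceiling
```

The jti set only has to be remembered for max_lifetime plus skew, which is what makes the ceiling practical to enforce: with a year-long exp the AS would have to keep every jti for a year to detect reuse.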
