[Openid-specs-mobile-profile] Mobile Profile parameters

John Bradley ve7jtb at ve7jtb.com
Tue Apr 7 14:11:48 UTC 2015 

max-age is something we do need to talk about.

There is a question of what it means in the mobile connect case where the user is logging in from a desktop/laptop.

If the user has a cookie with the IdP in the browser because they used mobile connect to log-into site a 8h ago from a home computer.
The same user 7h later goes to site B on a different device and performs mobile connect login from there office to a site with max-age = 1h.

Now the persons child goes to the first computer and loges into site C still with a valid session cookie and the max-age is 2h.

The person last authenticated interactively with mobile connect 1h ago is that what is reported to site C, or is it 8h that is reported?

None of the authentication specs really consider the sort of out of band authentication across multiple devices that we are proposing.

This is something that the mobile profile will need to expand on so that IdP are consistent on how they treat that value.

The other thing to consider is what constitutes interactive login.  
That may require a OK confirmation if the login device is separate from the authentication device, or it might require a pin if it is the same device.

However if you know the device has a screen lock then perhaps ok may not be needed if the cookie is strongly bound to the device as it would be a security no op that just annoys the user for no reason.

Ther are a number of issues that will need to be considered.  

I don't know that I would even recommend sending auth time, by the client.   In principal the AS/MNO should be best positioned to determine if the risk score requires additional factors such as re-prompting.

John B.


> On Apr 7, 2015, at 6:49 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com> wrote:
> 
> Hi John,
> 
> Very interesting your arguments, I fully agree.
> 
> I had a mistake with prompt and max_age because they change from Optional to Recommended, sorry!
> 
> Best,
> Gonza.
> 
> De: John Bradley <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>>
> Fecha: martes 7 de abril de 2015 15:32
> Para: Gonzalo Fernandez Rodriguez <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>>
> CC: "openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>" <openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>>
> Asunto: Re: [Openid-specs-mobile-profile] Mobile Profile parameters
> 
> nonce and state are opaque to the AS and required for the AS to support now.
> 
> Forcing a client to send them may not achieve anything if the client sticks some static value in them to fulfill the spec.
> Teaching clients to use them properly to protect themselves is more important.
> 
> We debated making nonce required for code, but decided that there were sufficient protections by validating the redirect_uri at the token endpoint.
> 
> max_age is probably a bad thing to force clients to send.  It will end in tears because clients will not understand what it means and cause a bad user experience.
> 
> sending prompt every-time will also have bad user experience consequences,  mostly you don't want to send it unless you really want something other than the default of prompting the user only if they need to re-auth, or not prompt, 
> and return an error to the client if they need to re-auth (this allows a background check in a iframe). 
> 
> Forcing the client to request a acr if it is willing to take anything also seems a bit misguided.
> 
> So I would say that who ever came up with that has a limited understanding of Connect.
> 
> John B.
>> On Apr 7, 2015, at 1:59 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>> wrote:
>> 
>> 
>> Hi Guys,
>> 
>> I have been reviewing the Mobile Connect Profile doc released by the GSMA. There are some parameters in the authentication request, id_token and userinfo that have changed their use from optional to recommend or mandatory (These cases are showed in green). I don't think it is a problem to turn an optional parameter into mandatory in responses (id_token or userinfo), but I would like to highlight the cases where the spec says that the parameters are optional in the authentication request and the Mobile Profile says that they are mandatory, because I think they break the backward compatibility of the OIDC servers unless we can to differentiate the mobile profile requests from the other requests.
>> 
>> PARAMETER  SPEC MOBILE PROFILE
>> -------------------        ---------------------     ------------------------
>> state RecommendedMandatory
>> nonce  Recommended Mandatory
>> prompt  Recommended Mandatory
>> max_age  Recommended Mandatory
>> acr_values  Recommended Mandatory
>> 
>> I understand that state and nonce offer and added value from the point of view of security, however I don't see the benefit of the acr_values as mandatory parameter.
>> 
>> 
>> Best,
>> Gonza.
>> 
>> 
>> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
>> 
>> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
>> 
>> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
>> _______________________________________________
>> Openid-specs-mobile-profile mailing list
>> Openid-specs-mobile-profile at lists.openid.net <mailto:Openid-specs-mobile-profile at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile <http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile>
> 
> 
> 
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
> 
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
> 
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150407/7f2d75e8/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list