[Openid-specs-mobile-profile] Mobile Profile parameters

John Bradley ve7jtb at ve7jtb.com
Tue Apr 28 18:16:15 UTC 2015


PKCE 
https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/>

We are in the last stages of review before becoming a RFC.


> On Apr 28, 2015, at 2:49 PM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com> wrote:
> 
> Thanks again John,
> 
> I am going to check the RFC of the jwt encoded state. By the moment my understanding is that state shouldn’t be a mandatory parameter in the Mobile OIDC profile.
> 
> BTW what is PKCE?
> 
> Best,
> Gonza.
> 
> From: John Bradley <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>>
> Date: Tuesday 28 April 2015 18:17
> To: Gonzalo Fernández <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>>
> Cc: "openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>" <openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>>
> Subject: Re: [Openid-specs-mobile-profile] Mobile Profile parameters
> 
> The AS MUST support state.   
> 
> It is recommended that the client send it to protect against XSRF.     Requiring the client to send it is a bit extreme as the the value is opaque to the AS.
> State  makes little sense for native apps, Especially if they are using the code flow and PKCE (formerly SPOP)
> 
> All you are really doing is forcing some people to include a parameter that they will ignore by making it required for the client to send it.
> 
> One thing that you should do is require all AS to support PKCE and all public clients to use it.
> That both provides XRSF protection and protection from having the code intercepted in the response.
> 
> Besides XSRF protection state provides a way for the client to track state information about the request.  
> The problem is that clients try to tack on additional query parameters for themselves in the redirect_uri, and that can be a security problem.
> 
> In Connect we require exact matching of the redirect_uri as a MUST for the AS that largely forces any client wanting to maintain some sort of state around the request to send it as the value of the state parameter.
> 
> I did a RFC on how a client can use state that might be a useful reference.
> https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state <https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state>
> 
> John B.
> 
>> On Apr 28, 2015, at 11:18 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>> wrote:
>> 
>> Hi guys,
>> 
>> Just a quick question. Do we have a final decision about to turn the state parameter into mandatory for the Mobile Profile?
>> 
>> The GSMA document "Mobile OIDC Profile" will have "nonce" and "acr_values" parameter as "Recommended" in the next version, but they are waiting for a response from this WG and I don't remember if there is an agreement about how should be the status of the "state" parameter: Recommended or Mandatory.
>> 
>> Best,
>> Gonza.
>> 
>> De: John Bradley <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>>
>> Fecha: martes 7 de abril de 2015 16:11
>> Para: Gonzalo Fernandez Rodriguez <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>>
>> CC: "openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>" <openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>>
>> Asunto: Re: [Openid-specs-mobile-profile] Mobile Profile parameters
>> 
>> max-age is something we do need to talk about.
>> 
>> There is a question of what it means in the mobile connect case where the user is logging in from a desktop/laptop.
>> 
>> If the user has a cookie with the IdP in the browser because they used mobile connect to log-into site a 8h ago from a home computer.
>> The same user 7h later goes to site B on a different device and performs mobile connect login from there office to a site with max-age = 1h.
>> 
>> Now the persons child goes to the first computer and loges into site C still with a valid session cookie and the max-age is 2h.
>> 
>> The person last authenticated interactively with mobile connect 1h ago is that what is reported to site C, or is it 8h that is reported?
>> 
>> None of the authentication specs really consider the sort of out of band authentication across multiple devices that we are proposing.
>> 
>> This is something that the mobile profile will need to expand on so that IdP are consistent on how they treat that value.
>> 
>> The other thing to consider is what constitutes interactive login.  
>> That may require a OK confirmation if the login device is separate from the authentication device, or it might require a pin if it is the same device.
>> 
>> However if you know the device has a screen lock then perhaps ok may not be needed if the cookie is strongly bound to the device as it would be a security no op that just annoys the user for no reason.
>> 
>> Ther are a number of issues that will need to be considered.  
>> 
>> I don't know that I would even recommend sending auth time, by the client.   In principal the AS/MNO should be best positioned to determine if the risk score requires additional factors such as re-prompting.
>> 
>> John B.
>> 
>> 
>>> On Apr 7, 2015, at 6:49 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>> wrote:
>>> 
>>> Hi John,
>>> 
>>> Very interesting your arguments, I fully agree.
>>> 
>>> I had a mistake with prompt and max_age because they change from Optional to Recommended, sorry!
>>> 
>>> Best,
>>> Gonza.
>>> 
>>> De: John Bradley <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>>
>>> Fecha: martes 7 de abril de 2015 15:32
>>> Para: Gonzalo Fernandez Rodriguez <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>>
>>> CC: "openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>" <openid-specs-mobile-profile at lists.openid.net <mailto:openid-specs-mobile-profile at lists.openid.net>>
>>> Asunto: Re: [Openid-specs-mobile-profile] Mobile Profile parameters
>>> 
>>> nonce and state are opaque to the AS and required for the AS to support now.
>>> 
>>> Forcing a client to send them may not achieve anything if the client sticks some static value in them to fulfill the spec.
>>> Teaching clients to use them properly to protect themselves is more important.
>>> 
>>> We debated making nonce required for code, but decided that there were sufficient protections by validating the redirect_uri at the token endpoint.
>>> 
>>> max_age is probably a bad thing to force clients to send.  It will end in tears because clients will not understand what it means and cause a bad user experience.
>>> 
>>> sending prompt every-time will also have bad user experience consequences,  mostly you don't want to send it unless you really want something other than the default of prompting the user only if they need to re-auth, or not prompt, 
>>> and return an error to the client if they need to re-auth (this allows a background check in a iframe). 
>>> 
>>> Forcing the client to request a acr if it is willing to take anything also seems a bit misguided.
>>> 
>>> So I would say that who ever came up with that has a limited understanding of Connect.
>>> 
>>> John B.
>>>> On Apr 7, 2015, at 1:59 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com <mailto:gonzalo.fernandezrodriguez at telefonica.com>> wrote:
>>>> 
>>>> 
>>>> Hi Guys,
>>>> 
>>>> I have been reviewing the Mobile Connect Profile doc released by the GSMA. There are some parameters in the authentication request, id_token and userinfo that have changed their use from optional to recommend or mandatory (These cases are showed in green). I don't think it is a problem to turn an optional parameter into mandatory in responses (id_token or userinfo), but I would like to highlight the cases where the spec says that the parameters are optional in the authentication request and the Mobile Profile says that they are mandatory, because I think they break the backward compatibility of the OIDC servers unless we can to differentiate the mobile profile requests from the other requests.
>>>> 
>>>> PARAMETER  SPEC MOBILE PROFILE
>>>> -------------------        ---------------------     ------------------------
>>>> state RecommendedMandatory
>>>> nonce  Recommended Mandatory
>>>> prompt  Recommended Mandatory
>>>> max_age  Recommended Mandatory
>>>> acr_values  Recommended Mandatory
>>>> 
>>>> I understand that state and nonce offer and added value from the point of view of security, however I don't see the benefit of the acr_values as mandatory parameter.
>>>> 
>>>> 
>>>> Best,
>>>> Gonza.
>>>> 
>>>> 
>>>> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
>>>> 
>>>> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
>>>> 
>>>> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
>>>> _______________________________________________
>>>> Openid-specs-mobile-profile mailing list
>>>> Openid-specs-mobile-profile at lists.openid.net <mailto:Openid-specs-mobile-profile at lists.openid.net>
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile <http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile>
>>> 
>>> 
>>> 
>>> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
>>> 
>>> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
>>> 
>>> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
>> 
>> 
>> 
>> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
>> 
>> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
>> 
>> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
> 
> 
> 
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
> 
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
> 
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150428/7fefe946/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4326 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150428/7fefe946/attachment-0001.p7s>


More information about the Openid-specs-mobile-profile mailing list