[Openid-specs-risc] RISC Notes 3/19

Marius Scurtescu mscurtescu at google.com
Mon Mar 26 05:54:21 UTC 2018


Forgot to provide a changelog for RISC Event Type. Here it is:
- account-deleted renamed to account-purged
- cause-time attribute dropped
- new-value attribute made optional
- identifier-changed event clarifications

I also created a new spec with OAuth event types, attached. We can discuss
them on the call tomorrow.

Best,
Marius


On Sat, Mar 24, 2018 at 12:34 PM, Marius Scurtescu <mscurtescu at google.com>
wrote:

> Attached is the updated risc-event-types.txt, based on feedback from past
> two meetings.
>
> Another question came up: do we really need both "Opt In" and "Opt Out
> Cancelled"? Both signal that the account is back to the Opt In state; the only
> difference is from what state the transition happened. Maybe just "Opt
> In" with an optional attribute like "previous-state", if that is important?
>
> Happy weekend and safe travels for those returning from IETF 101,
> Marius
>
> PS Working on OAuth events, will send later today or tomorrow.
>
>
> On Mon, Mar 19, 2018 at 5:19 PM, Luke Camery via Openid-specs-risc <
> openid-specs-risc at lists.openid.net> wrote:
>
>> Summary
>> Thanks everyone for attending despite the busy week with IETF. We will
>> continue next week at 3:30pm PST with a discussion of the updated specs and
>> updates on the issues in the tracker.
>>
>> Attendees: [Luke Camery, Tushar Pradhan, Marius Scurtescu, Adam Dawes]
>>
>> ACTION ITEMS
>> - AI: Marius will renew this document by next week
>> - AI: Marius to take on figuring out oauth events
>> - AI: Marius remind Annabelle and Chair to resolve this at secevents
>>
>> FULL NOTES
>> - Opt out / opt in / opt in cancel / opt out requested
>> - Most likely opt out will become an extra hijacking signal
>> - Four state changes give you a great picture
>> - Tushar: Publish some timeframe to make abuse work easier
>> - Recovery Activated
>> - Positive sentiment from google
>> - Confusion about identifier versus recovery
>> - Need to clarify this in a description body
>> - Recovery Information Change
>> - Positive sentiment from google
>> - Token and Sessions Revoked
>> - Not risk (or risc) events
>> - Token lifecycle / oauth events
>> - oauth client disabled or recycled
>> - oauth IETF working group or RISC working group?
>> - Tushar agrees in separating it out and linking oauth specific events to
>> oauth
>> - Tushar agrees it's important though with a different mechanism
>> - AI: Marius will renew this document by next week
>> - AI: Marius to take on figuring out oauth events
>> - Update: Marius and Phil discussed the delivery spec
>> - Multiple delivery methods required one mandatory (Phil)
>> - Others disagree with Phil on this point
>> - AI: Raise issues with the chairs on mandatory to implement
>> - Phil is thinking of hybrid method that covers both
>> - Marius thinks hybrid could be better than polling, but push is by far
>> the best and needs to be preserved
>> - AI: Marius remind Annabelle and Chair to resolve this at secevents
>> - Update on secevents work for RISC, but not working group AIs
>>
>> --
>>
>> Luke Camery
>> Associate Product Manager
>> Federated Identity
>>
                                                            M. Scurtescu
                                                                  Google
                                                              A. Backman
                                                                  Amazon
                                                                 P. Hunt
                                                                  Oracle
                                                              J. Bradley
                                                                  Yubico
                                                          March 25, 2018


                           OAuth Event Types
                          oauth-event-types-00

Abstract

   This document defines the OAuth Event Types.  Event Types are
   introduced and defined in Security Event Token (SET) [SET].

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   1
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   1
   2.  Event Types . . . . . . . . . . . . . . . . . . . . . . . . .   2
     2.1.  Token Revoked . . . . . . . . . . . . . . . . . . . . . .   2
     2.2.  Tokens Revoked  . . . . . . . . . . . . . . . . . . . . .   3
     2.3.  Client Disabled . . . . . . . . . . . . . . . . . . . . .   4
     2.4.  Client Enabled  . . . . . . . . . . . . . . . . . . . . .   5
     2.5.  Client Credential Changed . . . . . . . . . . . . . . . .   5
   3.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   This specification is based on RISC Profile [RISC-PROFILE] and uses
   the subject identifiers defined there.

   The "aud" claim identifies the OAuth 2 client and its value SHOULD be
   the OAuth 2 [RFC6749] client id.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.




Scurtescu, et al.      Expires September 26, 2018               [Page 1]


                            oauth-event-types                 March 2018


2.  Event Types

   The base URI for OAuth Event Types is:
   http://schemas.openid.net/secevent/oauth/event-type/

2.1.  Token Revoked

   Event Type URI:
   http://schemas.openid.net/secevent/oauth/event-type/token-revoked

   Token Revoked signals that the token identified by this event was
   revoked.  The token is identified by the event-specific attributes
   described below.  The "subject" nested attribute is optional for
   this event; when present, it points to the account associated with
   the token.

   Attributes:

   o  token_type - required, describes the token type.  Possible values:

      *  refresh_token

      *  access_token

      *  authorization_code

   o  token_identifier_type - required, describes how the token is
      identified.  Possible values:

      *  token_string

      *  token_string_prefix

      *  token_string_hash

   o  token - required, the token identifier, as described by
      "token_identifier_type".

   o  token_string_hash_alg - optional, the token string hash algorithm,
      required if "token_identifier_type" is "token_string_hash".  TODO:
      possible values.

   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
       token-revoked": {
         "token_type": "refresh_token",
         "token_identifier_type": "token_string",
         "token": "7265667265736820746F6B656E20737472696E67"
       }
     }
   }

   _(the event type URI is wrapped, the backslash is the continuation
   character)_

                     Figure 1: Example: Token Revoked

2.2.  Tokens Revoked

   Event Type URI:
   http://schemas.openid.net/secevent/oauth/event-type/tokens-revoked

   Tokens Revoked signals that all tokens issued for the account
   identified by the subject have been revoked.

   Attributes: none

   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
       tokens-revoked": {
         "subject": {
           "subject_type": "iss-sub",
           "iss": "https://idp.example.com/",
           "sub": "7375626A656374"
         }
       }
     }
   }

   _(the event type URI is wrapped, the backslash is the continuation
   character)_

                     Figure 2: Example: Tokens Revoked

2.3.  Client Disabled

   Event Type URI:
   http://schemas.openid.net/secevent/oauth/event-type/client-disabled

   Client Disabled signals that the client identified by the "aud" claim
   has been disabled.  The client may be enabled (Section 2.4) in the
   future.

   Attributes: none

   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
       client-disabled": {}
     }
   }

   _(the event type URI is wrapped, the backslash is the continuation
   character)_

                    Figure 3: Example: Client Disabled

2.4.  Client Enabled

   Event Type URI:
   http://schemas.openid.net/secevent/oauth/event-type/client-enabled

   Client Enabled signals that the client identified by the "aud" claim
   has been enabled.

   Attributes: none

2.5.  Client Credential Changed

   Event Type URI:
   http://schemas.openid.net/secevent/oauth/event-type/client-
   credential-changed

   Client Credential Changed signals that one of the credentials of the
   client identified by the "aud" claim has changed.  For example, the
   client secret has changed.

   Attributes: none
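   The following is an added example of how an OAuth client might
   consume the five event types defined in Section 2; it is not part of
   this draft and not code from any of its authors.  It assumes the SET
   has already been verified and decoded into a JSON payload (signing
   and delivery are out of scope here), that "aud" may be a string or a
   list as JWT allows, that "subject" uses the "iss-sub" form shown in
   Figure 2, and, because the draft leaves "token_string_hash_alg"
   values as a TODO, that "sha-256" with a lowercase hex digest is an
   assumed placeholder.  The in-memory TokenStore and the sample
   payloads in demo() are constructed for the example; the payload
   values are the ones used in Figures 1 and 2.

```python
import hashlib
import hmac

BASE = "http://schemas.openid.net/secevent/oauth/event-type/"
TOKEN_REVOKED = BASE + "token-revoked"
TOKENS_REVOKED = BASE + "tokens-revoked"
CLIENT_DISABLED = BASE + "client-disabled"
CLIENT_ENABLED = BASE + "client-enabled"
CLIENT_CREDENTIAL_CHANGED = BASE + "client-credential-changed"

TOKEN_TYPES = {"refresh_token", "access_token", "authorization_code"}
IDENTIFIER_TYPES = {"token_string", "token_string_prefix", "token_string_hash"}
# The draft leaves the hash algorithm values as a TODO; "sha-256" with a
# lowercase hex digest is an assumed placeholder for this example only.
HASH_ALGS = {"sha-256": hashlib.sha256}


class InvalidEvent(ValueError):
    """Raised when an event breaks the attribute rules of Section 2."""


def validate_token_revoked(attrs):
    """Enforce the Token Revoked attribute rules (Section 2.1)."""
    for name in ("token_type", "token_identifier_type", "token"):
        if name not in attrs:
            raise InvalidEvent(f"missing required attribute {name!r}")
    if attrs["token_type"] not in TOKEN_TYPES:
        raise InvalidEvent(f"unknown token_type {attrs['token_type']!r}")
    kind = attrs["token_identifier_type"]
    if kind not in IDENTIFIER_TYPES:
        raise InvalidEvent(f"unknown token_identifier_type {kind!r}")
    # token_string_hash_alg is optional in general but required for hashes.
    if kind == "token_string_hash" and attrs.get("token_string_hash_alg") not in HASH_ALGS:
        raise InvalidEvent("token_string_hash requires a supported token_string_hash_alg")
    return attrs


def token_matches(attrs, stored):
    """True if a locally stored token string is the one the event identifies."""
    kind = attrs["token_identifier_type"]
    if kind == "token_string":
        return hmac.compare_digest(stored, attrs["token"])
    if kind == "token_string_prefix":
        return stored.startswith(attrs["token"])
    digest = HASH_ALGS[attrs["token_string_hash_alg"]](stored.encode()).hexdigest()
    return hmac.compare_digest(digest, attrs["token"])


class TokenStore:
    """Constructed in-memory client state: (issuer, sub) -> set of token strings."""

    def __init__(self):
        self.tokens = {}
        self.client_enabled = True
        self.credential_rotation_needed = False

    def add(self, iss, sub, token):
        self.tokens.setdefault((iss, sub), set()).add(token)

    def revoke_matching(self, attrs):
        removed = 0
        for held in self.tokens.values():
            gone = {t for t in held if token_matches(attrs, t)}
            held -= gone
            removed += len(gone)
        return removed

    def revoke_all_for(self, iss, sub):
        return len(self.tokens.pop((iss, sub), set()))


def process_set(payload, my_client_id, store):
    """Apply every OAuth event in a decoded SET payload; returns [(event URI, result)]."""
    aud = payload.get("aud")  # per Section 1 this is the OAuth 2 client id
    if my_client_id not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidEvent("SET is not addressed to this client id")
    results = []
    for uri, attrs in payload.get("events", {}).items():
        if uri == TOKEN_REVOKED:
            results.append((uri, store.revoke_matching(validate_token_revoked(attrs))))
        elif uri == TOKENS_REVOKED:
            subject = attrs.get("subject") or {}
            if subject.get("subject_type") != "iss-sub":  # other RISC subject types not handled here
                raise InvalidEvent("tokens-revoked needs an iss-sub subject")
            results.append((uri, store.revoke_all_for(subject["iss"], subject["sub"])))
        elif uri in (CLIENT_DISABLED, CLIENT_ENABLED):
            store.client_enabled = uri == CLIENT_ENABLED
            results.append((uri, store.client_enabled))
        elif uri == CLIENT_CREDENTIAL_CHANGED:
            store.credential_rotation_needed = True
            results.append((uri, True))
        else:
            results.append((uri, None))  # unknown event types are ignored, not an error
    return results


def demo():
    """Replay the draft's Figure 1 and Figure 2 payloads against a small store."""
    iss, sub, client = "https://idp.example.com/", "7375626A656374", "636C69656E745F6964"
    store = TokenStore()
    store.add(iss, sub, "7265667265736820746F6B656E20737472696E67")
    store.add(iss, sub, "second-refresh-token")
    store.add(iss, "other-subject", "other-token")
    fig1 = {"iss": iss, "jti": "1", "iat": 1508184845, "aud": client,
            "events": {TOKEN_REVOKED: {"token_type": "refresh_token",
                                       "token_identifier_type": "token_string",
                                       "token": "7265667265736820746F6B656E20737472696E67"}}}
    fig2 = {"iss": iss, "jti": "2", "iat": 1508184845, "aud": client,
            "events": {TOKENS_REVOKED: {"subject": {"subject_type": "iss-sub", "iss": iss, "sub": sub}}}}
    return process_set(fig1, client, store), process_set(fig2, client, store), store
```

   The audience check comes first: a SET whose "aud" is not this
   client's id must not cause local revocations, since every event
   below it is scoped to that client.  Token comparisons use
   constant-time equality so that a revocation feed cannot be used to
   probe token values through timing.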

3.  Normative References

   [JSON]     Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <https://www.rfc-editor.org/info/rfc7159>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/info/rfc6749>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RISC-PROFILE]
              OpenID Foundation, "RISC Profile".

   [SET]      IETF, "Security Event Token (SET)",
              <https://tools.ietf.org/html/draft-ietf-secevent-token>.

Authors' Addresses

   Marius Scurtescu
   Google

   Email: mscurtescu at google.com


   Annabelle Backman
   Amazon

   Email: richanna at amazon.com


   Phil Hunt
   Oracle Corporation

   Email: phil.hunt at yahoo.com


   John Bradley
   Yubico

   Email: secevemt at ve7jtb.com
