<div dir="ltr">Good discussion. Torsten, could you put this in the issue tracker? </div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 7, 2018 at 12:02 AM George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    I'm good with adding an additional error response; I just like
    "authentication_failed" much better than something that indicated
    part of the authentication succeeded and part failed. Just being
    generic and saying that authentication failed still allows the
    client to try a different set of ACR values if it wants and it
    doesn't leak anything to the attacker (e.g. the password you gave is
    good, just not the second factor).<br>
    <br>
    Thanks,<br>
    George</div><div text="#000000" bgcolor="#FFFFFF"><br>
    <br>
    <div class="m_9083019212188115991moz-cite-prefix">On 6/5/18 4:13 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote type="cite">
      
      I think I see now…the last sentence isn’t clear on *how* the AS/OP
      treats the authen as failed.
      <div> <br>
        <div>
          <div>Phil</div>
          <div><br>
          </div>
          <div>Oracle Corporation, Identity Cloud Services Architect</div>
          <div>@independentid</div>
          <div><a href="http://www.independentid.com" target="_blank">www.independentid.com</a></div>
          <a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>
        </div>
        <div><br>
          <blockquote type="cite">
            <div>On Jun 5, 2018, at 1:09 PM, Torsten
              Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>>
              wrote:</div>
            <br class="m_9083019212188115991Apple-interchange-newline">
            <div>
              <div style="word-wrap:break-word;line-break:after-white-space"><br>
                <br>
                <blockquote type="cite">On 04.06.2018 at 18:42,
                  Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>> wrote:<br>
                  <br>
                  I seem to recall Mike indicating that just because the
                  OP could not meet the ACR requested, the RP/Client may
                  still choose to accept the authentication at some
                  reduced or alternate set of methods.  IOW a fail to
                  meet the ACR is not necessarily a fail.<br>
                </blockquote>
                <div><br>
                </div>
                <div><br>
                </div>
                That’s correct - if the acr claim was not requested as
                an essential claim. 
                <div><br>
                </div>
                <div>For your convenience, here is the
                  respective spec text again: <br>
                  <div><br>
                  </div>
                  <div>"If the acr Claim is requested as an
                    Essential Claim for the ID Token with<br>
                    a values parameter requesting specific
                    Authentication Context Class<br>
                    Reference values and the implementation supports the
                    claims parameter, the<br>
                    Authorization Server MUST return an acr Claim Value
                    that matches one of the<br>
                    requested values. The Authorization Server MAY ask
                    the End-User to<br>
                    re-authenticate with additional factors to meet this
                    requirement. <b>If this<br>
                      is an Essential Claim and the requirement cannot
                      be met, then the<br>
                      Authorization Server MUST treat that outcome as a
                      failed authentication<br>
                      attempt</b>."</div>
                  <div><br>
                  </div>
                  <div>I personally think the spec lacks a
                    suitable error definition.</div>
                  <div><br>
                    <blockquote type="cite"><br>
                      That said, no authentication at all should lead to
                      an access_denied error at minimum.<br>
                      <br>
                      Phil<br>
                      <br>
                      Oracle Corporation, Identity Cloud Services
                      Architect<br>
                      @independentid<br>
                      <a href="http://www.independentid.com/" target="_blank">www.independentid.com</a><br>
                      <a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a><br>
                      <br>
                      <blockquote type="cite">On Jun 4, 2018,
                        at 9:34 AM, Torsten Lodderstedt
                        <a class="m_9083019212188115991moz-txt-link-rfc2396E" href="mailto:torsten@lodderstedt.net" target="_blank">&lt;torsten@lodderstedt.net&gt;</a> wrote:<br>
                        <br>
                        <br>
                        <br>
                        <blockquote type="cite">On 01.06.2018
                          at 19:39, George Fletcher
                          <a class="m_9083019212188115991moz-txt-link-rfc2396E" href="mailto:gffletch@aol.com" target="_blank">&lt;gffletch@aol.com&gt;</a> wrote:<br>
                          <br>
                          I think I'd prefer either 'access_denied' as
                          defined by RFC 6749 or an
                          'authentication_failed' error that is a little
                          more generic than
                          'unable_to_meet_authentication_requirements'
                          which I feel is leaking aspects of
                          the authentication that shouldn't be exposed
                          to the client.<br>
                        </blockquote>
                        <br>
                        Take into account the RP asked for a certain
                        ACR, which the OP was unable to comply with. <br>
                        <blockquote type="cite"><br>
                          In the use case you provided Torsten, there
                          isn't anything the RP can do as the user first
                          needs to enable 2SV on their account at the
                          OP.<br>
                        </blockquote>
                        <br>
                        It can use another OP or implement the desired
                        use case using local means.<br>
                        <br>
                        <blockquote type="cite"><br>
                          Thanks,<br>
                          George<br>
                          <br>
                          On 5/29/18 6:06 AM, Torsten Lodderstedt via
                          Openid-specs-ab wrote:<br>
                          <blockquote type="cite">That’s rather
                            tricky. The OP must use this parameter to
                            indicate to the RP what acr policy it
                            fulfilled in the respective transaction. The
                            value in acr is not necessarily the value
                             the RP asked for. But this only holds true
                             if the acr claim was not requested as an
                             essential claim. In this case, the OP
                             "MUST treat that outcome as a failed
                             authentication attempt." In my
                            interpretation, this requires the OP to send
                            an error response to the client, which only
                            carries the error data.  <br>
                            <br>
                            <br>
                            <blockquote type="cite">On
                              28.05.2018 at 05:29, Phil Hunt
                              <a class="m_9083019212188115991moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com" target="_blank">&lt;phil.hunt@oracle.com&gt;</a>
                              wrote:<br>
                              <br>
                              Isn’t this what the acr response param is
                              for...<br>
                              <br>
                              acr<br>
                              OPTIONAL. Authentication Context Class
                              Reference. String specifying an
                              Authentication Context Class Reference
                              value that identifies the Authentication
                              Context Class that the authentication
                              performed satisfied. The value "0"
                              indicates the End-User authentication did
                              not meet the requirements of ISO/IEC 29115
                              [ISO29115] level 1. <br>
                              <br>
                              Phil<br>
                              <br>
                               On May 27, 2018, at 9:00 AM, Torsten
                               Lodderstedt via Openid-specs-ab
                               <a class="m_9083019212188115991moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net" target="_blank">&lt;openid-specs-ab@lists.openid.net&gt;</a>
                               wrote:<br>
                              <br>
                              <br>
                              <blockquote type="cite">Hi
                                Vladimir,<br>
                                <br>
                                <br>
                                <blockquote type="cite">On
                                  26.05.2018 at 23:42, Vladimir
                                  Dzhuvinov via Openid-specs-ab
                                  <a class="m_9083019212188115991moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net" target="_blank">&lt;openid-specs-ab@lists.openid.net&gt;</a>
                                  wrote:<br>
                                  <br>
                                  If you're looking for a standard error
                                  code for "user failed to authenticate
                                  (with required ACR)", access_denied
                                  appears to be the closest and only
                                  choice. What the RP would make of that
                                  error code is another question :)<br>
                                  <br>
<a class="m_9083019212188115991moz-txt-link-freetext" href="http://openid.net/specs/openid-connect-core-1_0.html#AuthError" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#AuthError</a><br>
                                  <br>
                                  <br>
                                  In practice, many OPs won't send the
                                  browser back to the RP if the user
                                  failed to authenticate, i.e. the
                                  browser will remain at the login
                                  screen, with the user given the option
                                  for some sort of recovery and
                                  perhaps the option to cancel the
                                  request and return to the RP.<br>
                                  As for login_required and
                                  interaction_required - my reading of
                                  the spec is that these are intended
                                  for error responses to prompt=none
                                  authentication requests and shouldn't
                                  be used to signal other conditions.<br>
                                  <br>
<a class="m_9083019212188115991moz-txt-link-freetext" href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest</a><br>
                                </blockquote>
                                That’s my problem. In my use case, the
                                OP is unable to meet the RP’s
                                requirements either entirely or for the
                                particular user (e.g. no second factor
                                available). I think stopping request
                                processing at the OP is not a good
                                option. I would like to send the user
                                agent back to the RP along with enough
                                information to act upon. My current
                                feeling is we need another, distinct
                                error code - something like
                                authentication_failed
                                or unable_to_meet_authentication_requirements.<br>
                                <br>
                                best regards,<br>
                                Torsten. <br>
                                <br>
                                <br>
                                <blockquote type="cite"><br>
                                  <blockquote type="cite">none<br>
                                    The Authorization Server MUST NOT
                                    display any authentication or
                                    consent user interface pages. An
                                    error is returned if an End-User is
                                    not already authenticated or the
                                    Client does not have pre-configured
                                    consent for the requested Claims or
                                    does not fulfill other conditions
                                    for processing the request. The
                                    error code will typically be
                                    login_required,
                                    interaction_required, or another
                                    code defined in Section 3.1.2.6.
                                    This can be used as a method to
                                    check for existing authentication
                                    and/or consent.<br>
                                    <br>
                                  </blockquote>
                                  <br>
                                  Vladimir<br>
                                  <br>
                                  <br>
                                  On 25/05/18 18:41, Filip Skokan via
                                  Openid-specs-ab wrote:<br>
                                  <br>
                                  <blockquote type="cite">Depending
                                    on the situation at the OP I believe
                                    this could be any of (in<br>
                                    order of my preference)
                                    login_required,
                                    interaction_required, access_denied<br>
                                    <br>
                                    Best,<br>
                                    *Filip Skokan*<br>
                                    <br>
                                     On Fri, May 25, 2018 at 4:13 PM,
                                     Torsten Lodderstedt via
                                     Openid-specs-ab <<a class="m_9083019212188115991moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
                                     <br>
                                    <br>
                                    <blockquote type="cite">Hi
                                      all,<br>
                                      <br>
                                      I just came across the following
                                      text (again) in the OpenID Connect
                                      Core<br>
                                      Spec:<br>
                                      <br>
                                      "If the acr Claim is requested as
                                      an Essential Claim for the ID
                                      Token with<br>
                                      a values parameter requesting
                                      specific Authentication Context
                                      Class<br>
                                      Reference values and the
                                      implementation supports the claims
                                      parameter, the<br>
                                      Authorization Server MUST return
                                      an acr Claim Value that matches
                                      one of the<br>
                                      requested values. The
                                      Authorization Server MAY ask the
                                      End-User to<br>
                                      re-authenticate with additional
                                      factors to meet this requirement.
                                      If this<br>
                                      is an Essential Claim and the
                                      requirement cannot be met, then
                                      the<br>
                                      Authorization Server MUST treat
                                      that outcome as a failed
                                      authentication<br>
                                       attempt."<br>
                                      <br>
                                      What error code is the OP supposed
                                      to use to signal the failed<br>
                                      authentication to the RP?<br>
                                      <br>
                                      best regards,<br>
                                      Torsten.<br>
                                      <br>
                                      <br>
                                    </blockquote>
                                  </blockquote>
_______________________________________________<br>
                                  Openid-specs-ab mailing list<br>
                                  <br>
                                  <a class="m_9083019212188115991moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a class="m_9083019212188115991moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
                                </blockquote>
                              </blockquote>
                            </blockquote>
                            <br>
                            <br>
                          </blockquote>
                          <br>
                        </blockquote>
                        <br>
                      </blockquote>
                      <br>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><p dir="ltr">Nat Sakimura</p>
<p dir="ltr">Chairman of the Board, OpenID Foundation</p>
</div>
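<p>An added example (not code from the thread or from any OpenID Foundation project) of how an OP could apply the quoted Core rule at its authorization endpoint: parse the claims request, and when acr is essential with specific values the OP did not achieve, send the user agent back to the RP with a generic error that does not reveal which factor succeeded. The error code (the spec defines none; the thread weighs access_denied against a new authentication_failed), the code-flow query-string encoding, the rp.example redirect URI and the urn:example ACR values are assumptions.</p>

```python
"""Decide an OP's authorization response for an 'acr' claims request.

Added example, not code from the thread or any OpenID Foundation project.
Applies the Core rule quoted in the thread: an Essential acr request with
specific values that the OP cannot meet is a failed authentication and the
user agent goes back to the RP with an error; otherwise the ID Token's acr
reports what was actually performed (not necessarily what the RP asked for).
Assumes the authorization code flow (error parameters in the query string).
"""
import json
from urllib.parse import urlencode

# Assumption: the spec defines no code for this case; the thread weighs
# access_denied (RFC 6749) against a new, generic authentication_failed.
FAILED_AUTH_ERROR = "access_denied"


def requested_acr(claims_param):
    """Return (essential, values) for the id_token acr request in the
    'claims' parameter, or (False, None) when acr is not requested."""
    if not claims_param:
        return False, None
    try:
        claims = json.loads(claims_param)
    except ValueError:
        return False, None
    if not isinstance(claims, dict):
        return False, None
    id_token = claims.get("id_token")
    acr = id_token.get("acr") if isinstance(id_token, dict) else None
    if not isinstance(acr, dict):
        # "acr": null means requested without constraint; absent = not requested
        return False, None
    values = acr.get("values")
    if values is None and "value" in acr:
        values = [acr["value"]]
    return bool(acr.get("essential", False)), values


def error_redirect(redirect_uri, state, error):
    """Build the error redirect. The description is deliberately generic so
    the client (or whoever drives it) learns nothing about which factor
    passed or failed; state is echoed so the RP can correlate the response."""
    params = {"error": error, "error_description": "authentication failed"}
    if state is not None:
        params["state"] = state
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode(params)


def authz_outcome(redirect_uri, state, claims_param, achieved_acr):
    """achieved_acr is the ACR the OP actually performed for this request,
    or None if the End-User did not authenticate at all."""
    if achieved_acr is None:
        # No authentication at all: an error (access_denied at minimum).
        return {"status": "error",
                "location": error_redirect(redirect_uri, state, FAILED_AUTH_ERROR)}
    essential, values = requested_acr(claims_param)
    if essential and values and achieved_acr not in values:
        # Essential acr with specific values the OP could not meet:
        # the spec says this MUST be treated as a failed authentication.
        return {"status": "error",
                "location": error_redirect(redirect_uri, state, FAILED_AUTH_ERROR)}
    # Success: acr carries what was performed, even if the RP asked
    # (non-essentially) for something else.
    return {"status": "ok", "id_token_claims": {"acr": achieved_acr}}


if __name__ == "__main__":
    # Constructed sample: RP requires MFA, user only has a password at this OP.
    claims = json.dumps({"id_token": {"acr": {"essential": True,
                                              "values": ["urn:example:acr:mfa"]}}})
    print(authz_outcome("https://rp.example/cb", "af0ifjsldkj", claims,
                        "urn:example:acr:pwd"))
```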