Oath

george.fletcher@oath.com

OpenID Connect Working Group OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. This document describes a current best practice that allows a mobile app to share the identity/authentication obtained by a different mobile app where both apps are issued by the same vendor.

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. As the industry moves to a more mobile oriented environment, vendors need a way to share identity across the multiple mobile apps they deploy. While the current OAuth2 best practice allows for SSO across any mobile app by sharing the session cookies in the system browser, this has risks such as a user clearing their system browser of cookies (possibly as requested by a customer care agent) or using private browsing on iOS and Android. On most mobile platforms, mobile apps signed by the same vendor certs can share information via the system "keychain (Account Manager on Android)". This document specifies a new scope, extends the token endpoint and profiles the OAuth2 token exchange spec allowing mobile apps to share identity (SSO) between apps produced and signed by the same vendor (i.e. signed with the same vendor cert).

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of this fixed-width font.

This specification uses the terms "Authorization Server", "Client", "Client Identifier", and "Redirection URI" defined by OAuth 2.0, the term "User Agent" defined by RFC 7230, the term "native app" defined by RFC 8252 and the terms defined by OpenID Connect Core 1.0. This specification also defines the following terms: Opaque value to the client, issued by the Authorization Server, that uniquely identifies the device instance and provides credentials for the device. Identifier for a Session.

| | | | | [2] /authorize | | | +----------------> | | | | | | | | [3] authenticate | | | <----------------| | | | | | | | [4] user creds | | | +----------------> | | | | | | | | [5] callback | | | | <----------------+ | [6] callback with code | | | <--------------+------------------+ | | | | | | [7] exchange code for tokens | | +----------------+-----------------------------------> | | | | | | [8] tokens (including device_secret) | | <--------------+------------------+------------------+ | | | | | | | | | | | | + + + + ]]>

Steps [1] - [8] are the standard OpenID Connect authorization_code flow with the following extensions. In step 2, the device_sso scope is specified signifying that the client is requesting a device_secret to be returned when the code is exchanged for tokens.

| | | | | | | | | | | [10] refresh, access, [device_secret] | | <----------------+------------------| | | | | | | | | | | | | + + + + ]]>

Step [9] invokes the /token endpoint with the token exchange profile passing the id_token obtained from the shared device storage, the client_id and the device secret. Step [10] returns the SSO generated refresh and access tokens for Native App #2.

The following sections describe the extensions required to the standard OIDC Authentication flow which will enable a second mobile app to share the authentication of the first mobile app where both mobile applications are signed by the same vendor certificates.

This specification defines a new scope value that is used to convey to the Authorization Server that when the code is exchanged for a token, a new device_secret will be returned in addition to the other tokens identified as part of the authorization request. The new scope value is defined as device_sso. When this scope is present on the authorization request, when the code is exchanged for tokens, a new device_secret will be returned.

The device secret contains relevant data to the device and the current users authenticated with the device. The device secret is completely Opaque to the client and as such it is RECOMMENDED that the device secret be implemented as a JWE encrypted for the Authorization Server. In the context of this extension the device secret may be shared between mobile apps that can obtain the value via the shared security mechanism (e.g. keychain on iOS). If a mobile app requests a device secret via the device_sso scope and a device_secret exists, then the client MUST provide the device_secret on the request to the /token endpoint to exchange code for tokens. The client MAY provide the device_secret to the /token endpoint during refresh token requests. The exact construction of the device_secret is out of scope for this specification.

During a normal user authentication via the system browser, after the mobile app receives the code and state response from the Authorization Server, this spec defines the following additional parameters to the /token endpoint for the authorization_code grant_type. OPTIONAL. This token SHOULD be provided if the client requested the device_sso scope and the client already has a device_secret available. If no device_secret is specified and the refresh_token contains the device_sso scope, a new device_secret will be generated.

When the authorization server receives the device_secret value it MUST process the authorization_code grant type per the OIDC spec with the following additions applying to the id_token. Add a ?ds_hash? claim to the id_token to represent a function of the device identifier. REQUIRED. The ds_hash value provides a binding between the id_token and the issued device_secret. The exact binding between the ds_hash and device_secret is not specified by this profile. As this binding is managed solely by the Authorization Server, the AS can choose how to protect the relationship between the id_token and device_secret. Add a session id to the id_token that represents the user?s current authentication session. REQUIRED. A string that uniquely identifies this user?s authentication ?session?. This value can be used in logout flows as well as the flow this spec is describing. For mobile apps where there is not explicit ?browser authentication? this value SHOULD represent the underlying session associated with the refresh_token. Note that the implementation of this spec and the specification of the ds_hash and sid value MUST NOT leak any data that would provide a security advantage to an attacker who gains access to the id_token. When the authorization server receives the device_secret it must validate the token. If the token is invalid it must be discarded and the request processed as if no device_secret was specified. If the authorization request included the device_sso scope then the authorization server MUST return a device_secret in the response. The device_secret is returned in the ?device_token? claim of the returned JSON data. If no devices_secret is specified, then the AS MUST generate the token. If a device_secret is specified and is valid, the AS MUST update the device_secret as necessary.

This section profiles the OAuth2 Token Exchange spec and describes the processing rules used to exchange a previous authentication for new refresh and access tokens requested by a mobile app created by the same vendor as the first mobile app and both apps signed by the same developer key.

The client MUST use the HTTP Basic Authentication method from RFC 6749 to authenticate the request to the token endpoint. Note that since the mobile app is using PKCE, the mobile app does not have a secret and will only specify the client_id in the HTTP Authorization header. This profile defines the use of the following token exchange parameters. REQUIRED. The value MUST be urn:ietf:params:oauth:grant-type:token-exchange REQUIRED. This parameter defines the logical purview of the returned tokens. For the purposes of this profile, this value MUST be the issuer URI for the OpenID Provider that issued the id_token used in this profile. REQUIRED. This parameter MUST contain the id_token obtained by the first native app. The id_token is used in the same manner as id_token_hint to identify the user to SSO into the invoking native app. REQUIRED. This parameter MUST contain the value: urn:ietf:params:oauth:token-type:id_token REQUIRED. This value defines the actor making the request which in this case is the device_secret issued to the device of the native application making the request. The device_secret MUST be presented per the definition of the urn:x-oath:params:oauth:token-type:device-secret token identifier described below. REQUIRED. This value MUST be: urn:x-oath:params:oauth:token-type:device-secret OPTIONAL. The scopes required by the requesting native application. OPTIONAL. The desired token(s) to be returned. This profile also defines the following token type identifiers. This token type identifier is used to describe the device_secret specified in the actor_token parameter.

When a mobile app wants to request ?native SSO? (i.e. obtain refresh and access tokens for an already signed in user) it makes a standard OAuth2 /token endpoint request following the profile for Token Exchange defined above.

&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid-token &actor_token=95twdf3w4y6wvftw35634t &actor_token_type=urn%3Ax-oath%3Aparams%3Aoauth%3Atoken-type%3Adevice-secret ]]>

The client_id in this request is sent via the HTTP Basic Authentication method using the HTTP Authorization header.

When the authorization server receives a request at the token endpoint conforming to this profile it MUST perform the following checks before issuing any tokens. Validate the device_secret to ensure the token is still valid. The format of this secret is defined by the Authorization server and is out of scope for this specification. Verify that the binding between the id_token and the device_secret as defined in the extension to the /token response. Verify that the session id in the id_token (?sid? claim) is still valid. If the session is no longer valid, the AS MUST return an error of ?invalid_grant?. Validate that the client requesting native SSO is authorized to do so. The AS SHOULD maintain a list of client_ids that can share user authentications. For example, the AS MAY take the ?aud? claim from the id_token and the client_id from the token request and ensures that both client_ids are allowed to share user authentications. The AS SHOULD verify that the scopes requested by the client in the token request (either default scopes or explicitly specified in the optional ?scope? parameter) do NOT require explicit user consent. If any requested scopes require explicit user consent the AS SHOULD fail the request and return an error of ?invalid_scope?. Based on the AS definition of the device_secret, the AS may perform addition check to ensure the security of the request. Provided the above criteria is met, the AS will issue a normal Token Response object containing a refresh_token, access_token and id_token issued to the client_id of the mobile app making the request. The session associated with the new refresh_token SHOULD be the same as that used to verify the validity of the SSO exchange. If that session expires, all refresh_tokens associated with it MUST be invalidated.

The Token Exchange response for this profile has the following characteristics: REQUIRED. This response field contains the access token issued to the mobile client identified by the client_id sent in the Authorization header. REQUIRED. This value of this parameter MUST be: urn:ietf:params:oauth:token-type:access_token REQUIRED. The value of this parameter MUST be bearer. REQUIRED. Identifies when the access_token expires. OPTIONAL. Follows the token exchange spec definition. REQUIRED. A refresh_token that the mobile app can use to obtain additional access_tokens when the access_token expires. REQUIRED. The AS MUST return either a new or updated device_secret in the response. In the case of any errors, the AS MUST return a valid OAuth2 Error response as described in Section 2.2.2 of the Token Exchange spec.

Sufficient care must be made to protect the device_secret. The device secret SHOULD be encrypted by the Authorization Service and periodically refreshed via the mechanisms described in this specification.

This specification registers the following Claim in the IANA "JSON Web Token Claims" registry established by .

Claim Name: sid Claim Description: Session ID Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net Specification Document(s): OPLogout of this specification

This specification registers the following client metadata definitions in the IANA "OAuth Dynamic Client Registration Metadata" registry established by :

Client Metadata Name: frontchannel_logout_uri Client Metadata Description: RP URL that will cause the RP to log itself out when rendered in an iframe by the OP Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net Specification Document(s): RPLogout of this specification Client Metadata Name: frontchannel_logout_session_required Client Metadata Description: Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net Specification Document(s): RPLogout of this specification

Ping Identity Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Nomura Research Institute, Ltd. Ping Identity Microsoft Illumila Nomura Research Institute, Ltd. Ping Identity Microsoft Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Illumila Microsoft Ping Identity IANA IANA Microsoft Ping Identity Nomura Research Institute, Ltd.

The OpenID Community would like to thank the following people for their contributions to this specification: Nat Sakimura, Nomura Reserach Institute, Ltd.

[[ To be removed from the final specification ]] -00 Initial Draft.