[Openid-specs-risc] RISC Notes 3/19
Marius Scurtescu
mscurtescu at google.com
Mon Mar 26 05:54:21 UTC 2018
Forgot to provide a changelog for RISC Event Type. Here it is:
- account-deleted renamed to account-purged
- cause-time attribute dropped
- new-value attribute made optional
- identifier-changed event clarifications
I also created a new spec with OAuth event types, attached. We can discuss
them on the call tomorrow.
Best,
Marius
On Sat, Mar 24, 2018 at 12:34 PM, Marius Scurtescu <mscurtescu at google.com>
wrote:
> Attached is the updated risc-event-types.txt, based on feedback from past
> two meetings.
>
> Another question came up, do we really need both "Opt In" and "Opt Out
> Cancelled". Both signal that the account is back to Opt In state, the only
> difference is from what state did the transition happened. Maybe just "Opt
> In" with an optional attribute like "previous-state", if that is important?
>
> Happy weekend and safe travels for those returning from IETF 101,
> Marius
>
> PS Working on OAuth events, will send later today or tomorrow.
>
>
> On Mon, Mar 19, 2018 at 5:19 PM, Luke Camery via Openid-specs-risc <
> openid-specs-risc at lists.openid.net> wrote:
>
>> Summary
>> Thanks everyone for attending despite the busy week with IETF. We will
>> continue next week at 3:30pm PST with a discussion of the updated specs and
>> updates on the issues in the tracker.
>>
>> Attendees: Luke Camery, Tushar Pradhan, Marius Scurtescu, Adam Dawes
>>
>> ACTION ITEMS
>> - AI: Marius will renew this document by next week
>> - AI: Marius to take on figuring out oauth events
>> - AI: Marius remind Annabelle and Chair to resolve this at secevents
>>
>> FULL NOTES
>> - Opt out / opt in / opt in cancel / opt out requested
>> - Most likely opt out will become an extra hijacking signal
>> - Four state change give you a great picture
>> - Tushar: Publish some timeframe to make abuse work easier
>> - Recovery Activated
>> - Positive sentiment from google
>> - Confusion about identifier versus recovery
>> - Need to clarify this in a description body
>> - Recovery Information Change
>> - Positive sentiment from google
>> - Token and Sessions Revoked
>> - Not risk (or risc) events
>> - Token lifecycle / oauth events
>> - oauth client disabled or recycled
>> - oauth IETF working group or RISC working group?
>> - Tushar agrees in separating it out and linking oauth specific events to
>> oauth
>> - Tushar agrees it's important though with a different mechanism
>> - AI: Marius will renew this document by next week
>> - AI: Marius to take on figuring out oauth events
>> - Update: Marius and Phil discussed the delivery spec
>> - Multiple delivery methods required one mandatory (Phil)
>> - Others disagree with Phil on this point
>> - AI: Raise issues with the chairs on mandatory to implement
>> - Phil is thinking of hybrid method that covers both
>> - Marius thinks hybrid could be better than polling, but push is by far
>> the best and needs to be preserved
>> - AI: Marius remind Annabelle and Chair to resolve this at secevents
>> - Update on secevents work for RISC, but not working group AIs
>>
>> --
>> Luke Camery
>> Associate Product Manager
>> Federated Identity
>>
>
-------------- next part --------------
M. Scurtescu
Google
A. Backman
Amazon
P. Hunt
Oracle
J. Bradley
Yubico
March 25, 2018
OAuth Event Types
oauth-event-types-00
Abstract
This document defines the OAuth Event Types. Event Types are
introduced and defined in Security Event Token (SET) [SET].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 1
2. Event Types . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1. Token Revoked . . . . . . . . . . . . . . . . . . . . . . 2
2.2. Tokens Revoked . . . . . . . . . . . . . . . . . . . . . 3
2.3. Client Disabled . . . . . . . . . . . . . . . . . . . . . 4
2.4. Client Enabled . . . . . . . . . . . . . . . . . . . . . 5
2.5. Client Credential Changed . . . . . . . . . . . . . . . . 5
3. Normative References . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
This specification is based on RISC Profile [RISC-PROFILE] and uses
the subject identifiers defined there.
The "aud" claim identifies the OAuth 2 client and its value SHOULD be
the OAuth 2 [RFC6749] client id.
1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Scurtescu, et al. Expires September 26, 2018 [Page 1]
oauth-event-types March 2018
2. Event Types
The base URI for OAuth Event Types is:
http://schemas.openid.net/secevent/oauth/event-type/
2.1. Token Revoked
Event Type URI:
http://schemas.openid.net/secevent/oauth/event-type/token-revoked
Token Revoked signals that the token identified by this event was
revoked. The token is identified by the event-specific attributes
described below. The "subject" nested attribute is optional for
this event and points to the account associated with the token.
Attributes:
o token_type - required, describes the token type. Possible values:
* refresh_token
* access_token
* authorization_code
o token_identifier_type - required, describes how the token is
identified. Possible values:
* token_string
* token_string_prefix
* token_string_hash
o token - required, the token identifier, as described by
"token_identifier_type".
o token_string_hash_alg - optional, the token string hash algorithm,
required if "token_identifier_type" is "token_string_hash". TODO:
possible values.
   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
   token-revoked": {
         "token_type": "refresh_token",
         "token_identifier_type": "token_string",
         "token": "7265667265736820746F6B656E20737472696E67"
       }
     }
   }
_(the event type URI is wrapped, the backslash is the continuation
character)_
Figure 1: Example: Token Revoked
2.2. Tokens Revoked
Event Type URI:
http://schemas.openid.net/secevent/oauth/event-type/tokens-revoked
Tokens Revoked signals that all tokens issued for the account
identified by the subject have been revoked.
Attributes: none
   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
   tokens-revoked": {
         "subject": {
           "subject_type": "iss-sub",
           "iss": "https://idp.example.com/",
           "sub": "7375626A656374"
         }
       }
     }
   }
_(the event type URI is wrapped, the backslash is the continuation
character)_
Figure 2: Example: Tokens Revoked
2.3. Client Disabled
Event Type URI:
http://schemas.openid.net/secevent/oauth/event-type/client-disabled
Client Disabled signals that the client identified by the "aud" claim
has been disabled. The client may be enabled (Section 2.4) in the
future.
Attributes: none
   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "http://schemas.openid.net/secevent/oauth/event-type/\
   client-disabled": {}
     }
   }
_(the event type URI is wrapped, the backslash is the continuation
character)_
Figure 3: Example: Client Disabled
2.4. Client Enabled
Event Type URI:
http://schemas.openid.net/secevent/oauth/event-type/client-enabled
Client Enabled signals that the client identified by the "aud" claim
has been enabled.
Attributes: none
2.5. Client Credential Changed
Event Type URI:
http://schemas.openid.net/secevent/oauth/event-type/client-credential-changed
Client Credential Changed signals that one of the credentials of the
client identified by the "aud" claim has changed. For example the
client secret has changed.
Attributes: none
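As an added example (not code from the draft or from the RISC working group), the following Python validator takes the decoded claims set of a SET carrying one of the five event types of Section 2 and enforces the rules stated in Sections 1 and 2: the "aud" claim must name the receiving client, "token_type" and "token_identifier_type" must take one of the listed values, "token_string_hash_alg" must be present when the identifier is a hash, the subject is optional for Token Revoked and required for Tokens Revoked, and the three client events carry no attributes. Assumptions are marked in the comments: JWT signature verification happens before this code runs, only the "iss-sub" subject shape from Figure 2 is checked in detail, and because the draft leaves the hash algorithm names as TODO only the presence of "token_string_hash_alg" is checked. The sample payloads are Figures 1 and 2 with the wrapped URI joined and the trailing commas removed.

```python
"""Validator for the OAuth event types of oauth-event-types-00 (added example).

Input is the decoded JWT claims set of a Security Event Token; signature
verification of the JWT is assumed to have been done by the caller.
"""
from typing import Any

BASE_URI = "http://schemas.openid.net/secevent/oauth/event-type/"
TOKEN_REVOKED = BASE_URI + "token-revoked"
TOKENS_REVOKED = BASE_URI + "tokens-revoked"
CLIENT_DISABLED = BASE_URI + "client-disabled"
CLIENT_ENABLED = BASE_URI + "client-enabled"
CLIENT_CREDENTIAL_CHANGED = BASE_URI + "client-credential-changed"
KNOWN_EVENT_TYPES = {TOKEN_REVOKED, TOKENS_REVOKED, CLIENT_DISABLED,
                     CLIENT_ENABLED, CLIENT_CREDENTIAL_CHANGED}

# Enumerations from Section 2.1 (Token Revoked).
TOKEN_TYPES = {"refresh_token", "access_token", "authorization_code"}
TOKEN_IDENTIFIER_TYPES = {"token_string", "token_string_prefix", "token_string_hash"}


class SetValidationError(ValueError):
    """The payload violates a rule of the draft (or an assumption noted below)."""


def _check_subject(subject: Any) -> dict:
    """Check the nested subject; only the iss-sub shape of Figure 2 is known here."""
    if not isinstance(subject, dict) or "subject_type" not in subject:
        raise SetValidationError("subject must be an object with subject_type")
    if subject["subject_type"] == "iss-sub":
        for key in ("iss", "sub"):
            if not isinstance(subject.get(key), str) or not subject[key]:
                raise SetValidationError(f"iss-sub subject is missing {key}")
    return subject


def _check_token_revoked(attrs: dict) -> dict:
    """Apply the attribute rules of Section 2.1."""
    token_type = attrs.get("token_type")
    if token_type not in TOKEN_TYPES:
        raise SetValidationError(f"invalid token_type {token_type!r}")
    ident_type = attrs.get("token_identifier_type")
    if ident_type not in TOKEN_IDENTIFIER_TYPES:
        raise SetValidationError(f"invalid token_identifier_type {ident_type!r}")
    token = attrs.get("token")
    if not isinstance(token, str) or not token:
        raise SetValidationError("token is required")
    hash_alg = attrs.get("token_string_hash_alg")
    # The draft lists the algorithm names as TODO, so only presence is checked
    # when the identifier is a hash (assumption, not a rule of the draft).
    if ident_type == "token_string_hash" and not (isinstance(hash_alg, str) and hash_alg):
        raise SetValidationError("token_string_hash_alg is required for token_string_hash")
    return {"token_type": token_type, "token_identifier_type": ident_type,
            "token": token, "token_string_hash_alg": hash_alg}


def validate_oauth_set(claims: dict, expected_issuer: str, client_id: str) -> list:
    """Return the validated events of a SET payload, or raise SetValidationError."""
    for claim in ("iss", "jti", "iat", "aud", "events"):
        if claim not in claims:
            raise SetValidationError(f"missing claim {claim}")
    if claims["iss"] != expected_issuer:
        raise SetValidationError("unexpected issuer")
    if not isinstance(claims["iat"], (int, float)):
        raise SetValidationError("iat must be a NumericDate")
    # Section 1: "aud" SHOULD be the OAuth 2 client id of the receiving client.
    aud = claims["aud"]
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise SetValidationError("SET is not addressed to this client")
    events = claims["events"]
    if not isinstance(events, dict) or not events:
        raise SetValidationError("events must be a non-empty object")
    validated = []
    for uri, attrs in events.items():
        if uri not in KNOWN_EVENT_TYPES:
            raise SetValidationError(f"unknown event type {uri}")
        if not isinstance(attrs, dict):
            raise SetValidationError(f"{uri}: attributes must be an object")
        event = {"type": uri, "client_id": client_id, "jti": claims["jti"]}
        if uri == TOKEN_REVOKED:
            event.update(_check_token_revoked(attrs))
            if "subject" in attrs:  # optional for this event type
                event["subject"] = _check_subject(attrs["subject"])
        elif uri == TOKENS_REVOKED:
            # "all tokens issued for the account identified by the subject"
            if "subject" not in attrs:
                raise SetValidationError("tokens-revoked requires a subject")
            event["subject"] = _check_subject(attrs["subject"])
        # client-disabled, client-enabled and client-credential-changed carry
        # no attributes; the affected client is the "aud" claim checked above.
        validated.append(event)
    return validated


# Constructed samples: Figures 1 and 2 of the draft with the event type URI
# unwrapped and the trailing commas removed so that they are valid JSON.
FIGURE_1 = {
    "iss": "https://idp.example.com/", "jti": "756E69717565206964656E746966696572",
    "iat": 1508184845, "aud": "636C69656E745F6964",
    "events": {TOKEN_REVOKED: {"token_type": "refresh_token",
                               "token_identifier_type": "token_string",
                               "token": "7265667265736820746F6B656E20737472696E67"}},
}
FIGURE_2 = {
    "iss": "https://idp.example.com/", "jti": "756E69717565206964656E746966696572",
    "iat": 1508184845, "aud": "636C69656E745F6964",
    "events": {TOKENS_REVOKED: {"subject": {"subject_type": "iss-sub",
                                            "iss": "https://idp.example.com/",
                                            "sub": "7375626A656374"}}},
}
```

A receiver would call validate_oauth_set(claims, expected_issuer, its_client_id) after verifying the JWT, and act on the returned list: revoke the named token or all tokens of the subject, or stop using the client identified by "aud". Rejecting a SET whose "aud" is not the receiver's own client id is what keeps one client from acting on revocation events meant for another.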
3. Normative References
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
2014, <https://www.rfc-editor.org/info/rfc7159>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<https://www.rfc-editor.org/info/rfc6749>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RISC-PROFILE]
OpenID Foundation, "RISC Profile".
[SET] IETF, "Security Event Token (SET)",
<https://tools.ietf.org/html/draft-ietf-secevent-token>.
Authors' Addresses
Marius Scurtescu
Google
Email: mscurtescu at google.com
Annabelle Backman
Amazon
Email: richanna at amazon.com
Phil Hunt
Oracle Corporation
Email: phil.hunt at yahoo.com
John Bradley
Yubico
Email: secevemt at ve7jtb.com