[Openid-specs-risc] Session Extension Event

Tim Cappalli Tim.Cappalli at microsoft.com
Sun Aug 23 23:37:19 UTC 2020


We don’t have an event type for “Session Events” (which I’d argue this is ultimately a session event), but I think this use case makes sense and should be added.

@Atul Tulshibagwale <atultulshi at google.com> are we still just making proposed changes on this doc (https://docs.google.com/document/d/1jT12NVfmEryytrPMpQiCzfOXQ-8HfQFnLQStoSAbFhY/)?

tim

From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
Date: Friday, August 21, 2020 at 20:24
To: openid-specs-risc at lists.openid.net <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] Session Extension Event
Hey all,

I'm picking up a conversation we didn't get to on our last call.

I'm interested in finding a way to act as an agent-based trust provider.

Our customers want to set a shorter session, and only extend the session if there is a reason to trust it. Our endpoint agent supplies trust to a user/device/session, but is not a prerequisite for a connection.  If the agent is not present, the user can still access the system but is required to derisk the situation themselves and provide the "extra" trust required, for example with an MFA challenge every 30 mins.  Customers actually see this as a motivation for their users to put security agents on their BYOD devices (e.g. install us or an MDM).

This is why I'm advocating for a "Session Extension" event.

Is there another way to implement this using events that are already defined?

Otherwise I will draft the event and send that around for review before our next call.

Cheers,
-dawud

--
Dawud Gordon, PhD
TWOSENSE.AI <http://twosense.ai/> | CEO & Co-Founder
195 Montague St, Brooklyn, NY 11201
+1 (845) 652 3579


On Tue, Aug 18, 2020 at 10:40 AM Dawud Gordon <dawud at twosense.ai> wrote:
Hello All,

On our last call, I proposed adding an event to extend a session for a user+device+session.

My goal was to enable CAE to perform with an IdP with a short session configuration, where signals and events keep sessions open when trusted, rather than only closing them when risk is identified.

This was met with some resistance and I understand that CAEP is designed for long sessions with external risk signals instead of trust signals.

From my perspective, we would only need one component for CAEP to support both modalities, which would be an event to push a trust-based session extension signal from a 3rd party to the IdP.

Without this, it would be an IdP specific implementation outside of CAEP.

Are there previous discussions on this I can catch up on? Or any blatant reasons I'm overlooking why this is a bad idea?

Thanks!

Cheers,
-dawud

--
Dawud Gordon, PhD
TWOSENSE.AI <http://twosense.ai/> | CEO & Co-Founder
195 Montague St, Brooklyn, NY 11201
+1 (845) 652 3579
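The flow Dawud describes above (a short default session, extended only when a third-party agent pushes a trust signal, with the user left to derisk via MFA otherwise) as an added receiver-side example; this is not code from the thread or from any CAEP/SSE draft. The event type URI, event payload, policy numbers and the HS256 shared secret are all assumptions made for the example.

```python
# Receiver-side (IdP) handling of a hypothetical CAEP "session extension" SET.
# Constructed example: the event type URI, payload, policy numbers and shared HMAC
# secret are assumptions; real SSE/CAEP SETs are JWS-signed with the transmitter's key.
import base64, hashlib, hmac, json

EXT_EVENT = "https://example.com/event-type/session-extension"  # hypothetical
ISSUER, AUDIENCE = "https://agent.example.com", "https://idp.example.com"
SECRET = b"constructed-demo-secret"
SESSION_TTL = 30 * 60     # short default session, as in the thread's use case
MAX_LIFETIME = 8 * 3600   # absolute cap that no amount of trust signals can exceed
MAX_EVENT_AGE = 5 * 60    # a stale trust signal is not a reason to extend

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_set(claims: dict) -> str:
    """Encode claims as a compact HS256-signed SET (typ 'secevent+jwt')."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_set(token: str) -> dict:
    """Verify the signature before trusting any claim; raise on failure."""
    head, body, sig = token.split(".")
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expect), sig):
        raise ValueError("bad SET signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def apply_extension(session: dict, token: str, seen_jti: set, now: int) -> dict:
    """Extend the session only on a fresh, unreplayed trust signal for the same
    subject; otherwise the user must derisk the session themselves (needs_mfa)."""
    try:
        c = verify_set(token)
    except ValueError:
        return {**session, "needs_mfa": True}
    ev = c.get("events", {}).get(EXT_EVENT, {})
    trusted = (c.get("iss") == ISSUER and c.get("aud") == AUDIENCE
               and 0 <= now - c.get("iat", 0) <= MAX_EVENT_AGE
               and c.get("jti") not in seen_jti
               and ev.get("subject") == session["subject"]
               and ev.get("device_trusted") is True)
    if not trusted:
        return {**session, "needs_mfa": True}
    seen_jti.add(c["jti"])  # replay protection: one extension per event
    new_exp = min(now + SESSION_TTL, session["started_at"] + MAX_LIFETIME)
    return {**session, "expires_at": max(session["expires_at"], new_exp), "needs_mfa": False}
```

The cap on `started_at + MAX_LIFETIME` is what keeps the "extend on trust" modality from turning a short session into an unbounded one.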
