-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: [RP] same device uri and cross device security and implementation considerations #87
Conversation
Another important consideration is that the request_uri MUST NOT then be included in the metadata, since it may be extended with unique session identifiers Is there the same assumption for the redirect_uri? |
Which authentication are you referring to? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the sake of taking a thoughtful decision, I'd highlight:
- what are the security benefit of this choice?
- What are the implications?
Below follows its Base64 decoded content: | ||
|
||
.. code-block:: text | ||
eudiw://authorize?client_id=https://verifier.example.org&request_uri=https://verifier.example.org/request_uri | ||
eudiw://authorize?client_id=https://verifier.example.org&request_uri=https://verifier.example.org/request_uri/$unique-session-identifier |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I'm working on this every day, I understood what $unique-session-identifier
represents and where such value comes from. However, from the perspective of a new reader, I'm afraid it might look like a reference to an actual value mentioned somewhere else.
Would we spend a couple of lines on this value, explaining the meaning and the expected usage from the RP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can do that once the discussion in the introduction of this PR find an agreement
once we decide that's the way to go, this PR will have a section with the security and implementation considerations
the User authentication via Wallet
the user-agent needs to be redirected on the protected resource after the authentication happens. Otherwise the wallet made the authentication and the web page remains stucked on the qrcode page. So we have a UX requirement more than others.
request_uri cannot be used in the metadata, since every qrcode and every request_uri will be unique and one-time-use. |
Thanks for the explanation, I think I better understood what is this PR purpose. As far as my concerns, I see the following open points:
What do you think? |
|
|
@balanza the PR is now converted to a draft, since the decisions on this PR will produce the security/implementation considerations. I'm changing my mind day after day: I've realized that because:
the security consideration is that: with this nth proposal we can get back the static request_uri (but not a static signed request object, since the state and the nonce must change) |
@peppelinux let's break the proposal: The problem is well-defined: the RP must be aware of the status of each user authentication request, so that it can "refresh" the access page. I like your proposal of differentiating the QR for each interaction (session?). I think we can agree on that. What does the RP need? A Are you fine with this statement? Now let's find a form that is both elegant, safe, and easy to implement. Some options are:
(🚧=decision to take) |
Regarding the I'll give an example, if the within the metadata it is however possible to include a It will then be specified in the technical rules that |
@grausof unfortunately your proposal is out of standard, since a value in the metadata doesn't have placeholder or other elements that can be replaced please take my last proposal, where redirect_uri remains as it is in the current specs without any additional prefix (even if recommended by JAR) the RP internal architecture then has a custom endpoint that is used by the JS executed in the QRCode page to check the status of the request this is a security and implementative consideration, not normative, since every RP can implement it's internal api and resource whatever they wants, they just have to use the minimum requirements for interop. The security consideration is then needed, but a consideration is not normative. |
This is option 1 on my last comment and it doesn't imply placeholders in metadata. Here is an example:
All you need to do is confirm that the URL in the QR is a subpath of the URL in metadata. Have you considered option 2? At the extent of an extra query string field, we keep adherence to OIDC Federation standards regarding |
while the one contained in the metadata must be respected. We can take a decision looking also to JAR recommendation but for now I'm saying that we just need a specialized endpoint to check the session status and then authenticate the user-agent (cookie) and give the redirect to the protected resource for this reason, I'm going to remove the $session-unique-id from this PR and add a security/implementation consideration note once @fmarino-ipzs give review regarding the JAR recommandation to randomize the request_uri this makes sense if we remove the request_uri from the metadata and add normative language about the mandate to check that the FQDN contained in the URI MUST be the same of the one contained in the if ok for you I'll proceed, I look forward for your kind reply |
this PR brings the URI used in the Cross Device flow also in the Same Device flow
it also appends in the non-normative example of the request URI a
unique-session-id
webpathIn a Cross Device Flow the user-agent uses the JS (with WS or polling) made available in the QRCode Page to check if the authentication is successfully. For doing that it has to request to a specific URL (and also be authenticated with a session cookie that binds the unique-session-identifier, to avoid adversary to be able to made hijacks).
This opens a interesting scenario where the cross device flow is "animated" within the desktop user-agent with three different steps
In absence of a session-cookie linked to a cross device session-id the flow may be hijacked by an adversary that by stolen the sole session-id could authenticate using another user-agent