From: Mario Loffredo <[email protected]>
Sent: Wednesday, October 19, 2022 5:13 AM
To: Pawel Kowalik <[email protected]>; [email protected]; Hollenbeck, Scott
<[email protected]>
Subject: [EXTERNAL] Re: [regext] I-D Action:
draft-ietf-regext-rdap-openid-18.txt
Caution: This email originated from outside the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe.
Il 18/10/2022 09:27, Pawel Kowalik ha scritto:
Am 17.10.22 um 15:32 schrieb Hollenbeck, Scott:
[SAH] This update addresses most of the feedback received during the
recent WG last call. There are still a few open issues for which I'm hoping to
see WG discussion:
Thank you Scott.
1. How do we address web service clients?
[PK] I think the elements we need for web service clients were already
elaborated in the discussion over the version 17.
I'm happy to support with text proposal if needed.
One additional point that appeared in the side discussion is whether such
client shall be able to request additional claims from the OP.
Currently the specification only allows RDAP server to request claims which
leaves the web client without such possibility, which in turn may end up in a
broken experience.
The proposal here is to add a "scope" query parameter to the /login path
which RDAP server may use to request additional claims from the OP on behalf of
the client.
2. Are there any security concerns associated with return of the
"userID", "iss", and "userClaims" members of the "farv1_session" data structure?
[PK] The specification does not foresee any (even optional) authentication
of the client application. In this sense each client has to be treated as a
public client.
There is a risk of malicious client obtaining access to those PII data
because all the user sees in the consent step is RDAP requesting data to the OP.
Device flow is in this sense more vulnerable to phishing attacks to obtain
PII and also access to RDAP data as such.
A countermeasure could be the RDAP server offering an own
consent/confirmation screen displaying some identifiable information about the
client requesting access.
[ML] Sounds unusual to me that an RP asks the end-user for the consent for
using claims on behalf of another application.
An RP should ask the user for that consent with respect to a precise purpose.
In addition, according to what is written about PII in the "Privacy
Considerations" section of OIDCC, "only necessary UserInfo data should be
stored at the Client and the Client SHOULD associate the received data with the
purpose of use statement." (please note that "Client" means the RP here)
That said, it seems to me that we are talikng about two different purposes
for two different applications.
In the proposed OpendID implementation, the RDAP server is the RP and its
purpose is to make access control decisions based on client identity while the
RDAP client purpose might be to improve the UX.
Therefore, IMO, an RDAP client other than a browser should be a registered
application that at login could ask the user for using some claims for its own
purpose.
As a consequence, the RDAP server shouldn't provide the client with the user
claims or, alternatively, should return only those claims that don't correspond
to PII.
[SAH] This sounds like another reason to NOT return the userClaims. Is that
the better way forward?
3. Anything else I might have inadvertently missed.
[ML] In the following sentence of section 3.1.3.6, I would clarify who
the word "server" refers to:
The server provides returned claims in the ID Token.
Given that the RDAP server no longer returns the ID Token since version -10,
guess it refers to the AS. Correct ?
[SAH] Correct. That exchange is between the OP and the RP.
Scott
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
