[OAUTH-WG] Last Call: (OAuth 2.0 Step-up Authentication Challenge Protocol) to Proposed Standard

2023-02-17 Thread The IESG


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'OAuth 2.0 Step-up Authentication Challenge Protocol' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-c...@ietf.org mailing lists by 2023-03-03. Exceptionally, comments may
be sent to i...@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract

   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   recentness when processing an authorization request.
The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/
No IPR declarations have been submitted directly on this I-D.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] AD review of draft-ietf-oauth-step-up-authn-challenge-08

2023-02-17 Thread Vittorio Bertocci
Thank you Roman!
We just published draft 11 with the two updates below; please let us know
if they address your comments satisfactorily.
Cheers
V.

*New language* for explaining levels, in *Protocol Overview*.

[..]Other methods of determining the authentication level by which the
access token was obtained are possible, per agreement by the authorization
server and the protected resource, but are beyond the scope of this
specification.

*It is worthwhile to remark that the notion of "authentication level", as
used in this document, represents an assessment the resource server
performs on specific authentication methods, to arbitrarily determine
whether it meets its own security criteria for the requested resource.
"Authentication level" in this specification does not imply, require, nor
refer to an absolute hierarchy of authentication methods expressed in
interoperable fashion. The notion of level emerges from the fact that the
resource server will accept some methods and reject others, hence
establishing a way of comparing methods that meets the intuitive notion of
"step up".*

Although the case[..]


*New language* for token caching in the same section.

This document doesn't recommend any specific token caching strategy, as
that will be dependent on the characteristics of every particular scenario
*and remains application-dependent as in the core OAuth cases.*



On Thu, Feb 2, 2023 at 11:31 AM Roman Danyliw  wrote:

> Hi Vittorio!
>
> Thanks for all of the proposed changes and explanations on where it might
> not make sense.  I’ve snipped the below thread down to the open issues.
> Bottom line, I think just a bit more explanatory text will help the reader
> understand the framing concepts or push the responsibility to applications.
>
> Roman
>
> *From:* Vittorio Bertocci 
> *Sent:* Thursday, January 12, 2023 4:11 PM
> *To:* Roman Danyliw 
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] AD review of
> draft-ietf-oauth-step-up-authn-challenge-08
>
> Thank you Roman for the super prompt and thorough review!
>
> We went ahead and published draft -10 incorporating your feedback and the
> changes described below. We are happy to make further changes as necessary,
> of course.
>
> Comments inline
>
> >** The text uses the phrase "authentication level" a few times.  Was that
> a phrase that was heavily negotiated?  To me a level implies some
> notion of linear progression -- level-n+1 is "more security" than level-n;
> and that there is some notion of hierarchy of level-n-1, level-n, and
> level-n+1.  I didn't see that in the construct of an acr claim.  My skim of
> the OIDC materials suggests that an acr is a label assigned to set
> requirements for a token.
>
> We use the term “authentication level” banking on the same intuition that
> propelled “step UP” in mainstream use. The concept of authentication level
> doesn’t require an absolute or even partial ordering on the domain, or that
> to be encoded in ACR. All that’s needed for the “authentication level”
> intuition to play out is for an RS to accept multiple ACR values, and to
> consider the authentication strength associated with certain values of ACR
> to meet its own bar for accessing a given resource. The RS interpretation
> of ACR can be entirely private, without relying on commonly accepted
> standard values, and its resulting hierarchy doesn’t need to be absolute or
> even a proper lattice. We presented this spec at various conferences, and
> the audience never seemed to have a hard time grasping the concept. On the
> other hand, we cannot be sure that they were thinking the above… they might
> just have assumed the absolute order you described :) Would some clarifying
> language summarizing the above help, in your opinion?
>
> [Roman] Thanks for explaining.  Can you add a bit more language to explain
> the terminology of “level” just as you did in the above text?
>
> >Is there a reference that can be provided to explain the hierarchy of
> levels?
>
> See above about whether an absolute hierarchy is strictly required. That
> said, the ACR definition in
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
> hints at the use of NIST assurance levels in ACR values, pointing at
> https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor11
> and mapping to
> 

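As an added example, not part of the draft or of this thread, the policy below shows the "authentication level" notion the new Protocol Overview text describes: a resource server's private per-resource sets of acceptable acr values plus a recentness bound, with no global ordering among methods. The acr values are constructed placeholders, and the error code and challenge parameter names are the ones the step-up draft defines as I recall them (treat them as an assumption here).

```python
# Added example (not from the draft or the thread): a resource server's
# private "authentication level" policy, expressed as per-resource sets of
# acceptable acr values plus a recentness bound, with no global ordering.
from dataclasses import dataclass
from typing import Optional

# Constructed acr values; real deployments pick their own or use a profile.
PWD, MFA, HWKEY = "urn:example:pwd", "urn:example:mfa", "urn:example:hwkey"

@dataclass(frozen=True)
class Requirement:
    acceptable_acr: frozenset          # RS accepts these and rejects all others
    max_age: Optional[int] = None      # seconds since auth event; None = any

# Per-resource policy. /payments accepts HWKEY but /legacy rejects it, so
# "level" here is not a linear hierarchy, only accept/reject sets.
POLICY = {
    "/profile":  Requirement(frozenset({PWD, MFA, HWKEY})),
    "/payments": Requirement(frozenset({MFA, HWKEY}), max_age=300),
    "/legacy":   Requirement(frozenset({PWD, MFA})),
}

def evaluate(resource: str, token_claims: dict, now: int) -> dict:
    """Decide whether the token's authentication event satisfies the
    resource's requirement. Returns {"ok": True} or a challenge dict naming
    what is missing. Error code and parameter names follow the step-up
    draft as the author recalls them (assumption); the accept/reject
    policy logic is the point."""
    req = POLICY[resource]
    acr = token_claims.get("acr")
    auth_time = token_claims.get("auth_time")
    problems = {}
    if acr not in req.acceptable_acr:
        problems["acr_values"] = " ".join(sorted(req.acceptable_acr))
    if req.max_age is not None:
        if auth_time is None or now - auth_time > req.max_age:
            problems["max_age"] = req.max_age
    if not problems:
        return {"ok": True}
    return {"ok": False, "error": "insufficient_user_authentication", **problems}

def challenge_header(decision: dict) -> str:
    """Render a failing decision as a WWW-Authenticate: Bearer challenge."""
    parts = [f'error="{decision["error"]}"']
    if "acr_values" in decision:
        parts.append(f'acr_values="{decision["acr_values"]}"')
    if "max_age" in decision:
        parts.append(f'max_age="{decision["max_age"]}"')
    return "Bearer " + ", ".join(parts)
```

The client reacts to the challenge by sending the AS an authorization request carrying the same acr_values and max_age, which is the second half of the mechanism the abstract describes.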
[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-11.txt

2023-02-17 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the 
IETF.

Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
Authors  : Vittorio Bertocci
           Brian Campbell
Filename : draft-ietf-oauth-step-up-authn-challenge-11.txt
Pages    : 17
Date     : 2023-02-17

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   recentness when processing an authorization request.


The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-11.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-11


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
