Session Date/Time: 28 Mar 2023 00:30
oauth
Summary
This meeting covered a range of topics related to OAuth and workload identity, including updates on existing drafts, discussion of client trust management, the PoP (proof-of-possession) security architecture, and the intersection of workload identity and SPIFFE. Discussions focused on clarifying existing specifications, identifying gaps in browser technology, and exploring potential solutions for secure storage of tokens. The meeting also addressed the need for clear guidance and collaboration between the different communities working on related problems.
Key Discussion Points
- SD-JWT: Discussion focused on media types for SD-JWT, selective disclosure of individual array elements, and JSON serialization of SD-JWT.
- Browser Based Apps: Discussion on a new section covering token storage options in browsers, particularly regarding HTTP-only cookies and the challenges of secure token storage due to browser limitations. A proposal was made to document the need for a better browser API for token storage.
- OAuth 2.1: Discussion on explicit resource owner authentication, repeated authorization requests, and scoping the native apps best current practice. Clarification was sought on the meaning of "involving the user" in authorization requests.
- Client Trust Management: Discussed the challenges in externally managing client IDs across diverse ecosystems, and presented a proposal for a new authorization request parameter "client_id_scheme" to indicate the method used for client identification.
- PoP Security Architecture: Addressed the revival of the proof-of-possession (PoP) security architecture draft and its relevance in the current landscape. Discussions focused on aligning existing drafts with its terminology and potentially extending OAuth 2.1.
- Workload Identity and SPIFFE: Explored the intersection of workload identity, SPIFFE (Secure Production Identity Framework for Everyone), and OAuth. Identified seven use cases related to interoperability and a need for best current practices to enable developers to connect ecosystems.
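As an added illustration of the "selective disclosure of individual array elements" item above (this code is not part of the minutes and not taken from the SD-JWT draft or any implementation; it assumes "SD" refers to SD-JWT), the following shows the mechanism end to end: the issuer replaces chosen array elements with `{"...": digest}` placeholders and hands the holder one disclosure per element, and the verifier rebuilds the array from whichever disclosures the holder chose to present. Salts are random, so digests differ on every run; the test data (country codes) is constructed for the example.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout SD-JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def array_disclosure(value) -> str:
    """Disclosure for a single array element: base64url(JSON([salt, value])).
    Unlike object-property disclosures there is no claim name, only salt and value."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, value], separators=(",", ":")).encode("utf-8"))


def digest(disclosure: str) -> str:
    """The digest is computed over the ASCII bytes of the base64url-encoded disclosure."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def conceal(values, hidden_indexes):
    """Issuer side: replace the chosen elements with {"...": digest} placeholders.
    Returns the array to embed in the JWT payload plus the disclosures for the holder."""
    payload_array, disclosures = [], []
    for i, value in enumerate(values):
        if i in hidden_indexes:
            d = array_disclosure(value)
            disclosures.append(d)
            payload_array.append({"...": digest(d)})
        else:
            payload_array.append(value)
    return payload_array, disclosures


def reveal(payload_array, presented_disclosures):
    """Verifier side: rebuild the array from the payload and the presented disclosures.
    Placeholders with no matching disclosure are simply omitted (element not disclosed);
    a presented disclosure that matches no placeholder means the presentation is bad."""
    by_digest = {}
    for d in presented_disclosures:
        h = digest(d)
        if h in by_digest:
            raise ValueError("duplicate disclosure digest")
        by_digest[h] = d

    result, used = [], set()
    for item in payload_array:
        if isinstance(item, dict) and set(item) == {"..."}:
            d = by_digest.get(item["..."])
            if d is None:
                continue
            parsed = json.loads(b64url_decode(d))
            if not (isinstance(parsed, list) and len(parsed) == 2):
                raise ValueError("array-element disclosure must be [salt, value]")
            result.append(parsed[1])
            used.add(item["..."])
        else:
            result.append(item)

    if used != set(by_digest):
        raise ValueError("presented disclosure does not match any placeholder")
    return result


if __name__ == "__main__":
    # Constructed sample: a nationalities claim where the holder may hide some entries.
    payload, disclosures = conceal(["DE", "FR", "US"], hidden_indexes={1, 2})
    print(json.dumps(payload))
    print(reveal(payload, disclosures[:1]))   # holder reveals only "FR"
```

Only array elements are covered here; object properties use the separate `_sd` digest list and three-element `[salt, name, value]` disclosures, which this example deliberately leaves out.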
Decisions and Action Items
- SD-JWT: The speakers will take feedback on media types and the other discussion points.
- Browser Based Apps:
- Incorporate HTTP-only cookies into the draft.
- The working group will reach out to the browser community to suggest a better API for token storage.
- OAuth 2.1:
- Clarify language around "involving the user" in authorization requests, focusing on consent and context rather than explicit authentication.
- Clarify that in some cases a silent refresh flow is needed, but be clear about the security implications.
- Scope the native apps best current practice recommendations specifically to mobile operating systems.
- PoP Security Architecture:
- The group will have more discussions regarding reviving the document.
- Workload Identity and SPIFFE:
- The group will reach out to connect communities.
Next Steps
- SD-JWT: Review API feedback.
- Browser Based Apps: Incorporate feedback and prepare for last call.
- OAuth 2.1: Incorporate feedback from the meeting and prepare for last call.
- PoP Security Architecture: Additional discussion regarding document revival and alignment with OAuth 2.1.
- Workload Identity and SPIFFE: Document the use cases and create a best current practice for developers.
Session Date/Time: 31 Mar 2023 00:30
oauth
Summary
This meeting covered several key topics related to OAuth, including JWT embedded tokens, cross-device flows, identity chaining, native apps, resource server metadata and authorization server discovery, and a new power-of-attorney-based authorization technique. The discussions highlighted the need for improved security and usability across various OAuth implementations.
Key Discussion Points
- JWT Embedded Tokens:
- Discussion around embedding multiple tokens from different issuers into one.
- Concerns raised about potential confusion and security implications, particularly around embedding access tokens.
- Action item to address concerns and bring to the mailing list.
- Cross-Device Flows:
- Focus on mitigating attacks that exploit cross-device authorization flows, where attackers trick users into granting unauthorized access.
- Discussion of pragmatic mitigations, alternative protocols, and foundational underpinnings.
- Consider using formal analysis to analyze protocols and mitigation effectiveness.
- Action item to connect with security usability researchers.
- Identity Chaining:
- Exploration of preserving identity and authorization context information across microservices and trust boundaries.
- Discussion on different approaches: embedded tokens, embedded claims, and reference-based identification.
- Consideration of scalability and latency issues in microservices environments.
- Native Apps:
- Addressing the challenges and security concerns associated with OAuth implementation in native mobile apps, particularly for first-party applications.
- Discussed potential solutions to provide a more seamless user experience while maintaining security, including a native apps flow parallel to the authorization code flow.
- Debate on whether to define the details of the back-and-forth communication within the flow or keep it out of scope.
- Resource Server Metadata and Authorization Server Discovery:
- Presented two approaches for enabling a resource server to identify authorization servers: a well-known location for metadata and providing the issuer in a WWW-Authenticate header.
- Concerns raised about phishing attacks and privacy implications of disclosing authorization server information.
- Discussed the need for security considerations and ways to ensure the process breaks gracefully if the authorization server is unaware of the spec.
- Proposed combining both approaches.
- Power of Attorney based Authorization Technique:
- Presented a new authorization technique based on the concept of power of attorney, allowing trusted devices or clients to act on behalf of a user, including multiple levels of delegation.
- Discussions on overlapping capabilities with existing authorization delegation models and Zebra.
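The following is an added example (not from the minutes, nor from either draft discussed) of what the "combine both approaches" proposal for resource server metadata and authorization server discovery could look like on the client side. The RFC 8414 path `/.well-known/oauth-authorization-server` is real; the resource metadata path `/.well-known/oauth-protected-resource`, the `authorization_servers` field, and the `iss` parameter in the `WWW-Authenticate` challenge are assumptions made for this example. The client takes the issuer hinted in the challenge, cross-checks it against the list the resource publishes (so an attacker who can inject a challenge cannot point the client at an issuer of their choice, the phishing concern raised in the meeting), validates the fetched metadata's `issuer` field against the URL it was fetched for, and returns `None` rather than failing loudly when neither mechanism is deployed. Network access is replaced by a constructed in-memory map of documents.

```python
import json
import re
from urllib.parse import urlsplit

# RFC 8414 metadata path (real). The resource metadata path, its "authorization_servers"
# field, and the "iss" challenge parameter are assumptions for this example.
AS_WELL_KNOWN = "/.well-known/oauth-authorization-server"
RS_WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Constructed stand-in for the web: URL -> JSON body. None of these hosts are real.
FAKE_WEB = {
    "https://api.example.com" + RS_WELL_KNOWN: json.dumps({
        "resource": "https://api.example.com",
        "authorization_servers": ["https://as.example.com"],
    }),
    "https://as.example.com" + AS_WELL_KNOWN: json.dumps({
        "issuer": "https://as.example.com",
        "authorization_endpoint": "https://as.example.com/authorize",
        "token_endpoint": "https://as.example.com/token",
    }),
    # A server that serves metadata claiming to be someone else (mix-up attempt).
    "https://evil.example" + AS_WELL_KNOWN: json.dumps({
        "issuer": "https://as.example.com",
        "token_endpoint": "https://evil.example/token",
    }),
}


def fake_fetch(url):
    """Stand-in for an HTTPS GET returning parsed JSON, or None for a 404."""
    body = FAKE_WEB.get(url)
    return json.loads(body) if body is not None else None


def parse_challenge(header):
    """Parse a Bearer challenge such as: Bearer realm="api", iss="https://as.example.com"."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {k.lower(): v for k, v in re.findall(r'([A-Za-z_]+)="([^"]*)"', params)}


def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def as_metadata_url(issuer):
    """RFC 8414 rule: insert the well-known segment between host and issuer path."""
    path = urlsplit(issuer).path.rstrip("/")
    return origin(issuer) + AS_WELL_KNOWN + path


def discover_authorization_server(resource_url, www_authenticate, fetch=fake_fetch):
    """Return validated AS metadata for the resource, or None if discovery is not deployed."""
    hinted = parse_challenge(www_authenticate).get("iss")

    rs_meta = fetch(origin(resource_url) + RS_WELL_KNOWN)
    allowed = rs_meta.get("authorization_servers", []) if rs_meta else []

    if hinted is not None:
        if not hinted.startswith("https://"):
            raise ValueError("issuer hint must be an https URL")
        # Cross-check the challenge against what the resource itself publishes.
        if allowed and hinted not in allowed:
            raise ValueError("challenge names an issuer the resource does not list")
        issuer = hinted
    elif allowed:
        issuer = allowed[0]
    else:
        return None  # neither mechanism present: break gracefully, let the caller fall back

    as_meta = fetch(as_metadata_url(issuer))
    if as_meta is None:
        return None
    # RFC 8414: the issuer in the document must equal the issuer it was fetched for.
    if as_meta.get("issuer") != issuer:
        raise ValueError("metadata issuer does not match the URL it was fetched from")
    return as_meta


if __name__ == "__main__":
    meta = discover_authorization_server(
        "https://api.example.com/v1/notes",
        'Bearer realm="api", error="invalid_token", iss="https://as.example.com"',
    )
    print(meta["token_endpoint"])
```

The remaining gap is a resource that publishes no metadata: the client then has nothing to cross-check the `iss` hint against and must rely on other policy (for example a pre-configured allow-list of issuers), which is the kind of point the security considerations discussed in the meeting would need to cover.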
Decisions and Action Items
- JWT Embedded Tokens: Bring the draft to the mailing list and answer questions.
- Cross-Device Flows: Connect with security usability researchers.
- Resource Server Metadata and Authorization Server Discovery: Mike and Aaron will create a combined draft based on feedback.
- Power of Attorney based Authorization Technique: Nat to review Zebra specification and explore potential overlaps. Sri to send the draft with the specifications to the mailing list.
Next Steps
- Continue discussions on the mailing list for each of the presented topics.
- Schedule interim meetings to address topics not fully covered during the on-site meeting.
- Develop combined drafts based on feedback and discussions.