Proposal to protect the "OAuth2 AuthCode Grant authorisation request" endpoint

[mhfoo]

Problem description

Referring to the following sequence diagram,
is the endpoint "OAuth2 AuthCode Grant authorisation request (prompt=none&redirect_uri)" on the AuthServer protected?

Possible evolution
Proposal to have a one-time use token to prevent abuse of this un-protected endpoint on AuthServer.
The App Backend will need to obtain this one-time use token from the AuthServer and pass it to the Device App.

Proposal as attached:

[mhfoo]

We are also seeing aggregators using the unprotected API of interaction Number 10 (between UE and Operator's Auth Server) to detect the operator of the SIM card to perform their own version of the Telco Finder.

[mhfoo]

@mhfoo will use a reference diagram from OGW to illustrate aggregators

[mhfoo]

Standalone Example

Federated Example

[mhfoo]

@mhfoo will append the complete flows for illustration purpose.

[sfnuser]

Problem description

Referring to the following sequence diagram, is the endpoint "OAuth2 AuthCode Grant authorisation request (prompt=none&redirect_uri)" on the AuthServer protected?

@mhfoo - Could you please clarify why this is a problem? The authorization request will also have an associated client_id that the auth server can validate. If it is about general protection of the public authorize endpoint the standard rate limiting, ddos prevention methods should work.

[mhfoo]

@sfnuser
Referencing the above diagram; this is to solve the following points.

1. A bad actor can perform a DDOS attack with multiple Operator Y SIM cards on Operator Y /authorize endpoint - light blue dash route; this is an internal mobile network route without traversing the Internet. The one-time use token will be validated at the Auth Service, and therefore protecting the downstream network nodes.

2. Aggregators are using mobile apps to query different operator /authorize endpoints to discover (at no cost) which operator the SIM card belongs too. The one-time use token will be associated with an Application Backend for charging purposes.

[mhfoo]

Standalone

Federated

@DT-DawidWroblewski as requested above.

[mhfoo]

Standalone:
Proposal.txt

Federated:
Simple Federated Proposal.txt

@DT-DawidWroblewski
Please see attached.

This is based on this tooling: sequencediagram.org
Just need to load the text.

[fernandopradocabrillo]

@mhfoo This proposal is defining a pre-step to the number verification API call, which I believe is in the scope of authN authZ. Perhaps this topic fits better in the I&C working group, as it can be applied to more APIs.

[mhfoo]

@mhfoo This proposal is defining a pre-step to the number verification API call, which I believe is in the scope of authN authZ. Perhaps this topic fits better in the I&C working group, as it can be applied to more APIs.

Yes, agree.
Number verification is the first intended CAMARA API application (for Singtel) to "fix".

Once this sub project does not have any objection or further clarifications. I will raise to both I&C working group and GSMA Open Gateway, Chapter 6.

[fernandopradocabrillo]

Once this sub project does not have any objection or further clarifications. I will raise to both I&C working group and GSMA Open Gateway, Chapter 6.

I think the process should be the other way around. If it is something specific to number verification it makes sense, but this is something generic to all apis. In my opinion the first thing should be to present the proposal to I&C and GSMA and then go to the WG to apply it. It won't do much good if there are no objections here but when it gets to I&C the proposal doesn't fit. Or if there are objections in other subgroups.

[mhfoo]

@fernandopradocabrillo
To my understanding, Authorization Code Flow (Auth Code Flow) is used in the Number Verification APIs. I am not aware if other CAMARA APIs are using this Auth Code Flow.

This proposal is to protect the /authorize endpoint in the Number Verification use case, based on the Auth Code Flow.

The rest of the CAMARA APIs are using CIBA or Client Credentials flows. The OIDC profile is being discussed here

I will raise in I&C and GSMA in due time, waiting until the baseline OIDC profile is defined.

FYI: This will impact the CAMARA certification for Number Verification, as this is a security concern.