Update Diagram with RFC 9101 to secure the /authorize endpoint

[mhfoo]

Problem description
To secure the /authorize endpoint from being abused

Possible evolution
Proposal to follow Telefonica's proposal to use RFC 9101 Signed Request Object

Alternative solution
N.A

Additional context
#71

[mhfoo]

@AxelNennker @bigludo7 @fernandopradocabrillo @ECORMAC @jgarciahospital

Please review the diagram above and provide your comments.

[ECORMAC]

Hi Ming,
Is the aggregated view in issue #128 and if so is it the version issued on Feb 26 that was approved?
We mentioned that perhaps the aggregated view may be good to show here also for completness.
Thanks,
Cormac

[mhfoo]

@ECORMAC

I will share the aggregator version later, after the standalone version is reviewed. Please review the standalone version first and comment.

[mhfoo]

In the YAML

• (1): Authentication must be automatic without any user interactions. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App. So it is required to be authentication via mobile network and without the user being involved. the use of parameter prompt=none, as described in OIDC Connect, ensures no user interaction.

In ICM auth code flow, under interaction 8 of the sequence diagram, there is a consent capturing mechanism.

Will the prompt be disabled in this case?

In OIDC 3.1.2.1

prompt input parameter
OPTIONAL. Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

Should the prompt value be consent instead of none?

[mhfoo]

Federated Diagram

[garciasolero]

For security reasons, this authorization flow should ignore the max_age parameter, as the user must actively authenticate on every request. Therefore, I would remove the reference to that parameter in the diagram.

[pendula95]

There is an issue with brokering/Federated diagram. This sequence implies that code exchange from Z to Y is done before client requests code exchange from Z. This should not be the case and is wasting resources and time before the request is even made. Maybe client will never call /token on Z? I suggest that as soon as Y returns user to Z, Z should redirect back to client. When client requests token exchange on Z, Z should only then send token exchange call to Y.

[mhfoo]

There is an issue with brokering/Federated diagram. This sequence implies that code exchange from Z to Y is done before client requests code exchange from Z. This should not be the case and is wasting resources and time before the request is even made. Maybe client will never call /token on Z? I suggest that as soon as Y returns user to Z, Z should redirect back to client. When client requests token exchange on Z, Z should only then send token exchange call to Y.

@pendula95
Federated flows are discusssed in GSMA Open Gateway GitHub repository Chapter 6.

The rational was discussed previously.

[mhfoo]

For security reasons, this authorization flow should ignore the max_age parameter, as the user must actively authenticate on every request. Therefore, I would remove the reference to that parameter in the diagram.

@garciasolero
I believe the auth code flow is also used in direct carrier billing scenarios. There could be use cases where carrier billing could be setup once by a merchant, and any future individual purchases could be charged, using the access token.

[garciasolero]

For security reasons, this authorization flow should ignore the max_age parameter, as the user must actively authenticate on every request. Therefore, I would remove the reference to that parameter in the diagram.

@garciasolero I believe the auth code flow is also used in direct carrier billing scenarios. There could be use cases where carrier billing could be setup once by a merchant, and any future individual purchases could be charged, using the access token.

If you want to create a diagram for a generic authorization code flow, I have nothing to add on that matter. However, for the Number Verification use case, the max_age parameter is irrelevant, as network authentication must occur for each and every authorization.

[mhfoo]

@garciasolero

However, for the Number Verification use case, the max_age parameter is irrelevant, as network authentication must occur for each and every authorization.

Yes, agree. The home operator should ignore the requested max_age value and default its own value for the Number Verification use cases. This should be reflected in the expires_in response parameter of the /token endpoint.

I believe your concern for max_age should be documented in the Number Verification YAML files?

[ECORMAC]

GSMA have just approved a spec "ASAC.01-Seamless Authenticator subsystem enhancement for TS.43 Operator Token" which also deals with the security of the authorize endpoint. Think David W was chair of this group. The plan is that GSMA will submit it to Camara (it will probably go initially to the consent&identity group-not sure??). It may be a good idea to align the above with that initiative (they also have aggregator flows inbuilt).
Regarding the standalone flow perhaps we shall remove the "consent management" box as discussions are ongoing in Identity&Consent regarding consent (legitimate interest etc).
Step 22: identity token returned - also returned in step 21?