OIDC authorization code flow and/or CIBA #176
Comments
|
Maybe it would help if ICM provided example openid metadata configuration and CIBA metadata configuration for Camara API's to choose from e.g. one that supports {
"issuer": "https://az.example.com/openid",
"subject_types_supported": [
"public", "pairwise"
],
"jwks_uri": "https://az.example.com/openid/jwks",
"authorization_endpoint": "https://az.example.com/authorize",
"token_endpoint": "https://az.example.com/token",
"userinfo_endpoint": "https://az.example.com/openid/userinfo",
"response_types_supported": [
"code",
"id_token token",
"id_token"
],
"grant_types_supported": [
"authorization_code",
"urn:openid:params:grant-type:ciba"
],
"token_endpoint_auth_methods_supported": [
"private_key_jwt"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"claims_parameter_supported": false,
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"require_request_uri_registration": false,
"frontchannel_logout_supported": false,
"backchannel_logout_supported": false,
"mutual_tls_sender_constrained_access_tokens": false,
"backchannel_token_delivery_modes_supported": "poll",
"backchannel_authentication_endpoint": "https://az.example.com/ciba/bc-authorize",
"backchannel_authentication_request_signing_alg_values_supported": "RS256"
}@eric-murray suggested API-specific metadata. So, the API could express support for the supported flows by pointing to an API-specific metadata configuration. |
|
The "How do you inform what you support" is important but my concern is as much about a standard "Thou shalt support" specific call out in the API groups that will then inform the operators what they must support. |
|
Hi @MarkCornall, the "thou shalt support" would be in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#user-authenticationauthorization--consent-management
And then in the section "Technical ruleset for the Frontend flow". Comments on documentation/CAMARA-API-access-and-user-consent.md are very welcome. |
|
Let me refer you to the ICM documentation:
ICM has defined a "generic" security scheme that provides the flexibility to support any of the defined flows (Auth code, CIBA or Client Credentials) to access CAMARA APIs. In this way, the API specification remains generic and the technical specification of the API is completely decoupled from local regulations, legal decisions, definition of specific application use cases and so on... So the allowed authorization flow(s) will be determined at onboarding time, taking into account all those context variables that have been decoupled from the API spec. IMHO, technically speaking, a CAMARA-compliant operator must be aligned with the CAMARA ICM Security and Interoperability Profile (which among other things defines Client Credentials, Auth Code and CIBA as the Auth flows used by CAMARA). I understand that this issue is coming from GSMA because of Opengateway scenario. So, if then an operator is allowed to be onboarded in Opengateway implementing only one of the auth flows because (say) that operator only exposes one API and that API only requires this specific auth flow... for me personally, that is a business decision of Opengateway and not a technical decision of CAMARA ICM nor CAMARA API subprojects. (*) (*) NOTE: There may be exceptions of specific API subprojects that restrict the auth flow to use among those defined by CAMARA ICM due to the functionality provided, e.g. Number Verification API that necessarily requires to use the auth code flow. As mentioned by @AxelNennker, the ICM also defines...
...which is the criteria to decide whether client credentials (2-legged) is allowed or not. Or the other way around, when 3-legged access becomes mandatory. This MUST be followed by all APIs. And finally, if during the onboarding process of a specific application, in a specific country, under a specific local regulation, it is determined that more than one auth flow is allowed, say Auth Code and CIBA as @MarkCornall mention... then the application developer will decide which auth flow to use depending on its particular use case or capabilities, e.g. Auth Code and CIBA allowed, application with no FE capabilities then CIBA will be used and the developer will develop its use case accordingly. For this the ICM also provides recommendations in a technical ruleset for Auth Code and CIBA as also mentioned by @AxelNennker above. |
|
For APIs that may need to support 3-legged token access, I agree that a clear statement in the documentation as to whether the authorisation code flow, CIBA flow, or both could be applicable would be useful, and CAMARA should start to enforce that. Given that CIBA allows the end user to be identified by IP address and port, and this should be known to any application server contacted by the end user device, I suspect that many APIs will find that authorisation code flow does not need to be supported at all. Even Number Verification would work using CIBA, though I understand that authorisation code flow and header enrichment is the traditional way of identifying the end user device. Discovering that most APIs only require to support one of the 3-legged flows would greatly simplify things. The API consumer would then find out when on-boarding whether a 3-legged token was required for legal reasons, or a 2-legged token could be used. But the API provider would already know this, and hence would only need to implement one of the possible authorisation flows. And if only one flow is applicable, it does kind of become mandatory. For the existing implementations "out in the wild", I'd be interested to know how many found it necessary to implement more than one authorisation flow. |
I think it is too early for CAMARA to enforce one of the 3-legged flows before collecting wider end user feedback. While CIBA does look good, I don't think there is a standard method defined to deliver the authentication notification to the end user - A MNO could choose push notifications and the other could choose SMS with a link or a totally different way. An asynchronous notification that requires user interaction is prone to spoofing and user will/can be cautious to take action. Traditional OIDC Authorization code flow is familiar to the end user, synchronous and may still be preferred by some. |
My comment "CAMARA should start to enforce that" referred to requiring it to be documented whether the authorisation code flow, CIBA flow or both could be applicable, rather than enforcing any implementation. If a sub-project did an analysis of the uses cases for their API, they may well conclude "Of the possible 3-legged authentication flows, only CIBA is applicable to this API", which would be useful information for application developers. But I agree that application developer feedback is required. If the feedback is "we really don't like CIBA and are not going to use it", then CAMARA has gone down something of a dead end. |
Problem description
During the 2024-06-06 TSC meeting @MarkCornall raised the question whether it is clear in one API whether it supports CIBA and/or OIDC authorization code flow. And whether telcos have to support one or the other or both.
Expected action
Take the discussion to ICM.
Which I interpret as. Provide guidelines and clarification in CAMARA APIs access and user consent management
Probably here:
And here:
Additional context
Please see TSC meeting minutes.
In camaraproject/PopulationDensityData#24 (comment) @eric-murray raised the point that the openIdConfigurationUrl can point to different metadata. Using that an API could point to a CIBA-metadata or to a OIDC-metadata or to a metadata that contains both.
The text was updated successfully, but these errors were encountered: