On Mon, Dec 16, 2019 at 9:20 PM Vittorio Bertocci <Vittorio= 40auth0....@dmarc.ietf.org> wrote:
> > authentication session properties:
>
> Let me try another angle. Say that I perform an authz code grant asking
> for AT, ID_T and RT- obtaining AT', ID_T' and RT'.
> The values of auth_time, acr and amr in AT' will be the same as the
> corresponding claims in ID_T'. When the client uses RT' to obtain AT'N,
> AT'N+1 etc etc, the values of those claims will remain the same for every
> AT'n obtained by RT'.
> Now, imagine that something happens (ignore what for the time being) that
> causes the client to perform a step up auth, which requires the user to
> perform interactive auth hence results in a new authz grant. The client
> will obtain a new tuple AT", ID_T" and RT". The exact same rules described
> for the ' tuple apply, with the new values determined by the new
> authentication: AT" auth_time/acr/amr will be the same as ID_T", and those
> values will remain unchanged for every AT"n derived by RT".
> If we want this to apply to the implicit flow as well, you can substitute
> the RT with the session artifact.
> Does that help clarifying the intent? If yes, do you feel that the current
> language does not describe this?
>

That makes sense. The current language for auth_time could be tightened up somewhat, however. I think there's still potential for it to be interpreted such that AT'N+1 would somehow magically get a new auth_time value based on a step-up or re-auth that happened after, and independent of, the authentication event that led to the code that obtained RT'. Which is nonsensical. Also "authenticaiton" is spelled funny.

Here's an attempt at some words for auth_time:

Suggested(ish) Text:

auth_time OPTIONAL - as defined in section 2 of [OpenID.Core]. This claim represents the time at which the end user last authenticated during the session that was used to obtain the token. This means that all the JWT access tokens obtained with a given refresh token will all have the same value of auth_time, corresponding to the instant in which the user authenticated to obtain the refresh token.

Current Text:

auth_time OPTIONAL - as defined in section 2 of [OpenID.Core]. Important: as this claim represents the time at which the end user last authenticated, its value will either remain the same for all the JWT access tokens issued within that session or be updated to the time of latest authentication if reauthentication occurred mid-session (as it is the case for step up authenticaiton and similar occurrences). For example: all the JWT access tokens obtained with a given refresh token will all have the same value of auth_time, corresponding to the instant in which the user first authenticated to obtain the refresh token.
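The rule discussed in this exchange, as an added example that is not part of the thread or of the draft text: a small in-memory model of an authorization server in which the auth_time, acr and amr of an authentication event are frozen into the refresh token's session record, so every access token minted from RT' carries the same values as ID_T', while a step-up authentication produces an independent " tuple. A later refresh of RT' is deliberately performed after the step-up to show that it does not pick up the new auth_time. The HS256 key, the issuer and audience URLs, the acr values and the timestamps are all constructed for this example; a real AS would sign with a published asymmetric key.

```python
"""Constructed model of auth_time/acr/amr propagation from an authentication
event into JWT access tokens issued via the resulting refresh token."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real AS would use an asymmetric key published via JWKS.
_KEY = b"example-only-hs256-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict) -> str:
    """Compact JWS (HS256) with the at+jwt media type from the draft."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str) -> dict:
    """Verify the HS256 signature and return the claims set."""
    header, payload, sig = token.split(".")
    expected = hmac.new(_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class AuthorizationServer:
    """Keeps, per refresh token, the properties of the authentication that produced it."""

    AT_LIFETIME = 300

    def __init__(self):
        self._sessions = {}  # refresh_token -> frozen authentication properties

    def authorization_code_grant(self, sub, auth_time, acr, amr, now):
        """Interactive authentication just happened; return (AT, ID_T claims, RT)."""
        rt = secrets.token_urlsafe(16)
        # auth_time/acr/amr are fixed at grant time and bound to this RT.
        self._sessions[rt] = {"sub": sub, "auth_time": auth_time, "acr": acr, "amr": amr}
        at = self._mint_access_token(rt, now)
        id_token = {"iss": "https://as.example", "sub": sub, "aud": "client",
                    "auth_time": auth_time, "acr": acr, "amr": amr, "iat": now}
        return at, id_token, rt

    def refresh(self, rt, now):
        """Mint AT'n from RT': fresh iat/exp/jti, unchanged auth_time/acr/amr."""
        if rt not in self._sessions:
            raise ValueError("unknown refresh token")
        return self._mint_access_token(rt, now)

    def _mint_access_token(self, rt, now):
        props = self._sessions[rt]
        claims = {"iss": "https://as.example", "sub": props["sub"],
                  "aud": "https://rs.example", "iat": now, "exp": now + self.AT_LIFETIME,
                  "jti": secrets.token_hex(8), "auth_time": props["auth_time"],
                  "acr": props["acr"], "amr": props["amr"]}
        return encode_jwt(claims)


def demo():
    """Walk through the ' tuple, a step-up to the " tuple, and refreshes of both."""
    as_ = AuthorizationServer()
    t0 = 1_576_550_000  # constructed epoch seconds
    # First grant: password login, producing AT', ID_T', RT'.
    at1, idt1, rt1 = as_.authorization_code_grant(
        "alice", auth_time=t0, acr="urn:example:loa1", amr=["pwd"], now=t0)
    at1n = as_.refresh(rt1, now=t0 + 600)
    # Step-up: interactive MFA, a new grant producing AT", ID_T", RT".
    t1 = t0 + 900
    at2, idt2, rt2 = as_.authorization_code_grant(
        "alice", auth_time=t1, acr="urn:example:loa2", amr=["pwd", "otp"], now=t1)
    # RT' still exists; tokens minted from it must not inherit the step-up.
    at1n1 = as_.refresh(rt1, now=t1 + 60)
    at2n = as_.refresh(rt2, now=t1 + 600)
    return {"idt1": idt1, "at1": decode_jwt(at1), "at1n": decode_jwt(at1n),
            "at1n1": decode_jwt(at1n1), "idt2": idt2, "at2": decode_jwt(at2),
            "at2n": decode_jwt(at2n)}


if __name__ == "__main__":
    for name, claims in demo().items():
        print(name, claims["auth_time"], claims["acr"], claims["amr"])
```

Running the script prints one line per token; every token derived from RT' shows the first auth_time and acr even after the step-up, and every token derived from RT" shows the second.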
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth