Hi Ned/Thomas, Thanks so much for the conversation at IETF on the potential value of combining the attestation work with OpenID Connect and OAuth. Given the spec references a lot of OpenID Connect artifacts, I’ve used OpenID Connect points in this response. However, from an IETF perspective, this would be connected to OAuth and the Authorization Server. It might be useful to map the work to OAuth directly and then let OpenID Connect (which is built on top of OAuth) to “inherit” the capability.
As promised, here is some feedback on the presented draft… Section 2.1 * The userinfo endpoint is an API specified by the OpenID Connect protocol. It’s usually part of the OpenID Provider. Regardless it’s not a useragent/browser. Section 3.1 * userinfo (see previous comment) * End user (EU/Alice) is not an application. In OAuth the end user is called the Resource Owner. The application is called the ‘client’. So the Resource Owner uses the client to access the RO’s resources. * Relying Party - generally in OAuth/OpenID Connect the relying party is not looking for attestations. It’s looking for an authorization token to be presented by a client. In the case of attestations… it would be the OpenID Provider that would be interested in the attestations (in this context it may be possible to consider the OpenID Provider playing the role of a RRP). Section 3.2.1 * this isn’t really how the OpenID connect protocol works. In a general mobile app flow, the mobile app (aka the client) will open a browser to the OpenID Provider’s /authorization endpoint which starts the authentication/consent/authorization flow. Once the user has authenticated, the OpenID Provider provides a ‘code’ back to the native application which then exchanges that ‘code’ for the ‘id-token and access-token’ at the /token endpoint of the OpenID Provider Beyond this part of the spec I got confused on how the protocol is supposed to work and who the core agents are in the flow. A diagram would be really helpful showing the core steps. In my view, it’s more likely that the OpenID Provider will be the entity desiring an attestation about the client making the request. This could be just an attestation about the client software, or could also include an attestation about general characteristics of the device (e.g. is it jail broken or not). There are two main use cases… 1. The client is a mobile app in which case it may be able to obtain an attestation before starting the authorization flow 2. The client is a web service (or relying party) and the OpenID Provider wants some attestation about the software and environment in which that client is running. I suspect we can address both cases with the same flow. We might need an initial step for the client to obtain a nonce from the OpenID Provider before presenting the attestation so that the attestation can contain the nonce allowing the OpenID provider to know this is a fresh attestation and bound into the authorization process requested by the client. Thanks, George -- [image: Capital One] George Fletcher (he/him) Executive Distinguished Engineer • Identity Architect [image: address]8020 Towers Crescent Drive, Vienna, VA 22128 [image: mobile]616-498-8240 assistant: [image: email] genevieve.mor...@capitalone.com ______________________________________________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
