Proposal to protect the /authorize endpoint for the Authorization Code Flow (Auth Code Flow) - RFC9101 #128
Comments
|
Please refer to the following sequence diagrams. The interactions in blue is the proposed method. Standalone Open Gateway Federated Open Gateway |
|
In our view, it is unnecessary to introduce additional flows beyond those that already exist. Instead, we recommend using the mechanisms provided by the OAuth standard itself. Our proposal to mitigate this issue is to force the application to pass the request object parameter by value in the authorize request of the authorization code flow, as described in RFC9101. By using a signed JWT, we prevent requests that are not generated by the application. Additionally, we would need to require that the JWT contains the For applications, the integration cost would not be high because they would already be generating signed-JWTs to authenticate server-to-server requests using |
|
I commented on the original issue camaraproject/NumberVerification#71 (comment) |
|
@garciasolero Thanks for the proposal to enforce the application backend to pass the request object parameter by value in the authorize request of the authorization code flow, as described in RFC9101. The request object will be a signed JWT containing the auth code flow request payload. This will mitigate point 1. of the problem statements This will require an Internet connection to fetch the Please refer to the following diagram |
|
@garciasolero Point 2 of the problem statements is related to a "trusted" aggregator using error codes to decode behaviours of the number verification flow. Examples:
In terms of security, it would be better to depend on an internal generated token, as the steps to verify it will be shorter. |
|
Yes, you are right. In my comment, I focused on a few claims. Obviously, it should also include the most typical ones: Regarding point 2, in the aggregation model for number verification, the entity responsible for routing the request to the correct operator is the aggregator based on the IP address of the request using the TelcoRouting service. Therefore, it should not be the case that the SIM card does not belong to the operator, and if it were to happen, it would be an exceptional case related to synchronisation issues in the TelcoFinder translation tables. |
|
Is there any specification of TelcoRouting service? Our current practice is that every Telco shares us IP Pools so we are able to do the routing on our side locally very easy and fast. Like using GeoIP Database with Telco resolution level. On that way there is no need for any additional external call which slow down the flow. |
|
@ab-ip |
|
Point 2 in this problem description is not about routing. Please refer to the following diagram for illustration of this problem statement.
In the above diagram, assume the Operators are standalone (not federated). The aggregator:
From this setup, the aggregator can determine the operator of the SIM card which is providing the mobile data connection, when the correct /authorize endpoint returns a 302 Location with an auth code in the query string. The above usage of the /authorize endpoint should be prevented. |
|
The case you mentioned is too expensive for Clients/Aggregators to use Trial-and-Error method to resolve Telco. It takes to much time and increases flow duration, which is something nobody wants. There are many other (easier and faster) ways right now to do this:
That is why TelcoRouting service based on IP address is mandatory. Telco Public IP Pools should be publicly available and shared with Clients and Aggregators. The best approach will be to have separate API (under CAMARA) for export/synchronization of IP Pools, so that Clients and Aggregators can do synchronization of IP Pools with all Telcos in a unique way. If you want to prevent Clients/Aggregators not to misuse /auth endpoint you can simple apply business model which will define ratio between /auth endpoint (Auth Code result) and other CAMARA API endpoints. Eg. if there is more then 20% of Auth Code result then API calls, then Client needs to pay some fee for that gap. |
|
I would like you to explain the request In the current solution, using an endpoint restricted by signed requests according to RFC9101, if the aggregator were to use authorization as a method to determine whether a SIM belongs to an operator (at no cost in order to reduce requests to TelcoFinder), the operator could detect abuse and deactivate their credentials. |
See https://github.com/GSMA-Open-Gateway/Open-Gateway-Documents/blob/main/code/API_definitions/routing-api.yaml |
Agreed to drop this method as shown in
Are you referring to any of the following scenarios: |
I am referring to what the flow would be if an operator received a request from a SIM that does not belong to it, regardless of whether there is an aggregator in front of it or not. |
For the standalone Open Gateway, currently there is no route from the Internet to reach /authorize endpoint. Only the operator's SIM card can reach the internal /authorise endpoint. Blue dash path. In the federated model, the Internet facing /authorize endpoint should only accept requests from partner / federated operators' CGNAT Internet IP address. A) We may assess this security posture of whitelisting partner CGNAT IP addresses and block the rest of the traffic. Pink dash path. During the client onboarding process, the client will provide a redirect_uri. What are your thoughts on this? |
|
Provided a diagram for review NumberVerification issues 93 |
Please consider +1 this Android feature request, which would allow client's mobile applications to get the operator's openid configuration |
|
@AxelNennker +1 vote from my side. |
|
Thanks for the +1. I agree that the proposed API does not solve all problems but if Android provides then others might follow. No solution for everything or all use cases but we are getting there if MNO work together and build an ecosystem for all of us |
|
@AxelNennker The following is the proposed text for PR #121 under OIDC Authorization Code Flow section. The OIDC Authorization Code Flow is defined in OpenID Connect and incorporates RFC 9101, Passing a Request Object by Value. |
|
I suggest to move this issue or it resolution to the next version because I think incorporating this now would open up a longer discussion and I would like to get PR #121 soon. |
AxelNennker
added
the
v0.2-candidate
mhfoo
changed the title
|
Please add your comment whether we should mandate implementation of 9101 and that clients must us it |
|
There are different solutions described as options to address the DDOS attack of the authZ server.
Regarding solution 2: Regarding solution 1: We recommend traditional API end point protection solutions (e.g. a firewall) on top of the AuthZ server to protect the AuthZ server from being overloaded. In addition: there was a prior discussion in NumberVerification workgroup about securing the authorization end point sating: "GSMA have just approved a spec "ASAC.01-Seamless Authenticator subsystem enhancement for TS.43 Operator Token" which also deals with the security of the authorize endpoint… It may be a good idea to align with that initiative." - and the suggestion to align to this document in ICM. So we should not make a different solution mandatory now. |
|
The RFC9101 was never a proposal to address DDoS attacks. That specification was proposed to avoid processing requests that do not come from authenticated clients. In other words, it aims to mitigate the processing of fraudulent requests that could lead to increased costs, such as queries to TelcoFinder. Similarly, one-time tokens do not solve the DDoS problem, as the request still reaches the API Gateway and must be processed to check whether the token has been used before or not. |
In addition to Fabio's comment, RFC9101was also proposed as a solution to avoid the potential PII leakage problem raised by Vonage in the past, as mentioned at #138 (comment). In any case, as mentioned in the 5 June WG meeting, RFC9101 was proposed by Telefónica as a possible solution to some of the issues raised in #128 and #138 for consideration by the WG. As discussed, if the WG decides to support RFC9101, it would be necessary to mandate its implementation/use to both, clients and operators. Otherwise, if clients could choose not to use it, we would not be addressing the concerns raised here. From Telefonica's point of view, we are fine with not mandating the implementation and support of RFC9101 for the time being. We propose to close this issue and leave RFC9101 support out of the scope of the next Fall24 meta-release. And revisit it in the future if necessary. |
|
@jpengar |
|
As agreed in the June 19 WG meeting call, we exclude RFC 9101 from the scope of the next meta release, also considering the time constraints. It is recommended that the issue be closed for now and reopened in the future if necessary. |
Problem description
The /authorize endpoint is not protected, and the following undesired scenarios are security concerns.
A bad actor can perform a DDoS attack with multiple Operator SIM cards on the Operator /authorize endpoint; this is an internal mobile network route without traversing the Internet.
Aggregators are using mobile apps to query different operator /authorize endpoints to discover (at no cost) which operator the SIM card belongs too.
Possible evolution
Proposal to have a one-time use token to prevent abuse of this un-protected endpoint on AuthServer.
The App Backend will need to obtain this one-time use token from the AuthServer and pass it to the Device App and then use it against the /authorize endpoint.
Alternative solution
N.A
Additional context
NumberVerification subproject issue 71
The text was updated successfully, but these errors were encountered: