-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarity on the use of login_hint #191
Comments
I don't see the value of |
CAMARA OIDC profile definition on login_hint refers to CIBA flow. The profile makes the login_hint parameter REQUIRED and it only allows the use of login_hint for CAMARA among the hint options specified in the CIBA standard: login_hint_token, id_token_hint or login_hint. And in particular, for CIBA login_hint, defines the format described in: Format of login_hint If this is not properly understood from a document reader perspective, the document content could be improved to address this issue in the next release along with other backlogged text improvements already raised in the WG. |
The format of login_hint is intentionally outside the flows and just specifies the format. In OIDC, login_hint is a hint, intended to indicate to the openid provider, which user identifier to prefill into a HTML form and there into a text field that holds the user identifier. To quote OIDC:
Camara does not specify anything more than the format of In CIBA To answer @shilpa-padgaonkar 's questions
|
@eric-murray Camara and OIDC and CIBA, in general, leaves the (user) authentication method open. If the user authentication is username password, then login_hint makes sense. NumberVerification insists on network authentication. For NumberVerification If an API has an use-case where login_hint is required, then the API should specify that in its "authentication section". |
@shilpa-padgaonkar can we close this? |
In general, yes, but for CAMARA, no. The authorisation server must ignore any If an API wants to add a use case that requires, for example, username / password to be provided in the |
Where is this written? I think this assumes a flow that is maybe assumed by the majority of the MNOs but not necessarily true. Imaging a client sending an authorization code flow request to the authorization server and the AZ allows the user to authenticate with username/password, and the user gives their consent to QoD for their phone number, and then an access token is created, and then that access token is used in e.g. QoD by API consumer, and the CSP is fulfilling the QoD API request. Maybe the user has exactly one phone number to which QoD is applicable or the AZ asked for consent for all of the user's phonenumbers or allows the user to choose for which they grant QoD consent. Why should we/Camara restrict ourselves to network authentication? More and more user stories use the term Communication Service Provider which I think is a good thing because CSP can be more than MNO. How the CSP authenticates their user is up to them. Maybe the CSP is providing Internet access and there is not even a phonenumber but a network identifier. Still the CSP might offer QoD. Maybe that CSP is using email addresses as user identifiers - we would adapt login_hint format then. That would apply then to CIBA as well. I think forbidding login_hint for authorization code flow is unnecessary. It is just a hint anyway. I think Camara is about network APIs, which is not restricted to mobile networks. But even for mobile networks non-network-authentication can make sense. |
While I agree with @AxelNennker on the idea that using |
IP packets have a well defined structure specified by IETF. Hopefully it is a reasonable assumption that the client is using TCP/IP or UDP/IP. Header enrichment is "defined" as an option by Mobile Connect (IDY.04), but implementation itself is not standardised.
CAMARA already do restrict the authorisation code flow to network based authentication, where it is clearly defined in our own guidelines that network based authentication must be used.
That's not what I said. I did not propose forbidding the use of |
My 2 cents on this: I do not agree that our Camara profile or the guideline doc restricts authorization code flow to use only the network based authentication. From the APIs perspective, only the number verify API spec explicitly mentions "Network-Based Authentication". I agree that the guideline doc explains the frontend flow with network based authentication, but I see this as follows: I see no statement in both guideline doc or the profile which explicitly says that amongst the authentication methods allowed by OIDC, in Camara we ONLY allow network based authentication. |
The CAMARA-API-access-and-user-consent.md document actually predates the profile document (https://github.com/camaraproject/IdentityAndConsentManagement/releases/tag/v0.1.0) and reflects the consensus of the working group on authN/authZ flows. It has normative value because it was the first implementation reference for CAMARA and was later refined with the profile to address logical ambiguities that arose during implementation. In particular, the use of network authentication in the auth code flow has always been specified in this document and explicitly mentioned. While the profile itself is generic and doesn't mandate a specific authentication method - just as OIDC doesn't - the groundwork has been clearly laid. Importantly, the idea of using auth code without network authentication was not initially considered, as it was felt that this would degrade the end-user experience and be unacceptable to most service providers. The developers wanted to avoid breaking the flow, and in the absence of an on-net scenario with network authentication, CIBA is the alternative. If other authentication methods are to be considered, this should be formally proposed in a new issue and discussed for inclusion in upcoming or future meta-releases. |
Since the original issue was created to discuss a completely different point, I have opened a new issue for this topic as it is an important discussion and needs its own dedicated issue #215 |
So you talk about "user authentication" and "user consent", but we have an agreed definition of "user" as follows:
So I have a feeling that you really mean "end user". Inconsistent use of terminology makes it really hard to follow these discussions.
Our current specification limits If the answer is to introduce new options for |
OIDC speaks about end-users never about subscribers.
GDPR uses the term data subject in the sense of "person" that is "end-user". A data-subject as defined by "Art. 4 GDPR Definitions":
If you forbid end-user authentication in CAMARA then we would lose a huge percentage business. CAMARA-API-access-and-user-consent.md refers to OIDC and OIDC means end-user authentication. I claim that CAMARA-API-access-and-user-consent.md thus enables login_hint because that is OIDC Core spec. |
But CAMARA have a glossary, and that defines "User" in terms of a telco subscriber. As CAMARA have an approved glossary, we should use it. If it needs to be modified or extended, that should be done rather than ignoring it and using alternative definitions.
I agree. I never claimed it was not allowed, only that it served no purpose as currently defined. The prefixes for So an API consumer (client) using "non-standard" values for Alternatively, add a rule that any |
@eric-murray @AxelNennker @Elisabeth-Ericsson all, At KPN we are currently using the login_hint for 2 purposes: First of all, we use it as an extra security measure to prevent that end users can start 2 simultaneous authorization code flow number verifcation sessions. One of them has the right sim, the other one (a fraudster) doesn't, but in our implementation may try to eavesdrop on the communication of the right sim. If we spot 2 simultaneous session with the same msisdn, we abort the flow with an error. To make this work, you need to put the msisdn in the login_hint. We also use it to signal that a particular session is a session for a sandbox withouth a real sim card. |
Thanks @HuubAppelboom The issue where this was being discussed for authorisation code flow was #232, but I will answer here. For both these use cases, I assume you are using For the first, the scenario is not clear. Is this is a MITM scenario, or has the fraudster connected via the customer's device (e.g. if they enabled Wi-Fi tethering), or are they running some rogue app on the customer's device that is somehow intercepting the genuine authorisation request? The suggestion is MITM, but the For the second, Vodafone have a "non-prod" |
@eric-murray For the first case we are still using header enrichment, for which a MITM attacker intercepts traffic between the customer device and the heather enrichment service in the home network. The phone number in the login_hint should be the one the end user claims to have. Please note that the attacker could be anywhere, especially in a roaming situation. We have this now for header enrichment, and it won't be needed if we move to a 100% TLS solution, but it could be also useful for other MITM scenarios. Why would a user be doing simultaneous number verifications ? In our sandbox scenario, we can let developers test from any device without sim cards, and they get the same account credentials as when they move to production with real sim cards (by us flipping a switch). |
@Elisabeth-Ericsson @HuubAppelboom @eric-murray @AxelNennker I would like to make one comment regarding the use of login_hint, which was the original issue at hand. Telefónica does indeed support and utilise login_hint in Auth code flow for our own internal uses cases (as we do for other standard features and/or authentication flows not mentioned or specified by CAMARA). However, I would like to reiterate that our discussion here is focused on the multi-operator use cases defined by CAMARA. For those use cases, the CAMARA documentation does not address the use of login_hint in the authentication code flow (considered not needed when using network-based auth). The discussion of login_hint has always been in the context of CIBA. The objective of CAMARA is to define the behaviour to be applied in multi-operator scenarios in order to guarantee the highest level of interoperability. This is the reason why we decided to create a CAMARA profile in the first place. This is the current status quo, but new discussions are underway about the possibility of incorporating login_hint into the Auth code flow in CAMARA (such as new issue #232 in the context of operator token) for Spring25 or future releases. This could result in the creation of new CAMARA definitions for login_hint in the auth code flow, or it may not. @shilpa-padgaonkar If you agree that login_hint was not previously addressed in the context of auth code flow, this should be sufficient to close this issue. Let us then proceed to discuss in the new issues whether CAMARA is required to consider the login hint in the authentication code flow (and how), or not, in accordance with the WG opinion. |
Kind reminder. Can we agree on the previous comment as the existing situation in the Fall24 meta-release and close this issue? Then let's move on to Spring25 discussions and see if the WG ends up defining the use/treatment of login_hint for auth code flow for other potential scenarios that may now arise... |
I'm happy to close this issue. My takeaway from the discussion was that some implementations of authorisation code flow do make use of The CAMARA documentation should probably mention this explicitly, but it's a small point. I think the same point stands for Spring 25, as I don't see us getting any sort of agreement on using |
I am also happy to close the issue. The use we have can be considered a proprietary extension. |
As requested by the WG, new PR #242 created to close this issue. Further context in https://lf-camaraproject.atlassian.net/wiki/spaces/CAM/pages/56754234/2024-12-18+ICM+Minutes CC @Elisabeth-Ericsson @eric-murray @HuubAppelboom |
Problem description
The Camara OIDC profile includes text on login_hint format.
Can we interpret this section as :
Expected behaviour
Confirm or provide different interpretation of the above understanding and document this clearly in the profile.
Alternative solution
Additional context
The text was updated successfully, but these errors were encountered: