-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication method in authorization code flow #215
Comments
Let me copy here my position on this matter, which I expressed in the other issue mentioned:
|
DT's position on authentication by the API provider in Camara is that the API provider is in control of user authentication. ICM created a (security and) interoperability profile that exactly specifies what API Consumers and API producers need to agree upon to create an interoperable solution. If something is not specified in the interoperability profile, then we are back to OIDC, CIBA and OAuth2. All Camara subprojects leave authentication to the authorization server. Notable exception is the NumberVerify API which demands network-based authentication. Under GDPR consent must be freely given, specific, informed, and unambiguous. DT's position on consent collection is that we do not allow delegated consent. The consent must be collected by the API provider. |
Edit: removed a sentence Both kind of documents have in common that if the document does not talks about something, then the base-standards still apply. |
@Jesus Thanks for your comments I don’t believe the claim is that network-based authentication in the auth code flow is not documented in the CAMARA-API-access-and-user-consent.md. Rather, I want to emphasize that this does not automatically rule out non-network-based authentication. For example, we have clearly stated that only poll mode is permitted, even though CIBA allows clients to use three modes. Similarly, we state that clients should not use the acr_values parameter. IMHO, if CAMARA intends to restrict something permitted by the standard, it should be explicitly stated. However, the more important question from my side is, if an Application Service Provider (ASP) is willing to use the auth code flow with authentication methods other than network-based, and if the Mobile Network Operator (MNO) can support this, what are the reasons for CAMARA to forbid it? |
So my understanding is that this is only about authorisation code flow? Or does this issue include CIBA? To me, the questions to be addressed are:
On the first point, I would say yes, that document does, with the caveat that But the issue is "interoperability". Could an API provider using these "alternative" end user authentication methods break a client implementation if that client then tried to authenticate against a different authentication server? I don't see that would be the case, though if anyone has any examples of how that might break the client implementation, that would be important information. But the end user experience would be different - with some end users getting pop-ups or redirects to some authentication page or whatever, whereas others get nothing at all. And application developers might have an issue ensuring all these different approaches work "nicely" with their app. So that will inform the second question - how consistent do we want to make the end user and application developer experience across different API providers, even if everything still "works" as far as calling the API is concerned. |
It's not valid to assume whether something is normative or informative solely based on the document being labeled as a specification or guideline. For instance, the |
As for network authentication, the original requirement from App Providers was that they would not accept any deviation in behavior—avoiding operator screens if possible, and ensuring consistent behavior across operators. This is why the Auth code flow includes network-based authentication and the agreed technical ruleset treats this as the only authentication option.
If there’s a desire to open the Auth Code flow to other authentication mechanisms, it's not just about determining whether a document is normative or not. Even if CAMARA doesn’t explicitly prohibit alternative methods, it also doesn’t specify them—so interoperability cannot be guaranteed. You would need to propose an issue for CAMARA to define the support and interoperability model for any other authentication method(s) you are considering. For example, CAMARA would need to define the behavior when dealing with 3-legged tokens that don’t identify a device or phone number, which is currently not defined. Developers would need to know how to handle this, particularly in cases where the API request does not include a device object or phone number due to the use of a 3-legged access token. Keep in mind that CAMARA has continued to work based on the assumption of network-based authentication, which enables the association of 3-legged tokens with a device or phone number (in case of CIBA login_hint is always a phoneNumber or an IP address). And based on that has defined https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#appendix-a-infodescription-template-for-device-identification-from-access-token for Fall24 or we are discussing camaraproject/Commonalities#259 for Spring25. Opening up the Auth Code flow to other authentication methods could introduce scenarios such as user/password-based authentication, where the access token may be linked only to the user, not a specific device or phone number. A single user could have multiple phone numbers under their subscription, with no clear way for the API to determine which device or number the request applies to. Take Telefónica as an example — Even though Telefónica supports other authentication mechanisms, they cannot yet be considered CAMARA-compliant because it’s not defined:
|
CAMARA-Security-Interoperability.md is a specification that specifies what is needed to ensure security and interoperability on top of OICD and CIBA. CAMARA-Security-Interoperability.md does not restrict the telco to use a specific authentication method. If the API consumer wants no user interaction they can use prompt=none. The prompt parameter is basic OIDC and CAMARA-Security-Interoperability.md does not mention it. Which is another example of OICD that is not changed by CAMARA-Security-Interoperability.md. API consumers can use prompt as defined by OIDC. What is not restricted is allowed as long as it is OIDC. CAMARA-API-access-and-user-consent.md is a guideline that shows how some flows could be implemented if network-based authentication is used. If the telco is forbidden to use other authentication methods than network-based authentication then there is no user consent in CAMARA in some cases and for some purposes. The reasoning for this statement is that network-based authentication only just authenticates the subscriber. ICM does not want to exclude family or business use cases. So, it is good for us that no ICM document restricts the telco to use the authentication method the telco deems to be appropriate under the use case, purpose and law. |
I'd like to treat separately the normative/not-normative aspect brought up by @AxelNennker, which is not part of the initial question raised by @shilpa-padgaonkar.
|
I wholeheartedly agree with the above, but I would remove the parentheses. Other login methods and network-based authentication are not exclusive. I do not agree with that the other authentication method MUST be followed by network-based authentication. Example use case: The user bought a dog-tracker from a vendor and then a sim-card from a telco and the telco provides e.g. username/password for that SIM-card. Then the vendor can use OIDC authentication code flow to request an access token with login_hint=msisdn from the telco for the Camara location API, and the user uses their username/password and because there is just this SIM-card associated with that account (account-id = username maybe = msisdn) then there would be no need for network-based authentication. Which would not work anyway because the authentication device is different) So, we agree that other authentication methods are valid and necessary although these other authentication methods are not mentioned in CAMARA-API-access-and-user-consent.md, right? |
@diegogonmar I agree we should come back to the original issue. Are other authentication methods allowed although they are not mentioned in ICM documents?
Does CAMARA mandate network-based authentication? I think that login_hint is the intended way to convey from the API consumer to the authorization server who/what we are talking about. I think we might currently be missing a formal specification for this in CAMARA-Security-Interoperability.md. OIDC says:
If the user has several subscriptions with the telco, we should specify that login_hint tel: is the way to convey which subscription the authentication request is about. |
@AxelNennker can you please edit your comment (#215 (comment)) or reply to it to confirm that DT is no longer indicating that |
If the authentication device is different from the consumption device, this is one of the main reasons to use CIBA flow instead. This is also mentioned in CAMARA-API-access-and-user-consent.md (CIBA ruleset): IdentityAndConsentManagement/documentation/CAMARA-API-access-and-user-consent.md Line 288 in 54c68c4
|
@jpengar
CAMARA-API-access-and-user-consent.md recommendation for CIBA is valid for consumption-device and authentication device use cases. The example does not fall into the category because the doc-tracker is no consumption device. CIBA does not make sense in the example because the user is already on the authentication device. OIDC authorization code flow is the flow that is best in the example. As defined in OIDC the login_hint parameter contains the MSISDN the request is about. |
@eric-murray
Our document https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md shows this in the sequence diagram between step 5 and 6
Comming back to OIDC authorization code flow and this issue.
I think that CAMARA-API-access-and-user-consent.md clearly states that the basis for End-User Consent is OIDC 3.1.2.4.
|
I removed my comment as requested. The more important point is that CAMARA-API-access-and-user-consent.md deferres to OIDC core consent collection. |
According to the solution agreed upon and documented in CAMARA-API-access-and-user-consent.md, as of today, CAMARA currently only considers network-based authentication in the Authorization Code Flow. Therefore, tokens are issued for the network authenticated identifier. Based on this, Telefónica proposes to close the issue with this conclusion. We agree that, as part of the in-band consent capture (as per section 3.1.2.4 of the OIDC Core 1.0 specification), CAMARA does not prevent operators from using any additional authentication mechanisms deemed necessary to authenticate the user who owns the network-authenticated device e.g. such as a username/password prompt, if a higher level of assurance is required for the operator to capture consent. This approach ensures that the access token obtained at the end of the flow accurately reflects the authenticated status of the user's network-authenticated device, preserves UX continuity, minimises unnecessary prompts, and meets OIDC security standards by defaulting to network authentication and requiring further user interaction only when necessary. NOTE: As mentioned by @eric-murray in #191 (comment), the agreed definitions in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#glossary-of-terms-and-concepts are used, in particular the definition of user. |
updated. CAMARA does not restrict the telco/MNO/API producer to a single authentication method.
CAMARA authorization code flow is based on OIDC authorization code flow with some interop and security specifications in CAMARA-Security-Interoperability.md. If the API consumer does not want any user interaction, then they can use the OIDC standard parameter Please have a look at Mandatory to Implement Features for All OpenID Providers: Mandatory to Implement Features for All OpenID ProvidersAll OpenID Providers MUST implement the following features defined in this specification. This list augments the set of features that are already listed elsewhere as being "REQUIRED" or are described with a "MUST", and so is not, by itself, a comprehensive set of implementation requirements for OPs.
Also please have a look at OIDC definition of the prompt parameter which is mandatory to implement for all OpenId providers. Please note that OIDC uses "End-User"
Consent according to GDPR is given by the data-subject. The glossary entry for "user" does not change that. CAMARA APIs are much more attractive to API consumers if we follow the standards as specified in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md |
Thanks @jpengar To understand your argument I would like to ask clarifying questions.
Does the operator decide whether end-user authentication and consent collection is needed? If there is Example use cases: Are we all OK with that if network-base authentication identifies a subscription where the contract holder has several subscriptions, that then the MNO can use other authentication methods? I think the general point here is that the MNO decides about if and how end-user authentication and consent collection is done. With the exception that of prompt=none. Network-base authentication identifies the device from which the request is being made from, but if the MNO decides that end-user interaction is needed then the MNO is not retricted by CAMARA how to implement that user interaction. To your argument about consent collection: Does CAMARA restrict the MMN when to do consent collection? Maybe we need a guideline/clarification in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md? |
With the following 3 comments: I can close the issue with the following concluding statement:
|
As agreed in yesterday's WG call (minutes), here is a proposed amendment to the issue conclusion that Telefónica is comfortable with:
Are we all OK to close the issue as per the above conclusion? |
Can we find a wording that the above also works for operator tokens?
|
This issue was originally intended to clarify the authentication method for the Auth Code flow as defined by CAMARA today. I don't see operator tokens in the scope of this issue discussion. Also, the use of operator tokens is something that will be discussed and included in Spring25 and not in the current Fall24 meta-release. CAMARA has so far defined an additional possible value for the operator token as So I am still kindly asking the WG if this issue can be closed in the conclusion written above. |
Hi, sorry for late comments. In TMUS, network-based authentication is one of the ways of authenticating a subscriber. So far, we have not been seeing this as 'exclusively' network auth -- we have username/password support in some cases as well. It will be good to not making these too specific to only network auth. |
@murthygorty The current CAMARA specification already allows the authorisation code flow to "Start user consent capture process following Section 3.1.2.4 of the OIDC Core 1.0 spec". So if you do it that way, then no changes to the CAMARA specification are required. But it has been suggested to use |
Hi @eric-murray, we use login_hint with email: for scenarios where users are authenticated via email/pwd today.
Restricting just tel/ipport/operatortoken seems restrictive to me. sorry for the delay - this is what happens if I put it away for a few hrs, it becomes days :-) |
Thanks @murthygorty Yes, I can see the use cases, but I'm wondering what this means for CAMARA. For CIBA, the For authorisation code flow, I can see there is more room for flexibility. There are two reasons to use authorisation code flow:
If neither of these things are happening, I don't see the need for it. But what should CAMARA say about the If a CAMARA API is being used in a non-aggregated / non-federated environment between a known client and known network operator, there is nothing to stop them agreeing such "extensions" to the CAMARA standard between themselves independently of CAMARA. |
Ahaa, very interesting @eric-murray -- thanks for the info, rechecked documentation for how CAMARA intends to use login_hint. One suggestion that is not critical to the main question here: Onto the key question: BUT, I do believe that CAMARA should not be constricted to aggregated environments and hence should have terminology/documentation that accommodates these extensions for CIBA too.
cc: @gmuratk @mengan, @AxelNennker @rampto |
Hi @murthygorty. We also support user/password in Telefonica, also SMS OTP and other mechanisms in auth_code. We support login_hint in auth code also, as well as acr_values to deal with different possible values. But in the context of CAMARA we do ignore acr_values, as the profile says to do so. And we were fine when we decided to ignore it because there are no other auth mechanism defined in CAMARA (thus interoperable) other than Network Auth. We also ignore login_hint because given that network auth is applied, using login_hint is not needed. This is the point of this thread, clarify the scope of current CAMARA specifications. We don't want to forbid other mechanisms, if needed we should include them and ensure interoperability |
Coming back to core of this discussion. @AxelNennker can you confirm the agreement made in the call so if no other WG members raise an objection we can close this discussion with that conclusion? |
Problem description
While discussing another issue, it was found that ICM participants have different interpretations on whether the CAMARA-API-access-and-user-consent.md and CAMARA-Security-Interoperability.md documents mandate an authentication method in authorization code flow to network based authentication or not.
Expected action
Clarify and get a consensus in the working group.
Additional context
The text was updated successfully, but these errors were encountered: