Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication method in authorization code flow #215

Open
shilpa-padgaonkar opened this issue Oct 12, 2024 · 30 comments
Open

Authentication method in authorization code flow #215

shilpa-padgaonkar opened this issue Oct 12, 2024 · 30 comments
Labels
documentation Improvements or additions to documentation

Comments

@shilpa-padgaonkar
Copy link
Collaborator

Problem description
While discussing another issue, it was found that ICM participants have different interpretations on whether the CAMARA-API-access-and-user-consent.md and CAMARA-Security-Interoperability.md documents mandate an authentication method in authorization code flow to network based authentication or not.

Expected action
Clarify and get a consensus in the working group.

Additional context

@shilpa-padgaonkar shilpa-padgaonkar added the documentation Improvements or additions to documentation label Oct 12, 2024
@jpengar
Copy link
Collaborator

jpengar commented Oct 14, 2024

Let me copy here my position on this matter, which I expressed in the other issue mentioned:

The CAMARA-API-access-and-user-consent.md document actually predates the profile document (https://github.com/camaraproject/IdentityAndConsentManagement/releases/tag/v0.1.0) and reflects the consensus of the working group on authN/authZ flows. It has normative value because it was the first implementation reference for CAMARA and was later refined with the profile to address logical ambiguities that arose during implementation.

In particular, the use of network authentication in the auth code flow has always been specified in this document and explicitly mentioned. While the profile itself is generic and doesn't mandate a specific authentication method - just as OIDC doesn't - the groundwork has been clearly laid.

Importantly, the idea of using auth code without network authentication was not initially considered, as it was felt that this would degrade the end-user experience and be unacceptable to most service providers. The developers wanted to avoid breaking the flow, and in the absence of an on-net scenario with network authentication, CIBA is the alternative.

If other authentication methods are to be considered, this should be formally proposed in a new issue and discussed for inclusion in upcoming or future meta-releases.

@AxelNennker
Copy link
Collaborator

DT's position on authentication by the API provider in Camara is that the API provider is in control of user authentication.

ICM created a (security and) interoperability profile that exactly specifies what API Consumers and API producers need to agree upon to create an interoperable solution. If something is not specified in the interoperability profile, then we are back to OIDC, CIBA and OAuth2.

All Camara subprojects leave authentication to the authorization server. Notable exception is the NumberVerify API which demands network-based authentication.

Under GDPR consent must be freely given, specific, informed, and unambiguous.
It is DT's position that consent cannot be given "silently" with user authentication being only network-authentication. The API provider must authenticate the user, otherwise we do not know who the user is. The API provider must "inform" the user so that the consent can be freely given, specific, informed and unambiguous. There must be a user interaction otherwise the consent cannot be informed.

DT's position on consent collection is that we do not allow delegated consent. The consent must be collected by the API provider.

@AxelNennker
Copy link
Collaborator

AxelNennker commented Oct 16, 2024

From https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md

This document is the CAMARA Security and Interoperability Profile. To ensure interoperability and increased security, this technical specification restricts some options available in OIDC and CIBA, but does not change these standards.

From https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md

This document defines guidelines for operator exposure platform to manage CAMARA API access and user consent to comply with GDPR or equivalent requirements in an easy way, introducing the concept of "purpose" in CAMARA APIs access.

Edit: removed a sentence

Both kind of documents have in common that if the document does not talks about something, then the base-standards still apply.

@shilpa-padgaonkar
Copy link
Collaborator Author

@Jesus Thanks for your comments

I don’t believe the claim is that network-based authentication in the auth code flow is not documented in the CAMARA-API-access-and-user-consent.md. Rather, I want to emphasize that this does not automatically rule out non-network-based authentication.

For example, we have clearly stated that only poll mode is permitted, even though CIBA allows clients to use three modes. Similarly, we state that clients should not use the acr_values parameter. IMHO, if CAMARA intends to restrict something permitted by the standard, it should be explicitly stated.

However, the more important question from my side is, if an Application Service Provider (ASP) is willing to use the auth code flow with authentication methods other than network-based, and if the Mobile Network Operator (MNO) can support this, what are the reasons for CAMARA to forbid it?

@eric-murray
Copy link
Collaborator

Hi @shilpa-padgaonkar

So my understanding is that this is only about authorisation code flow? Or does this issue include CIBA?

To me, the questions to be addressed are:

  • Does the "CAMARA Security and Interoperability Profile" document currently allow other authentication mechanisms?
  • Do we (CAMARA) want to allow other authentication mechanisms?

On the first point, I would say yes, that document does, with the caveat that login_hint, if used, must be tel or ipport (so not much use for authentication). But if the authorisation server wants to redirect the client to some authentication or consent page first before returning the code, maybe even respecting the prompt or display parameters, why not have a go? So long as the authorisation server is not requiring some non-compliant parameter use, that shouldn't stop other authorisation servers using network-based authentication should the client be dealing with different authentication servers.

But the issue is "interoperability". Could an API provider using these "alternative" end user authentication methods break a client implementation if that client then tried to authenticate against a different authentication server? I don't see that would be the case, though if anyone has any examples of how that might break the client implementation, that would be important information.

But the end user experience would be different - with some end users getting pop-ups or redirects to some authentication page or whatever, whereas others get nothing at all. And application developers might have an issue ensuring all these different approaches work "nicely" with their app.

So that will inform the second question - how consistent do we want to make the end user and application developer experience across different API providers, even if everything still "works" as far as calling the API is concerned.

@jpengar
Copy link
Collaborator

jpengar commented Oct 21, 2024

The common definition of a specification is that it is normative and guidelines are informative.

Both kind of documents have in common that if the document does not talks about something, then the base-standards still apply.

It's not valid to assume whether something is normative or informative solely based on the document being labeled as a specification or guideline. For instance, the CAMARA-API-access-and-user-consent.md defines a info.description field template, which was reviewed and approved by the TSC, and is absolutely mandatory for all CAMARA API specifications. Another great example of normative content within a guidelines document is the API-design-guidelines.md in the Commonalities WG, which contains a variety of normative definitions.

@jpengar
Copy link
Collaborator

jpengar commented Oct 21, 2024

I don’t believe the claim is that network-based authentication in the auth code flow is not documented in the CAMARA-API-access-and-user-consent.md. Rather, I want to emphasize that this does not automatically rule out non-network-based authentication.

For example, we have clearly stated that only poll mode is permitted, even though CIBA allows clients to use three modes. Similarly, we state that clients should not use the acr_values parameter. IMHO, if CAMARA intends to restrict something permitted by the standard, it should be explicitly stated.

However, the more important question from my side is, if an Application Service Provider (ASP) is willing to use the auth code flow with authentication methods other than network-based, and if the Mobile Network Operator (MNO) can support this, what are the reasons for CAMARA to forbid it?

As for network authentication, the original requirement from App Providers was that they would not accept any deviation in behavior—avoiding operator screens if possible, and ensuring consistent behavior across operators.

This is why the Auth code flow includes network-based authentication and the agreed technical ruleset treats this as the only authentication option.

CAMARA-API-access-and-user-consent.md was approved by the WG and officially released in version 0.1.0, before the profile document. Notably, the profile itself does not specify the authentication mechanisms (nor do the OIDC/CIBA standards), but CAMARA-API-access-and-user-consent.md did limit the use to network-based authentication as agreed by the WG.

If there’s a desire to open the Auth Code flow to other authentication mechanisms, it's not just about determining whether a document is normative or not. Even if CAMARA doesn’t explicitly prohibit alternative methods, it also doesn’t specify them—so interoperability cannot be guaranteed. You would need to propose an issue for CAMARA to define the support and interoperability model for any other authentication method(s) you are considering.

For example, CAMARA would need to define the behavior when dealing with 3-legged tokens that don’t identify a device or phone number, which is currently not defined. Developers would need to know how to handle this, particularly in cases where the API request does not include a device object or phone number due to the use of a 3-legged access token. Keep in mind that CAMARA has continued to work based on the assumption of network-based authentication, which enables the association of 3-legged tokens with a device or phone number (in case of CIBA login_hint is always a phoneNumber or an IP address). And based on that has defined https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#appendix-a-infodescription-template-for-device-identification-from-access-token for Fall24 or we are discussing camaraproject/Commonalities#259 for Spring25.

Opening up the Auth Code flow to other authentication methods could introduce scenarios such as user/password-based authentication, where the access token may be linked only to the user, not a specific device or phone number. A single user could have multiple phone numbers under their subscription, with no clear way for the API to determine which device or number the request applies to.

Take Telefónica as an example — Even though Telefónica supports other authentication mechanisms, they cannot yet be considered CAMARA-compliant because it’s not defined:

  • a) Should acr_values be ignored when using these other mechanisms? So far CAMARA defines that acr_values must be ignored under the previous assumption.
  • b) If another login method is applied, should I notify an aggregator or interoperable client so that "if Telefónica" scenarios manage the user experience (UX) accordingly?
  • c) How do I handle API calls involving the device object if the request does not include it, especially in cases of user/password authentication?
  • d) If the device connects via a mobile network, should I prioritize network-based login over other login methods? What happens if the network indicates MSISDN_A, but the user/password login shows MSISDN_B? Or if the user performs the user/password login on a device that does not belong to them?
  • e) Other login methods are valid (and necessary) when user consent needs to be captured, but they should always follow network-based authentication as a second step. This approach resolves point (d) because consent would be tied to the entity that performed the network-based authentication.

@AxelNennker
Copy link
Collaborator

CAMARA-Security-Interoperability.md is a specification that specifies what is needed to ensure security and interoperability on top of OICD and CIBA.

CAMARA-Security-Interoperability.md does not restrict the telco to use a specific authentication method. If the API consumer wants no user interaction they can use prompt=none. The prompt parameter is basic OIDC and CAMARA-Security-Interoperability.md does not mention it. Which is another example of OICD that is not changed by CAMARA-Security-Interoperability.md. API consumers can use prompt as defined by OIDC.

What is not restricted is allowed as long as it is OIDC.

CAMARA-API-access-and-user-consent.md is a guideline that shows how some flows could be implemented if network-based authentication is used.

If the telco is forbidden to use other authentication methods than network-based authentication then there is no user consent in CAMARA in some cases and for some purposes.

The reasoning for this statement is that network-based authentication only just authenticates the subscriber.
Network-based authentication is not user authentication.
Example: If a child is the user, then the subscriber, the parent, may not consent to the child using the CAMARA API.
If a subscriber has more than one contract, then we do not know who the user is, and then there cannot be user consent.
We would exclude all family accounts from using CAMARA.
Another example: a business account where a company provides phones and subscriptions to the company employees. We (probably) need user consent, that is employee consent, which is not subscriber consent. I have a DT phone and would not consent to DT e.g. tracking my location. There is nothing in my contract that allows DT to track me.

ICM does not want to exclude family or business use cases.

So, it is good for us that no ICM document restricts the telco to use the authentication method the telco deems to be appropriate under the use case, purpose and law.

@diegogonmar
Copy link
Collaborator

The common definition of a specification is that it is normative and guidelines are informative.
Both kind of documents have in common that if the document does not talks about something, then the base-standards still apply.

It's not valid to assume whether something is normative or informative solely based on the document being labeled as a specification or guideline. For instance, the CAMARA-API-access-and-user-consent.md defines a info.description field template, which was reviewed and approved by the TSC, and is absolutely mandatory for all CAMARA API specifications. Another great example of normative content within a guidelines document is the API-design-guidelines.md in the Commonalities WG, which contains a variety of normative definitions.

I'd like to treat separately the normative/not-normative aspect brought up by @AxelNennker, which is not part of the initial question raised by @shilpa-padgaonkar.
@shilpa-padgaonkar @AxelNennker please confirm that DT asserts that the CAMARA-API-access-and-user-consent.md document is not normative, as then there can be no further debate with a point of this magnitude, which challenges some of the basics written in CAMARA specs.
In that case I would not have a discussion in this thread about this but just a direct query to TSC to evaluate this aspect. @camaraproject/tsc-participants
Some, not all, implications of considering this document not normative:

  • Before ICM v0.2.0, CAMARA in fact specified nothing, as this document was part of the deliverable. v0.1.0 of ICM was informative
  • Any CAMARA member can search for a word e.g.: guidelines in a document to argument that is not normative. Note: cases exist both in Commonalities and in Release Management
  • Some relevant TSC discussions ended with a conclusion to be written in an informative document. I refer to discussions and conclusion about guidelines to document securitySchemes/security and rules to define when to use 3-legged/2-legged (also discussed in GSMA).

@AxelNennker
Copy link
Collaborator

Other login methods are valid (and necessary) when user consent needs to be captured

I wholeheartedly agree with the above, but I would remove the parentheses.

Other login methods and network-based authentication are not exclusive.

I do not agree with that the other authentication method MUST be followed by network-based authentication.

Example use case: The user bought a dog-tracker from a vendor and then a sim-card from a telco and the telco provides e.g. username/password for that SIM-card. Then the vendor can use OIDC authentication code flow to request an access token with login_hint=msisdn from the telco for the Camara location API, and the user uses their username/password and because there is just this SIM-card associated with that account (account-id = username maybe = msisdn) then there would be no need for network-based authentication. Which would not work anyway because the authentication device is different)

So, we agree that other authentication methods are valid and necessary although these other authentication methods are not mentioned in CAMARA-API-access-and-user-consent.md, right?

@AxelNennker
Copy link
Collaborator

@diegogonmar I agree we should come back to the original issue.

Are other authentication methods allowed although they are not mentioned in ICM documents?
I think the answer is yes.

Other login methods are valid (and necessary) when user consent needs to be captured

Does CAMARA mandate network-based authentication?
I think the answer is no. I think network-based authentication is sometimes needed, but not always.
Please see the dog-tracker example. OAuth2 has the limited-input-capability-devices use case e.g. picture frame.
OAuth2 was created to enable this use-case. And because OIDC is based on OAuth2, CAMARA can build on that.

I think that login_hint is the intended way to convey from the API consumer to the authorization server who/what we are talking about. I think we might currently be missing a formal specification for this in CAMARA-Security-Interoperability.md.

OIDC says:

login_hint
OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.

If the user has several subscriptions with the telco, we should specify that login_hint tel: is the way to convey which subscription the authentication request is about.

@diegogonmar
Copy link
Collaborator

diegogonmar commented Oct 22, 2024

@AxelNennker can you please edit your comment (#215 (comment)) or reply to it to confirm that DT is no longer indicating that CAMARA-API-access-and-user-consent.md is not normative? I'd like to officialize that, sorry but just saying above that you agree that we should come back to original issue does not confirm the withdrawal of former statement. Thank you

@jpengar
Copy link
Collaborator

jpengar commented Oct 23, 2024

Example use case: The user bought a dog-tracker from a vendor and then a sim-card from a telco and the telco provides e.g. username/password for that SIM-card. Then the vendor can use OIDC authentication code flow to request an access token with login_hint=msisdn from the telco for the Camara location API, and the user uses their username/password and because there is just this SIM-card associated with that account (account-id = username maybe = msisdn) then there would be no need for network-based authentication. Which would not work anyway because the authentication device is different)

If the authentication device is different from the consumption device, this is one of the main reasons to use CIBA flow instead. This is also mentioned in CAMARA-API-access-and-user-consent.md (CIBA ruleset):

If some usecase/s for an API point to off-net scenarios and where consumption and authentication devices could be different, the Backend flow should be used.

@AxelNennker
Copy link
Collaborator

If the authentication device is different from the consumption device, this is one of the main reasons to use CIBA flow instead. This is also mentioned in CAMARA-API-access-and-user-consent.md (CIBA ruleset):

If some usecase/s for an API point to off-net scenarios and where consumption and authentication devices could be different, the Backend flow should be used.

@jpengar
There are two aspects regarding your comment that I want to address here:

  1. I gave an example how authorization code flow might be the best choice for the client and in which we do not need network-based authentication and other authentication methods are sufficient. In the example the API provider needs to collect consent from the user before the API provider creates an access token for the tracker vendor (API consumer). The API provider authenticates the user and then the user grants access e.g. to CAMARA's DeviceLocation API for the dog-tracker. In the example the user is already on a device with high input capabilities and the device the API applies to is not identified by network-based authentication.

  2. Yes, CIBA was designed to handle some use cases (CIBA examples) where consumption device and authentication device are different.
    That does not mean that all use cases with two devices are optimally handled by CIBA and it does not mean that the client MUST use CIBA.
    In CIBA the client offloads the task of contacting the authentication device to the communications provider. There is no need for that in this example because the user already is on the authentication device when registering the doc-tracker in either the vendor's website or the vendor's mobile app. I think that OIDC authorization code flow is the best fit for the example that enables the API consumer to use CAMARA's DeviceLocation API.

CAMARA-API-access-and-user-consent.md recommendation for CIBA is valid for consumption-device and authentication device use cases. The example does not fall into the category because the doc-tracker is no consumption device.

CIBA does not make sense in the example because the user is already on the authentication device.
Network-based authentication does not make sense in the example because the doc-tracker device is not communicating.

OIDC authorization code flow is the flow that is best in the example. As defined in OIDC the login_hint parameter contains the MSISDN the request is about.

@AxelNennker
Copy link
Collaborator

So my understanding is that this is only about authorisation code flow? Or does this issue include CIBA?

@eric-murray
Yes, this issue is about authorization code flow, not about CIBA.
In CIBA the method how the MNO contacts the authentication device is for the MNO to decide.
In CIBA the MNO can send an SMS, MMS, RCS or a Push Notification. It is up to the MNO to decide which channel is best.
Also the MNO can decide whether the message contains a text and code, or a link, or whatever.

Operators can choose the consent capture mechanism that best suits their capabilities, preferences and needs

Our document https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md shows this in the sequence diagram between step 5 and 6
https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#ciba-flow-backend-flow

Out Of Band Consent Capture (Push/SMS/other)

Comming back to OIDC authorization code flow and this issue.
https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#authorization-code-flow-frontend-flow states refers to OIDC consent in the sequence diagram.
image

3.1.2.4. Authorization Server Obtains End-User Consent/Authorization

Once the End-User is authenticated, the Authorization Server MUST obtain an authorization decision before releasing information to the Relying Party. When permitted by the request parameters used, this MAY be done through an interactive dialogue with the End-User that makes it clear what is being consented to or by establishing consent via conditions for processing the request or other means (for example, via previous administrative consent). Sections 2 and 5.3 describe information release mechanisms.

I think that CAMARA-API-access-and-user-consent.md clearly states that the basis for End-User Consent is OIDC 3.1.2.4.

Scenario 2: Consent is required and not yet provided by user (Step 8)

The operator performs the consent capture following Section 3.1.2.4 of the OpenID Connect Core 1.0 specification. Since the authorization code grant involves the frontend, the consent can be captured directly from the user.
Once the user has given consent, the authorization code flow continues by redirecting to the API invoker redirect_uri (invoker_callback) and including the authorization code (OperatorCode).

@AxelNennker
Copy link
Collaborator

I removed my comment as requested. The more important point is that CAMARA-API-access-and-user-consent.md deferres to OIDC core consent collection.

@jpengar
Copy link
Collaborator

jpengar commented Nov 5, 2024

According to the solution agreed upon and documented in CAMARA-API-access-and-user-consent.md, as of today, CAMARA currently only considers network-based authentication in the Authorization Code Flow. Therefore, tokens are issued for the network authenticated identifier. Based on this, Telefónica proposes to close the issue with this conclusion.

We agree that, as part of the in-band consent capture (as per section 3.1.2.4 of the OIDC Core 1.0 specification), CAMARA does not prevent operators from using any additional authentication mechanisms deemed necessary to authenticate the user who owns the network-authenticated device e.g. such as a username/password prompt, if a higher level of assurance is required for the operator to capture consent.

This approach ensures that the access token obtained at the end of the flow accurately reflects the authenticated status of the user's network-authenticated device, preserves UX continuity, minimises unnecessary prompts, and meets OIDC security standards by defaulting to network authentication and requiring further user interaction only when necessary.

NOTE: As mentioned by @eric-murray in #191 (comment), the agreed definitions in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#glossary-of-terms-and-concepts are used, in particular the definition of user.

@AxelNennker
Copy link
Collaborator

AxelNennker commented Nov 5, 2024

updated.

CAMARA does not restrict the telco/MNO/API producer to a single authentication method.
If we restrict the authentication to network-based authentication, then we exclude valuable business cases.

  • if the subscriber has more than one subscription, then the MNO cannot be sure that the subscriber equals the user. CAMARA can do more because OIDC core standard is all about End-User authentication and End-User consent collection. If the End-User authenticates and gives their consent, we can issue an access token for the requested CAMARA API.
  • if the subscription is a business contract then we would have to reject the request if we only have network-based authentication, because we do not know whether the user is the contract owner. With user authentication the contract owner can authenticate and consent can be collected.

CAMARA authorization code flow is based on OIDC authorization code flow with some interop and security specifications in CAMARA-Security-Interoperability.md.

If the API consumer does not want any user interaction, then they can use the OIDC standard parameter prompt=none in the OIDC authentication request.
It is then for the API producer to decide whether this is legal under e.g. GDPR or whether the data-subject has to be authenticated and grant consent.


Please have a look at Mandatory to Implement Features for All OpenID Providers:

Mandatory to Implement Features for All OpenID Providers

All OpenID Providers MUST implement the following features defined in this specification. This list augments the set of features that are already listed elsewhere as being "REQUIRED" or are described with a "MUST", and so is not, by itself, a comprehensive set of implementation requirements for OPs.

  • Signing ID Tokens with RSA SHA-256
    OPs MUST support signing ID Tokens with the RSA SHA-256 algorithm (an alg value of RS256), unless the OP only supports returning ID Tokens from the Token Endpoint (as is the case for the Authorization Code Flow) and only allows Clients to register specifying none as the requested ID Token signing algorithm.
  • Prompt Parameter
    OPs MUST support the prompt parameter, as defined in Section 3.1.2, including the specified user interface behaviors such as none and login.
  • Display Parameter
    OPs MUST support the display parameter, as defined in Section 3.1.2. (Note that the minimum level of support required for this parameter is simply that its use must not result in an error.)
  • Preferred Locales
    OPs MUST support requests for preferred languages and scripts for the user interface and for Claims via the ui_locales and claims_locales request parameters, as defined in Section 3.1.2. (Note that the minimum level of support required for these parameters is simply to have their use not result in errors.)
  • Authentication Time
    OPs MUST support returning the time at which the End-User authenticated via the auth_time Claim, when requested, as defined in Section 2.
  • Maximum Authentication Age
    OPs MUST support enforcing a maximum authentication age via the max_age parameter, as defined in Section 3.1.2.
  • Authentication Context Class Reference
    OPs MUST support requests for specific Authentication Context Class Reference values via the acr_values parameter, as defined in Section 3.1.2. (Note that the minimum level of support required for this parameter is simply to have its use not result in an error.)

Also please have a look at OIDC definition of the prompt parameter which is mandatory to implement for all OpenId providers. Please note that OIDC uses "End-User"

Consent according to GDPR is given by the data-subject. The glossary entry for "user" does not change that.


CAMARA APIs are much more attractive to API consumers if we follow the standards as specified in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md

@AxelNennker
Copy link
Collaborator

Thanks @jpengar

To understand your argument I would like to ask clarifying questions.

We agree that, as part of the in-band consent capture (as per section 3.1.2.4 of the OIDC Core 1.0 specification), CAMARA does not prevent operators from using any additional authentication mechanisms deemed necessary to authenticate the user who owns the network-authenticated device e.g. such as a username/password prompt, if a higher level of assurance is required for the operator to capture consent.

Does the operator decide whether end-user authentication and consent collection is needed? If there is prompt=none in the request then there is not end-user interaction and if the operator thinks that end-user interaction is needed then the operator returns an error to the prompt=none request.

Example use cases:
Are we all OK with that if network-based authentication identifies a business subscription that the MNO can then use other authentication methods?

Are we all OK with that if network-base authentication identifies a subscription where the contract holder has several subscriptions, that then the MNO can use other authentication methods?

I think the general point here is that the MNO decides about if and how end-user authentication and consent collection is done. With the exception that of prompt=none.

Network-base authentication identifies the device from which the request is being made from, but if the MNO decides that end-user interaction is needed then the MNO is not retricted by CAMARA how to implement that user interaction.

To your argument about consent collection: Does CAMARA restrict the MMN when to do consent collection?
Your argument is: If there is "in-band consent capture" the the MNO is free.
My question: Is the MNO also free to decide IF consent collection is needed?

Maybe we need a guideline/clarification in https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md?

@shilpa-padgaonkar
Copy link
Collaborator Author

With the following 3 comments:
#215 (comment), #215 (comment) and #215 (comment),

I can close the issue with the following concluding statement:

  1. It is up to the operator to make a decision when consent collection is needed or not,
  2. CAMARA does not restrict the telco/MNO/API producer from using additional authentication methods when consent is needed.

@jpengar
Copy link
Collaborator

jpengar commented Nov 7, 2024

I can close the issue with the following concluding statement:

  1. It is up to the operator to make a decision when consent collection is needed or not,
  2. CAMARA does not restrict the telco/MNO/API producer from using additional authentication methods when consent is needed.

As agreed in yesterday's WG call (minutes), here is a proposed amendment to the issue conclusion that Telefónica is comfortable with:

  • It is up to the operator to make a decision when consent collection is needed or not,
    • based on the scope(s)/purpose declared by the API client and aligned with local legislation, ensuring that all operators under the same regulatory framework adopt a consistent approach.
  • Currently, CAMARA only considers network-based authentication in the Authorization Code Flow. Therefore, access tokens are issued for the network authenticated identifier.
  • CAMARA does not prevent the telco/MNO/API producer from using additional authentication methods as part of the in-band consent capture process when consent is needed.

Are we all OK to close the issue as per the above conclusion?

@AxelNennker
Copy link
Collaborator

Can we find a wording that the above also works for operator tokens?

Currently, CAMARA only considers network-based authentication in the Authorization Code Flow. Therefore, access tokens are issued for the network authenticated identifier.

@jpengar
Copy link
Collaborator

jpengar commented Nov 12, 2024

Can we find a wording that the above also works for operator tokens?

This issue was originally intended to clarify the authentication method for the Auth Code flow as defined by CAMARA today. I don't see operator tokens in the scope of this issue discussion.

Also, the use of operator tokens is something that will be discussed and included in Spring25 and not in the current Fall24 meta-release. CAMARA has so far defined an additional possible value for the operator token as login_hint (besides MSISDN and IP), which CAMARA has so far only discussed for CIBA. The login_hint has never been discussed for the auth code flow, because it is not needed, since the subscription identity is known anyway from network-based authentication.

So I am still kindly asking the WG if this issue can be closed in the conclusion written above.

@murthygorty
Copy link
Collaborator

Hi, sorry for late comments. In TMUS, network-based authentication is one of the ways of authenticating a subscriber. So far, we have not been seeing this as 'exclusively' network auth -- we have username/password support in some cases as well.

It will be good to not making these too specific to only network auth.
cc: @gmuratk @mikeengan

@eric-murray
Copy link
Collaborator

@murthygorty
Can you give any details on how you support username/password authentication?

The current CAMARA specification already allows the authorisation code flow to "Start user consent capture process following Section 3.1.2.4 of the OIDC Core 1.0 spec". So if you do it that way, then no changes to the CAMARA specification are required.

But it has been suggested to use login_hint to identify the end user, which would not currently be compliant with the CAMARA specification, as that is restricted to tel:, ipport:, or operatortoken:.

@murthygorty
Copy link
Collaborator

Hi @eric-murray, we use login_hint with email: for scenarios where users are authenticated via email/pwd today.

  • For CAMARA usecases we have even been discussing business use cases where an admin for an organization might be prompted (oidc or ciba) and perhaps the organization name might be part of it as well. We haven't quite defined the prefix.
  • We have also thought of use cases where there are 'System Integrator' companies which are authorized admins for multiple Customer Businesses for us.
  • For completeness: My colleagues in our Identity team tell me that our identity platform supports a lot of login_hints for various use-cases (storefront user experience where elevated login is required etc.).
  • While these are arguably less defined right this moment for CAMARA, my preference is for CAMARA not to be too prescriptive reducing its use for the different operator use cases.

Restricting just tel/ipport/operatortoken seems restrictive to me.

sorry for the delay - this is what happens if I put it away for a few hrs, it becomes days :-)
cc: @gmuratk @mengan @RamTMO

@eric-murray
Copy link
Collaborator

Thanks @murthygorty

Yes, I can see the use cases, but I'm wondering what this means for CAMARA.

For CIBA, the login_hint is the only "hint" that we get as to the User's identity, so strict compliance with a standard is required for interoperability. Because if the login_hint is not recognised, the flow will fail.

For authorisation code flow, I can see there is more room for flexibility. There are two reasons to use authorisation code flow:

  • Identification of the User by network authentication; and/or
  • "In-band" interaction with the End User for End User authentication

If neither of these things are happening, I don't see the need for it.

But what should CAMARA say about the login_hint for that scenario to ensure "interoperability"? Do we need any more than "unknown login hints must be ignored"? Or do we need to agree exactly how API providers will identify, interact with, and authenticate the End User?

If a CAMARA API is being used in a non-aggregated / non-federated environment between a known client and known network operator, there is nothing to stop them agreeing such "extensions" to the CAMARA standard between themselves independently of CAMARA.

@murthygorty
Copy link
Collaborator

murthygorty commented Dec 10, 2024

Ahaa, very interesting @eric-murray -- thanks for the info, rechecked documentation for how CAMARA intends to use login_hint.

One suggestion that is not critical to the main question here:
I wonder if its best to view login_hint and authenticating device to be two different entities, in some scenarios:
login_hint: a hint to the operator on the authenticating user -- can be a device or login or some account identifier
authenticating device: an entity that the operator chooses to get auth+consent from using operators own mechanism like sms, like our documentation says.

Onto the key question:
You are correct that we would need to standardize how OGW apps interact with the aggregators with some known entities that are common (and an expanding list as more use cases emerge).

BUT, I do believe that CAMARA should not be constricted to aggregated environments and hence should have terminology/documentation that accommodates these extensions for CIBA too.

Perhaps, can I suggest a naming convention like iana claims where we will continue to build a set of standard 'hint-prefixes' and a customizable "x-" prefix for non-aggregated use cases?
edit: Thinking more, I believe, we should not have x- prefixes. Instead, I recommend that we have a section for recognized login_hint enum --> these would help OGW initiatives. AND, we mention explicitly as a reminder that non-aggregated environments can have their own login_hint prefixes. I think it is good to also mandate prefixes. OIDC doesnt, afaik

cc: @gmuratk @mengan, @AxelNennker @rampto

@diegogonmar
Copy link
Collaborator

Hi @murthygorty. We also support user/password in Telefonica, also SMS OTP and other mechanisms in auth_code. We support login_hint in auth code also, as well as acr_values to deal with different possible values.

But in the context of CAMARA we do ignore acr_values, as the profile says to do so. And we were fine when we decided to ignore it because there are no other auth mechanism defined in CAMARA (thus interoperable) other than Network Auth. We also ignore login_hint because given that network auth is applied, using login_hint is not needed.

This is the point of this thread, clarify the scope of current CAMARA specifications. We don't want to forbid other mechanisms, if needed we should include them and ensure interoperability

@diegogonmar
Copy link
Collaborator

Can we find a wording that the above also works for operator tokens?

This issue was originally intended to clarify the authentication method for the Auth Code flow as defined by CAMARA today. I don't see operator tokens in the scope of this issue discussion.

Also, the use of operator tokens is something that will be discussed and included in Spring25 and not in the current Fall24 meta-release. CAMARA has so far defined an additional possible value for the operator token as login_hint (besides MSISDN and IP), which CAMARA has so far only discussed for CIBA. The login_hint has never been discussed for the auth code flow, because it is not needed, since the subscription identity is known anyway from network-based authentication.

So I am still kindly asking the WG if this issue can be closed in the conclusion written above.

Coming back to core of this discussion. @AxelNennker can you confirm the agreement made in the call so if no other WG members raise an objection we can close this discussion with that conclusion?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

6 participants