Internet-Draft | OAuth Authn Challenge | May 2022 |
Bertocci & Campbell | Expires 12 November 2022 | [Page] |
It is not uncommon for resource servers to require different authentication strengths or freshness according to the characteristics of a request. This document introduces a mechanism for a resource server to signal to a client that the authentication event associated with the access token of the current request doesn't meet its authentication requirements and specify how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or freshness when processing an authorization request.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 November 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In simple API authorization scenarios, an authorization server will statically determine what authentication technique to use to handle a given request on the basis of aspects such as the scopes requested, the resource, the identity of the client and other characteristics known at provisioning time. Although the approach is viable in many situations, it falls short in several important circumstances. Consider, for instance, an eCommerce API requiring different authentication strengths depending on whether the item being purchased exceeds a certain threshold, dynamically estimated by the API itself using a logic that is opaque to the authorization server. An API might also determine that a more recent user authentication is required based on its own risk evaluation of the API request.¶
This document extends the error codes collection defined by [RFC6750] with a new value, insufficient_user_authentication
, which can be used by resource servers to signal to the client that the authentication event associated with the access token presented with the request doesn't meet the authentication requirements of the resource server.
This document also introduces acr_values
and max_age
parameters for the WWW-Authenticate
response header defined by [RFC6750], which the resource server can use to explicitly communicate to the client the required authentication strength or recentness.¶
The client can use that information to reach back to the authorization server with an authorization request specifying the authentication requirements indicated by protected resource, by including the acr_values
or max_age
parameter as defined in [OIDC].¶
Those extensions will make it possible to implement interoperable step up authentication with minimal work from resource servers, clients and authorization servers.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Following is an end-to-end sequence of a typical step-up authentication scenario implemented according to this specification. The scenario assumes that, before the sequence described below takes place, the client already obtained an access token for the protected resource.¶
acr_values
and max_age
) what authentication requirements must be met for the resource server to authorize a request.¶
acr_values
and/or max_age
indicated by the resource server in the previous step.¶
acr_values
and/or max_age
values of the authorization request, the authorization server returns a new access token to the client. The access token contains or references information about the authentication event.¶
The validation operations mentioned in step 2 and 6 imply that the resource server has a way of evaluating the authentication level by which the access token was obtained. This document will describe how the resource server can perform that determination when the access token is a JWT Access token [RFC9068] or is validated via introspection [RFC7662]. Other methods of determining the authentication level by which the access token was obtained are possible, per agreement by the authorization server and the protected resource, but are beyond the scope of this specification.¶
This specification introduces a new error code value for the error
parameter of [RFC6750] or authentication schemes, such as [I-D.ietf-oauth-dpop], which use the error
parameter:¶
insufficient_user_authentication
Note: the logic through which the resource server determines that the current request doesn't meet the authentication requirements of the protected resource, and associated functionality (such as expressing, deploying and publishing such requirements) is out of scope for this document.¶
Furthermore, this specification defines additional WWW-Authenticate
auth-param values to convey the authentication requirements back to the client.¶
acr_values
max_age
Below you can find an example of WWW-Authenticate
header using the insufficient_user_authentication
error code value to inform the client that the access token presented isn't sufficient to gain access to the protected resource, and the acr_values
parameter to let the client know that the expected authentication level corresponds to the authentication context class reference identified by myACR
.¶
If the resource server determines that the request is also lacking the scopes required by the requested resource, it MAY include the scope
attribute with the scope necessary to access the protected resource, as described in section 3.1 of [RFC6750].¶
Section 5.5.1.1 of [OIDC] establishes that an authorization server receiving a request containing the acr_values
parameter MAY attempt to authenticate the user in a manner that satisfies the requested Authentication Context Class Reference, and include the corresponding value in the acr
claim in the resulting ID Token. The same section also establishes that in case the desired authentication level cannot be met, the authorization server SHOULD include in the acr
claim a value reflecting the authentication level of the current session (if any). The same section also states that if a request includes thee max_age
parameter, the authorization server MUST include the auth_time
claim in the issued ID Token.
An authorization server complying with this specification will react to the presence of the acr_values
and max_age
parameters by including acr
and auth_time
in the access token (see Section 6 for details).
Although [OIDC] leaves the authorization server free to decide how to handle the inclusion of acr
in ID Token when requested via acr_values
, when it comes to access tokens in this specification it is RECOMMENDED that the requested acr
value is treated as required for successfully fulfilling the request. That is, the requested acr
value is included in the access token if the authentication operation successfully met its requirements, or that the authorization request fails in all other cases, returning unmet_authentication_requirements
as defined in [OIDCUAR]. The recommended behavior will help prevent clients getting stuck in a loop where the authorization server keeps returning tokens that the resource server already identified as not meeting its requirements hence known to be rejected as well.¶
To evaluate whether an access token meets the protected resource's requirements, the resource servers needs a way of accessing information about the authentication event by which that access token was obtained. This specification provides guidance on how to convey that information in conjunction with two common access token validation methods: the one described in [RFC9068], where the access token is encoded in JWT format and verified via a set of validation rules, and the one described in [RFC7662], where the token is validated and decoded by sending it to an introspection endpoint. Authorization servers and resource servers MAY elect to use other encoding and validation methods, however those are out of scope for this document.¶
When access tokens are represented as JSON Web Tokens (JWT) [RFC7519], the auth_time
and acr
claims (per Section 2.2.1 of [RFC9068]) are used to convey the time and context of the user authentication event that the authentication server performed during the course of obtaining the access token. It is useful to bear in mind that the values of those two parameters are established at user authentication time and won't change in the event of access token renewals. See the aforementioned Section 2.2.1 of [RFC9068] for details. The following is a conceptual example showing the decoded content of such a JWT access token.¶
OAuth 2.0 Token Introspection [RFC7662] defines a method for a protected resource to query an authorization server about the active state of an access token as well as to determine metainformation about the token. The following two top-level introspection response members are defined to convey information about the user authentication event that the authentication server performed during the course of obtaining the access token.¶
acr
auth_time
The following example shows an introspection response with information about the user authentication event by which the access token was obtained.¶
[[TBD]]¶
Remember that oauth is not authN, you need a layer like OIDC to handle that part. This is not an encouragement to abuse oauth. This is about the authentication event of the user to the AS by which the access token was obtained.¶
[[TBD]]¶
The insufficient_user_authentication
error code in the "OAuth Extensions Error" registry [IANA.OAuth.Params].¶
Section 6.2 for acr
and auth_time
as top-level members of the introspection response in the "OAuth Token Introspection Response" registry [IANA.OAuth.Params].¶
The acr_values
and max_age
WWW-Authenticate
auth-params are "new" but doesn't seem like any registration is needed or possible.¶
I wanted to thank the Academy, the viewers at home, the shampoo manufacturers, etc..¶
Initially (kinda) discussed at the OAuth Security Workshop 2021¶
A number of others already but haven't kept track...¶
[[ To be removed from the final specification ]]¶
-00 (Working Group Draft)¶
-01¶
-00¶