Cross Device Flow in SIOP

Issue #1257 resolved
Torsten Lodderstedt created an issue

SIOP is currently limited to interactions on the device where the SIOP OP is located. However, there are use cases where the user might want to use the keys and credentials in her SIOP to login/identify on a different device. Example are mDL, kiosks or a website visited on the user’s desktop PC.

There is a adopted SIOP flow being proposed in the mDL context, where the first request from RP to SIOP is conveyed using request object/URL and the SIOP sends a POST request to the RP‘s backend. I suggest to add this flow (or a similar flow) to SIOP v2 in order to support the beforementioned use cases.

Comments (10)

  1. David Waite

    This sounds like a variation of the device flow, in reverse - interesting.

    This will require the RP be a confidential client and online. It will also be the first API endpoint defined for RPs that I know of.

  2. Torsten Lodderstedt reporter

    Why do you think the RP needs to be confidential?

    I would consider this an endpoint similar (at least conceptually) to the redirect URI in case of redirect based flows. It also has a well-defined parameter set.

  3. Kristina Yasuda

    in 2021-07-08 call, Pam mentioned cross-domain QR codes work in OAuth that might be relevant

  4. Jeremie Miller

    During the call fishing was mentioned as a challenge for cross-device flows, but I believe it’s a more general statement along the lines of: the user must have some means to trust the origin of a new SIOP flow (such as in a browser w/ TLS or known installed app).

    There’s some discussion of this also over on #1255 as well.

    This is something we’ll also see trust frameworks doing regularly (like in mDL) in order to ensure it’s secure/safe, where RPs will have to be registered to or attested by the framework such that requests can be verified when they reach the wallet.

  5. Kristina Yasuda

    The issue has been discussed in 07-12-2021 Connect Call and 07013 SIOP call. Below are some points that have been made

    Cross-device SIOP can be used for attribute-presentation, but should not be used to authenticate an agent on another device to create an agent session, since it is very vulnerable to a phishing attack

    Security properties are different. Same-device SIOP is essentially a federation, and has same risks, while cross-device SIOP introduces new higher risks, because two devices are uncoupled and you cannot verify the access channel.

    We should be careful with how QR codes are being used, Using them to attach mobile device to another device (terminal, PC) and establish a secure connection is different from using QR code to initiate a session that is completely in the backchannel, since use would not have anidea whether QR code is being presented directly or through a reverse proxy.

  6. Log in to comment