- changed component to SIOP
Cross Device Flow in SIOP
SIOP is currently limited to interactions on the device where the SIOP OP is located. However, there are use cases where the user might want to use the keys and credentials in her SIOP to login/identify on a different device. Examples are mDL, kiosks or a website visited on the user's desktop PC.
There is an adopted SIOP flow being proposed in the mDL context, where the first request from RP to SIOP is conveyed using a request object/URL and the SIOP sends a POST request to the RP's backend. I suggest to add this flow (or a similar flow) to SIOP v2 in order to support the aforementioned use cases.
Comments (10)
-
This sounds like a variation of the device flow, in reverse - interesting.
This will require the RP be a confidential client and online. It will also be the first API endpoint defined for RPs that I know of.
-
reporter: Why do you think the RP needs to be confidential?
I would consider this an endpoint similar (at least conceptually) to the redirect URI in case of redirect based flows. It also has a well-defined parameter set.
-
- changed status to open
very much needed use-case wise
-
assigned issue to
Oliver reported that this issue has been discussed in DIF before: https://github.com/decentralized-identity/did-siop/issues/3
-
assigned issue to
-
in 2021-07-08 call, Pam mentioned cross-domain QR codes work in OAuth that might be relevant
-
During the call phishing was mentioned as a challenge for cross-device flows, but I believe it's a more general statement along the lines of: the user must have some means to trust the origin of a new SIOP flow (such as in a browser w/ TLS or known installed app).
There’s some discussion of this also over on #1255 as well.
This is something we’ll also see trust frameworks doing regularly (like in mDL) in order to ensure it’s secure/safe, where RPs will have to be registered to or attested by the framework such that requests can be verified when they reach the wallet.
-
reporter: I created pull request #33 for this topic
-
The issue has been discussed in the 07-12-2021 Connect call and the 07-13 SIOP call. Below are some points that have been made:
- Cross-device SIOP can be used for attribute presentation, but should not be used to authenticate an agent on another device to create an agent session, since it is very vulnerable to a phishing attack.
- Security properties are different. Same-device SIOP is essentially a federation, and has the same risks, while cross-device SIOP introduces new, higher risks, because the two devices are uncoupled and you cannot verify the access channel.
- We should be careful with how QR codes are being used. Using them to attach a mobile device to another device (terminal, PC) and establish a secure connection is different from using a QR code to initiate a session that is completely in the backchannel, since the user would not have any idea whether the QR code is being presented directly or through a reverse proxy.
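The flow proposed in the issue (request conveyed as a URL, typically in a QR code; wallet POSTs the response to the RP backend) and the risk summarised in the call notes above, modelled end to end as an added example. This is not code from the SIOP v2 spec, from PR #33 or from any wallet. The parameter names `response_uri` and `response_mode=post`, the `openid://` scheme, the session identifiers and the HS256 stand-in for the wallet's holder-key self-signature are assumptions made for the example, and all inputs are constructed.

```python
"""Cross-device SIOP: RP issues a request URL (QR), wallet POSTs id_token + state back."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Assumption: real SIOP signs the ID token with the holder's own key (sub = key
# thumbprint); an HMAC with a constructed key stands in for that signature here.
WALLET_KEY = b"constructed-demo-key"


def jws_hs256(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(WALLET_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jws_verify(token: str) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(WALLET_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


class RelyingParty:
    """RP backend: mints a request for a browser session and accepts the wallet's POST."""

    def __init__(self, response_uri: str = "https://rp.example/siop/response"):
        self.response_uri = response_uri
        self.pending = {}   # state -> {"nonce", "session", "exp"}
        self.sessions = {}  # browser session -> subject accepted for it

    def create_request_url(self, browser_session: str) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = {"nonce": nonce, "session": browser_session, "exp": time.time() + 300}
        params = {
            "response_type": "id_token",
            "response_mode": "post",          # assumed: wallet POSTs instead of redirecting
            "client_id": self.response_uri,
            "response_uri": self.response_uri,  # assumed name for the RP backend endpoint
            "scope": "openid",
            "state": state,
            "nonce": nonce,
        }
        return "openid://?" + urlencode(params)  # the string the QR code carries

    def receive_post(self, form: dict) -> str:
        """Handle the wallet's POST; returns the browser session that gets logged in."""
        entry = self.pending.pop(form["state"], None)  # state is single use
        if entry is None or entry["exp"] < time.time():
            raise ValueError("unknown, replayed or expired state")
        claims = jws_verify(form["id_token"])
        if claims["nonce"] != entry["nonce"] or claims["aud"] != self.response_uri:
            raise ValueError("nonce/audience mismatch")
        if claims["iss"] != claims["sub"]:
            raise ValueError("not a self-issued token")
        # Nothing in the POST says which screen displayed the QR code: the RP can only
        # bind the result to the session that *requested* the QR, honest or not.
        self.sessions[entry["session"]] = claims["sub"]
        return entry["session"]


class Wallet:
    def __init__(self, subject: str):
        self.subject = subject

    def answer(self, request_url: str) -> tuple:
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        now = int(time.time())
        token = jws_hs256({"iss": self.subject, "sub": self.subject, "aud": q["client_id"],
                           "nonce": q["nonce"], "iat": now, "exp": now + 60})
        return q["response_uri"], {"id_token": token, "state": q["state"]}


def honest_flow() -> str:
    """The browser that displayed the QR code is the one that gets the login."""
    rp = RelyingParty()
    _uri, form = Wallet("did:example:alice").answer(rp.create_request_url("victim-browser"))
    return rp.receive_post(form)


def relayed_qr_flow() -> str:
    """Attacker fetches a fresh QR for their own session and shows it to the victim
    (reverse proxy, sticker). The wallet's answer is valid and indistinguishable."""
    rp = RelyingParty()
    _uri, form = Wallet("did:example:alice").answer(rp.create_request_url("attacker-browser"))
    return rp.receive_post(form)


def replay_is_rejected() -> bool:
    rp = RelyingParty()
    _uri, form = Wallet("did:example:alice").answer(rp.create_request_url("victim-browser"))
    rp.receive_post(form)
    try:
        rp.receive_post(form)  # state consumed on first use
    except ValueError:
        return True
    return False
```

The nonce, state, audience and single-use checks close the usual replay and substitution gaps, yet `relayed_qr_flow` still logs the attacker's browser in with Alice's identity: the RP backend sees only a well-formed POST and has no information about the channel over which the request URL reached the wallet. That is the concrete reason for the call's conclusion that cross-device SIOP is acceptable for attribute presentation but not, on its own, for establishing an agent session.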
-
- changed status to resolved
Resolved by merging PR #33