clients may want to influence lifetime of auth_req_id

Issue #144 resolved
Joseph Heenan created an issue

currently it seems the AS alone is responsible for deciding on the expires_in value for auth_req_id.

Talking through possible use cases it seems like often the client is going to have a better idea on what a useful auth_req_id lifetime might be. For example, if the user is trying to make an immediate payment in a store, an auth_req_id expiry is likely to be single-digit minutes.

If the client is trying to schedule a payment itself (eg. a weekly auto sweep into a savings account) it would be quite reasonable to give the user 24 hours or more to authorise the payment.

I'd hence be tempted to add a "requested_auth_req_id_expiry" (or perhaps something with a less clumsy name) parameter to the authentication request.

Comments (12)

  1. Brian Campbell

    we should discuss on the next call


    I think this is a sensible suggestion

    I'm gonna push back pretty hard on adding something like this. Putting control of state lifetime that the server must maintain into the client's control can be problematic for the server in terms of salability and security. Furthermore, I don't think we should be encouraging the use of CIBA for situations where the user isn't somehow directly involved in something that kicks off the OOB authentication event so that they are in some position to be expecting it. Otherwise I think we are opening the door to (and training users to accept) a new kind of phishing or harassment via unsolicited authn/z requests.

    The spec is also at a stage of it's lifestyle where the WG needs to be very conscientious about stability.

  2. Dave Tonge

    You raise some really good points Brian. I look forward to discussing this on one of the upcoming calls.

  3. Brian Campbell

    Discussed on Jan 8th 2019 call and decided "Joseph to propose the text: parameter definition and how to use it, to the list. Before end of week"

    The requested TTL of the auth_req_id should be a request/hint/suggestion from the client but the AS ultimately has the final say on its expiry.

    cc @josephheenan because I don't seem to be able to actually assign to him

  4. Joseph Heenan reporter

    I suggest adding to the authentication request:

    requested_expiry OPTIONAL A positive integer allowing the client to request the "expires_in" value for the "auth_req_id" the server will return. The server MAY use this value to influence the lifetime of the authentication request and is encouraged to do so where it will improve the user experience, for example by terminating authentications when as it knows the client is no longer interested in the result.

  5. Log in to comment