clients may want to influence lifetime of auth_req_id

Issue #144 resolved
Joseph Heenan created an issue

currently it seems the AS alone is responsible for deciding on the expires_in value for auth_req_id.

Talking through possible use cases it seems like often the client is going to have a better idea on what a useful auth_req_id lifetime might be. For example, if the user is trying to make an immediate payment in a store, an auth_req_id expiry is likely to be single-digit minutes.

If the client is trying to schedule a payment itself (eg. a weekly auto sweep into a savings account) it would be quite reasonable to give the user 24 hours or more to authorise the payment.

I'd hence be tempted to add a "requested_auth_req_id_expiry" (or perhaps something with a less clumsy name) parameter to the authentication request.

Comments (12)

  1. Brian Campbell

    we should discuss on the next call

    agree

    I think this is a sensible suggestion

    I'm gonna push back pretty hard on adding something like this. Putting control of state lifetime that the server must maintain into the client's control can be problematic for the server in terms of scalability and security. Furthermore, I don't think we should be encouraging the use of CIBA for situations where the user isn't somehow directly involved in something that kicks off the OOB authentication event so that they are in some position to be expecting it. Otherwise I think we are opening the door to (and training users to accept) a new kind of phishing or harassment via unsolicited authn/z requests.

    The spec is also at a stage of its lifecycle where the WG needs to be very conscientious about stability.

  2. Dave Tonge

    You raise some really good points Brian. I look forward to discussing this on one of the upcoming calls.

  3. Brian Campbell

    Discussed on Jan 8th 2019 call http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20190107/001408.html and decided "Joseph to propose the text: parameter definition and how to use it, to the list. Before end of week"

    The requested TTL of the auth_req_id should be a request/hint/suggestion from the client but the AS ultimately has the final say on its expiry.

    cc @josephheenan because I don't seem to be able to actually assign to him

  4. Joseph Heenan reporter

    I suggest adding to the authentication request:

    requested_expiry: OPTIONAL. A positive integer allowing the client to request the "expires_in" value for the "auth_req_id" the server will return. The server MAY use this value to influence the lifetime of the authentication request and is encouraged to do so where it will improve the user experience, for example by terminating authentications when it knows the client is no longer interested in the result.
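One way an AS could treat requested_expiry as a hint while keeping the final say on expiry (the position agreed in comment 3), as an added example that is not the spec's text nor any implementation's code; the policy bounds, the ExpiryPolicy/resolve_expires_in names and the invalid_request handling for malformed values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpiryPolicy:
    """AS-side bounds on auth_req_id lifetime (assumed values, in seconds)."""
    default_expires_in: int = 120    # used when the client sends no hint
    min_expires_in: int = 30         # floor so the user has a realistic window
    max_expires_in: int = 86400      # hard ceiling: the AS, not the client, bounds
                                     # how long it must keep the pending request


class InvalidRequest(ValueError):
    """Maps to a CIBA error response with error=invalid_request (assumption)."""


def resolve_expires_in(auth_request: dict, policy: ExpiryPolicy) -> int:
    """Return the expires_in the AS will attach to the auth_req_id it issues.

    requested_expiry is only a suggestion from the client: an absent value
    falls back to the policy default, a present value must be a positive
    integer, and the result is clamped into [min_expires_in, max_expires_in]
    so a client can never force the AS to hold state longer than it allows.
    """
    raw = auth_request.get("requested_expiry")
    if raw is None:
        return policy.default_expires_in
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise InvalidRequest("requested_expiry must be a positive integer")
    if raw <= 0:
        raise InvalidRequest("requested_expiry must be a positive integer")
    return max(policy.min_expires_in, min(raw, policy.max_expires_in))


def build_authentication_response(auth_request: dict, policy: ExpiryPolicy,
                                  auth_req_id: str) -> dict:
    """Assemble the backchannel authentication response body (auth_req_id is
    supplied by the caller; a real AS would mint an unguessable identifier)."""
    return {
        "auth_req_id": auth_req_id,
        "expires_in": resolve_expires_in(auth_request, policy),
        "interval": 5,   # polling interval hint, assumed fixed here
    }


if __name__ == "__main__":
    # Constructed request: an in-store payment asking for a short 3-minute window.
    store_payment = {"scope": "openid payments", "requested_expiry": 180}
    print(build_authentication_response(store_payment, ExpiryPolicy(), "EXAMPLE-ID"))
```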
