[Fiware-api-cross] [FIWARE] Reminder: GCP Roadmap - OAuth client app authentication & client_id propagation

DANGERVILLE Cyril cyril.dangerville at thalesgroup.com
Tue Jun 18 19:38:47 CEST 2013


Hello,
Following our discussion at the FIWARE plenary meeting for the Security Chapter on June 6th, and now that the rush of the review has passed, I would like to remind you of the following feature requests for DT's IdM GE (GCP):

1. OAuth client app authentication (using the client AppSecret, as this is not used so far) to the OAuth Token endpoint in order to get an OAuth access token. See the mail thread below for more details.

2. A way to get the client app ID for which a given OAuth access token was generated (ID of the client that was granted access), either from the token itself or via some API. See the mail thread below as well.

*Could you please check whether this is acceptable for you/DT in the technical roadmap of Release 3 or not?* Maybe it is already the case now...
I think this can benefit all users of the IdM and Access Control GE, as I am anticipating questions/Use Case requirements regarding feature 1, to achieve better compliance with the OAuth 2.0 standard and security overall; and for feature 2, regarding the ability to make access control based on various Client App attributes.

Regards,
Cyril
Access Control GE owner

From: DANGERVILLE Cyril
Sent: Friday 12 April 2013 14:58
To: 'Wolfgang.Steigerwald at telekom.de'
Cc: Andreas.Wittwer at telekom.de; BISSON Pascal
Subject: RE: [FIWARE] GCP OAuth API security - Require client app to authenticate to GCP with AppSecret

Hello,
Yes, I would much prefer to have a standard client authentication mechanism relying on the client credentials (client_id, client_secret). This would be more convincing to people/reviewers checking the compliance of the Access Control GE to OAuth 2.0 security considerations (see section 10.1 "Client Authentication" of OAuth 2.0 standard [1]) before they accept to use it.

For now, this is not critical for the integration of the Thales Access Control Asset with the IdM GE. What is more critical, at least, is simple client app identification (getting the client_id info) based on the access token (in the token itself as an extra attribute, or by requesting the IdM GE with the token id parameter to get the client_id), because it will be required by the Thales Asset to know WHO accesses what and use it in access control policies.
Thanks.

[1] http://tools.ietf.org/html/rfc6749#section-10.1

Regards,
CD

From: Wolfgang.Steigerwald at telekom.de
Sent: Wednesday 10 April 2013 17:15
To: DANGERVILLE Cyril
Cc: Andreas.Wittwer at telekom.de
Subject: AW: [FIWARE] GCP OAuth API security - Require client app to authenticate to GCP with AppSecret

Hello Cyril,

The authentication of the client is currently not done by the ClientId and the ClientSecret.
Currently verification is done by checking whether the client has the right service in scope, is using the right redirect URI and the code is provided within a short timeframe. This was until now good enough for client authentication, and the flow is secure through the user authentication. If you think it is necessary to also validate the client secret, I have to check whether I can get it into the GCP backlog.

Best regards

Wolfgang


From: Steigerwald, Wolfgang
Sent: Tuesday, 9 April 2013 13:32
To: 'DANGERVILLE Cyril'
Cc: Wittwer, Andreas
Subject: AW: [FIWARE] GCP OAuth API security - Require client app to authenticate to GCP with AppSecret

Hello Cyril,

Andreas and I are not sure about the answer to this question. Therefore I have sent it to a colleague; I will come back to you as soon as possible.

Best regards

Wolfgang


From: DANGERVILLE Cyril [mailto:cyril.dangerville at thalesgroup.com]
Sent: Thursday, 4 April 2013 15:09
To: Steigerwald, Wolfgang
Cc: Wittwer, Andreas
Subject: [FIWARE] GCP OAuth API security - Require client app to authenticate to GCP with AppSecret

Hello,
I have a question regarding the security of the OAuth access token request to the GCP.
When the client app makes such a request, the client app does not authenticate (the client AppSecret configured in the GCP admin panel is not used) to get an access token:
POST https://logint2.idm.toon.sul.t-online.de/gcp-web-api/oauth?grant_type=authorization_code&client_id=RbKaKyrKHB&code=2504572063178823&redirect_uri=https%3A%2F%2Fwww.nowhere.de


According to the OAuth 2.0 standard [1], this is step (D), and it says "When making the request, the client authenticates with the authorization server".

You can also see an example here [2] with Google where there is an extra parameter "client_secret" that must be sent.



In the GCP, is there a way to require client authentication, by sending the AppSecret for instance, or is it a feature you have planned for a next release?



Regards,

CD



[1] http://tools.ietf.org/html/rfc6749#section-4.1

[2] https://developers.google.com/accounts/docs/OAuth2WebServer#handlingtheresponse
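As an added illustration (this is not GCP's code nor any FIWARE GE's), the two requested features as a small Python token endpoint: HTTP Basic client authentication with client_id/client_secret as in RFC 6749 section 2.3.1 before the authorization code is exchanged, and a lookup that returns the client_id an access token was issued to. Client ids, secrets, authorization codes and redirect URIs are constructed sample values.

```python
# Added example, not GCP's code: a minimal OAuth 2.0 token endpoint that
# (1) authenticates the client with client_id/client_secret before exchanging
# an authorization code and (2) records which client each token was issued to,
# so a PDP can look it up later. All ids, secrets, codes and URLs are constructed.
import base64
import hmac
import secrets
import time
CLIENTS = {"app123": ("s3cr3t-app123", "https://app.example/cb")}  # id -> (secret, redirect_uri)
CODES = {"code-xyz": ("app123", "https://app.example/cb", time.time() + 600)}  # code -> (client, uri, exp)
TOKENS = {}  # access_token -> {"client_id": ..., "exp": ...}

def basic_header(client_id, client_secret):
    """Build the HTTP Basic Authorization value for client credentials (RFC 6749 2.3.1)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def authenticate_client(authorization):
    """Return the client_id if the Basic credentials match a registered client, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    registered = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret cannot be guessed byte by byte via timing.
    if registered and hmac.compare_digest(registered[0].encode(), secret.encode()):
        return client_id
    return None

def token_endpoint(headers, params):
    """Handle grant_type=authorization_code; returns (HTTP status, JSON body)."""
    client_id = authenticate_client(headers.get("Authorization"))
    if client_id is None:
        return 401, {"error": "invalid_client"}  # client must authenticate first
    if params.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    grant = CODES.pop(params.get("code"), None)  # codes are single use
    if (grant is None or grant[0] != client_id or grant[1] != params.get("redirect_uri")
            or grant[2] < time.time()):
        return 400, {"error": "invalid_grant"}  # code not issued to this client/URI, or expired
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "exp": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}

def client_id_for_token(token):
    """Feature 2: the client_id a valid access token was issued to, or None."""
    info = TOKENS.get(token)
    return info["client_id"] if info and info["exp"] > time.time() else None
```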



