Versions Compared

Old Version 1

changes.mady.by.user Alec Laws

Saved on

compared with

New Version Current

changes.mady.by.user Alec Laws

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • NOTE: As of Sept 15, 2022, quorum is 3 of 5. (Peter, Sal, Alec, Eve, Steve)

  • Voting:

    • Alec

  • Non-voting participants:

  • Regrets:

    • Eve

Quorum: No

Meeting Minutes

...

Drafting vulnerability report + publication

template format

Protecting Wide-UMA Ecosystems

Introduction

Creating loosely coupled ecosystems presents some direct challenges in establishing and maintaining trust between dynamic connected, and often previously unknown systems.

OAuth and UMA both allow dynamic client interactions and registration, especially when the network is large. In fact, this is one of the main goals of UMA, to allow a user managed ecosystem of Resource Servers and client applications, where the relationships and authorization for a client to access a resource is established by the user at run time. UMA starts from the perspective that the client, resource server and authorization server may not have any existing or established relationship, and that a authorization and access of an API is facilitated by a human (Resource owner) to human (requesting party) interaction, out of band from the technical interactions.

Although UMA is open for completely unknown parties to interact,a authorization and exchange data, it does not preclude a safe system from having controls and a trust model to ensure that network participants are trusted - willing and able to follow the norms and rules of the ecosystem.

A possible network vulnerability does occur when there is little to no trust process or requirements for dynamically connected participants. Having no requirements for unknown systems opens an ecosystem to malicious actors and unintended disclosure of information. These ‘system in the middle’ attacks can be mitigated both with technical controls and by raising appropriate information to the end-users of trusted systems.

Criteria for affected wide-ecosystems

  • Authorization Servers will interact with any client application. They allow dynamic client registration with little to no client attestation required

  • Clients will interact with any resource server or authorization service.

  • Access tokens are full bearer tokens – anyone with the token can can access the resource

Scenarios (make this concrete, eg access to financial information)

A malicious actor, Evan, has a target resource and a target resource server they want access to. They know that a user, Alice, may have access to this resource.

Scenario: Fishing with a malicious resource location

  1. Evan sets up a malicious resource server, and create a fake resource.

  2. Evan, crafts a fishing message to Alice, which includes the fake resource uri

  3. Alice uses her trusted client to access the fake resource uri

  4. On that request, Evan’s malicious resource server makes a request to the target resource and receives a permission ticket and trusted authorization server uri

  5. Evan’s malicious resource server returns the permission ticket to Alice’s client

  6. Alice’s client uses the ticket to follow the UMA Grant flow with the trusted AS.

  7. Alice completes authentication and claims gathering at the trusted AS

  8. The AS provides Alice’s client with a access token for the targetted resource

  9. Alice’s client attempts to use the access token at the malicious resource server

END: the malicious resource server uses the access token to retrieve the target resource

Mitigations

There are several places that controls can be added to the above scenario to prevent the inappropriate access.

In step 3, Alice’s client may consult a list of known and trusted resource servers before making the request

In step 7, the Authorization service could present Alice with information about the requested resource, in order for her to determine that the resource she is granting access to is a different location than the malicious resource

In step 6, the authorization server may require the client to register a public key that can be used for dynamic proof of possession by the RS at access time

In step 8, the AS may provide the client with information about the audience of the token, the URL of the trusted resource server where the token should be presented. the Client may then determine that the granted token is not valid or intended for the malicious resource server

In step 9, the client may provide a signed and dynamic proof of possession over the access token. Since the signature is over the target uri, the malicious RS cannot replay the request to the target resource.

Scenario: Fishing with a malicious authorization service

  • description of the vulnerability (general)

...

  • frame up “real” scenarios to show motivation → help us test mitigations

  • how do implementors know if they’re impacted?

  • what are their mitigation option?

Vulnerability Description

AOB

Expand
titlePotential Future Work Items / Meeting Topics

Tentative 2023 roadmap:

  • 120 A financial use-case report (following the Julie healthcare template)

    • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

    • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • 127 Open Banking Report → requires more research, determine use case

      • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

  • 130 IDPro knowledge base articles

  • 140 Wikipedia article refresh: https://en.wikipedia.org/wiki/User-Managed_Access

  • UMA simple value explainers, business and technical ‘marketing’

  • 170 UMA + Verifiable Credentials OR UMA and Wallets/User Held Credentials (+ mDL?)

    • how does a wallet fulfill both an RS and AS responsibility for a user? How are available resources and attributes understandable by a wide-ecosystem

    • how does a local/offline wallet act as an RS if it’s offline?

    • how to create true user controlled ecosystem, not a few major wallets…

Full list:

  • 20 Confluence clean up, archive old items and promote the latest & greatest

    • 10 UMA glossary – Steve has started 

  • 100 FAPI Review (FAPI + UMA) 

    • scope: how the FAPI work could be applied to UMA ecosystems

    • review may inform what profiling work is required, eg if UMA must support PAR to work with FAPI

  • 120 A financial use-case report (following the Julie healthcare template)

    • openbanking is to FHIR(data model) as FAPI is to SMARTonFHIR(authZ protocol profile)

    • 123 Pensions Dasboard Report → use-case is well understood and live/going live soon. tight use-case

    • 127 Open Banking Report → requires more research, determine use case

      • Who would lead this/ needs this for UMA in open banking contexts? Should come after FAPI review?

  • 130 IDPro knowledge base articles

  • 140 Wikipedia article refresh

  • 150 Minor profiling work,

    • resource scopes → scopes 

    • PAR as dynamic scopes eg fhir query params

    • policy manager & policy description

    • 110 pushed claims types: templates + profiles (beyond IDTokens): 171 VCs, 113 consent, policy, mDL

      • use-case, consent as claims (needs_info),

        • if the client has gathered RqP consent, can it be presented to the AS

        • the policy to access a resource says "you must have agreed to this TOS/consent"

        • compare to interactive claims gathering where the AS would present this consent/TOS to the RqP

        • intersection with ANCR/consent receipt/trust registry work in other Kantara groups

  • 170 UMA + Verifiable Credentials OR UMA and Wallets/User Held Credentials

    • how would VCs work in an UMA ecosystem? How could VCs be used as claims in UMA

    • There are openapi specs for VC formats

    • Could UMA protect a VC presentation or issuance endpoint?

    • There's a lot of openid4vc profiles 

  • 300 mDL + UMA

    • scope: how mDL could work in UMA ecosystems, how mDL could be a claim to UMA 

    • is there a role for UMA in token fabrication and referencing it as the RS?

  • 600 Review of the email-poc correlated authorization specification

  • 500 UMA + GNAP https://oauth.xyz/specs/  

    • would we have an UMA GNAP version (eg extension of GNAP or UMA? UMAonGNAP) 

    • will GNAP meet all the UMA outcomes?

  • UMA 2 playground/sandbox

Upcoming Conferences

...