Episode 015: 05‐16‐2024 New in OAuth: First Party Native Authn and Global Token Revocation - GluuFederation/identerati-office-hours GitHub Wiki

Youtube Video

Description

Discussion of two emerging OAuth Specs: First Party Native Authentication and Global Token Revocation.

Homework

Takeaways

  • Mobile developers need a way to implement multi-step authentication workflows without redirecting to a browser. Not because using the browser is bad--for example Google uses the browser for its Gmail mobile app. But many developers just don't want to do it--they really want a back-channel authn flow. First Party Native Authn uses a new endpoint--the Authorization Challenge Endpoint--which offers a kind of back-channel code flow. The spec introduces a device_state, which is like a pre-authentication session id that the app sends back on each subsequent challenge request. If authn is successful, an authorization code is returned. The code is then presented at the token endpoint--the same as in a browser code flow.
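The flow described above, as an added example (not code from the episode, the draft, or Gluu): a toy authorization server with an authorization challenge endpoint that walks a native app through password and OTP steps, hands back a session handle while more factors are needed, and finally issues a code that is redeemed at an ordinary token endpoint. The session parameter is named device_state to match the notes; the current draft's wire name may differ. Binding the code with PKCE (code_challenge at the challenge endpoint, code_verifier at the token endpoint) is this example's choice, carried over from the browser code flow. The user store and error strings are constructed for the demo.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed demo user. A real AS stores a password hash and a TOTP secret,
# never the literal values.
USERS = {"alice@example.com": {"password": "correct horse", "otp": "123456"}}


def _s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class AuthorizationServer:
    """Toy AS: authorization challenge endpoint plus a standard token endpoint."""
    sessions: dict = field(default_factory=dict)  # device_state -> progress
    codes: dict = field(default_factory=dict)     # authorization_code -> binding

    def authorization_challenge(self, req: dict) -> dict:
        """Back-channel stand-in for the authorization endpoint.

        Returns {"error": ..., "device_state": ...} while more input is
        needed and {"authorization_code": ...} once all factors pass.
        """
        state = req.get("device_state")
        if state is None:
            # First request: open a pre-authentication session for this client.
            state = secrets.token_urlsafe(16)
            self.sessions[state] = {
                "client_id": req["client_id"],
                "code_challenge": req["code_challenge"],
                "user": None,
                "otp_ok": False,
            }
        sess = self.sessions.get(state)
        if sess is None or sess["client_id"] != req["client_id"]:
            return {"error": "invalid_session"}

        # Step 1: username + password.
        if sess["user"] is None:
            user = USERS.get(req.get("login_hint", ""))
            if user is None or user["password"] != req.get("password"):
                return {"error": "invalid_request", "device_state": state}
            sess["user"] = req["login_hint"]
            # Tell the app which factor to collect next (constructed error code).
            return {"error": "otp_required", "device_state": state}

        # Step 2: one-time code.
        if not sess["otp_ok"]:
            if req.get("otp") != USERS[sess["user"]]["otp"]:
                return {"error": "otp_required", "device_state": state}
            sess["otp_ok"] = True

        # All factors verified: issue a single-use code and close the session.
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sub": sess["user"], "client_id": sess["client_id"],
                            "code_challenge": sess["code_challenge"]}
        del self.sessions[state]
        return {"authorization_code": code}

    def token(self, req: dict) -> dict:
        """Token endpoint: redeem the code exactly as in the browser flow."""
        if req.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        binding = self.codes.pop(req.get("code"), None)  # single use: replay fails
        if binding is None or binding["client_id"] != req.get("client_id"):
            return {"error": "invalid_grant"}
        if _s256(req.get("code_verifier", "")) != binding["code_challenge"]:
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + secrets.token_urlsafe(16),
                "token_type": "Bearer", "sub": binding["sub"]}


def run_native_login(as_: AuthorizationServer, password: str, otp: str) -> dict:
    """Drive the app side of the flow; returns the final token (or error) response."""
    verifier = secrets.token_urlsafe(32)
    client = "native-app"
    r1 = as_.authorization_challenge({
        "client_id": client, "code_challenge": _s256(verifier),
        "login_hint": "alice@example.com", "password": password})
    if "device_state" not in r1:
        return r1
    r2 = as_.authorization_challenge({
        "client_id": client, "device_state": r1["device_state"], "otp": otp})
    if "authorization_code" not in r2:
        return r2
    return as_.token({"grant_type": "authorization_code", "client_id": client,
                      "code": r2["authorization_code"], "code_verifier": verifier})
```

Note that the app never sees a redirect: every step is a direct POST, and the only state it carries between steps is device_state. The AS still gets the protections of the code flow at the token endpoint (single-use code, client binding, PKCE), which is why the code is redeemed there rather than the challenge endpoint minting tokens directly.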

  • The token endpoint could return an access token, an id_token, or both; the spec does not prescribe which. There is also special interest in passkey authn over first-party native auth. We should ask Tim Cappalli of Okta about this on the IOH Livestream on Tue. June 11.

  • Global Token Revocation is something companies were already doing to address account takeover. It differs from other specs because it is not a user-initiated logout; it is an organization-initiated logout. The OpenID CAEP (Continuous Access Evaluation Profile) might signal an account takeover event, and then someone invokes the Global Token Revocation endpoint at the AS to actually do something about it.

  • The spec requires refresh token revocation. Access token revocation is optional, and can be tricky if JWT access tokens are used, since a resource server validating a self-contained JWT has no reason to call back to the AS. There are a few ways to expire such tokens early. The jti claim is a unique identifier for the JWT, so the AS could publish a list of all revoked jti's for resource servers to check. There is also a draft for Token Status List that defines a more concise solution.

Screenshots

  • first-party-request
  • revoke-request
  • chain-trust-device

Questions

First Party Native Authn

  • Why was a new code flow needed without the browser?
  • What is the current state? Any new drafts? Feedback from OAuth WG members?

Global Token Revocation

  • What about revoking Client Credentials Grant tokens? Does that require some way to reference a client in the request, e.g. by URI?
  • This spec adds the AS metadata field global_token_revocation_endpoint. Why not also suggest a scope for protecting the endpoint, like global_token_revocation_allowed?

Livestream Audio Archive

Here