4. Security
4.1. Channel security
As specified by [UMA-Fed], § 1.3, all interactions via the protection API must happen over an HTTP/1.1 channel (or higher) protected by TLS 1.3 (or higher), and in accordance with the recommendations formulated in [RFC9325].
Require key exhange algorithms based on ephemeral Diffie–Hellman ciphers (TLS_DHE and TLS_ECDHE) to ensure forward secrecy.
Require HTTP/2, which includes the requirements above, and patches some vulnerabilities in (m)TLS negotiation.
In the long-term, abstract from HTTP towards any SASL-aware application layer (cf. draft-vanrein-httpauth-sasl-06) . Conversely, enable HTTP-delivered OAuth tokens to be presented to SASL resource servers with rfc7628.
4.2. Message security
Messages from the resource server to the authorization server must be protected with a protection API access token, as defined in [UMA-Fed], § 1.3.
This is a deviation from the Level 0 specification, to realign with classic UMA.
-
HTTP Message Signatures + Well-Known JWK Set (cf. L0, but loosen fixed URL, since pointer in config)
-
mutual TLS (with OAuth mTLS grant ?)
-
password-based challenge–response authentication (e.g., SCRAM over TLS/SASL)
-
(augmented) password-only authentication and key exchange (e.g., CPake or OPAQUE)
Messages from the authorization server to the resource server should be protected with a HTTP Message Signature [RFC9421] using one of the keys present in the JWK Set refered to in the metadata.
4.3. Application security
The authorization server preferably interacts with resource owners and other agents through a (web) application, providing them with a graphical user interface. Since this broadens the attack surface for malicious actors, the must protect the security of its applications adequately by modern standards.
In particular, web applications for interaction with the requesting party, e.g., during claims gathering (cf. claims interaction endpoint), or with the resource owner, e.g., for policy management, must implement Cross Origin and Content Security policies, and SHOULD take into account the sources bundled in [CRE-636-347].
Moreover, in interactive flows that make use of redirection of the user agent (browser), e.g., claims gathering at the claims interaction endpoint, the authorization server should allow requests to include a state
parameter, and clients should employ this parameter to track the valid state of the interaction. The value of the state
parameter should be unguessable and opaque to any agent but the client itself, and [SHOULD NOT] include (unencrypted) sensitive information. If such a state
parameter is used, clients must check the value after the redirects back to them, and must invalidate any message containing an invalid state
parameter.
make accepting state param a must for AS: the authorization server must include it unaltered in the redirection to the client
4.4. Linking an RS to an AS
The resource owner links a resource server to their authorization server by providing the former with the root URI of the latter, i.e., the issuer value (cf. § 3.2 Authorization server metadata). How this information is provided, is out of the scope of this specification.
Presuming most ASs will come with some kind of native app, a QR-based flow would be handy. We could specify how, after scanning an RS’s QR code, the AS (app) would contact that RS on a Well-Known URI to initiate contact, either through a redirect URI or by specifying a code to be checked/entered.
As soon as resource server and authorization server are known to each other, the former can request a protection API access token from the latter. This must happen via an [OAuth20] flow that both servers support. In most cases, this should include interaction of the resource owner, e.g., via the authorization code flow using redirects of the resource owner’s user-agent, but other [OAuth20] flows may be employed.
To prevent the resource owner from having to confirm the authorization every time a token expires, the authorization server should inlcude a refresh token in each successful token response.