Episode 015: 05‐16‐2024 New in OAuth: First Party Native Authn and Global Token Revocation
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Aaron Parecki, Identity Standards Architect at Okta Okta
Discussion of two emerging OAuth Specs: First Party Native Authentication and Global Token Revocation.
- OAuth 2.0 for First-Party Native Applications
- Global Token Revocation
- Security Event Tokens
- Subject Identifiers for Security Event Tokens
- Expired OAuth 2 Client ID Scheme
- OpenID Continuous Access Evaluation Profile Draft
- Token Status List
-
Mobile developers need a way to implement multi-step authentication workflows without redirecting to a browser. Not because using the brower is bad--for example Google uses the browser for their Gmail mobile app. But many developers just don't want to do it--they really want a back-channel authn flow. First Party Native Authn uses a new endpoint--the Authz Challenge Endpoint--which offers a kind of backchannel code flow. The spec introduces a device_state, which is like a pre-authentication session id. If authn is successful, a code is returned. And then the code is presented at the token endpoint--the same as in a browser code flow.
-
The token endpoint could return an access token, id_token or both. The spec doesn't say of course. Also, there is special interest in passkey authn using first party mobile Auth. We should ask Tim Capelli of Okta about this on the IOH Livestream on Tue. June 11.
-
Global Token Revocation was something that companies were already doing to address account takeover. It differs from other specs because it's not a user initiated logout, it's an organization initiated logout. The OpenID CAEP protocol might inform about an account takeover event, and then someone invokes the Global Token Revocation endpoint at the AS to actually do something about it.
-
Requires refresh token revocation. Access token revocation is optional, and can be tricky if JWT tokens are used. There are a few ways to expire tokens. The
jticlaim is a unique identifier for the JWT, so one could publish a list of all revokedjti's. There is also a draft for Token Status List that defines a more concise solution.
- Why was a new code flow needed without the browser?
- What is the current state? Any new drafts? Feedback from OAuth WG members?
- What about revoking Client Credential Grant tokens? URI requires some way to reference a client by URI?
- This spec adds OP metadata
global_token_revocation_endpoint. Why not suggest a scope for protection likeglobal_token_revocation_allowed?