mozilla / fxa-oauth-server

OAuth server for Firefox Accounts

Let reliers request MFA at the start of the OAuth dance #520

Closed rfk closed 5 years ago

rfk commented 6 years ago

For high-security logins, reliers need a way to specify that an OAuth dance must be completed using MFA. We'll need to expose a query parameter that they can specify, and decide on how to error out when MFA is not available or not successful.

First action here is for @rfk to review OIDC and related specs for prior art on this topic.

rfk commented 6 years ago

See discussion in https://github.com/mozilla/fxa-oauth-server/issues/519#issuecomment-367213438 for an initial proposal.

rfk commented 6 years ago

Pulling the relevant bits of the proposal out of the linked bug, this is how things would work:

  1. Reliers that require 2FA, should pass ?acr_values=AAL2 as a query parameter when starting the OAuth dance.
  2. We detect this flag and use it to escalate the user to 2FA. If they don't have 2FA on their account, we show some messaging about how the relier is requesting it, and offer to help them set it up.
  3. We complete the OAuth dance as normal, reporting 2FA status back to the relier.
  4. The relier checks the acr_values in the id_token to confirm that 2FA was used.

I chatted with :kang about the priority of this. They're already doing (1) and (4), but we're ignoring the extra query parameter rather than doing (2). If a user attempts to sign in to IAM without 2FA enabled, they will complete the OAuth dance, then get an error when redirected back to IAM saying something like "2FA required".

:kang confirmed this is not a blocker for their release, it's a nice-to-have UX improvement. Since we don't have a lot of bandwidth for the UX parts of (2), I think we should deprioritize this and focus on getting the core TOTP experience out the door.

davismtl commented 6 years ago

@vbudhram @rfk do we need UX for this? Specifically, I'm thinking about this part:

  1. We detect this flag and use it to escalate the user to 2FA. If they don't have 2FA on their account, we show some messaging about how the relier is requesting it, and offer to help them set it up.

rfk commented 6 years ago

You're right, I think we'll need some. The smallest simplest thing we could do here is just show an error saying "you need 2FA to proceed" and then a link that opens the settings page in a new tab to allow the user to set it up.

There might be a variant of this flow where we don't show any UX, but just fail the auth flow and return to the relier so they can show their own UX. That's probably a good intermediate step that we can work on without blocking on UX.

vladikoff commented 5 years ago

from mtg: waiting for content-server

rfk commented 5 years ago

This has landed! \o/