oauth-wg / oauth-first-party-apps

https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/

re-authorization vs. re-authentication #116

Open deansaxe opened 2 days ago

deansaxe commented 2 days ago

Sections 3.2 and 3.3 both use the language “re-authorization of the user is required” when the AS responds with an error to presentation of a refresh token (3.2) or the RS requires step up per RFC9470 (3.3). In both of these cases, re-authorization is required, however, I believe that the requirement is actually re-authentication of the user in order to re-authorize them.

I suggest changing both instances to re-authentication. (Edited to change re-authorization to re-authentication in this sentence.)

PieterKas commented 2 days ago

Can you clarify if you mean it should be re-authentication or re-authorization? The text suggests you prefer re-authentication, but your recommendation is for re-authorization.

deansaxe commented 2 days ago

I think that what's necessary is re-authorization, but in order to re-authorize the user, they must be re-authenticated. So my preference is to change the text to re-authentication.

PieterKas commented 2 days ago

Ok, that is different from your proposal in the issue

> I suggest changing both instances to re-authorization.

embesozzi commented 2 days ago

+1 re-authorization since we are in the context of OAuth. I usually try to say OIDC → authentication and OAuth → authorization (which is really an access delegation standard)

aaronpk commented 2 days ago

Yes I agree these should be "re-authentication". The goal is to leverage the existing step-up spec RFC9470, which has this language:

https://www.rfc-editor.org/rfc/rfc9470#section-3

> The authentication event associated with the access token presented with the request does not meet the authentication requirements of the protected resource.

Yes we are talking about user authentication here. I am not actually sure how those two sentences in 3.2 and 3.3 turned into "re-authorization". The user is not being authorized, the application is, and these sections are talking about the user. So "re-authentication" is correct.
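The distinction drawn above (the application gets re-authorized, the user gets re-authenticated) is visible in how a client has to react to an RFC 9470 step-up challenge from a resource server. The following is an added example, not code from the draft or from any participant in this thread: it parses a `WWW-Authenticate: Bearer` challenge, recognizes the `insufficient_user_authentication` error code and the `acr_values` / `max_age` parameters that RFC 9470 defines, and derives the authorization-request parameters the client carries over so that a new user authentication event can occur. The `StepUpChallenge` type, the function names and the `next_client_action` labels are assumptions of this example, not names from RFC 9470 or the draft.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Error code defined by RFC 9470 section 3 for the WWW-Authenticate challenge.
INSUFFICIENT_USER_AUTHENTICATION = "insufficient_user_authentication"

# auth-param grammar (token "=" (token / quoted-string)); enough for Bearer challenges.
_AUTH_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


@dataclass
class StepUpChallenge:
    """Holder for a parsed Bearer challenge (hypothetical type, not from RFC 9470)."""
    error: Optional[str] = None
    error_description: Optional[str] = None
    acr_values: list[str] = field(default_factory=list)
    max_age: Optional[int] = None


def parse_www_authenticate(header: str) -> StepUpChallenge:
    """Parse a `Bearer ...` WWW-Authenticate header value into a StepUpChallenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme}")
    kv: dict[str, str] = {}
    for m in _AUTH_PARAM.finditer(params):
        name = m.group(1).lower()
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        kv[name] = re.sub(r"\\(.)", r"\1", raw)  # undo quoted-pair escaping
    max_age = None
    if "max_age" in kv:
        if not kv["max_age"].isdigit():
            raise ValueError("max_age must be a non-negative integer")
        max_age = int(kv["max_age"])
    return StepUpChallenge(
        error=kv.get("error"),
        error_description=kv.get("error_description"),
        acr_values=kv.get("acr_values", "").split(),  # space-separated per RFC 9470
        max_age=max_age,
    )


def requires_user_reauthentication(ch: StepUpChallenge) -> bool:
    """True only for an RFC 9470 step-up challenge: the user must authenticate again."""
    return ch.error == INSUFFICIENT_USER_AUTHENTICATION


def reauthentication_request_params(ch: StepUpChallenge) -> dict[str, str]:
    """Authorization-request parameters the client copies from the challenge.

    Only the requirements the RS actually stated are forwarded, so the AS can
    produce an authentication event that satisfies the protected resource.
    """
    if not requires_user_reauthentication(ch):
        raise ValueError("challenge does not call for user re-authentication")
    params: dict[str, str] = {}
    if ch.acr_values:
        params["acr_values"] = " ".join(ch.acr_values)
    if ch.max_age is not None:
        params["max_age"] = str(ch.max_age)
    return params


def next_client_action(header: str) -> str:
    """Classify a challenge into the client's next step (labels are this example's own)."""
    ch = parse_www_authenticate(header)
    if requires_user_reauthentication(ch):
        return "reauthenticate-user"      # a new user authentication event is needed
    if ch.error == "invalid_token":
        return "refresh-token"            # the app re-obtains a token; no user event implied
    if ch.error is None:
        return "authorize"                # no usable token was presented at all
    return "fail"


if __name__ == "__main__":
    # Constructed sample challenge, modelled on the shape of RFC 9470's examples.
    sample = ('Bearer error="insufficient_user_authentication", '
              'error_description="A different authentication level is required", '
              'acr_values="myACR", max_age="5"')
    ch = parse_www_authenticate(sample)
    print(next_client_action(sample), reauthentication_request_params(ch))
```

The point the thread makes shows up in `next_client_action`: an `invalid_token` challenge is handled by the application re-obtaining a token (re-authorization), while `insufficient_user_authentication` cannot be satisfied without the user authenticating again, which is why the draft's sections 3.2 and 3.3 are about re-authentication.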

deansaxe commented 1 day ago

> Ok, that is different from your proposal in the issue
>
> > I suggest changing both instances to re-authorization.

Yes, I had an error in the original issue. I updated the text in the issue to align with what I intended. Good catch!

PieterKas commented 21 hours ago

Thanks for the clarification Dean. I agree it should read re-authentication.

deansaxe commented 20 hours ago

I filed a PR #132.