Allow to use operator_token (from TS43) to identify device on authentication request #145
Comments
|
For reference, here is the link to the current version (11) of the TS.43 spec Section 14 Device App authentication with OperatorToken |
|
are the following examples for the two options you mention? Option "new-parameter": Line-breaks for display purposes only. JWE copied from JWE-RFC. Option "standard": OIDC defines login_hint as:
Or use CIBA's login_hint_token?
The operator token can contain any information the Entitlement Server knows after EAP-AKA. Should this issue be named "Allow to use operator_token (from TS43) to identify device on authentication request" |
|
In the long run it would be good if we could use the operator token on the authentication request (authorization code request) as well as on the CIBA request. It will be rather straight forward to use it on the authorization code request (in line with the two examples). So if we rename the issue, I'm afraid that the CIBA flow is out. |
I actually re-checked CIBA, and in both CIBA and OIDC the request is named "authentication request". CIBA example using login_hint_token and the same JWE as in the other examples I think "access token request" is wrong in the name and that "authentication request" covers all bases. |
Elisabeth-Ericsson
changed the title
|
renaming of issue done |
|
For completeness the CIBA-new-parameter variant of the example: We might or we might not treat the operator_token parameter as a "hint". |
|
For the CIBA flow, there is no need to add a new parameter outside the standard. We can use the An example of a In this case. we think the hint in the AuthCode flow is unnecessary because once the application gets the operator’s token the user is already authenticated, and there is no further need to use this flow from the consumption device to authenticate. The application can use the CIBA flow directly instead of using a complex AuthCode flow through redirects with the user's browser. |
|
@garciasolero thank you for that proposal. I agree, we could use
The primary authentication in AcquireOperatorToken is the authentication of the SIM-Card using EAP-AKA. |
|
Regarding I think that all depends for what the operator token is used and I think that e.g. for MFA and the operator token being one of the factors we might be better of with a new parameter OpenId and CIBA were created to use the OAuth2 Authorization Framework as the basis for an User Authentication Framework. OIDC is hugely important today and a big success. But the work continues e.g. in FAPI. This issue is about exploring the options of how to use the operator token in authentication request. @sebdewet objections on Orange's behalf regarding the purpose parameter come to mind. And in the end ICM decided not to introduce the purpose parameter. But we need to make progress and the operator token is really an operator asset that we should leverage. Maybe for the price of a new |
|
I agree that standards can evolve, but they tend not to do so in the short term. Moreover, some operators have already reported that there could be a problem because their solutions are based on frameworks/libraries that strictly implement the standards and do not allow them to extend the behaviour (e.g. adding new parameters). This problem could also occur in the client libraries used by the applications. |
Some code has to be developed anyway, when the login_hint is interpreted. But re-using login_hint is probably the easiest way forward. The Telekom Login team seems to prefer a new parameter for authorization code flow. For them this is more like multi-factor authentication. The operator token identifies the subscription and related data, while login_hint's intention is for user authentication. To get this done we should use the fastest way forward, which is probably re-using login_hint. We should write down use cases and user stories e.g. in NumberVerification. |
|
Would like to add the requirement of trailing the operator token with @operator-domain-identifier cc@AxelNennker |
|
Getting more technical regarding the operator token generation: One way to move forward is using appclips on iOS and instant apps on Android. App clips and instant apps are apps that don't need to be installed by the user. Additionally, the full app that creates the operator token should register an URL for itself. Any app that does EAP-AKA needs special permissions. (Do not be confused by Apple's appclip codes and the appclip-code generation tools. @mengan mentioned some of the above (e.g. "app clip") in NumberVerification camaraproject/NumberVerification#86 Of course, if you want to support operator tokens then you need an Entitlement Server that supports "AcquireOperatorToken". Let's work together implementing operator tokens and defining in Camara how to use them for Camara APs! |
|
This is all very exciting, and something that we have been talking about internally for quite some time, so thank you for introducing it! iOS AppClips are extremely promising solution in providing a secure way of communicating between all parties as it reduces the friction of introducing the Operator into the flow (compared to a browser, embedded browser window, or a fully installed app). I think Android Instant Apps is going to require more thought though, because as far as I know Android is not willing to allow Instant Apps access to the Operator Tokens - however, it may still be a good way to request the end-user install the full Operator app. We must be conscious of the Application Provider experience here; taking their customer out of their applications is hugely disruptive and if we're not careful it may be a prohibitive barrier to API adoption. I'm assuming that the Operator would be unwilling to allow access to their Operator Token (or opaque substitute) without the Application Provider being authenticated (and end-user consent granted?), which would mean the Application Provider would need to know the Operator before token was requested in order to provide the appropriate auth. An outstanding question is whether Apple/Android will allow the Operator to distribute the Operator Token to Application Providers if they're protecting it with a privileged SDK; it may be that the token needs to be swapped for an opaque token before being distributed. A final thought... wouldn't it be nice if the output to this was an OIDC |
|
Yes, the API consumer must have a relationship with the carrier. That is what I meant with:
TS.43 mentions this in Figure 60 Through the relationship between API consumer and carrier, the API consumer can request an AcquirreOperatorToken-access token which is validated by the ECS before the operator token is created and returned to the API consumer. Regarding id_token, that is standardized in OIDC and the operator token should only be a part of it but not the same as the id_token. |
|
Would it be relevant on how we handle this in ad tech? @AxelNennker and @chrishowell |
|
Would it be possible to append the ‘operator token’ with the ‘advertiser ID’ that has been assigned to both the ‘mobile device’ and the ‘user’? An existing open-source standard used in Ad Tech could be deployed. This standard is managed by an established advertising trade organization. Benefits
Future State Compliance
This would increase the number of API pings that would come from ad tech. |
|
The name of this issue suggests that the proposal is to use the operator token as an additional method of identifying the end user subscription, and this is reflected in some of the examples above, where the operator token is shown as an alternative to, or additional option for, the But in several comments, it is mentioned that the operator token can be used to authenticate the end user (UE). So is the proposal just to use the operator token solely for end user identification (so a more privacy friendly alternative to the MSISDN or IP address), or also for authentication? If the proposal is to also use it for authentication:
Thanks |
|
Hi Eric, The operator_token can be used by the application (the API client) to authenticate the end user device against the API provider (please see also TS.43 Service Entitlement Configuration (gsma.com)). |
|
Thanks @Elisabeth-Ericsson So I understand the intention is to authenticate something about the end user's "involvement" in the API flow. Returning to my questions above:
|
|
Hi Eric, regarding your questions:
Some additional info: According to my knowledge, none of the device OS vendors plan to support the operator token as described in TS 43 in short term to mid term. |
|
Thanks @Elisabeth-Ericsson
I understand that the end user subscription (SIM) must have been authenticated for the operator token to be issued in the first place. But, given your other answers, in the context of the CAMARA API call this is irrelevant. The operator token itself is not a secret (the contents may be, but not the token), and hence the API provider cannot know how the API consumer obtained that token, and cannot assume that the end user knows anything about the CAMARA API call itself. Hence, as proposed to be used above, operator tokens do NOT authenticate anything about the end user in the context of the CAMARA API call. The token will identify the end user, but the API provider will still have to verify that the end user has consented to the requested scopes being granted to the API consumer (client) for the declared purpose. This is no different to the case where the end user is identified by So we should stop referring to operator tokens as authenticating the end user for CAMARA API calls. |
|
Hi Eric,
These tokens - especially if we find a mechanism to relate then to the application - could give a more secure mechanism for conveying the end user identity. |
DT/TDG has an implementation that gets an operator token on Android and on iOS. The beauty of this is, that it all works over wifi as well and also it works silently. The operator token is based on EAP-AKA and after successful EAP-AKA the operator token can contain anything that the ECS knows about the subscription e.g. IMEI of last ATTACH, IMSI, MSISDN, contract number related to subscription, ... In one user story the operator token is encrypted to MobileConnect IDGW (client_id mobileconnect). So, I see no need to move away from operator token. The operator token was never intended to authenticate the end-user. There are some variants to the above flow. We/DT have not decided yet which variant best fits Camara. |
|
Hello, |
|
Axel's perspective highlights that there may not be a need to deviate from the Operator Token flow outlined in TS.43 and ASAC. TS.43 establishes the interface between a TS.43 Client and an Entitlement Configuration Server, while the ASAC specification (available here https://www.gsma.com/newsroom/gsma_resources/asac-01-v1-0/ ) aims to define commendable APIs and workflows that facilitate third-party applications in utilizing a universal, SIM-based, and seamless/silent authentication method, as Axel mentioned. The ASAC specification:
From Orange perspective, use of Operator Token flow outlined as defined in TS.43 and ASAC is privileged option. |
Hello TS.43 clients are typically provided by the OS maker, such as Google, and are offered as optional packages. |
|
@axel Nennker: you describe that you are using the carrier token to get a temporary token and from this the operator token. I assume that this works on the carrier app interacting with DT's backend. For an application on the device to use this mecahnism and send the operator token to the backend, the app must find the carrier app via a deep link. How do you envision this to work ? How is the link to the carrier app retrieved, assuming that the app must work with multiple carriers ? |
|
I would greatly appreciate it if someone could clarify the purpose of the carrier app, as its use is not referenced in TS 43. |
|
on Android, as you wrote above, I guess it's Google's TS.43 client, on iOS I don't know! |
Problem description
GSMA's TS.43 WG describes a process where an unprivileged 3rd-Party mobile app requests an operator token from the opertor's entitlement server. Operators have control over operator token issuance because of an TS.43 access_token that is validated at the entitlement server.
The operator token is an encrypted, selfcontained token which is usually encrypted to an entity that is dependent on clientId. The operatorToken can contain any information that is known by the Entitlement Server about the subscription.
The TS.43 flow works on any HTTPS connection e.g. on a Wifi connection in addition to On-Net scenarios.
Working with an operator token instead of MSISDN or device IP will add additional security.
As of today, the CIBA flow allows to pass a parameter called "login_hint_token", providing a potential mechanism for sending the operator token, however the AuthCode flow does not.
Possible evolution
Adding the operator-token to the URL on the access token request on the /authorize and /bc-authorize request will allow to send in the operator token in a standard compliant way.
Alternative solution
Another option would be to extend Authcode flow and CIBA flow with a new parameter, allowing to pass the operator_token. This parameter should be specific to the operator token and implicitly carry information about the format.
Additional context
The text was updated successfully, but these errors were encountered: