Changes to draft-ietf-oauth-cross-device-security.md
8 additions & 5 deletions
@@ -330,7 +330,7 @@ Protocol flows that span multiple end-user devices are in widespread use today.
330
330
331
331
In all cases, it is up to the user to decide whether to grant authorization or not. However, the QR code or PIN are transferred via an unauthorized channel, leaving it up to the user to decide in which context an authorization is requested. This may be exploited by attackers to gain unauthorized access to a user's resources.
332
332
333
-
To accommodate the various nuances of cross-device flows, this document distinguished between cases where the cross-device flow is used to authorize access to a resource (cross-device authorization flows) and cases where the cross-device flow is used to transfer an existing session (cross-device session transfer flows).
333
+
To accommodate the various nuances of cross-device flows, this document distinguished between use cases where the cross-device flow is used to authorize access to a resource (cross-device authorization flows) and use cases where the cross-device flow is used to transfer an existing session (cross-device session transfer flows).
334
334
335
335
## Cross-Device Authorization
336
336
Cross-device authorization flows enable a user to initiate an authorization
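Review bot: the added line 333 keeps "this document distinguished between use cases", which reads as past tense for a normative description; "distinguishes" is the intended form. In the unchanged context at line 331, "the QR code or PIN are transferred via an unauthorized channel" would be more precise as "is transferred via an unauthenticated channel": the point the sentence makes is that nothing authenticates the channel between the two devices, so the user cannot tell in which context the authorization was requested, and that is what an attacker exploits. This hunk also carries the heading "## Cross-Device Authorization" at line 335, and the second hunk adds an identical heading with an explicit {#cda} anchor at line 420; the two sections should either get distinct titles or the {{cda}} reference should be checked to resolve to the intended one.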
@@ -408,13 +408,16 @@ These best practices apply to the Device Authorization Grant ({{RFC8628}}) as we
408
408
{{cross-device-flow-patterns}} provides details about susceptible protocols and {{cross-device-flow-exploits}} provides attack descriptions. {{practical-mitigations}} provides details about the security mechanisms and mitigations, {{protocol-selection}} provides protocol selection guidance and {{foundational-pillars}} provides details from formal analysis of protocols that apply to cross device flows.
Cross-device flows allow a user to start a flow on one device (e.g., a smart TV) and then transfer the session to continue it on a second device (e.g., a mobile phone). The second device may be used to access the service that was running on the first device, or to perform an action such as authenticating or granting authorization before potentially passing control back to the first device.
411
+
Cross-device flows allow a user to start a flow on one device (e.g., a smart TV) and then transfer the session to a second device (e.g., a mobile phone). This specification focus on two use cases for transferring the session:
412
+
413
+
- **Cross-Device Authorization:** In the cross-device authorization use case, the second device is used to authenticate the user or grant authorization before passing control back to the first device as described in {{cda}}.
414
+
- **Cross-Device Session Transfer** In the cross-device session transfer use case, the user is already authenticated on the first device, before the session is transferred to the second device without requiring the user to re-authenticate as described in {{cdst}}.
412
415
413
416
These flows typically involve using a mobile phone to scan a QR code
414
417
or enter a user code displayed on the first device (e.g., Smart
415
-
TV, Kiosk, Personal Computer or other electronic devices.).
418
+
TV, Kiosk, Personal Computer or other electronic devices).
416
419
417
-
## Cross-Device Authorization
420
+
## Cross-Device Authorization {#cda}
418
421
In a cross-device authorization flow, a user attempts to access a service on one device, referred to as the Consumption Device, (e.g., a smart TV) and then uses a second device, referred to as the Authorization Device (e.g., a smartphone), to authorize access to a resource (e.g., access to a streaming service) on
419
422
the Consumption Device.
420
423
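Review bot: "This specification focus on two use cases" in the added line 411 needs "focuses". The two bullets are not parallel: the first reads "**Cross-Device Authorization:**" with the colon inside the bold, the second "**Cross-Device Session Transfer** In the ..." with no colon; add the colon for consistency. The session-transfer bullet at 414 says the session moves to the second device "without requiring the user to re-authenticate"; given the statement at line 331 that the QR code or user code travels over a channel that is not authenticated, a short pointer to where the document treats that risk for session transfer would help readers who reach this list first.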
@@ -537,7 +540,7 @@ Figure: User-Transferred Authorization Data Pattern
537
540
538
541
The Authorization Server may choose to authenticate the user before sending the authorization data.
539
542
540
-
## Cross-Device Session Transfer
543
+
## Cross-Device Session Transfer {#cdst}
541
544
Session transfer flows enable a user to transfer access to a service or network from a device on which the user is already authenticated to a second device such as a mobile phone. In these flows, the user is authenticated and then authorizes the session transfer on one device, referred to as the Authorization Device (e.g., a personal computer, web portal or application), and transfers the session to the device where they will continue to consume the session, referred to as the Consumption Device (e.g., a mobile phone or portable device).
542
545
543
546
The session transfer preserves state information, including authentication state, at the second device to avoid additional configuration and optimize the user experience. These flows are often used to add new devices to a network, onboard customers to a mobile application, or provision new credentials (e.g., {{OpenID.SIOPV2}}).
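Review bot: the unchanged paragraph at 544 assigns the device roles the reverse of the cross-device authorization section at 421 (there the user starts on the Consumption Device and authorizes from the Authorization Device; here the user starts on the Authorization Device and the session lands on the Consumption Device), and nothing in either section says so; one sentence making the inversion explicit would stop readers from assuming the terms name the same physical device across both flows. The {#cdst} anchor added at line 543 matches the {{cdst}} reference introduced in the previous hunk, so that cross-reference resolves.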