API misuse #259
Comments
|
This issue is trickier than it looks. IMHO, this would only apply if the access token was obtained using Auth Code, where the phone number is validated with network-based authentication. In the case of CIBA, the phone number is provided by a backend as login_hint. On the other hand, if the API request provides a phone_number, it must be validated against the access token to ensure that the client is allowed to access the requested resource, i.e., the client can only access the authenticated phone number associated with the access token. I understand the proposed guideline text as potential solution, but it could also be misleading for the API client that (for example) if I request the location of phone number B with the access token associated with phone number A, I will not get an error, but a success response and the actual location obtained is the one corresponding to phone number A. I think this needs further discussion in the WG...
|
|
Hi @jpengar,
This is probably the best option in my opinion. Because we need to avoid having conflicting sources of information and it seems to be the best way to ensure that personal information is not disclosed.
I think this would be source of confusion. If we have info twice we must check they match and return an error if not. |
What would be the use case where SimSwap API access requires a 3-legged access token? Why would a fraudulent user ever allow 3-legged token to proceed?
Should we consider |
|
@jpengar regarding:
The access token is associated with the device/phone_number on which the browser run, that was used to open the link from the SMS. I think this applies to CIBA. |
|
Actually, this is quite straightforward For CIBA, there is no issue, as both the MSISDN provided in the And, as I pointed out here, CIBA also effectively allows device IP/port to MSISDN lookup, so there is no reason to use the authorisation code flow if the network supports such an IP to MSISDN mapping capability. Only if the network is relying on header enrichment to identify the device must the authorisation code flow be used. In Vodafone's case, this will only be for Number Verification, where verifying the MSISDN provided by the client against the true MSISDN is exactly the use case anyway. I can't see us using authorisation code flow for any other API. |
|
This issue is about clients buying SimSwap API but using it for NumberVerification. If SimSwap is cheaper than NumberVerifcation then clients might buy SimSwap but use it for NumberVerification. The user might have opted-out of NumberVerification but the client is using SimSwap to verify numbers which the user might not have opted-out from. |
|
But this is inherent to CIBA that supports I, as a cheapskate API consumer, request my first access token using Or, if I did not know the MSISDN itself but am only interested to know it is the same user returning, I could use CIBA with |
|
CIBA was designed for use case where the consumption device and the authentication device are different. CIBA was not designed for onboarding a user to a mobile app on the user's smartphone - For that the client's mobile app should use OIDC authorization code flow. CIBA should not be used if consumption device and authentication device are same. The assumptions the client and the telco make about CIBA might not be true or the same. CIBA and OIDC support login_hint to hint to the authorization server which "account" the user might use to authenticate and give consent. The user is free to use a different account. CIBA with login_hint=tel:+... shows that the authentication request reached someone at that number. I always interpreted the NumberVerification documentation that the number is verified when the API request is made, not when the access token is created. CIBA asserts that someone had control over the authentication device at one point in time. |
|
@AxelNennker @eric-murray For API's like KYC Match, SIM Swap and DeviceIdentifier a 3-legged flow is mandatory because we are processing personal information in these. As a result the access token is the access token is phone number specific, and the phone number is already determined by either the login_hint (in case of CIBA) or by retrieving it from the network (in case of front end-flow). There is not point to ask for the phone number again in the resource call (with the exception of Number Verify ofcourse), also because this will lead to either an unintended number verification (in case you start comparing the number provided with the number associated with the access token), or it will lead to confusion with the developer, or it will lead to loss of revenue. I think there are 3 options:
My preference is option 1, this is the simplest, if you ask me. Option 2 has more flexibility in it, in case parties want to use a (faster) client credential flow. Would like to hear your thought on this. |
|
@HuubAppelboom from the general issue back to the specific: What do you think about this proposal? |
In the case of CIBA, the phone number is specified by the API consumer, independent of any end user device. If the API consumer then specifies a different phone number in the API service call itself, then any error is just telling them that they specified two different end user phone numbers. I don't see the issue here, as no device has ever confirmed its phone number. I can see the issue with authorisation code flow but, for APIs such as SIM Swap, using authorisation code flow doesn't really make sense for the use case. Current implementations use CIBA. This will be true for many APIs. @AxelNennker |
|
@eric-murray I think that assuming only the use of CIBA flow for 3-legged scenarios is something we shouldn't do (there's not even consensus about it CC @sfnuser @AxelNennker ) and IMHO it's not consistent with existing CAMARA definitions in ICM. It has its own discussion thread in camaraproject/IdentityAndConsentManagement#176 as you mention. So I would not consider it a solution to the original problem reported here. From Huub's comment, I see option 2 as the one that better fits exiting ICM definitions giving the flexibility to consume and API in 3-legged and 2 legged mode as needed.
We should make sure that there are no other corner cases not considered so far if option 2 is chosen. And it would be necessary to define what would be the error returned to the API client when phone_number/device is used in the API call with a three-legged flow. |
@AxelNennker The problem with this proposal is that once you provide errors like the 403 - INVALID_TOKEN_CONTEXT error, you are effectively doing the same thing as a in a Number Verification call. Note that my option 2 is different in the sense that as soon as you see two sources of phone number information, you will always return an error code (and not only when there is a mismatch). Option 3 is also different, because here you make it more explicit that a Number Verification is included, by provding an explict answer on the phone number in the request (just like how you respond with Number Verification). |
|
A valid point and a way of getting a free number verification. Although we are trying to be helpful surely the use of a more generic error rather than an invalid token indication would mean that you could then not rely on the result from any of these APIs and would need to call number verify for a real answer. I can see any of the other APIs as being more premium to number verify. |
|
For some definition of "premium"... Hard to say whether billions times small fee greater or less than millions time high fee. |
|
I think all APIs that have a device object or phoneNumber as a parameter should be aware that the API could be used to validate that information. |
|
@AxelNennker @MarkCornall There will be API's at a lower price point than Number Verify and at a higher price point. Either way you can have a revenue leak. But what is more relevant I think is that you may have a privacy leak which the MNO or the API Consumer is not aware of. |
The issue is not solely the error message returned. The primary use case for Number Verification is to confirm a number "positively," under the assumption that the number is already known. It is not intended for discovering numbers through trial and error. When using the Sim Swap API or similar services as an alternative, the objective is to obtain a 200 status code to verify the number. As long as CAMARA asserts that a 200 API response indicates successful validation of the number against the provided token, we are inherently disclosing this verification. If an error occurs, it may be unclear whether it is due to a mismatch of the phone number or another issue. However, it can already be inferred that the number has not been verified. |
|
Are we also open to someone calling the authorisation flow and getting the information that they need but not finally calling the actual API? |
That seems to be a question for Camara business people. |
|
If it is agreed that this type of information leak is to be avoided, then I think the decision for Commonalities is whether providing a 3-legged access token and a device object in the service API call is always and error or never an error. It is only because we currently only give an error when the device identifiers do not match that we have an information leak. So the options would be:
As an API implementor, I slightly favour the second option (as, in fact, that is what Vodafone already do). But I understand that the API consumer may not be aware they are using a 3-legged token (maybe the developer got it from some library call) and could be misled by the response when they provided a device object that identifies a different device to the token. So my preference is therefore that providing a 3-legged token and a device object should always be an error. As to which error, I'd say a 422 still applies, but with a more generic code - maybe |
Aan alternative error code may be This already exsists, and it covers it (the phone number should not be in the request) |
My instinct is to try to restrict In this case, the Now maybe this additional error documentation could be in the error |
|
I'd like to try and progress this issue as I think it is important and something that we should conclude before the Spring '25 meta-release. My proposed solution is that:
I think this is simple to implement, and provides a clear indication to the API consumer as to why their request failed. Can we agree on that solution, or are there alternative solutions in play? |
|
@eric-murray This seems a simple proposal that can fix this issue, and prevent the misuse. |
|
Hello all, Sorry that I have not participated in this discussion due to work on Fall24 Meta, but now I have some comment. Thank you, @eric-murray, for the proposal. In principle, it looks good, but wouldn't it be possible to add something like 'in principle' and to make room for sub projects to reshape it? Actually KnowYourCustomer SP is having discusion on this topic, because KYC Match API uses 'phoneNumber' (a device identifier, I understand) as an optional parameter even in 3-legged cases. So, from this perspective, for example, another phrase to add to Eric's proposal may be 'unless API specific requirements / use cases exist'. I don't mean to reverse the past discussion, but I feel too much restriction and less flexibility may lead to narowing down potential new businesses and potential new use cases, which may not be good to the industry ecosystem. Best regards, |
|
So this issue, and my proposal, only apply for APIs that can accept either a 2-legged or 3-legged access token. Such APIs must allow the API consumer to provide an optional APIs such as KYC Match and Number Verification just do not work with 2-legged access tokens. As a 2-legged token is not an option, the purpose of the So any proposal adopted by Commonalities for the API guidelines would be clear that it only applies to APIs that accept both 2-legged and 3-legged tokens. As a sidenote, APIs such as KYC Match and Number Verification are still vulnerable to misuse if the token is obtained using the CIBA flow. Either the So APIs such as KYC Match and Number Verification should not allow validation of the phone number if the 3-legged token is obtained using the CIBA flow. |
|
Within Commonalities, can we move forward with this baseline proposal? |
|
Hi @PedroDiez However, I'd appreciate that if anyone has further comments or proposals, they raise them in this issue, rather than waiting until I have proposed a PR and opening up discussion there. Preparing a PR is a lot more work than debating a topic in the issue. |
|
@eric-murray From Orange you have our support for:
Providing an explicit device identifier when a 3-legged token is being used should ALWAYS be an error; cc: @patrice-conil |
|
Hi @eric-murray, understood your point: At least to be clear from my side:
|
|
And one doubt @eric-murray, not related to the "core" resolution of this issue. I would like to understand your view about KYC-Match do not work in a 2-legged scenario. I mean from the service point of view the API could work in a 2-legged scenario. Other thing is that from Business side would not be considered to be accessed in such a way due privacy reasons or any legal constraint. |
Maybe I'm misunderstanding the role of
So how is the "verification of the If the API accepts 2-legged access tokens, then the I had understood from @ToshiWakayama-KDDI that such misuse was not possible for KYC Match, which would only be true if the only purpose of Unless |
I don't see the need to have parallel error codes for I think this will result in a proliferation of error codes, and complicate generation and handling of such errors, just to avoid that an API consumer who thinks they are querying a "subscription" (or "account" or "identity" or whatever you want to call it) does not get confused by an error code using the term "DEVICE". Far better just to customise the But I will raise that objection in more detail in #321. |
|
Thank you, @eric-murray , @PedroDiez .
Actually, Pedro's this point was partly aligned with what I wanted to share by my prevous comment #259 (comment) . I always wonder why KYC Match is restricted for 3-legged access token scenarios, thinking it could work in 2-legged access token scenarios as well.
Considerint the above Eric's point, there could be the potential misuse, but from business perspective, it still could work. For example, if an API provider could provide phoneNumber match by KYC-Match, avoiding forcing API users to call two APIs.
This Eric's point is aligned with what I was thinking. I think phoneNumber in Number Verificaiton is not always the same as phoneNumber in KYC Match, and I think we can discuss KYC Match use cases for 3-legged access token as well as 2-legged access token furthre in KYC SP. So, as we KYC-SP need some more time to discuss, I would like to recall my previous comment:
If other colleagues accept this kind of exception. Best regards, |
|
@ToshiWakayama-KDDI @PedroDiez As it is also intended that KYC-Match accept 2-legged access tokens, a simple "this rule only applies to APIs that accept both 3-legged and 2-legged" is no longer sufficient, as that would exempt Number Verification from this new rule, but not KYC-Match nor any other API that wants to also offer "Number Verification" functionality in addition to its primary purpose. How about something like: (*) Working title. We could consider a more "universal" error, such as |
|
Hi @eric-murray, Regarding KYC-Match, thanks for your view. From our business view it could also work in 2-legged (trusting in the phoneNumber indicated and using it as the reference for the backend logic). Other point is whether Business may want to expose in such a way or not. Anyway, it is a matter for KYC WG discussions. |
Hi @eric-murray, @ToshiWakayama-KDDI, I think the approach can work, Agree Eric is the same error condition but referred to the concept of device or phoneNumber. I wanted to be precise in that way. I understand the concern you raise of duplicating errors even I think would not be so much. I think we can move forward with the proposal (not attached to device nor phoneNumber in the terms of the |
|
Based on that, I will reformulate some basis under the Issue #321 |
Agree. I think I understand how that API is intended to work now, but this "dual use" of
@jlurien made a proposal to simply adopt the term "IDENTIFIER" to cover both cases, which I'm happy with. I'm working on a PR for this issue, so will adopt that terminology for now. It can be revised before any merging once agreement is reached on the specific error codes. |
|
Hi @eric-murray , @PedroDiez ,
Sorry for the late response. I think the approach can work, as well, and I am happy with the above proposal. Thank you so much, Eric.
Thank you also for your valuable opinions on KYC-Match 2-legged case. We will continue discussion in KYC SP, taking your views into account. Best regards, |
Problem description
@HuubAppelboom raised an issue in today's SimSwap... - meeting
If the parameter phoneNumber is present and the phoneNumber is also in the access token, then SimSwap might also accidentally implementing NumberVerification because if the values do not match the result of the API request is different to when the values match.
This problem exists for APIs where identifying information is available in several places.
This leads to several topics worth considering:
Expected behavior
API Design Guideline should make API designers aware of this problem and provide guidance on how to handle this.
e.g. add guidance e.g. to the API Design Guidelines' Security section like the following sentence
If identifying information is both available in a request parameter and in the access token then the resource server MUST ignore the request parameter. No error should be returned if information from the access token and information from request parameters are inconsistent or contradict each other, because the error message is doing the leaking of information.ICM could also or additionally put some text into info.description?! @jpengar
Aditional Context
regarding device object:
camaraproject/DeviceLocation#201
The text was updated successfully, but these errors were encountered: