login_hint support for ipv4Address (publicAddress and privateAddress) #267

Open
trehman-gsma opened this issue Feb 11, 2025 · 1 comment

@trehman-gsma
Collaborator

Problem description

The current supported login_hint formats include ipport, which consists of a mandatory ip address and an optional port. For example, ipport:80.90.34.2:16790, ipport:80.90.34.2, ipport:[2001:db8::1]:8080 or ipport:[2001:db8::1].

The CAMARA Device object defines an ipv4Address object that contains 2 IP addresses (publicAddress and privateAddress). For example:

```json
"device": {
  "ipv4Address": {
    "publicAddress": "203.0.113.0",
    "privateAddress": "192.168.1.132"
  }
}
```

Does the current ipport format support ipv4Address containing publicAddress and privateAddress? My interpretation is that it's not currently supported.

Should the format be updated to support ipv4Address containing publicAddress and privateAddress?

Expected action

  • Guidance on whether ipport can support ipv4Address containing publicAddress and privateAddress.
  • If not supported, an update to login_hint format to support this if it's deemed required.
@jpengar
Collaborator

jpengar commented Feb 12, 2025

In this case, CAMARA ICM only defines the format of the login_hint:

ipport

For IPv4 and IPv6 addresses, that can optionally include a port. For example, ipport:80.90.34.2:16790, ipport:80.90.34.2, ipport:[2001:db8::1]:8080 or ipport:[2001:db8::1].

Ref: https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#format-of-login_hint

CAMARA Commonalities, on the other hand, defines the device object and in particular the DeviceIpv4Addr:

Ref: https://github.com/camaraproject/Commonalities/blob/9e343b7696b1b54edbd34fa03eaaad07440efa4e/artifacts/CAMARA_common.yaml#L94C5-L94C20

The device should be identified by either the public (observed) IP address and port as seen by the application server, or the private (local) and any public (observed) IP addresses in use by the device (this information can be obtained by various means, for example from some DNS servers).

If the allocated and observed IP addresses are the same (i.e. NAT is not in use) then the same address should be specified for both publicAddress and privateAddress.

If NAT64 is in use, the device should be identified by its publicAddress and publicPort, or separately by its allocated IPv6 address (field ipv6Address of the Device object).

In all cases, publicAddress must be specified, along with at least one of either privateAddress or publicPort, dependent upon which is known. In general, mobile devices cannot be identified by their public IPv4 address alone.

With existing CAMARA definitions, I think that under the scenarios above where both privateAddress and publicAddress are required, the current login_hint does not support this.

The API consumer may need to use MSISDN as login_hint instead (or an operator token), or use the auth code flow with network-based auth if applicable.
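Added example, not part of the issue thread or of CAMARA's own code: a strict parser for the `ipport` login_hint format quoted above, plus a mapper from a Device object that returns `None` when the object needs two distinct addresses that `ipport` has no slot for. The function names are hypothetical, and treating an equal publicAddress/privateAddress pair (no NAT) as expressible with a single-address `ipport` is an assumption of this sketch.

```python
import ipaddress
import re

# ipport:<IPv4>[:port] or ipport:[<IPv6>][:port], matching the examples in this thread
_IPPORT = re.compile(
    r"^ipport:(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[0-9.]+))(?::(?P<port>\d{1,5}))?$"
)

def parse_ipport(hint):
    """Return (ip_address, port_or_None); raise ValueError on anything else."""
    m = _IPPORT.match(hint)
    if not m:
        raise ValueError(f"not an ipport login_hint: {hint!r}")
    # ipaddress raises a ValueError subclass for out-of-range or malformed addresses
    ip = ipaddress.IPv6Address(m["v6"]) if m["v6"] else ipaddress.IPv4Address(m["v4"])
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, port

def device_to_login_hint(device):
    """Map a Device object to an ipport login_hint, or None if ipport cannot carry it."""
    v4 = device.get("ipv4Address")
    if v4:
        public = str(ipaddress.IPv4Address(v4["publicAddress"]))
        if "publicPort" in v4:
            # publicAddress + publicPort fits the single address-and-port slot
            return f"ipport:{public}:{int(v4['publicPort'])}"
        if v4.get("privateAddress") == public:
            # Assumption: no NAT, so one address conveys both fields
            return f"ipport:{public}"
        # publicAddress plus a distinct privateAddress: no second address slot
        return None
    if "ipv6Address" in device:
        return f"ipport:[{ipaddress.IPv6Address(device['ipv6Address'])}]"
    return None

# Constructed sample: the Device object from the issue description
ISSUE_DEVICE = {
    "ipv4Address": {"publicAddress": "203.0.113.0", "privateAddress": "192.168.1.132"}
}
```

A caller that gets `None` here falls back to one of the alternatives named in the comment above, such as an MSISDN login_hint.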
