Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard

Andrew Sciberras <andrewsciberras@pingidentity.com> Wed, 30 May 2018 22:19 UTC


Hi William

You are right that the document explicitly indicates which error codes may
be returned. However, I think it's ambiguous as to which error within
Section 5.2 of RFC6749 would apply in the scenario of a user not granting
access.

I think that this ambiguity is highlighted further by the Google
implementation (https://developers.google.com/identity/protocols/OAuth2ForDevices#step-6-handle-responses-to-polling-requests)
not adhering to the explicit statement of the document and electing to use
a (more appropriate) error code that exists outside of section 5.2.

Andrew


On Thu, May 31, 2018 at 8:06 AM, William Denniss <wdenniss@google.com>
wrote:

> Hi Andrew,
>
> On Wed, May 30, 2018 at 2:35 PM, Andrew Sciberras <andrewsciberras@pingidentity.com> wrote:
>
>> Hello
>>
>>
>> Do we feel that the document should be more specific in addressing how
>> the authorization service should respond to a device access token request
>> when the user has refused to grant access to the device?
>>
>>
>> The document currently indicates in section 3.5 that a success response
>> defined in section 5.1 of RFC6749, an error as defined in section 5.2 of
>> RFC6749 (this includes invalid_request, invalid_client, invalid_grant,
>> unauthorized_client, unsupported_grant_type, and invalid_scope), or a new
>> device flow error code (authorization_pending, slow_down, and
>> expired_token) may be returned in a response to a device token request.
>>
>>
>> It doesn’t seem that any of these options are appropriate to convey that
>> a user has refused to grant access to the device.
>>
>>
>> The Google implementation appears to be using the access_denied error
>> code from section 4.1.2.1 of RFC6749. While this would seem to be the most
>> suitable error code, the document does not explicitly indicate it as a
>> permitted response.
>>
>
> Actually, this is indicated explicitly I believe:
>
> If the user has approved the grant, the token endpoint responds with a
> success response defined in Section 5.1 of [RFC6749]; *otherwise it
> responds with an error, as defined in Section 5.2 of [RFC6749].*
>
> In addition to the error codes defined in Section 5.2 of [RFC6749], the
> following error codes are specific for the device flow:
>
>
>>
>> I believe that clarifying the response error code in the condition where
>> a user has refused access to the client would be beneficial, remove
>> ambiguity, and promote greater consistency across implementations.
>>
>>
>> Regards
>>
>> Andrew Sciberras
>>
>>
>> On Wed, May 30, 2018 at 8:20 AM, The IESG <iesg-secretary@ietf.org>
>> wrote:
>>
>>>
>>> The IESG has received a request from the Web Authorization Protocol WG
>>> (oauth) to consider the following document:
>>> - 'OAuth 2.0 Device Flow for Browserless and Input Constrained Devices'
>>>   <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard
>>>
>>> The IESG plans to make a decision in the next few weeks, and solicits final
>>> comments on this action. Please send substantive comments to the
>>> ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may be
>>> sent to iesg@ietf.org instead. In either case, please retain the beginning of
>>> the Subject line to allow automated sorting.
>>>
>>> Abstract
>>>
>>>
>>>    This OAuth 2.0 authorization flow for browserless and input
>>>    constrained devices, often referred to as the device flow, enables
>>>    OAuth clients to request user authorization from devices that have an
>>>    Internet connection, but don't have an easy input method (such as a
>>>    smart TV, media console, picture frame, or printer), or lack a
>>>    suitable browser for a more traditional OAuth flow.  This
>>>    authorization flow instructs the user to perform the authorization
>>>    request on a secondary device, such as a smartphone.  There is no
>>>    requirement for communication between the constrained device and the
>>>    user's secondary device.
>>>
>>>
>>>
>>>
>>> The file can be obtained via
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>>
>>> IESG discussion can be tracked via
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/
>>>
>>>
>>> No IPR declarations have been submitted directly on this I-D.
>>>
>>>
>>> The document contains these normative downward references.
>>> See RFC 3967 for additional information:
>>>     rfc6819: OAuth 2.0 Threat Model and Security Considerations
>>>     (Informational - IETF stream)
>>>     draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile (None - )
>>>     rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF stream)
>>>
>>>
>>>
>>>
>>
>>
>>
>
>

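An added example, not code from the draft or from either poster, of how a device client might act on each token-endpoint response the thread lists (RFC 6749 section 5.2 errors, the device-flow codes, and the access_denied code Andrew says Google returns when the user refuses). The response dicts are constructed, and treating any unrecognised code as terminal is this example's own choice, not something the draft states.

```python
"""Device-flow token polling decisions (added example; responses constructed)."""
from dataclasses import dataclass
from typing import Optional

# Error codes RFC 6749 section 5.2 allows from the token endpoint.
RFC6749_TOKEN_ERRORS = {"invalid_request", "invalid_client", "invalid_grant",
                        "unauthorized_client", "unsupported_grant_type",
                        "invalid_scope"}
# Device-flow-specific codes from section 3.5 of the draft.
DEVICE_FLOW_ERRORS = {"authorization_pending", "slow_down", "expired_token"}
# Code from RFC 6749 section 4.1.2.1 that some deployments use for user refusal.
USER_REFUSED = "access_denied"


@dataclass
class PollDecision:
    action: str             # "token", "continue" or "stop"
    interval: int           # seconds to wait before the next poll
    reason: Optional[str] = None


def handle_poll_response(resp: dict, interval: int) -> PollDecision:
    """Decide what the device should do after one token-endpoint poll."""
    if "access_token" in resp:          # section 5.1 success response
        return PollDecision("token", interval)
    err = resp.get("error")
    if err == "authorization_pending":  # user has not acted yet; keep polling
        return PollDecision("continue", interval, err)
    if err == "slow_down":              # keep polling, but back off by 5 seconds
        return PollDecision("continue", interval + 5, err)
    if err in DEVICE_FLOW_ERRORS or err in RFC6749_TOKEN_ERRORS or err == USER_REFUSED:
        # expired_token, a section 5.2 error or access_denied: the device code
        # is finished; the client must start a new authorization request.
        return PollDecision("stop", interval, err)
    # Unknown or missing error code: stop rather than poll indefinitely.
    return PollDecision("stop", interval, err or "malformed_response")


def poll_until_done(responses, interval: int = 5) -> PollDecision:
    """Walk a sequence of poll responses and return the final decision."""
    decision = PollDecision("stop", interval, "no_response")
    for resp in responses:
        decision = handle_poll_response(resp, interval)
        interval = decision.interval
        if decision.action != "continue":
            break
    return decision


# Constructed sample: pending, then slow_down, then the user refuses.
SAMPLE_REFUSED = [{"error": "authorization_pending"}, {"error": "slow_down"},
                  {"error": "access_denied"}]
```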