IETF Logo Mail Archive

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Jim Willeke <jim@willeke.com> Wed, 24 February 2021 15:00 UTC

Return-Path: <jim@willeke.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7CEB3A16B9 for <ietf@ietfa.amsl.com>; Wed, 24 Feb 2021 07:00:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=willeke.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHDYA7ZXcyfc for <ietf@ietfa.amsl.com>; Wed, 24 Feb 2021 07:00:00 -0800 (PST)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F5ED3A16B5 for <ietf@ietf.org>; Wed, 24 Feb 2021 06:59:59 -0800 (PST)
Received: by mail-lf1-x12f.google.com with SMTP id h125so3458203lfd.7 for <ietf@ietf.org>; Wed, 24 Feb 2021 06:59:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=willeke.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6sxvFnZ0GGl9DyQBTr64SScpYRkQy4Rk2Yy0q3fzSsw=; b=c9j5xMUAfaSn/a3QnM5Qkvbpoq1FBtUZzH/Z7Jav+eJATUz2HuOXFHAhh3UmIDAHA8 7wfuBNUjD/mHLi5hoGCFszMi9wE4iGn3XYGsy4FTx2OXZtc530AWmDkEgukIKVN+5JjH b89g+q8WFzMtB2aGt7Rk58rXj+znfyGGOJqD6khBShiVjAfwlHjWb/BIgWPy5PPJ+oz/ wlIRZVKzwxKb9gL9FPTv6Z3j8e5JFlGF8cG6Df3ao/XdCtV0EdvkyojDvToZBRXbZXf/ A6AQFHUDXIzrhSX2btbmreiH94y5NG6VKW4Nj5dUKr91F2VgwoFpKS2SrLUdoq6P2Jwo d+mQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6sxvFnZ0GGl9DyQBTr64SScpYRkQy4Rk2Yy0q3fzSsw=; b=O9Uhf06NtQVKa7YkjfGFY+nuaugg5j3S36FQWayg6Tzard10xUo4iR1MZOK4j/aKj3 z77+pU4D3kOSJFeq/WGz2GtbUIK9GkFFULFjLK0KKdm3iTEHj2f0FNJ32UrziePsL10o EFSlRVlRbn4ZZLnkBHo6K8Nf6NYyqin3Qxcwdu0NsuIxZr998cHOTydC+xS8fW5ReH/s 7gkJ8GKNkpXVS+vWICpzXWCMf/7WFmkCuYSdYgcqkmjOCM9KRLVYRwV4vKWFmyKJD704 wUS07HNwqPLJN8LpCQO4gL7H4BDd41eb10Tc0wiHrJHkjDddep5V4EPO9FpiThL6IcQx zSwA==
X-Gm-Message-State: AOAM530eHSNaYboiwGZq/Pjs14b50hdE+Vc4qcsPlUaDfAz8ELtGFMgp P4Gwl+iR8J/x8wC9rped1D0k9bvuVakvjDP26a7NJA==
X-Google-Smtp-Source: ABdhPJxylwEy2M6/IqIiYvfChtYPTAn12loSCNw5HAaNvb1mPpEQlM5z95bJyEXkqIUA7icCi/t7gUs8tEvdPQprPZM=
X-Received: by 2002:ac2:4147:: with SMTP id c7mr7141164lfi.405.1614178797834; Wed, 24 Feb 2021 06:59:57 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> <02A263F5-8109-4D3B-A684-D9B574260B50@forgerock.com> <CAGBSGjqGgYfcw+jqE+Y-JP_oXcHPMwhsqrO7vE=ReUXEqdLAzg@mail.gmail.com>
In-Reply-To: <CAGBSGjqGgYfcw+jqE+Y-JP_oXcHPMwhsqrO7vE=ReUXEqdLAzg@mail.gmail.com>
From: Jim Willeke <jim@willeke.com>
Date: Wed, 24 Feb 2021 09:59:21 -0500
Message-ID: <CAB3ntOuoPFHuUJT7WoWMSAar6nH06p4YUKmdgA860KnqOB2BWA@mail.gmail.com>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: ietf@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d968df05bc1649c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/JDl2jZUsSk7e262QX8VUCDSEhsc>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 15:00:04 -0000

But in reality, Just "because the technology" is there there leaves out the
practicality of creating a secure implementation. Sure, you could write it
off as "a business problem" but many of the developers are small and not
unusually single person operations that do not have the resources to create
a specific team, or even a specific person, to work through all the
specifications that are involved.

I do believe, in general, specific implementations should not be within
the specifications but a "Best Practices" or "Common Implementations"
document to coincide with the specifications might be in order.

Just spend some time on https://stackexchange.com/filters/4229/oauth and
you will see the issue and struggles.


--
-jim
Jim Willeke


On Wed, Feb 24, 2021 at 8:46 AM Aaron Parecki <aaron@parecki.com> wrote:

> > You type your email address into {The Bat} to begin configuration. {The
> Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}.
> The discovery document reveals that {My ISP} supports open dynamic client
> registration [3][4] so {The Bat} registers and gets issued with a client id
> and client secret. {The Bat} then does a normal OAuth flow to get an access
> token to access your emails from {My ISP}. If you later stop using {The
> Bat} you can go to your page on {My ISP} and revoke its access because it
> has a unique client id.
>
> Like Neil says, the building blocks are all already there. The fact that
> companies choose not to use them is not because the technology isn't there,
> it's because it's a business problem.
>
> I'd be thrilled if the NxM problem were solved in practice, but
> unfortunately that doesn't seem to be what's happened in the market. The
> technical solution has been there a long time, so there's something else
> going on.
>
> When I've brought up this topic in the past, most of the responses I've
> gotten from the "big players" are along the lines of "lol we're not going
> to let someone's software talk to us unless we have a legal arrangement
> with the developer". The fact that dynamic client registration is barely
> used is more because these service operators want the software developers
> to agree to their terms of service before being able to access APIs.
>
> This is all to say that I agree it'd be nice to solve this problem, but in
> the end, the IETF can't tell companies what to do with their products and
> services.
>
> Aaron
>
>
>
>
> On Wed, Feb 24, 2021 at 4:21 AM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>> On 24 Feb 2021, at 11:39, Bron Gondwana <brong@fastmailteam.com> wrote:
>>
>>
>>
>> […]
>>
>>
>> Let's get down to use cases then, rather than talking in abstracts.
>>
>> I'm an end user with a copy of {The Bat email client} and I want to
>> connect it to {Gmail} + {Yahoo} + {My ISP}.  It supports {POP3}, a widely
>> popular open standard.  I want to be able to authenticate to each of those
>> services without saving my plaintext passwords on my hard disk where the
>> next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and
>> all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account,
>> leaving me destitute.
>>
>> But, {The Bat} doesn't have a trusted client cert from my isp, because
>> who does - so there's no good protocol for me - it's either plaintext auth,
>> or it's some architecture astronaut multi-party nonsense that's massively
>> over specified and doesn't work half the time.  So I write a plain text
>> password on a post-it note which is lying in the dust under my monitor
>> because the glue has gone bad, and I hope I never accidentally click
>> "remember me" when I type it in.
>>
>> That's been the reality of the end user experience for very many years.
>>
>> NxM means that you can authenticate an arbitrary client against an
>> arbitrary server so long as they are both speaking a known public protocol,
>> without needing to build a trust relationship between the client vendor and
>> the server vendor first.
>>
>>
>> Does the following meet your needs?
>>
>> You type your email address into {The Bat} to begin configuration. {The
>> Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}.
>> The discovery document reveals that {My ISP} supports open dynamic client
>> registration [3][4] so {The Bat} registers and gets issued with a client id
>> and client secret. {The Bat} then does a normal OAuth flow to get an access
>> token to access your emails from {My ISP}. If you later stop using {The
>> Bat} you can go to your page on {My ISP} and revoke its access because it
>> has a unique client id.
>>
>> [1]: https://openid.net/specs/openid-connect-discovery-1_0.html
>> [2]: https://tools.ietf.org/html/rfc8414
>> [3]: https://openid.net/specs/openid-connect-registration-1_0.html
>> [4]: https://tools.ietf.org/html/rfc7591
>>
>>
>> Any "trust relationship" is made through a user both who trusts the
>> client and trusts the server, and it's not transitive over to other users
>> of the same client and the same server.  The client author doesn't need to
>> get a signed "I trust you" from every single server, and the server author
>> doesn't have to go identify every single client.
>>
>> That's what NxM means to a user, the ability to use arbitrary clients
>> with arbitrary servers so long as they both implement a documented
>> protocol.  Interoperability.
>>
>>
>> That’s fine for your use-case, but that isn’t everybody’s use-case. Other
>> use-cases (such as Open Banking) involve regulatory or policy frameworks in
>> which open dynamic client registration is not appropriate. JMAP could have
>> an RFC describing the use of OAuth with JMAP that mandates open dynamic
>> client registration and discovery.
>>
>>
>> — Neil
>>
>>
>> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> --
> ---
> Aaron Parecki
> https://aaronparecki.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email