Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Warren Parad <> Wed, 24 February 2021 16:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D0C33A17EC for <>; Wed, 24 Feb 2021 08:48:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id da5JcWlZOFE1 for <>; Wed, 24 Feb 2021 08:48:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 697273A17E9 for <>; Wed, 24 Feb 2021 08:48:41 -0800 (PST)
Received: by with SMTP id f7so2264840ilk.12 for <>; Wed, 24 Feb 2021 08:48:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bYSmnpdczEgCtvBK56XkA/Agge/3wFSXb0DyUhLLI+I=; b=GwjAenfjjFkXgq07/AyIT22gkF/4/eHuUHAzDcbNnDztxk4SZEXy8e8AOLPBGJAUy4 XwDd99ERc9ymybX82GNeNZjaRNRzJgPIMk/zuqVor45iNJky3G0oX9BPszBV9r9zmVl6 Fhrh6ko5JcB8Tp000mknNmvVyxcwJLDNpI9BIVGl/4QuOYPeXFU7oslKz6f4HOoQnb8q 6APh5mlFeP6IOVthyN6eU53CvtxGHRrHJD+XwsdkcIXBHOCtswMDL6iHzYLE6ZwdOei0 oGN2NZRkC1MGw4uMWiRQyVNfgQQKNJ5qFqsOfLeTfL5egNhxSiDrVQ0hNxxv5GYUR3bo /Rfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bYSmnpdczEgCtvBK56XkA/Agge/3wFSXb0DyUhLLI+I=; b=RyFTmNUQBSePAS+GyI8H86zDROKD+sbnMiGiU9FlHqpWEnmG4RbgzkxogIuCfoqOj8 bTMLEkDTxEcLdKpK9l/lNCS4gqWrvjobAL8pIsei95v5ryo/2joyq/ap9HXGe/DlEFZK Zow2xnoUlY7cWMqOi4zlyPIjJ1E/ifYrBNOy+Kxsc0IWQUh22yKjU3pOFYUDNjq2SJBT N1vUJ5v22JvSGQ8p9pHV97L0M0x5wlb9rpOBbjdYd9wiPN+AfY6Nh4xyagDbYKzH9bwQ 4no8PCfa0RwNSsr3fy5wJ7j276XwjBCrlNDBbfPnqjFkb0w4O7vdGEu593XV60XitERt exMQ==
X-Gm-Message-State: AOAM530Vfwhsv1xsXl654N4lipLY7CRiFXJrVsLU1Iu2tCeW0r1D6G7o TXf5CIz/PBcZVR6eo0VYZnZXHcrDfTv/R3tfgWUB
X-Google-Smtp-Source: ABdhPJwtohEeER+LKX8Xnhd5xQ9UHfCXp+lbNl//Z/SZiTGk90PDMNVxGtJwwtjzbtrck0IJzpQS8wEQCYZLvgyJK3M=
X-Received: by 2002:a92:c6ca:: with SMTP id v10mr18100671ilm.195.1614185320488; Wed, 24 Feb 2021 08:48:40 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Warren Parad <>
Date: Wed, 24 Feb 2021 17:48:29 +0100
Message-ID: <>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
To: Tim Bray <>
Cc: Justin Richer <>, Bron Gondwana <>, Phillip Hallam-Baker <>, "" <>, IETF-Discussion Discussion <>
Content-Type: multipart/alternative; boundary="000000000000a13e0405bc17ce86"
Archived-At: <>
X-Mailman-Approved-At: Thu, 25 Feb 2021 08:33:19 -0800
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Feb 2021 16:48:44 -0000

I'll add just one more thing here, even if the protocol exists, the
clarity, and was supported, I'm not sure that it would even be that widely
used. Thinking about this from the user perspective, I just can't imagine
how many would really choose to even need or want to set up these other
mechanisms. There is a very small community dedicated to web3.0 which
supports browser extensions to log in to various tools via crypto

There's still only a handful, and identity providers, who are actually in
this WG, can attest to supporting N+ number of AS and WebAuthN, and
username/password, and likely anything else users want. As one of them, we
add anything and everything that application developers want to support. So
it isn't the lack of paradigms, RFCs, or general neglect (/lack of desire)
to implement these. The blocking factor is the symbiotic evolution of user
desires, platform capabilities, and AS features. So as all AS don't support
all features, and as it seems the capabilities are there, even if they were
supported by user facing applications, there is still further that the
community as a whole needs to go to adopt the mindset of wanting to bring
custom unverified AS to the table.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <>.

On Wed, Feb 24, 2021 at 5:34 PM Tim Bray <> wrote:

> The OAuth work has successfully built a perfectly reasonable syntax and
> protocol for exchanging identity and attribute assertions, and that's
> fine.  What it hasn't done is opened up the world of Identity Provision,
> but that's not a technical problem.
> OAuth flowed out of OpenID back in the day. The core idea of OpenID,
> beginning with the attractive but wrong notion that URIs are a good way for
> people to identify themselves, was that service providers should be
> prepared to trust arbitrary identity providers.  At the moment, nobody has
> figured out an automated way for services to figure out which  identity
> providers they want to trust. The counter-argument is that service
> providers should just trust people to pick appropriate identity providers,
> and it has never in my experience succeeded in convincing a single lawyer
> or business-policy type.
> On Wed, Feb 24, 2021 at 7:21 AM Justin Richer <> wrote:
>> I agree that the NxM problem is the purview of the whole IETF, but it’s
>> something that we’re particularly interested in over in GNAP. As the editor
>> of OAuth’s dynamic registration extension and the GNAP core protocol, I
>> hope I can add to this conversation.
>> From a technical standpoint, OAuth’s dynamic client registration lets
>> arbitrary clients talk to an AS, but the trust isn’t there in practice. On
>> top of that I think this problem is exacerbated by a fundamental protocol
>> design element of OAuth: the client_id that’s required. That field means
>> there’s an assumption that a relationship was set up between the pieces of
>> software, implied to be trusted by admins at the AS. Sure you can get that
>> client_id under special circumstances, but there’s still a special weight
>> handed to that and the dynamic stuff feels like you’re giving up control as
>> an AS. In GNAP, the relationship is inverted, and it’s designed as
>> “dynamic-first”, with pre-registered clients being an optimization on top
>> of that.
>> Does this solve the NxM problem? No, because companies are still going to
>> decide that they only talk to keys or identifiers that they know ahead of
>> time. But the protocol puts the dynamic case forward as baseline and fits
>> in much better with the likes of JMAP than OAuth ever could:
>> - {The Bat} creates a key pair.
>> - {User} enters their email address into {Bat}, {Bat} does discovery
>> (maybe that’s a JMAP thing? Webfinger?) and finds the JMAP server and the
>> GNAP endpoint for authentication as an option.
>> - {Bat} talks to the GNAP AS at {ISP} and presents the key it just made
>> up. {ISP} has never seen this key, but knows how to talk GNAP and get the
>> user to authorize {Bat} to access email.
>> - {User} does this using GNAP and gets back an access token that’s tied
>> to the key {Bat} made back at the beginning. That token is tied (at the
>> {ISP}) to the user’s account.
>> Yes, you can do all of this today with OAuth (and people have done so),
>> but OAuth’s basic model of “go do discovery and registration first and THEN
>> talk to me” is a trust impediment more than it is a technical impediment.
>> The “negotiation” part of the GNAP name comes from the philosophy of “start
>> talking first and figure out what you need as you go”. Instead of jumping
>> through hoops to get something you can trust, you just start in and then
>> decide how much you trust it. A corporate rollout could use its own key
>> distribution mechanism and static registration to limit which client
>> instances talk back to the company server, regardless of which accounts
>> would authorize access on top of that. An internet-facing service is going
>> to be more likely to take a TLS approach, of “I’ll talk to you in a secure
>> fashion without caring who you are right now”.
>> We really are trying to make GNAP a consistent protocol at its core and
>> learn from problems with OAuth in the wild, all while letting GNAP address
>> a wider variety of use cases. I agree that GNAP could be clearer about
>> specific use cases, and we’re working on the spec still so any help here is
>> appreciated.
>>  — Justin
>> On Feb 24, 2021, at 7:15 AM, Bron Gondwana <>
>> wrote:
>> On Wed, Feb 24, 2021, at 23:09, Warren Parad wrote:
>> (I tend to trend lightly in the pronoun area, mostly because I'm shocked
>> that openid included gender but not pronouns)
>> I hadn't heard that to be called the NxM problem, so that definitely
>> cleared up the potential confusion (at least for me).
>> I think GNAPs lack of clarity is a non sequitur for the handling or not
>> of the multitrust arbitrary-client with arbitrary-service, however it's
>> lack of clarity for me prevents me from knowing whether GNAP actually seeks
>> to solve this problem. So from an OAuth WG perspective we can still ask:
>> *Is this or should this problem be left to GNAP to solve, or is an OAuth
>> WG responsibility?*
>> Honestly I think the problem space is the whole ietf's responsibility.
>> Protocols that allow an end user to safely transfer data between two
>> parties that don't have a pre-existing trust relationship are a key part of
>> enabling user freedom and user choice.
>> Bron.
>> *Warren Parad*
>> Founder, CTO
>> Secure your user data with IAM authorization as a service. Implement
>> Authress <>.
>> On Wed, Feb 24, 2021 at 12:39 PM Bron Gondwana <>
>> wrote:
>> On Wed, Feb 24, 2021, at 22:04, Warren Parad wrote:
>> I would prefer Bron to answer that question, as they are the one who
>> started this email thread.
>> You can also use he when talking about me, or she for that matter - I do
>> enough group fitness classes where it's roughly assumed that the entire
>> class is female, and I have an ambiguous enough name that I'm used to it.
>> Most people use "he" most of the time.
>> However let's look at GNAP, I've honestly been struggling to understand
>> at least one fully documented case that GNAP supports. It seems in every
>> document the only thing that is clear is GNAP wants to allow "everything",
>> doesn't actually talk about an example.
>> That's my biggest fear for GNAP - it too will try to be everything to
>> everybody and wind up being nothing to nobody because the super flexible
>> "everything protocol" is the same as no protocol at all, since you have to
>> special-case everybody you talk to anyway.
>> By NxM, I assume we mean that the end user or client is free to select
>> whichever AS they want, in a way which the RS can verify the AS credential
>> and the user identity, without the RS having to (and really without the
>> ability to limit) which AS are allowed.
>> Let's get down to use cases then, rather than talking in abstracts.
>> I'm an end user with a copy of {The Bat email client} and I want to
>> connect it to {Gmail} + {Yahoo} + {My ISP}.  It supports {POP3}, a widely
>> popular open standard.  I want to be able to authenticate to each of those
>> services without saving my plaintext passwords on my hard disk where the
>> next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and
>> all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account,
>> leaving me destitute.
>> But, {The Bat} doesn't have a trusted client cert from my isp, because
>> who does - so there's no good protocol for me - it's either plaintext auth,
>> or it's some architecture astronaut multi-party nonsense that's massively
>> over specified and doesn't work half the time.  So I write a plain text
>> password on a post-it note which is lying in the dust under my monitor
>> because the glue has gone bad, and I hope I never accidentally click
>> "remember me" when I type it in.
>> That's been the reality of the end user experience for very many years.
>> NxM means that you can authenticate an arbitrary client against an
>> arbitrary server so long as they are both speaking a known public protocol,
>> without needing to build a trust relationship between the client vendor and
>> the server vendor first.
>> Any "trust relationship" is made through a user both who trusts the
>> client and trusts the server, and it's not transitive over to other users
>> of the same client and the same server.  The client author doesn't need to
>> get a signed "I trust you" from every single server, and the server author
>> doesn't have to go identify every single client.
>> That's what NxM means to a user, the ability to use arbitrary clients
>> with arbitrary servers so long as they both implement a documented
>> protocol.  Interoperability.
>> OAuth has not given interoperability in the NxM sense outside some simple
>> web use cases.  They're nice and all, but they don't tend to be useful with
>> open protocols - OAuth gets used for accessing proprietary API endpoints
>> after getting an access key for a single provider.  At least you get Nx1 or
>> 1xM out of it depending who's the N and who's the M, and maybe some of your
>> code can rhyme so you're not doing everything from scratch each time.
>> This is the sorry story of real open protocols.  The floor for true
>> interoperability is still username + password over cleartext, over
>> hopefully a TLS tunnel that's providing some level of protection.  Most so
>> than a few years ago when Fastmail wrote our "starttls considered
>> harmful"[1] objection to the IETF's habit at the time of putting a
>> "STARTTLS" upgrade into an initially plaintext protocol, where an active
>> intercepter could just strip the "I support STARTTLS" indicator from the
>> protocol and convince the client to send the credentials in the clear.
>> We're a little better mostly these days, but it's still a tirefire, and
>> in my heart I do hold the OAuth working group's squatting on this area of
>> the landscape while failing to address this burning need partially
>> responsible.  The result (as Phillip pointed out upthread) has been a
>> consolidation towards a few big players - because NxM becomes tractable
>> when you reduce the N and M to small enough numbers.
>> Bron.
>> [1]
>> --
>>   Bron Gondwana, CEO, Fastmail Pty Ltd
>> --
>>   Bron Gondwana, CEO, Fastmail Pty Ltd
>> _______________________________________________
>> OAuth mailing list