Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
Brian Campbell <bcampbell@pingidentity.com> Wed, 30 May 2018 19:57 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A0B812EB49 for <ietf@ietfa.amsl.com>; Wed, 30 May 2018 12:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZ_AMI8ckZ6P for <ietf@ietfa.amsl.com>; Wed, 30 May 2018 12:57:11 -0700 (PDT)
Received: from mail-io0-x242.google.com (mail-io0-x242.google.com [IPv6:2607:f8b0:4001:c06::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 594FE12EB90 for <ietf@ietf.org>; Wed, 30 May 2018 12:57:06 -0700 (PDT)
Received: by mail-io0-x242.google.com with SMTP id a10-v6so23082817ioc.9 for <ietf@ietf.org>; Wed, 30 May 2018 12:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=92x3L1zwMYXxCrf2uV1D2cUM/MUjk3zcdSsP6OiRZJw=; b=Di5XGVgVvKcTW9uv3Vhf9wdX5/lqqigRI+LRxiNYV5gMvWT1rSeesEirRJ+fp2N1gK ASGAd5QXYW6Zb/GQJNTImBxT5oadmeILJ9n0wIHIcvGbsqJlcMfDUMhrJt5sfvr3GrS7 +gqarffZEttkPBH3yur33E89hnFC8HOPoM038=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=92x3L1zwMYXxCrf2uV1D2cUM/MUjk3zcdSsP6OiRZJw=; b=GiFR1NxhbHBPbrxuIRls/m4W6oKGW/SDjIAHftJtT3nl1iJSCtoeNTuJE6Q4dX7pk7 bf9Jk9rlUwoCPqY8MFWPk0tKHhKziTdX7xQhdhzIAZRM7VGcEBtokYW9eYpe+NqaKnFS 3JL0iu2Voi+Rxf1n9UKs/LDL7tHcsrtXYXI7HMvdbIXHXWPO9T6J679DGon+5ePyosdk 3nwvPfgDBZwIHMGOTdWzt9pTdD7Cl1w9r6kyrZs/pj0GoephJQxSYqsbfhPuJBrWh9jz E/bHMFUcytocdXS76c/A4a9fRJdRyhdyUMrnw6K/0n8AZKVJg21SVrVbmr2RD2sNBbw8 tnyw==
X-Gm-Message-State: APt69E26yxnp4iD9TqLE1GOquNMtltLxQqLFnaHiJ5CZgihdSJ7+Ip8x joqGhf21Xm89FbAwFoH3gCLZ6IyCS3VwDluyJsxVYeT1P+BlKem3cZSrQN152OU+JrBznksjV6W EqzaOcpy+oVFdr1c=
X-Google-Smtp-Source: ADUXVKLqEjHkUwAQXJBfV+xa/3AaEIOOpb9gbPlVff1zYJ21ynV6UbPZ9S13nJpPRznbNj+FGU5eHf4id9IdNxiy9nI=
X-Received: by 2002:a6b:591:: with SMTP id 139-v6mr3248260iof.282.1527710225130; Wed, 30 May 2018 12:57:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Wed, 30 May 2018 12:56:34 -0700 (PDT)
In-Reply-To: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 May 2018 13:56:34 -0600
Message-ID: <CA+k3eCRTteQmKP9xdba2zNLknQerQpHbVxp98Okq4a8gvMessw@mail.gmail.com>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
To: ietf@ietf.org
Cc: IETF-Announce <ietf-announce@ietf.org>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004a2900056d71c1b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/WGjrvrEHv5C-Jw-lrrak65tv730>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 19:57:22 -0000
In reading the draft (again) I noticed a couple of things that, while maybe not substantive, seemed like they were worth raising here in last call: 1: In Section 3.5 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09#section-3.5> a new 'expired_token' error code is defined for when the 'device_code' has expired and the client will need to start the flow over. Shortly after the new error code definition there is text in that section that says 'If the verification codes have expired, the server SHOULD respond with the standard OAuth error "invalid_grant". Clients MAY then choose to start a new device authorization session.' This reads to me like: here's a new error for expired device code but this other code SHOULD be used for expired device code. Am I confused or otherwise missing something? I kinda suspect that the intent is that expired_token can be returned for codes that are known to be expired while invalid_grant is more of a catch all for codes that may have expired long enough ago that they have been purged from server memory/persistence or are otherwise unknown. That's my guess anyway. But the current text seems somewhat contradictory, which I think could be clarified/fixed. 2: In section 5 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09#section-5.5> about security considerations for Non-confidential Clients there's a pointer to recommendations from Section 8.9 of [RFC8252] <https://tools.ietf.org/html/rfc8252#section-8.9>, which is about using the "state" parameter in the authorization request to protect against cross-app request forgery. That doesn't seem right or relevant to the device flow, does it? Was it intended to point to section 8.5 in RFC8252 <https://tools.ietf.org/html/rfc8252#section-8.5>? Or something else? On Tue, May 29, 2018 at 4:20 PM, The IESG <iesg-secretary@ietf.org> wrote: > > The IESG has received a request from the Web Authorization Protocol WG > (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for > Browserless and Input Constrained Devices' > <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits final > comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may be > sent to iesg@ietf.org instead. In either case, please retain the > beginning of > the Subject line to allow automated sorting. > > Abstract > > > This OAuth 2.0 authorization flow for browserless and input > constrained devices, often referred to as the device flow, enables > OAuth clients to request user authorization from devices that have an > Internet connection, but don't have an easy input method (such as a > smart TV, media console, picture frame, or printer), or lack a > suitable browser for a more traditional OAuth flow. This > authorization flow instructs the user to perform the authorization > request on a secondary device, such as a smartphone. There is no > requirement for communication between the constrained device and the > user's secondary device. > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ > > IESG discussion can be tracked via > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > > > The document contains these normative downward references. > See RFC 3967 for additional information: > rfc6819: OAuth 2.0 Threat Model and Security Considerations > (Informational - IETF stream) > draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile > (None - ) > rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF > stream) > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- RE: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… George Fletcher
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss