IETF Logo Mail Archive

Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt

Phil Hunt <phil.hunt@oracle.com> Wed, 15 October 2014 18:46 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECD91A1B19 for <kitten@ietfa.amsl.com>; Wed, 15 Oct 2014 11:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKOy8xv6DkIp for <kitten@ietfa.amsl.com>; Wed, 15 Oct 2014 11:46:47 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 884391A90E7 for <Kitten@ietf.org>; Wed, 15 Oct 2014 11:46:47 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s9FIkibT032533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 15 Oct 2014 18:46:45 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9FIkhMs003772 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Oct 2014 18:46:44 GMT
Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9FIkh8X001897; Wed, 15 Oct 2014 18:46:43 GMT
Received: from [192.168.1.133] (/24.87.24.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 15 Oct 2014 11:46:41 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_118DE4D9-AE42-4D25-9224-66579AA0830D"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <543EB7C0.3020106@lodderstedt.net>
Date: Wed, 15 Oct 2014 11:46:40 -0700
Message-Id: <6801207E-434D-45D0-8846-6FF581F82703@oracle.com>
References: <31r908v52l19r5cb7nsqiouy.1413266582842@email.android.com> <796188397.63401.1413299215858.JavaMail.yahoo@jws106108.mail.bf1.yahoo.com> <543EB7C0.3020106@lodderstedt.net>
To: Torsten Lodderstadt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1878.6)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/-AspKwDBCvjNc1z77NhRXEhw-SM
Cc: "Kitten@ietf.org" <Kitten@ietf.org>, "tjs@psaux.com" <tjs@psaux.com>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 18:46:53 -0000

+1

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Oct 15, 2014, at 11:06 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> 
> Am 14.10.2014 17:06, schrieb Bill Mills:
>> I wasn't planning to.   OpenID is already doing it basically.  There might not yet be  a "here's what a well behaved generic client looks like" draft yet, but is that really needed?
> 
> I think so.
> 
>> 
>> 
>> On Monday, October 13, 2014 11:03 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> 
>> Hi Bill,
>> 
>> are you proposing to write a new "generic client" I-D/RFC in the OAuth WG?
>> 
>> kind regards, 
>> Torsten. 
>> 
>> 
>> -------- Ursprüngliche Nachricht --------
>> Von: Bill Mills
>> Datum:13.10.2014 23:05 (GMT+01:00)
>> An: Torsten Lodderstedt , Kitten@ietf.org
>> Cc: tjs@psaux.com, Hannes Tschofenig , Benjamin Kaduk
>> Betreff: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt
>> 
>> 3 through 6 should be handled by OAuth (and OpenID?) and are outside the scope of this spec.  This spec deals with 1 and maybe 2 & 7 above).  
>> 
>> A generic mail/contacts/calendar client will used more than SASL endpoints, notably CalDAV and CardDAV.  This isn't the place to solve the general problem.   
>> 
>> -bill
>> 
>> 
>> 
>> On Monday, October 13, 2014 1:48 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> 
>> Hi Bill,
>> 
>> Am 13.10.2014 18:08, schrieb Bill Mills:
>>> I totally agree that generic and interoperable OAuth client implementations need both endpoint discovery and client registration.  I disagree that this spec needs registration.  
>>> This spec is about using OAuth on resource servers which have nothing to do with authentication and token issuance.
>> 
>> I agree these are different aspects. Does this mean they need to be treated in different specs? What is the benefit of this approach? 
>> 
>> I'm not looking for a generic OAuth client. My goal is to enable the development of generic email/calendar/xmpp ... clients, which authorize access to the respective service using OAuth.
>> Such a generic client must (at most) perform the following steps in order to get access to the resource server:
>> 
>> 1) client tries to access resource server
>> 2) resource server refuses access and returns discovery URL
>> 3) client obtains metadata from discovery URL
>> 4) client determines its client credentials for this particular authz server
>> 5) if client is not in possession of suitable client credentials ->  register with the authz server (at the registration endpoint obtained from the discovery document)
>> 6) client performs authz flow with the authz server
>> 7) client accesses resource server again (with new access token) 
>> 
>> This spec currently does not specify steps 4 through 6, which means there is no way to implement the whole process in an interoperable way in my generic email client. I therefore suggest to add registration to this spec in order to cover the entire process. 
>> 
>> Do you have an alternative proposal to achieve this goal? 
>> 
>>> We might need to talk about client registration requirements in a token profile, but this draft doesn't define new tokens either.
>> 
>> There is no need to define new tokens as this is not relevant for client/resource server interop. Resource server know the authz server's token format (which is standard in OAuth deployments). 
>> 
>> kind regards,
>> Torsten.
>> 
>> 
>>> 
>>> On whether to specify the full OpenID Connect Discovery schema, I think a SHOULD is reasonable, I don't really like the MUST.
>>> 
>>> 
>>> On Saturday, October 11, 2014 4:30 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>> 
>>> 
>>> Hi all,
>>> 
>>> as one of the proposers (beside Hannes) of the change, I would like to explain the rationale.
>>> 
>>> > -16 is submitted, and there is one suggested change (which I was supposed to have added in already and blew it), which is to replace section 3.2.2 with the text (farther) below. My comments on the suggested text:
>>> 
>>> > #1)  I don't think the dynamic registration stuff is baked enough to want to pull that in to the "oauth-configuration" definition. I don't want to pull it in because I don't think dynamic registration is required for SASL/OAUTH (as evidenced by the Google and Outlook.com implementations.
>>> 
>>> 
>>> Existing implementations at Google and Outlook.com are no evidence against dynamic client registration. They demonstrate that it is possible
>>> to implement the server side. But we are talking about clients (more precisely about generic clients). I'm not aware of any generic
>>> client implementing the SASL mechanisms in the moment. I recommend taking a look at https://bugzilla.mozilla.org/show_bug.cgi?id=849540.
>>> 
>>> Before I dive into the registration details, I would like to give my personal summary why this SASL profile is needed.
>>>   
>>> In my opinion, one of the main purposes of this mechanism is to allow generic clients to authorize access to standard protocols, such as IMAP,
>>> using OAuth Access Tokens. This offers the following advantages:
>>> 
>>> - multi-factor authn: An increasing number of service providers (e.g. Google, Yahoo, Apple) offer 2-factor authentication to their users,
>>> but only for apps and web sites. Why? It currently does not work in conjunction with IMAP and the like. Instead, application-specific passwords
>>> must be used, which offer a terrible user experience and therefore are a significant burden for better Internet                                                   security. Using OAuth access tokens
>>> allows to decouple service access and authentication/authorization process. So the authorization server can choose the appropriate/available
>>> mechanisms to authenticate at its discretion. This also allows to use any kind of (provider-specific) multi-factor authentication methods also
>>> in the context of IMAP and the like.
>>> 
>>> - Furthermore, using OAuth also allows to use refresh tokens as persistent credential for service login, that way eleminating the need to store user
>>> passwords on devices.
>>>   
>>> So basically, the SASL OAuth profile can (at least in my opinion) be a major leap forward in Internet security.
>>> 
>>> Why does this require dynamic registration?
>>> 
>>> Well, OAuth requires any client to possess a client_id (and client_secret) with the particular authorization server. Nowadays developers typically
>>> register with the authz server's provider out of band and bake the credentials into the software package. This works for clients, which
>>> are directly programmed against a certain deployment/API, such as Facebook, but is inappropriate (if not unfeasible) for generic
>>> clients using standardized protocols, e.g. Thunderbird.
>>> 
>>> Or do you want to register the Thunderbird deveopers with every e-Mail/Calendar-provider in the world up-front?
>>> 
>>> I don't think so. That's why the OAuth WG came up with the specification for dynamic client registration, which allows
>>> the client to dynamically obtain client credentials from the authorization server. It basically solves the client credential challenge for generic
>>> clients, but it does integrate the registration step into an overall process.
>>> 
>>> That's why I think we must define a way for a generic SASL client to, based on user-provided data, find the appropriate authorization server and
>>> register with it. I think the SASL mechanism should specify how those mechanisms are used in concert in order to authorize service access using OAuth.
>>> Otherwise, the SASL mechanism can only be used for point to point integrations among partners but never for generic clients.
>>> 
>>> So I think true interoperability calls for addition of registration as well.
>>> 
>>> Regarding state of dynamic client registration: It's not ratified yet but already sent to IESG for publication.
>>> Beside that it is already implement in existing OpenId Connect deployments.
>>> 
>>> > #2)  I didn't really want to make all of the OpenID elements required but I don't have a strong opinion here, my initial intent was to use the OpenID Discovery format as an existing format to be re-used here but leave it flexible.
>>> 
>>> Agreed. Using the format as specified by OpenID Connect makes sense. As generic OAuth differs from OpenID Connect, the WG should (probably in cooperation with
>>> the OAuth WG) discuss, which elements are really needed.
>>> 
>>> > #3)  I am against recommending scope names at all in any way.  I would not include the last sentence of paragraph 5 below and strike the scope names.
>>> 
>>> 
>>> Given there is already a response parameter scope, which intructs the client on what scope to use in the authz request, I tend to agree. I'm not yet fully
>>> convinced whether this approach will work. But let's give it a try.
>>> 
>>> kind regards,
>>> Torsten.
>>> 
>>> 
>>> 
>>> >  New text for 3.2.2:
>>> > -----------------------
>>> > 3.2.2.  Server Response to Failed Authentication
>>> >
>>> >
>>> > For a failed authentication the server returns a JSON [RFC4627]
>>> > formatted error result, and fails the authentication.  The error
>>> > result consists of the following values:
>>> >
>>> >
>>> > status (REQUIRED):  The authorization error code.  Valid error
>>> > codes are defined in the IANA "OAuth Extensions Error Registry"
>>> > specified in the OAuth 2 core specification.
>>> >
>>> >
>>> > scope (OPTIONAL):  An OAuth scope which is valid to access the
>>> > service.  This may be empty which implies that unscoped tokens
>>> > are required, or a scope value.  If a scope is specified then a
>>> > single scope is preferred, use of a space separated list of
>>> > scopes is NOT RECOMMENDED.
>>> >
>>> >
>>> > oauth-configuration (OPTIONAL):  The URL for a document following
>>> > the OpenID Provider Configuration Information schema, as
>>> > described in Section 3 of the OpenID Connect Discovery
>>> > [OpenID.Discovery], that is appropriate for the user.  The
>>> > server MAY return different URLs for users from different
>>> > domains and a client MUST NOT cache a single returned value and
>>> > assume it applies for all users/domains that the server
>>> > suports.  The returned discovery document MUST have all data
>>> > elements required by the OpenID Connect Discovery specification
>>> > populated.  In addition, the discovery document MUST contain
>>> > the 'registration_endpoint' element to learn about the endpoint
>>> > to be used with the Dynamic Client Registration protocol
>>> > [I-D.ietf-oauth-dyn-reg] to obtain the minimum number of
>>> > parameters necessary for the OAuth protocol exchange to
>>> > function.  Authorization servers MUST implement the
>>> > authorization code grant and other grant types MAY be
>>> > supported.  Furthermore, authorization servers MUST implement
>>> > the ability to issue refresh tokens for use with native
>>> > applications to benefit from an abbreviated protocol exchange.
>>> > The use of the 'offline_access' scope, as defined in
>>> > [OpenID.Core] is RECOMMENDED to give clients the capability to
>>> > explicitly request a refresh token.
>>> >
>>> >
>>> > If the resource server provides a scope (as part of the element of
>>> > the configuration payload) then the client MUST always request
>>> > scoped tokens from the token endpoint.  This specification
>>> > RECOMMMENDs the use of the following scopes:
>>> >
>>> > imap:  The 'imap' scope value is used to interact with IMAP mail
>>> > servers.
>>> >
>>> > pop3:  The 'pop3' scope value is used to interact with POP3 mail
>>> > servers.
>>> >
>>> > xmpp:  The 'xmpp' scope value is used to interact with XMPP servers.
>>> >
>>> >
>>> >
>>> > If the resource server provides no scope to the client then the
>>> > client SHOULD presume an empty scope (unscoped token) is needed.
>>> >
>>> >
>>> > Since clients may interact with a number of application servers,
>>> > such as email servers and XMPP servers, they need to have a way
>>> > to determine whether dynamic client registration has been performed
>>> > already and whether an already available refresh token can be
>>> > re-used to obtain an access token for the desired resource server.
>>> > This specification RECOMMENDs that a client uses the information in
>>> > the 'issue' element to make this determination.
>>> > -----------------------
>>> >
>>> >
>>> > I think we're getting very close :)
>>> >
>>> > -bill
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
>> 
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email