Re: [kitten] [OAUTH-WG] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt
Phil Hunt <phil.hunt@oracle.com> Mon, 13 October 2014 00:37 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66211A7017; Sun, 12 Oct 2014 17:37:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6dhz53MVWVZ; Sun, 12 Oct 2014 17:37:36 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 983031A6FAD; Sun, 12 Oct 2014 17:37:36 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s9D0bY4X002970 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 13 Oct 2014 00:37:35 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9D0bXbF023761 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 13 Oct 2014 00:37:34 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9D0bXtm023746; Mon, 13 Oct 2014 00:37:33 GMT
Received: from [192.168.1.133] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 12 Oct 2014 17:37:33 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_A8A05EEF-F0DF-45A4-8663-03CB27B78FAA"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <54391575.9080707@lodderstedt.net>
Date: Sun, 12 Oct 2014 17:37:31 -0700
Message-Id: <11F6D8A7-003C-45B7-8B2D-98D8CB0EA285@oracle.com>
References: <543914E8.8070507@lodderstedt.net> <54391575.9080707@lodderstedt.net>
To: Torsten Lodderstadt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1878.6)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/E311IxhjPg8tH3Tu4MYjGMLljZY
X-Mailman-Approved-At: Sun, 12 Oct 2014 17:55:17 -0700
Cc: kitten@ietf.org, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [kitten] [OAUTH-WG] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 00:37:40 -0000
Torsten, Big +1 to your comments. I think the SASL-OAuth work is very important work and it is the *classic* use case for OAuth Dynamic Registration. SASL clients are typically developed independently of server implementation and are meant to work with any server. This means that having a pre-negotiated client_id is pretty much impossible without dyn reg or some equivalent solution — and why do another? There may be simpler profiles you can develop specific to SASL, but I think OAuth Dyn Reg should work well for this use case. Phil @independentid www.independentid.com phil.hunt@oracle.com On Oct 11, 2014, at 4:33 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi all, > > there is some discussion going on in the KITTEN WG regarding the SASL/Oauth mechanism that might be of interest for the OAuth WG as well. > > kind regards, > Torsten. > > > -------- Original-Nachricht -------- > Betreff: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-16.txt > Datum: Sat, 11 Oct 2014 13:30:48 +0200 > Von: Torsten Lodderstedt <torsten@lodderstedt.net> > An: Kitten@ietf.org > Kopie (CC): tjs@psaux.com <tjs@psaux.com> > > Hi all, > > as one of the proposers (beside Hannes) of the change, I would like to explain the rationale. > > > -16 is submitted, and there is one suggested change (which I was supposed to have added in already and blew it), which is to replace section 3.2.2 with the text (farther) below. My comments on the suggested text: > > > #1) I don't think the dynamic registration stuff is baked enough to want to pull that in to the "oauth-configuration" definition. I don't want to pull it in because I don't think dynamic registration is required for SASL/OAUTH (as evidenced by the Google and Outlook.com implementations. > > > Existing implementations at Google and Outlook.com are no evidence against dynamic client registration. They demonstrate that it is possible > to implement the server side. But we are talking about clients (more precisely about generic clients). I'm not aware of any generic > client implementing the SASL mechanisms in the moment. I recommend taking a look at https://bugzilla.mozilla.org/show_bug.cgi?id=849540. > > Before I dive into the registration details, I would like to give my personal summary why this SASL profile is needed. > > In my opinion, one of the main purposes of this mechanism is to allow generic clients to authorize access to standard protocols, such as IMAP, > using OAuth Access Tokens. This offers the following advantages: > > - multi-factor authn: An increasing number of service providers (e.g. Google, Yahoo, Apple) offer 2-factor authentication to their users, > but only for apps and web sites. Why? It currently does not work in conjunction with IMAP and the like. Instead, application-specific passwords > must be used, which offer a terrible user experience and therefore are a significant burden for better Internet security. Using OAuth access tokens > allows to decouple service access and authentication/authorization process. So the authorization server can choose the appropriate/available > mechanisms to authenticate at its discretion. This also allows to use any kind of (provider-specific) multi-factor authentication methods also > in the context of IMAP and the like. > > - Furthermore, using OAuth also allows to use refresh tokens as persistent credential for service login, that way eleminating the need to store user > passwords on devices. > > So basically, the SASL OAuth profile can (at least in my opinion) be a major leap forward in Internet security. > > Why does this require dynamic registration? > > Well, OAuth requires any client to possess a client_id (and client_secret) with the particular authorization server. Nowadays developers typically > register with the authz server's provider out of band and bake the credentials into the software package. This works for clients, which > are directly programmed against a certain deployment/API, such as Facebook, but is inappropriate (if not unfeasible) for generic > clients using standardized protocols, e.g. Thunderbird. > > Or do you want to register the Thunderbird deveopers with every e-Mail/Calendar-provider in the world up-front? > > I don't think so. That's why the OAuth WG came up with the specification for dynamic client registration, which allows > the client to dynamically obtain client credentials from the authorization server. It basically solves the client credential challenge for generic > clients, but it does integrate the registration step into an overall process. > > That's why I think we must define a way for a generic SASL client to, based on user-provided data, find the appropriate authorization server and > register with it. I think the SASL mechanism should specify how those mechanisms are used in concert in order to authorize service access using OAuth. > Otherwise, the SASL mechanism can only be used for point to point integrations among partners but never for generic clients. > > So I think true interoperability calls for addition of registration as well. > > Regarding state of dynamic client registration: It's not ratified yet but already sent to IESG for publication. > Beside that it is already implement in existing OpenId Connect deployments. > > > #2) I didn't really want to make all of the OpenID elements required but I don't have a strong opinion here, my initial intent was to use the OpenID Discovery format as an existing format to be re-used here but leave it flexible. > > Agreed. Using the format as specified by OpenID Connect makes sense. As generic OAuth differs from OpenID Connect, the WG should (probably in cooperation with > the OAuth WG) discuss, which elements are really needed. > > > #3) I am against recommending scope names at all in any way. I would not include the last sentence of paragraph 5 below and strike the scope names. > > > Given there is already a response parameter scope, which intructs the client on what scope to use in the authz request, I tend to agree. I'm not yet fully > convinced whether this approach will work. But let's give it a try. > > kind regards, > Torsten. > > > > > New text for 3.2.2: > > ----------------------- > > 3.2.2. Server Response to Failed Authentication > > > > > > For a failed authentication the server returns a JSON [RFC4627] > > formatted error result, and fails the authentication. The error > > result consists of the following values: > > > > > > status (REQUIRED): The authorization error code. Valid error > > codes are defined in the IANA "OAuth Extensions Error Registry" > > specified in the OAuth 2 core specification. > > > > > > scope (OPTIONAL): An OAuth scope which is valid to access the > > service. This may be empty which implies that unscoped tokens > > are required, or a scope value. If a scope is specified then a > > single scope is preferred, use of a space separated list of > > scopes is NOT RECOMMENDED. > > > > > > oauth-configuration (OPTIONAL): The URL for a document following > > the OpenID Provider Configuration Information schema, as > > described in Section 3 of the OpenID Connect Discovery > > [OpenID.Discovery], that is appropriate for the user. The > > server MAY return different URLs for users from different > > domains and a client MUST NOT cache a single returned value and > > assume it applies for all users/domains that the server > > suports. The returned discovery document MUST have all data > > elements required by the OpenID Connect Discovery specification > > populated. In addition, the discovery document MUST contain > > the 'registration_endpoint' element to learn about the endpoint > > to be used with the Dynamic Client Registration protocol > > [I-D.ietf-oauth-dyn-reg] to obtain the minimum number of > > parameters necessary for the OAuth protocol exchange to > > function. Authorization servers MUST implement the > > authorization code grant and other grant types MAY be > > supported. Furthermore, authorization servers MUST implement > > the ability to issue refresh tokens for use with native > > applications to benefit from an abbreviated protocol exchange. > > The use of the 'offline_access' scope, as defined in > > [OpenID.Core] is RECOMMENDED to give clients the capability to > > explicitly request a refresh token. > > > > > > If the resource server provides a scope (as part of the element of > > the configuration payload) then the client MUST always request > > scoped tokens from the token endpoint. This specification > > RECOMMMENDs the use of the following scopes: > > > > imap: The 'imap' scope value is used to interact with IMAP mail > > servers. > > > > pop3: The 'pop3' scope value is used to interact with POP3 mail > > servers. > > > > xmpp: The 'xmpp' scope value is used to interact with XMPP servers. > > > > > > > > If the resource server provides no scope to the client then the > > client SHOULD presume an empty scope (unscoped token) is needed. > > > > > > Since clients may interact with a number of application servers, > > such as email servers and XMPP servers, they need to have a way > > to determine whether dynamic client registration has been performed > > already and whether an already available refresh token can be > > re-used to obtain an access token for the desired resource server. > > This specification RECOMMENDs that a client uses the information in > > the 'issue' element to make this determination. > > ----------------------- > > > > > > I think we're getting very close :) > > > > -bill > > > > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [kitten] I-D Action: draft-ietf-kitten-sasl-oauth… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Bill Mills
- [kitten] Suggested changes for -16 Re: I-D Action… Bill Mills
- Re: [kitten] Suggested changes for -16 Re: I-D Ac… Benjamin Kaduk
- Re: [kitten] Suggested changes for -16 Re: I-D Ac… Bill Mills
- Re: [kitten] Suggested changes for -16 Re: I-D Ac… Benjamin Kaduk
- Re: [kitten] Suggested changes for -16 Re: I-D Ac… Bill Mills
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Torsten Lodderstedt
- Re: [kitten] [OAUTH-WG] I-D Action: draft-ietf-ki… Phil Hunt
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Bill Mills
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Torsten Lodderstedt
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Bill Mills
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Torsten Lodderstedt
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Bill Mills
- Re: [kitten] [OAUTH-WG] I-D Action: draft-ietf-ki… Richer, Justin P.
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Torsten Lodderstedt
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Phil Hunt
- Re: [kitten] I-D Action: draft-ietf-kitten-sasl-o… Bill Mills
- [kitten] proposed softer revision to 3.2.2 Re: I-… Bill Mills
- Re: [kitten] proposed softer revision to 3.2.2 Re… Benjamin Kaduk
- Re: [kitten] proposed softer revision to 3.2.2 Re… Torsten Lodderstedt
- Re: [kitten] proposed softer revision to 3.2.2 Re… Bill Mills
- Re: [kitten] proposed softer revision to 3.2.2 Re… Shawn M Emery
- Re: [kitten] proposed softer revision to 3.2.2 Re… Bill Mills
- Re: [kitten] proposed softer revision to 3.2.2 Re… Bill Mills
- Re: [kitten] proposed softer revision to 3.2.2 Re… Benjamin Kaduk
- Re: [kitten] proposed softer revision to 3.2.2 Re… Bill Mills
- Re: [kitten] proposed softer revision to 3.2.2 Re… ⌘ Matt Miller
- [kitten] draft-17 Re: proposed softer revision to… Bill Mills