[kitten] minor issue with scope and RFC 6749 ABNF in sasl-oauth

Benjamin Kaduk <kaduk@MIT.EDU> Mon, 23 March 2015 05:26 UTC

Date: Mon, 23 Mar 2015 01:26:20 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: kitten@ietf.org
Message-ID: <alpine.GSO.1.10.1503230110340.22210@multics.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/VEiHwojxn-XNyxTFcu9xoKl85Ro>
Cc: oauth@ietf.org
Subject: [kitten] minor issue with scope and RFC 6749 ABNF in sasl-oauth

Hi all,

During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I noticed
an old comment from Matt back in December 2013, in
http://www.ietf.org/mail-archive/web/kitten/current/msg04488.html .

The relevant point here is that sending a scope of "" (the empty string)
during the authorization request violates the ABNF in RFC 6749.  (The
other concerns seem to have been addressed by suggesting that a single
scope be used, when recommending against a space-separated list.)

In the current draft-ietf-kitten-sasl-oauth-19, in section 3.2.2 ("Server
Response to Failed Authentication"), we provide a way for the server to
tell the client what scope to use, in a custom JSON message defined in the
sasl-oauth document.  This error response has no obligation to comply with
the ABNF of RFC 6749, so saying both that the scope field is optional and
that it "may be empty which implies that unscoped tokens are required, or
a scope value" does not cause any compliance issues.  However, a few
paragraphs down, we furthermore say that "[i]f the resource server
provides no scope to the client then the client SHOULD presume an empty
scope (unscoped token) is required to access the resource."  The phrase
"empty scope" here is concerning, and seems to suggest sending scope="",
which is disallowed by RFC 6749.

The simple fix would be to just replace "empty scope (unscoped token)"
with "unscoped token".

However, it is a bit aesthetically unpleasing to have our new JSON
structure diverge from the existing ABNF guidelines; we may wish to just
utilize the optionality of the scope field in the server's response to
failed authentication, and remove the mention of an empty value for that
field.  This proposal is a change to the wire protocol, and so we would
need consensus from the working group to move forward with it -- in
particular, we would like to know if there are existing implementations
which would be affected by this change.

Please comment about the proposal to remove the option of an empty scope
in the server's response to failed authentication, both from the protocol
change standpoint and from its effects on existing implementations.

Thank you,

Ben
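As an added example (not part of Ben's message, the draft, or any implementation), a small Python check of the RFC 6749 Section 3.3 scope ABNF showing why scope="" is invalid, and how a client can map a sasl-oauth failure response whose scope field is absent or empty to simply omitting the scope parameter in its authorization request. The JSON bodies and client_id are constructed sample values.

```python
import json
import re
from typing import Optional
from urllib.parse import urlencode

# RFC 6749, Section 3.3:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# The empty string matches neither rule, so scope="" is not a legal value;
# an unscoped request omits the parameter altogether.
_SCOPE_TOKEN = r"[\x21\x23-\x5B\x5D-\x7E]+"
_SCOPE_RE = re.compile(rf"^{_SCOPE_TOKEN}(?: {_SCOPE_TOKEN})*$")


def is_valid_scope(scope: str) -> bool:
    """True iff `scope` matches the RFC 6749 scope ABNF."""
    return _SCOPE_RE.fullmatch(scope) is not None


def scope_from_failure_response(body: str) -> Optional[str]:
    """Interpret the sasl-oauth 3.2.2 failure JSON from the server.

    Returns None when an unscoped token is wanted, i.e. the field is absent
    or (under the -19 wording) empty; otherwise the scope string, which must
    itself satisfy the RFC 6749 ABNF before the client forwards it.
    """
    scope = json.loads(body).get("scope")
    if scope is None or scope == "":
        return None
    if not isinstance(scope, str) or not is_valid_scope(scope):
        raise ValueError(f"server scope {scope!r} violates RFC 6749 scope ABNF")
    return scope


def token_request_params(client_id: str, scope: Optional[str]) -> str:
    """Build the authorization-request query string; the scope parameter is
    left out (never sent as scope="") when an unscoped token is requested."""
    params = {"response_type": "token", "client_id": client_id}
    if scope is not None:
        params["scope"] = scope
    return urlencode(params)


# Constructed sample failure responses (assumed field names, not from the draft).
EMPTY_SCOPE_BODY = '{"status":"401","scope":""}'
NO_SCOPE_BODY = '{"status":"401"}'
SCOPED_BODY = '{"status":"401","scope":"example_scope"}'
```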