Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
William Denniss <wdenniss@google.com> Fri, 28 December 2018 07:34 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 638E1130FED for <oauth@ietfa.amsl.com>; Thu, 27 Dec 2018 23:34:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qEMXCp4NQJKZ for <oauth@ietfa.amsl.com>; Thu, 27 Dec 2018 23:34:50 -0800 (PST)
Received: from mail-it1-x12c.google.com (mail-it1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA8FD130FE8 for <oauth@ietf.org>; Thu, 27 Dec 2018 23:34:49 -0800 (PST)
Received: by mail-it1-x12c.google.com with SMTP id h193so26284180ita.5 for <oauth@ietf.org>; Thu, 27 Dec 2018 23:34:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ApY3Cvokea3+LTHzLK9hQ5GOmn8nTKFBWNOCzNVRrOk=; b=TnQhe9m/GnjQ+UigW42nid78JhBq+RUWYufkjbQDGnmJW7bhYPKj7sZUcGksvVBDVZ miojPLwuYTVzou0rOLOJPQSvWdACEFGOB93s2DCk4y1jqe24WWMosHvySOdLZZ405SuA 0nFtyF3URJDzq/PR/L+vbqkwvC5qBKiiw+WDHGQ00d3BZmDhKsWiy2mYAGEfEdP/1DMR u/JxFZWe+C2TuTS+r1NEs8mwP8MbGG4y+5+yKySIW+xjB9KS3QQHpCbOLBnSLU7quwjT g61/Y0mP6J3vJyn6Md3lAqX2jVot3csCIG0eNfLigj0On6osRQ84d0TiJxIYkE8tU+YT qKlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ApY3Cvokea3+LTHzLK9hQ5GOmn8nTKFBWNOCzNVRrOk=; b=JawC30l5fEfO5PQgU/8+1VHvw4+qCd8+z9smz3gv7LYfe7JQQWaPIbbqniO7hSzNWt EEcBTzHHnYIPIiTWsLUp+hnNMHGucjHGWW887VShWUGWHyhUoB8gWf2TvId1X00wy9XF KKZMReZI03SP4qHkniqZxRD3YXFqmep3zBoTK4xUg1SzERDqprTICliu1hXmrmu360Uh LrxXlkBYtTIegyzh5U+O2fYocOoUSgQMkgwdbbRrixkzMyt/I2yd3rElhD1jpPpqRUxl SErUJFYizkBapjXqMfGVM0d0WbynkTEjI1PPS91btRvHI2POnTlrBaD91I5eYEPIFadl IYjA==
X-Gm-Message-State: AA+aEWafLKweik+SiV+I9YR2aFZuTwBEA5ZYX16Z/8EQFRddSGe6tl23 llYPinV84dZfOLeKSYXXU5mbUu6+UOLWJI4UcKtVzQ==
X-Google-Smtp-Source: AFSGD/WjIrw/kE3kW9N+CtiJnlw/4XrneGSzL9min94+3DxrkwSVReNH6zYIfINbySEvYO5DI6+5VSZ2TF6CXTIxSFc=
X-Received: by 2002:a24:c584:: with SMTP id f126mr18711777itg.162.1545982488800; Thu, 27 Dec 2018 23:34:48 -0800 (PST)
MIME-Version: 1.0
References: <153305269020.3071.5881779499900104302.idtracker@ietfa.amsl.com> <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com> <6EDF694B-553E-45FF-99A4-3034FA393372@cooperw.in>
In-Reply-To: <6EDF694B-553E-45FF-99A4-3034FA393372@cooperw.in>
From: William Denniss <wdenniss@google.com>
Date: Fri, 28 Dec 2018 17:34:37 +1000
Message-ID: <CAAP42hCFrKkvJ33YS4vEALCec8t7kEpozCi0K5LCmyFE0dNP+g@mail.gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Cc: IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000137bec057e101947"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-LSZ1lFq5Ue_BvzUuMQHaYNYi5I>
Subject: Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2018 07:34:52 -0000
Hi Alissa, Version -13 contains both these improvements, thank you for your feedback! Detailed response inline below: Best, William On Fri, Aug 3, 2018 at 6:22 AM, Alissa Cooper <alissa@cooperw.in> wrote: > Hi William, > > On Aug 2, 2018, at 2:41 PM, William Denniss <wdenniss@google.com> wrote: > > Alissa, > > Thank you for your review. Replies inline: > > On Tue, Jul 31, 2018 at 8:58 AM, Alissa Cooper <alissa@cooperw.in> wrote: > >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I support Mirja's DISCUSS point #3 which was also raised by the Gen-ART >> reviewer. The Gen-ART review also included a number of other useful >> comments. >> Please address them. >> > > We're working through the comments, some were addressed in -12, and the > work continues. > > >> >> Perhaps this is implicit, but I found it a little odd that there is no >> mention >> of whether the device codes and user codes are expected to be unique to >> individual devices. >> > > The are definitely expected to be unique. > > Section 3.2 currently states "the authorization server generates a device > verification code and an end-user code that are valid for a limited time" > > The assumption was that the "generated" codes would be unique. I will add > the word unique in future version (13), so it will read "generates a unique > device verification code…” > > > Great. > Section 3.2 of version 13 reads in part: the authorization server generates a *unique* device verification code and an end-user code that are valid for a limited time > > > > >> Section 3.3: >> >> "It is NOT RECOMMENDED for authorization servers to include the user >> code in the verification URI ("verification_uri"), as this increases >> the length and complexity of the URI that the user must type." >> >> I don't fully understand the justification for the normative requirement >> here. >> The user ultimately ends up typing in both strings, right? Is it so much >> more >> complex to type them both into a browser bar contiguously than to type >> the uri >> into the browser bar and the code into some form field on the page such >> that >> the normative requirement is warranted? >> > > Yes, the user will need to type both strings regardless. > > The main reason for the recommended separation is that the URI can't be > validated/corrected – either they type it correctly and they get to the > page, or they don't. But for the user-code, the page can display an error > if the user types it wrong. The belief is that it's a better user > experience that they get to the page, and then continue the input from > there rather than get browser errors if they typed the user-code part of > the URI wrong. > > > Got it. I think it would help to add this explanation to the document. > > Added an explanation to Section 3.3 in version 13: It is NOT RECOMMENDED for authorization servers to include the user code in the verification URI ("verification_uri"), as this increases the length and complexity of the URI that the user must type. *While the user must still type the same number of characters with the user_code separated, once they successfully navigate to the verification_uri, any errors in entering the code can be highlighted by the authorization server to improve the user experience.* The next section documents user interaction with "verification_uri_complete", which is designed to carry *both pieces of* information. > Thanks, > Alissa > > > This is also how every implementation I've seen has actually implemented > it. > > As written, if the authorization server were to include the code in the > URI, this would then raise the question of what should be in the user_code > (e.g. would it be the empty string?) and how the device client should > render the instructions in that case. I think the spec is simpler if we > recommend one preferred approach based on the usability best-practices > derived from the implementation experience of earlier drafts. > > Section 3.3.1: >> >> Wouldn't there be textual instructions about how to use the QR code also >> included here? If the point is to illustrate the UI it seems like those >> should >> be included too. >> > > Good point! Figure 3 was updated to include QR scanning instructions. > > Best, > William > > >
- [OAUTH-WG] Alissa Cooper's No Objection on draft-… Alissa Cooper
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… Alissa Cooper
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… Benjamin Kaduk
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss