[OAUTH-WG] Feedback on draft-jenkins-oauth-public-00
George Fletcher <gffletch@aol.com> Wed, 24 July 2024 23:36 UTC
Providing feedback/questions regarding this individual draft:

Section 1.1
* Is there a reason that only email address based login identifiers are supported? It seems like this profile could be used for other use cases as well.

Section 1.2
* I would recommend this document be more generic, and then a specific profile for, say, IMAP can be defined that then also defines the scopes required for use with an IMAP server.
* This document can just say that scopes required are out of scope (pun intended).

Section 2.1
* Recommend changing the last sentence to... "The rest of this document describes in detail each of the above steps."

Section 2.2
* I recognize that Security Considerations will be filled out in a future version. A topic that needs to be present is the potential implications of proceeding with the flow when not all the required metadata fields are present. I suspect most authorization servers do not have a 'registration_endpoint' URL in their metadata configuration :)
* Can you clarify why the 'token_endpoint_auth_methods_supported' MUST include "none"? If the client is dynamically registering, then it can receive its own instance-specific client_id and client_secret, which allows it to authenticate to the token endpoint. Not requiring client authentication seems dangerous.
* Similar comment for 'revocation_endpoint_auth_methods_supported'.

Section 2.3
* I do not think the developer should be able to do the registration. Instead, this should be required to be completed by the client. This will be the expectation of the Authorization Server if it supports Dynamic Client Registration.
* There are security implications with using a custom scheme. Best practice for mobile apps is to use claimed URIs rather than custom schemes. If custom schemes are the only option in certain cases, the risks need to be clearly called out in the Security Considerations section.
* I'm strongly against allowing the 'token_endpoint_auth_method' to be "none". There is no reason that the default of 'client_secret_basic' can't be used (as far as I understand the profile). I recommend that the registration response from the Authorization Server also include a 'client_secret'. The client can then store the secret appropriately on the device. This secret is instance specific and hence the device must be compromised to extract that secret and impersonate the user.

Section 2.5
* I believe the client should authenticate itself via some mechanism and not just present the client_id.

Thanks,
George
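The two points the feedback raises in Sections 2.2 and 2.3, refusing to proceed when required metadata fields are absent and authenticating the token request with an instance-specific client_secret via 'client_secret_basic' instead of "none", as an added example that is not part of the email or the draft. The metadata document, the list of fields treated as required, and the registration response are constructed for this example.

```python
import base64
import json
from urllib.parse import quote

# Constructed sample of an authorization server metadata document (RFC 8414
# shape); the URLs are made up for this example.
AS_METADATA_JSON = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "registration_endpoint": "https://as.example/register",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
})

# Fields the client needs before it may start the flow. This list is an
# assumption for the example, based on the fields the feedback discusses.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "registration_endpoint", "token_endpoint_auth_methods_supported")


def check_metadata(metadata_json):
    """Parse AS metadata; return (metadata, list of missing required fields)."""
    metadata = json.loads(metadata_json)
    missing = [f for f in REQUIRED_FIELDS if f not in metadata]
    return metadata, missing


def choose_auth_method(metadata):
    """Pick a token endpoint auth method, never an unauthenticated ("none") one."""
    supported = metadata.get("token_endpoint_auth_methods_supported", [])
    if "client_secret_basic" in supported:
        return "client_secret_basic"
    raise ValueError("AS offers no client authentication method we accept: %r" % supported)


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value per RFC 6749 section 2.3.1: each credential is
    form-urlencoded, then 'id:secret' is base64-encoded."""
    creds = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def token_request_headers(metadata_json, registration_response):
    """Refuse to proceed on incomplete metadata; otherwise authenticate the token
    request with the instance-specific credentials from dynamic registration."""
    metadata, missing = check_metadata(metadata_json)
    if missing:
        raise ValueError("refusing to proceed, metadata lacks: %s" % ", ".join(missing))
    choose_auth_method(metadata)  # raises if only "none" is on offer
    return {"Authorization": basic_auth_header(registration_response["client_id"],
                                               registration_response["client_secret"])}
```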