IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries

Joseph Heenan <joseph@authlete.com> Wed, 02 March 2022 16:23 UTC

Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096F53A0BC9 for <oauth@ietfa.amsl.com>; Wed, 2 Mar 2022 08:23:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxUU5k5O0kIL for <oauth@ietfa.amsl.com>; Wed, 2 Mar 2022 08:23:39 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED3413A077A for <oauth@ietf.org>; Wed, 2 Mar 2022 08:23:38 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id bk29so3631140wrb.4 for <oauth@ietf.org>; Wed, 02 Mar 2022 08:23:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=IEMFe1+MnhqL3JpysaDoqhxW3nYaZ/7y95zOhqIIz0U=; b=OFOEs8Ju6TNGFwHOycL2xbLyUhoeV6z0TsH7QPwFWu5NrwM2O4KLhUQsnzKKQ/12VY SOSy28GSxhzgB/45YA2kLPXhLPI7deIivIHTaLuX4+u8c0ygxTZRLffU2EEBNNQGPrBC 4LFB4IxiqwFAcjMk33RVGtr1nEknJ3LhHTZyUcTMsIY1PyWmtwodY5y2lkOOFySTepQa YNgvh5uCe/8wUSM9quBgTdT91rvk7O5m29hqW0nUQxbmRl4u7kR8jlUAz03iJAihgUU6 l0H6yyvk57jeggjLKqOKvWHfpf5EBRMzhLH/OCT0FRnxiquMLULOR2GrTn51EYt7bY98 qzaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=IEMFe1+MnhqL3JpysaDoqhxW3nYaZ/7y95zOhqIIz0U=; b=MMrKiRr4I8sA+CRi1Ty14Bg3fsM2Jx5oTnelytVPcuhGui3anBjY9BurqniKrJxnkr dyxBpovEbyakEy/7VASxet2EW5jrE4B3FGm7imIGKPjYXjYndBBEkpUtm+jJr7P3/Sv7 Lji9qdFjTMfOThV9Iq7Pjxpu+RNzr0DKay0WRdRKUJoK6J8byYtrcX42lIwPJ50FMZrR UUpK5EeTQnebJKeSwcJkWJ4zmlac7z539pSOR1rdvDPcfa0EIpt5+XMvbEK3Y3ItjGNH Rl66csxTLYJ2+z5GgCSaLSbKE6NY7RNElrfpZvQasfE3ktmFV9m63q4xAO7MP9s1lw8P wlcw==
X-Gm-Message-State: AOAM533ADldmAiqj+FPQEX5K/hei/Lyi+v3QF5mwvf4bc3x4A6LgNEae 5CM2fS/0TGe2FSfAkUVH6O/ae7NvzJU3Lw==
X-Google-Smtp-Source: ABdhPJzlEQj+bmTNSIdY9aKv/SUjQZwDrcySjh6iYcm+ybAKEWAqquRrpVQeqD2EP9cakAiAWkvTSA==
X-Received: by 2002:a5d:4528:0:b0:1ee:ea7f:b97d with SMTP id j8-20020a5d4528000000b001eeea7fb97dmr22224588wra.593.1646238216457; Wed, 02 Mar 2022 08:23:36 -0800 (PST)
Received: from smtpclient.apple (static-90-250-10-57.vodafonexdsl.co.uk. [90.250.10.57]) by smtp.gmail.com with ESMTPSA id v5-20020adfe4c5000000b001edc1e5053esm16797554wrm.82.2022.03.02.08.23.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Mar 2022 08:23:36 -0800 (PST)
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <7F0B98D8-8C34-4EC4-A89E-4EA480D9AEE6@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C490B0ED-94ED-41BE-9413-DF522BA07CEC"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Wed, 02 Mar 2022 16:23:35 +0000
In-Reply-To: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
Cc: oauth <oauth@ietf.org>
To: Daniel Fett <fett@danielfett.de>
References: <c9e1d356-2f28-e82f-d021-5331e2fc366d@danielfett.de>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/25iG9HOKehLrJ2bIdg7-rpgGP38>
Subject: Re: [OAUTH-WG] OAuth: The frustrating lack of good libraries
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 16:23:44 -0000

Hi Daniel

I do think it’s a problem that’s worth addressing somehow.

I think there’s another factor, which is that the providers of OAuth2 Authorization Servers (where they don’t have their own SDKs specific to their server) tend to lead the developer through how to do a “from scratch” implementation of OAuth2 and rarely if ever mention any libraries. (So a chicken and egg problem, because as you note there are languages without obvious good libraries to point people at.)

There’s even a set of documentation I’ve seen that links to an online PKCE generator and appears to imply that the developer should just generate the values once and hardcode them into every request…

I agree that pushing AS metadata will help matters. One of the downsides of maintaining OAuth2 libraries is dealing with constant “bug” reports when the library appears to a naive developer not to work correctly with a particular provider.

I’ve found https://jwt.io/libraries <https://jwt.io/libraries> a very useful reference for JWT libraries; anything of a similar nature for OAuth libraries sounds good to me.

Joseph



> On 1 Mar 2022, at 17:18, Daniel Fett <fett@danielfett.de> wrote:
> 
>  Hi all,
> 
> While helping clients to onboard into the yes ecosystem, in my consulting work, and in discussions with developers implementing OAuth 2.0, one topic comes up increasingly often: The (somewhat frustrating) lack of good, modern, and universal OAuth libraries. 
> 
> Many of the libraries out there have one or more of the following drawbacks:
> 
>  * They are not maintained any longer
>  * They are not well documented (e.g., it is often unclear which specifications are supported)
>  * They support only a subset of the OAuth 2.0 specification
>  * They work only with selected providers (e.g., Google, Facebook, etc.)
>  * It is unclear whether they follow recent security recommendations
>  * They do not support modern features, such as PKCE, AS Metadata, MTLS, etc.
> 
> Exceptions exist, of course, like Filip's Node.js implementation and the nimbus library for Java. But apart from those rare cases, when a developer asks me what library to use, my answer is often: "I don't think there's a good one in your language". It is a telltale sign that many providers of OAuth protected APIs also provide a custom OAuth implementation in their SDKs, which they then often have to maintain for a number of languages. This creates unnecessary costs and friction, e.g., when introducing new security features.
> 
> At the same time, practically every language/framework comes with a TLS stack and making HTTPS requests is often just a few lines of code. Why aren't we there yet with OAuth? I'm well aware that OAuth 2.0 is a framework, not a single protocol like TLS, but the mentioned libraries show that this does not preclude a comprehensive library support.
> 
> If I had to speculate about the reasons for this mess, I'd say that there are three:
> 
>  * The core of OAuth is easy to implement. The need to create or use a library might not be obvious to developers. Of course, if you want a proper implementation with correct error handling, observing all the security recommendations, etc., the effort is huge. But just getting OAuth to work for one specific use case is relatively easy.
> 
>  * OAuth is traditionally hard to configure: authorization and token endpoint URLs, client id and secret, supported scopes (and claims for OIDC), supported response types and modes, and required security features are just some of the things a developer has to figure out - often from the API's documentation - to get everything up and running. Even though configuration is not the same as implementation, I imagine that this complexity can lead to the perception that there are barely any commonalities between different OAuth flows. There might be no value, after all, in an OAuth library, if I have to provide so many details myself.
> 
>  * With many extensions and specifications to choose from, it can be hard to select a reasonable subset to support. 
> 
> What can we do about this?
> 
> I'm not sure, but I have a few ideas.
> 
>  * Of course, one step would be to increase visibility and documentation for existing implementations: Beyond listing libraries (like the list on oauth.net), it would be great to have a place to go to to find libraries based on their feature support. I'm sure there are more good libraries out there.
>  * The OpenID Foundation has a great set of conformance tests for OIDC, FAPI and other stuff. Creating conformance tests for OAuth would be harder, given that the framework leaves many options for implementers to choose from. I’m not sure if running a conformance programme would be in the scope of IETF, but it can be worthwhile to think about if we could support such an endeavor.
>  * The single most important thing to do would, in my opinion, be to set a goal: Tell library developers and language maintainers what can be expected from a good, modern, and universal OAuth library. Such a recommendation would shine a light on the most important extensions for OAuth like PKCE and might even be a prerequisite for conformance tests. It may turn out to be OAuth 2.1 or something else. For me, this would in any case include AS Metadata, as that is the single most valuable building block we have to address configuration complexity. 
> 
> I would be interested to hear what others think about this. Is this a problem worth addressing? Are there other solutions? Is this out of scope of our work here? 
> 
> -Daniel
> 
> -- 
> https://danielfett.de <https://danielfett.de/>_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email