Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
Brian Campbell <bcampbell@pingidentity.com> Wed, 30 May 2018 19:57 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96C1012EBA8 for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 12:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12paUeQl_zWR for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 12:57:11 -0700 (PDT)
Received: from mail-io0-x243.google.com (mail-io0-x243.google.com [IPv6:2607:f8b0:4001:c06::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02E0412EB53 for <oauth@ietf.org>; Wed, 30 May 2018 12:57:06 -0700 (PDT)
Received: by mail-io0-x243.google.com with SMTP id t5-v6so10496310ioa.8 for <oauth@ietf.org>; Wed, 30 May 2018 12:57:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=92x3L1zwMYXxCrf2uV1D2cUM/MUjk3zcdSsP6OiRZJw=; b=Di5XGVgVvKcTW9uv3Vhf9wdX5/lqqigRI+LRxiNYV5gMvWT1rSeesEirRJ+fp2N1gK ASGAd5QXYW6Zb/GQJNTImBxT5oadmeILJ9n0wIHIcvGbsqJlcMfDUMhrJt5sfvr3GrS7 +gqarffZEttkPBH3yur33E89hnFC8HOPoM038=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=92x3L1zwMYXxCrf2uV1D2cUM/MUjk3zcdSsP6OiRZJw=; b=taORVO4y1giRBxaQpSitY5p8fksdH9Ak2lr1a+jLd89zpqS7YPtyamrk8sF4zvSZsD SwQJ4Oo4Lv5E0YM2OoettZQg/BHFD5XiF0qQawUss2DE6R1kVcQM4y63000GX/yDzP3Y c1+H3azgV5C2Ileet89whCkmVTV6ASMsl3Njs2lKR5poyt944a2iKs0K3HfOvVHCzpGh VctVoT52DwtbT1bIS8TW57Vfjmbe7FZA04QIfdgT/0Q93DwO5UNvACEd8WKqiecZQUd0 lxdN1oSWl6nNT6l7DWg36T0W0e1arNHwiqEG67hE5dwmU6j//CaSru4+HBJN8q4SQfZj rOvA==
X-Gm-Message-State: APt69E3r3Zcb8myM5dFcUBjYZQNsAmrA6klcfw5y6lvstrPh9eBZpCqC b0Na3qVjcosuItc3FQZAc5zdgiVT/Gox/GPX7sy/N3Ocgo4aa9zE/43tZmsQ1UqnqUYkIKSw1zM wWctewIREtP3NEQ==
X-Google-Smtp-Source: ADUXVKLqEjHkUwAQXJBfV+xa/3AaEIOOpb9gbPlVff1zYJ21ynV6UbPZ9S13nJpPRznbNj+FGU5eHf4id9IdNxiy9nI=
X-Received: by 2002:a6b:591:: with SMTP id 139-v6mr3248260iof.282.1527710225130; Wed, 30 May 2018 12:57:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Wed, 30 May 2018 12:56:34 -0700 (PDT)
In-Reply-To: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 May 2018 13:56:34 -0600
Message-ID: <CA+k3eCRTteQmKP9xdba2zNLknQerQpHbVxp98Okq4a8gvMessw@mail.gmail.com>
To: ietf@ietf.org
Cc: IETF-Announce <ietf-announce@ietf.org>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004a2900056d71c1b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3aY1G-alyR6Xf6LdVnTFunAaKQo>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 19:57:21 -0000
In reading the draft (again) I noticed a couple of things that, while maybe not substantive, seemed like they were worth raising here in last call: 1: In Section 3.5 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09#section-3.5> a new 'expired_token' error code is defined for when the 'device_code' has expired and the client will need to start the flow over. Shortly after the new error code definition there is text in that section that says 'If the verification codes have expired, the server SHOULD respond with the standard OAuth error "invalid_grant". Clients MAY then choose to start a new device authorization session.' This reads to me like: here's a new error for expired device code but this other code SHOULD be used for expired device code. Am I confused or otherwise missing something? I kinda suspect that the intent is that expired_token can be returned for codes that are known to be expired while invalid_grant is more of a catch all for codes that may have expired long enough ago that they have been purged from server memory/persistence or are otherwise unknown. That's my guess anyway. But the current text seems somewhat contradictory, which I think could be clarified/fixed. 2: In section 5 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09#section-5.5> about security considerations for Non-confidential Clients there's a pointer to recommendations from Section 8.9 of [RFC8252] <https://tools.ietf.org/html/rfc8252#section-8.9>, which is about using the "state" parameter in the authorization request to protect against cross-app request forgery. That doesn't seem right or relevant to the device flow, does it? Was it intended to point to section 8.5 in RFC8252 <https://tools.ietf.org/html/rfc8252#section-8.5>? Or something else? On Tue, May 29, 2018 at 4:20 PM, The IESG <iesg-secretary@ietf.org> wrote: > > The IESG has received a request from the Web Authorization Protocol WG > (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for > Browserless and Input Constrained Devices' > <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits final > comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may be > sent to iesg@ietf.org instead. In either case, please retain the > beginning of > the Subject line to allow automated sorting. > > Abstract > > > This OAuth 2.0 authorization flow for browserless and input > constrained devices, often referred to as the device flow, enables > OAuth clients to request user authorization from devices that have an > Internet connection, but don't have an easy input method (such as a > smart TV, media console, picture frame, or printer), or lack a > suitable browser for a more traditional OAuth flow. This > authorization flow instructs the user to perform the authorization > request on a secondary device, such as a smartphone. There is no > requirement for communication between the constrained device and the > user's secondary device. > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ > > IESG discussion can be tracked via > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > > > The document contains these normative downward references. > See RFC 3967 for additional information: > rfc6819: OAuth 2.0 Threat Model and Security Considerations > (Informational - IETF stream) > draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile > (None - ) > rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF > stream) > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Last Call: <draft-ietf-oauth-device-fl… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Eric Fazendin
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Naveen Agarwal
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… George Fletcher
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss