Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Neil Madden <neil.madden@forgerock.com> Wed, 24 February 2021 12:21 UTC

From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <02A263F5-8109-4D3B-A684-D9B574260B50@forgerock.com>
Date: Wed, 24 Feb 2021 12:20:56 +0000
In-Reply-To: <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com>
Cc: Warren Parad <wparad@rhosys.ch>, Carsten Bormann <cabo@tzi.org>, Phillip Hallam-Baker <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, ietf@ietf.org
To: Bron Gondwana <brong@fastmailteam.com>
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4qLb3Y_zdIhnvxKNNBIuC3ZjXB4>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

On 24 Feb 2021, at 11:39, Bron Gondwana <brong@fastmailteam.com> wrote:
> 
>> 
>> […]
> 
> Let's get down to use cases then, rather than talking in abstracts.
> 
> I'm an end user with a copy of {The Bat email client} and I want to connect it to {Gmail} + {Yahoo} + {My ISP}.  It supports {POP3}, a widely popular open standard.  I want to be able to authenticate to each of those services without saving my plaintext passwords on my hard disk where the next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account, leaving me destitute.
> 
> But, {The Bat} doesn't have a trusted client cert from my ISP, because who does - so there's no good protocol for me - it's either plaintext auth, or it's some architecture astronaut multi-party nonsense that's massively over specified and doesn't work half the time.  So I write a plain text password on a post-it note which is lying in the dust under my monitor because the glue has gone bad, and I hope I never accidentally click "remember me" when I type it in.
> 
> That's been the reality of the end user experience for very many years.
> 
> NxM means that you can authenticate an arbitrary client against an arbitrary server so long as they are both speaking a known public protocol, without needing to build a trust relationship between the client vendor and the server vendor first.

Does the following meet your needs?

You type your email address into {The Bat} to begin configuration. {The Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}. The discovery document reveals that {My ISP} supports open dynamic client registration [3][4] so {The Bat} registers and gets issued with a client id and client secret. {The Bat} then does a normal OAuth flow to get an access token to access your emails from {My ISP}. If you later stop using {The Bat} you can go to your page on {My ISP} and revoke its access because it has a unique client id.

[1]: https://openid.net/specs/openid-connect-discovery-1_0.html
[2]: https://tools.ietf.org/html/rfc8414
[3]: https://openid.net/specs/openid-connect-registration-1_0.html
[4]: https://tools.ietf.org/html/rfc7591

> 
> Any "trust relationship" is made through a user both who trusts the client and trusts the server, and it's not transitive over to other users of the same client and the same server.  The client author doesn't need to get a signed "I trust you" from every single server, and the server author doesn't have to go identify every single client.
> 
> That's what NxM means to a user, the ability to use arbitrary clients with arbitrary servers so long as they both implement a documented protocol.  Interoperability.

That’s fine for your use-case, but that isn’t everybody’s use-case. Other use-cases (such as Open Banking) involve regulatory or policy frameworks in which open dynamic client registration is not appropriate. JMAP could have an RFC describing the use of OAuth with JMAP that mandates open dynamic client registration and discovery.


— Neil


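As an added example (not code from this thread, from ForgeRock or from any mail client), here is the client side of the flow Neil sketches: validate the discovered metadata, build an RFC 7591 registration request, read back the issued client id, then form an ordinary authorization-code request with PKCE. The metadata document, the registration response and the provider name example-isp.test are constructed for the example; how the client maps an email address to the metadata URL (WebFinger in OIDC Discovery) is not shown.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample metadata document (RFC 8414 / OIDC Discovery shape);
# the provider "example-isp.test" is made up for this example.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example-isp.test",
    "authorization_endpoint": "https://auth.example-isp.test/authorize",
    "token_endpoint": "https://auth.example-isp.test/token",
    "registration_endpoint": "https://auth.example-isp.test/register",
    "code_challenge_methods_supported": ["S256"],
})
# Constructed sample RFC 7591 registration response from that provider.
SAMPLE_REGISTRATION_RESPONSE = json.dumps({
    "client_id": "thebat-7f3a", "client_secret": "constructed-secret-value",
    "client_secret_expires_at": 0, "redirect_uris": ["http://127.0.0.1:8765/cb"],
})

def parse_metadata(doc):
    """Validate the discovery document before trusting any endpoint in it."""
    md = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if urlparse(md.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    if "registration_endpoint" not in md:  # no open dynamic registration offered
        raise ValueError("provider does not advertise dynamic client registration")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not support PKCE S256")
    return md

def registration_request(client_name, redirect_uri):
    """RFC 7591 body a native mail client would POST to registration_endpoint."""
    return {"client_name": client_name, "redirect_uris": [redirect_uri],
            "grant_types": ["authorization_code", "refresh_token"],
            "response_types": ["code"], "token_endpoint_auth_method": "client_secret_basic"}

def parse_registration_response(body):
    """Return (client_id, client_secret); the client_id is what the user later revokes by."""
    resp = json.loads(body)
    if "client_id" not in resp:
        raise ValueError("registration failed: no client_id in response")
    return resp["client_id"], resp.get("client_secret")

def authorization_url(md, client_id, redirect_uri, scope="openid mail"):
    """Authorization request with state and PKCE; returns (url, state, code_verifier)."""
    verifier = secrets.token_urlsafe(48)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return md["authorization_endpoint"] + "?" + urlencode(params), state, verifier
```

The client keeps `state` and `verifier` for the callback and token exchange; the secret it stores is the per-installation client secret plus refresh token, not the user's mailbox password.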