IETF Logo Mail Archive

Re: [OAUTH-WG] Flowchart for legs of OAuth

Skylar Woodward <skylar@kiva.org> Mon, 04 April 2011 18:19 UTC

Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 885EC3A63D2 for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 11:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6bPmdELa2qN for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 11:19:41 -0700 (PDT)
Received: from na3sys010aog104.obsmtp.com (na3sys010aog104.obsmtp.com [74.125.245.76]) by core3.amsl.com (Postfix) with SMTP id 8E85A3A63CB for <oauth@ietf.org>; Mon, 4 Apr 2011 11:19:41 -0700 (PDT)
Received: from source ([74.125.83.51]) (using TLSv1) by na3sys010aob104.postini.com ([74.125.244.12]) with SMTP ID DSNKTZoMI0FfeFavkRYDVLJvFog+2dskZOIB@postini.com; Mon, 04 Apr 2011 11:21:24 PDT
Received: by gwj17 with SMTP id 17so2539621gwj.38 for <oauth@ietf.org>; Mon, 04 Apr 2011 11:21:23 -0700 (PDT)
Received: by 10.236.173.169 with SMTP id v29mr4878505yhl.192.1301941283212; Mon, 04 Apr 2011 11:21:23 -0700 (PDT)
Received: from [192.168.2.8] (74-128-24-154.dhcp.insightbb.com [74.128.24.154]) by mx.google.com with ESMTPS id h4sm2414107yhm.80.2011.04.04.11.21.21 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 04 Apr 2011 11:21:22 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <9E68D140-ED3D-4C62-A6A1-5CE1CDB5C5D9@oracle.com>
Date: Mon, 04 Apr 2011 14:21:20 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <2597C1CF-1067-404A-BFE3-DE8F55A77EA6@kiva.org>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <AANLkTimGjiCGk5dpA=YVzq5vDkLR2+caSz=pZ5WiZO9H@mail.gmail.com> <3C84AD7A-F00F-43EC-AAD3-AD2DCFB46B0E@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F432BB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D84F7E2.6090305@redhat.com> <16B9A882-6204-4CBD-B7E3-1D806AF5056C@oracle.com> <4D8A5054.4050006@lodderstedt.net> <BANLkTiniuuRXtkzLubgOjVursVtOGjFe6A@mail.gmail.com> <7616C235-2913-4EE0-A710-F47A4CC9E424@oracle.com> <BANLkTi=XyF25vB6qKX2q8iOpEaZ1yQx9Jw@mail.gmail.com> <65E3F250-5111-4692-BFA7-F5B838E9B41D@gmail.com> <9E68D140-ED3D-4C62-A6A1-5CE1CDB5C5D9@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1084)
Cc: Kris Selden <kris.selden@gmail.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 18:19:45 -0000

Having worked many years with native Internet consumer software applications, and having worked in those teams in attempt to secure client secrets (be they keys or obfuscated dynamic algorithms), I can say with reasonable confidence that it is impossible to secure client credentials for publicly available applications (where the same credential is shared against all instances of the application).  Both iPhone and PlayStation represent some of the most formidable efforts to secure secrets or data in publicly distributed consumer products.  Systems on these have been successfully broken and this will continue to be the case.  Even if someone has a new technology to propose that they think can prove this wrong, there is no reliable record of success for hiding secrets in the field. We should assume any system distributed for public review can be reverse engineered, and secrets obtained.

I propose that for the sake of this discussion, we continue with the assumption that no native apps with public distribution are able to have client secrets.


(Btw, Kris seemed to be suggesting that users could be prompted to enter a (unique?) app ID and client secret, but this would complicate usability, working against the goals of OAuth in the first place. I'd agree - if native app users had to enter a custom client secret, they might as well obtain their own private access token and enter it instead, by passing OAuth completely).

On Apr 4, 2011, at 2:02 PM, Phil Hunt wrote:

> On 2011-04-04, at 10:47 AM, Kris Selden wrote:
> 
>> A typical iPhone app cannot be shipped with a client secret and rightly or wrongly users expect to only have to enter their credentials once.
> 
> My understanding (and I'm not an iOS expert) is that each iOS application has a secure keystore where the client credential could be stored. I am told this is fairly straight forward. The client app would issue a call out to the external safari browser for the authorization with a redirect back to the app registered (local redirect) such as myapp://authorization_code

v2.23.0 | Report a Bug | By Email