Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
William Denniss <wdenniss@google.com> Thu, 02 August 2018 21:57 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CDF130E29 for <oauth@ietfa.amsl.com>; Thu, 2 Aug 2018 14:57:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ml2BHWtog3Dc for <oauth@ietfa.amsl.com>; Thu, 2 Aug 2018 14:57:08 -0700 (PDT)
Received: from mail-ua0-x234.google.com (mail-ua0-x234.google.com [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0F54130E2A for <oauth@ietf.org>; Thu, 2 Aug 2018 14:57:07 -0700 (PDT)
Received: by mail-ua0-x234.google.com with SMTP id r10-v6so2529428uao.1 for <oauth@ietf.org>; Thu, 02 Aug 2018 14:57:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OssZ4Y6IZmE7q+trQPKjxjee6Yc9gvNn/R++aSTGeDk=; b=T7lAX+IsQvTdUHFWVIOKHR7XuNzSTn2B/tAbFZ2aVcrIhhTPoH4li6ia7WmLwVgool JRt21QOavtHhfccrsN+rteI/9zuZpaXnItU4t88E8OUtHSwyhfWAtzBUEjfJZI5yA+XE SBcutDLv1kfBPHZ/XILZnsNAbWCyE9i53UQG2avNH7hgfuHj4034UB0pDCsdY3ml3+v9 PZ3ffyaHlBJ2lv/jrrZpidFHT3fvrLXMF8FyZVwrPrSVvnAcXc3PFXWvHReUFMTj/agy EYg1xTZqtoZANuj/ccsv1YAn1zKVShj0o9f+enJGt6MTWxBOkGGgDIr2emnwmtYTSYgg lOxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OssZ4Y6IZmE7q+trQPKjxjee6Yc9gvNn/R++aSTGeDk=; b=t4P0GV9fGU299WuRUP3Q0LL3lXPoOrJ+6sBnLgzAfrAvWhB1v1WJYhyxRss2cJR4FK vn8tqJ8l6GFPQXK/rQ7iibLOmuOqF/ttahylsZMCKr5JdQFzpBh7LVRBc9zY/a6a0jaP H7gCP0g/o/HQlN3LBb5GUqvaKquEjbhIYenK+TOckgHvO/+n8ZFwGZto5rLQU6efZVWl UcX/ntOX92Nh0M9Gv/zGXgfxSP0MF2Ai6Gi9YGA/v5uHTy8z8kyobVFPjcg7/R/MHVwr 0h+ukYtpSLaX2iIwwh04KPgLWOXuQ8qGIgRnONQSlLmk/sUWw0V9bcCinAOooPf4gDPw FW9w==
X-Gm-Message-State: AOUpUlGsr+E8PH96nxSLP3dgRz7H+UOP8kmEUP57sN0hVJ0SLMQC5Hjs c3umU77djFqTGegHcNsrhNRutu/4gIk4VDiDsb3pTw==
X-Google-Smtp-Source: AAOMgpc4mWbrcnXzPZS/TfOZkWCBLhbRc2jmIxsqsIrXQFdBI5HFAmzKlGfXsspS9sOtpzSqgRjIDjSKKTrzjdg4EnE=
X-Received: by 2002:ab0:4987:: with SMTP id e7-v6mr979461uad.198.1533247026477; Thu, 02 Aug 2018 14:57:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:185a:0:0:0:0:0 with HTTP; Thu, 2 Aug 2018 14:56:45 -0700 (PDT)
In-Reply-To: <153315936951.22029.4751693198552667112.idtracker@ietfa.amsl.com>
References: <153315936951.22029.4751693198552667112.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 02 Aug 2018 14:56:45 -0700
Message-ID: <CAAP42hBcF524kXtuQJY9-GMgXwsNM5NW44AyGM8nBTtF28PAWA@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e41ab05727ae4dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7N2qLvcD8Oi09zw6JbQNmcod0ac>
Subject: Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 21:57:11 -0000
Hi Ben, Thank you for your feedback. Version 12 has been posted which addresses some of your points. Replies inline: On Wed, Aug 1, 2018 at 2:36 PM, Ben Campbell <ben@nostrum.com> wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Major Comment: > > I support Mirja's DISCUSS. (Otherwise, this would be a DISCUSS), but I > have a > slightly different spin on it. The device polls the server while waiting > on the > user to take action. Users are notoriously slow about that sort of thing. > They > might plug in a device then walk away for hours, days, or forever. Now, > consider that we are talking about IoT devices, so there may be millions of > them. If they are fate shared in some way (imagine shipping day for a new > popular product, or a software update that forces reauthorization, or a > server > coming back online after getting whacked the last time around), there > could be > millions of them trying this at the roughly the same time. > > Given all that, I think the draft really needs to give more detailed > guidance > on what sort of refresh rates, maximum attempts, expirations, back off > patterns, etc might be reasonable from both network congestion and server > overload perspectives. > Version 12 adds defaults for the interval, documents slow_down behavior, and now requires that an expiry time is given (previously this was optional). Regarding maximum attempts, as that is a function of interval and the expiry the AS can decide this (and also has the slow_down mechanism if they need). Other Substantive Comments: > > §3.1: What sort of events are expected to trigger the flow? In particular, > I > wonder if there should be guidance to make it unlikely to start the > process by > accident. For example, if the authorization process is kicked off by a > device > simply being plugged into power, a user might plug it in then walk away > before > realizing they had more to do. (See my major comment). > Added the text: Due to the polling nature of this protocol, to avoid unneeded requests on the token endpoint, the client SHOULD only commence a device authorization request when prompted by the user, and not automatically such as when the app starts. > §3.3: What sort of bad thing could happen if the device_code is > communicated to > a user? Nothing bad. This text was revised in 12 to clarify that this recommendation is for usability. > Do implementers need to worry about people guessing device-codes? > Yes. Guessing the device_code would enable another device to obtain the authorization grant once issued. We will add a security section in the next version (13). > > §3.3, last paragraph: The "NOT RECOMMENDED" seems overly strong, given > that the > next section describes a perfectly good way to do exactly that. Maybe > something > like "NOT RECOMMENDED unless the device uses a non-textual mechanism for > conveying the URL and code, such as that described in ..." would make > sense? > The next section uses `verification_uri_complete` which is separate to `verification_uri`, this NOT RECOMMENDED refers to the latter only. Also the text immediately following the block you quoted reads "The next section documents user interaction with "verification_uri_complete", which is designed to carry this information." Even devices that use the non-textual mechanism may also display the vanilla `verification_uri` and user_code as a fallback, as Figure 3 shows, and so this NOT RECOMMENDED still applies to the `verification_uri` that they display. Figure 3 was updated to indicate that the user either scans the QR code *or* follows the fallback options. > §5.4: Are devices expected to know the operating environment in advance of > deployment? > These apps typically are aware of the operating environments in which they are deployed, e.g. a TV app deployed to a branded "TV streaming stick". > Editorial Comments: > > §1, 3rd paragraph: The first sentence is hard to parse due the list of > long, > complex phrases. Please consider breaking into simpler sentences. > Added this to the -13 revision plan. > §2: There are lower case instances of normative keywords. Please consider > using the updated boilerplate from RFC8174. > Done. Best, William
- [OAUTH-WG] Ben Campbell's No Objection on draft-i… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… William Denniss
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… William Denniss