Re: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices (Brian Campbell)

Justin Richer <jricher@mit.edu> Mon, 11 December 2017 20:41 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 702981273B1 for <oauth@ietfa.amsl.com>; Mon, 11 Dec 2017 12:41:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22o2o86a-ulH for <oauth@ietfa.amsl.com>; Mon, 11 Dec 2017 12:41:42 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 062DB126D85 for <oauth@ietf.org>; Mon, 11 Dec 2017 12:41:41 -0800 (PST)
X-AuditID: 12074425-8d9ff70000000e7d-a6-5a2eed81e60b
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 13.EB.03709.28DEE2A5; Mon, 11 Dec 2017 15:41:39 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id vBBKfXVM015236; Mon, 11 Dec 2017 15:41:34 -0500
Received: from [192.168.1.9] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id vBBKfV0B016634 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 11 Dec 2017 15:41:32 -0500
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <B017F0AB-BBEC-4198-9C80-A1103F566F42@iwelcome.com>
Date: Mon, 11 Dec 2017 15:41:30 -0500
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B25A78BF-4BDD-49E4-99DC-B728BF401309@mit.edu>
References: <mailman.3552.1513014995.4036.oauth@ietf.org> <B017F0AB-BBEC-4198-9C80-A1103F566F42@iwelcome.com>
To: Jaap Francke <jaap.francke@iwelcome.com>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIKsWRmVeSWpSXmKPExsUixG6nrtv8Vi/KYOtrZou2WU/YLU6+fcXm wOSxZMlPJo+rPx+wBzBFcdmkpOZklqUW6dslcGUsebCApeBFWcXHD5tYGhi/JXYxcnJICJhI 3Hrwl72LkYtDSGAxk8TjxzNZIJyNjBLvjpxlBakSErjGJLFqLpjNLKAu8WfeJeYuRg4OXgF9 id7njCBhYYFyib5tX1hAbDYBVYnpa1qYQGxOAQeJ9yemsYCUswDFW69EgJggU9pPukAM1JZY tvA1M4jNK2Al0fd8CStIiZBAvsTke/kgYREBHYkTB/4zQlwsK3Fr9iXmCYwCs5CcMwvhnFlI hi5gZF7FKJuSW6Wbm5iZU5yarFucnJiXl1qka6GXm1mil5pSuokRHJ4uqjsY5/z1OsQowMGo xMMb0aEXJcSaWFZcmXuIUZKDSUmUlyUYKMSXlJ9SmZFYnBFfVJqTWnyIUYKDWUmE19RPN0qI NyWxsiq1KB8mJc3BoiTO62GiHSUkkJ5YkpqdmlqQWgSTleHgUJLgnfAGaKhgUWp6akVaZk4J QpqJgxNkOA/Q8EaQGt7igsTc4sx0iPwpRm+OJy03/jBxXLp1F0hu+P4ASD6b+bqBmWPa1dYm Zo55x781MQux5OXnpUqJ8055DTRCAGRERmke3BZQSnJfZ2fxilEc6Glh3uUgi3iA6Qxuzyug E5iATmCarA1yQkkiQkqqgVHbfFf5qTTBbqeZGzk1tIt966qmz5J6Or/M6WHPxAVeX95+a3ip /3T52qWf+VILme9PFtn24OUfG4aiFqV6uyKrJtE7cR+/T96RO/VV/izJIslN30wv+D+fIlMS /c5s8Y3j4dMOfy7QfK2/TWOC7fT/Bb+3XTu6XnT1qtzZpmYXLhfeXPnWhC9GiaU4I9FQi7mo OBEANpw0FiQDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7zg0ozne4LaNlnGkU-49Tr6wy3k>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices (Brian Campbell)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2017 20:41:45 -0000

This could be useful but shouldn’t be done in a way that’s tied to the device flow — any public client would suffer from the same fate. 

 — Justin

> On Dec 11, 2017, at 3:19 PM, Jaap Francke <jaap.francke@iwelcome.com> wrote:
> 
> Hi all,
> 
> I have previously made the following suggestion which still makes sense to me.
> 
> […]we were working with one of our customers to implement the device flow as part of our IDaaS.
> One of the requirements was the ability to revoke tokens for one of the devices at the Resource Server.
> 
> In our use case, we used the terminolgy ‘pairing a device to the enduser’s account’ to describe the process of authorising a device to access the resource owner’s resources.
> The resource owner may want to ‘unpair’ a device from a list of paired devices without having access to the device itself (anymore). Think about a stolen/lost kind of situation.
> We are looking for ways to allow the user to unpair one of his devices at the Authorisation Server.
> Since the Device Flow exchanges only the ‘generic’ client_id with the Authorisation Server, there is no logical way at the Resource Server to make a distinction between various devices (having the same client_id) that may be paired to the same Resource Owner.
> 
> My suggestion is the following
> - add an optional parameter to the device authorisation request (or device access token request): 'device_identifier'. A device can use this to make (for example) its serial-number known at the Resource Server.
> - add an optional parameter to the device access token response that allows to communicate a name for the device as may have been given to it by the resource owner while allowing the clients access (E). This parameter could be something like ‘device_name’. The device may be able to display this ‘device_name’ on its display.
> 
> Please consider this as a suggested enhancement of the Device Flow specifications.
> 
> 
> Kind regards,
> 
> Jaap
>> On 11 Dec 2017, at 18:56, oauth-request@ietf.org wrote:
>> 
>> Send OAuth mailing list submissions to
>> 	oauth@ietf.org
>> 
>> To subscribe or unsubscribe via the World Wide Web, visit
>> 	https://www.ietf.org/mailman/listinfo/oauth
>> or, via email, send a message with subject or body 'help' to
>> 	oauth-request@ietf.org
>> 
>> You can reach the person managing the list at
>> 	oauth-owner@ietf.org
>> 
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of OAuth digest..."
>> 
>> 
>> Today's Topics:
>> 
>>  1. Re: WGLC for OAuth 2.0 Device Flow for Browserless and Input
>>     Constrained Devices (Brian Campbell)
>>  2. Re: I-D Action: draft-ietf-oauth-token-exchange-10.txt
>>     (Justin Richer)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Mon, 11 Dec 2017 09:46:09 -0700
>> From: Brian Campbell <bcampbell@pingidentity.com>
>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> Cc: oauth <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless
>> 	and Input Constrained Devices
>> Message-ID:
>> 	<CA+k3eCRzTe2Xt_N-9mwsnc4WCdyWo3UTRe=UUnzcgidGpqmW_A@mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>> 
>> I couldn't get the QR code to work... ;)
>> 
>> On Mon, Nov 27, 2017 at 6:55 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> wrote:
>> 
>>> All,
>>> 
>>> As discussed in Singapore, we are starting a WGLC for the
>>> *draft-ietf-oauth-device-flow-07* document, starting today and ending on
>>> December 11, 2018.
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>> 
>>> Please, review the document and provide feedback on the list.
>>> 
>>> Regards,
>>> Rifaat & Hannes
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>> 
>> -- 
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
>> material for the sole use of the intended recipient(s). Any review, use, 
>> distribution or disclosure by others is strictly prohibited.  If you have 
>> received this communication in error, please notify the sender immediately 
>> by e-mail and delete the message and any file attachments from your 
>> computer. Thank you.*
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20171211/119c614c/attachment.html>
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Mon, 11 Dec 2017 12:56:21 -0500
>> From: Justin Richer <jricher@mit.edu>
>> To: Brian Campbell <bcampbell@pingidentity.com>
>> Cc: Denis <denis.ietf@free.fr>fr>, "<oauth@ietf.org>" <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] I-D Action:
>> 	draft-ietf-oauth-token-exchange-10.txt
>> Message-ID: <94AA427C-744B-4A33-AEFC-A5F276C911A2@mit.edu>
>> Content-Type: text/plain; charset="utf-8"
>> 
>> +1 to Brian
>> 
>> -1 to the proposed text from Denis
>> 
>> 
>>> On Dec 8, 2017, at 8:48 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>> 
>>> The privacy matter is already mentioned. Despite your many messages to this WG and others about the so called ABC attack, I do not believe it warrants treatment in this document or others. And your continued proposals to have it included in documents have not gotten support.  
>>> 
>>> On Fri, Dec 8, 2017 at 2:46 PM, Denis <denis.ietf@free.fr <mailto:denis.ietf@free.fr>> wrote:
>>> RFC 3552 (Guidelines for Writing RFC Text on Security Considerations) states: 
>>> 
>>>  All RFCs are required by RFC 2223 to contain a Security
>>>  Considerations section.  The purpose of this is both to encourage
>>>  document authors to consider security in their designs and to inform
>>>  the reader of relevant security issues.  This memo is intended to
>>>  provide guidance to RFC authors in service of both ends.
>>> 
>>> Section 5 (Writing Security Considerations Sections) of RFC 3552 states: 
>>> 
>>>  While it is not a requirement that any given protocol or system be
>>>  immune to all forms of attack, it is still necessary for authors to
>>>  consider as many forms as possible.  Part of the purpose of the
>>>  Security Considerations section is to explain what attacks are out of
>>>  scope and what countermeasures can be applied to defend against them 
>>> 
>>>  There should be a clear description of the kinds of threats on the
>>>  described protocol or technology.  
>>> 
>>> It is important to mention the threat related to collusion attacks. A different wording could be used, 
>>> but the threat should be mentioned one way or another.
>>> 
>>> RFC 6973 (Privacy Considerations for Internet Protocols) intends to provide a similar set of guidelines 
>>> for considering privacy in protocol design.
>>> 
>>> It is important to mention a current threat related to privacy. A different wording could be used, 
>>> e.g. using the word "surveillance" as mentioned in 5.1.1 : "Surveillance is the observation or monitoring 
>>> of an individual?s communications or activities", but the threat should be mentioned one way or another.
>>> 
>>> Denis
>>> 
>>>> I believe the text would detract from the document. 
>>>> From: OAuth <oauth-bounces@ietf.org> <mailto:oauth-bounces@ietf.org> on behalf of Brian Campbell <bcampbell@pingidentity.com> <mailto:bcampbell@pingidentity.com>
>>>> Sent: Friday, December 8, 2017 3:47:32 PM
>>>> To: Denis
>>>> Cc: oauth
>>>> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt
>>>> 
>>>> As an individual, I do not believe that the proposed text should be incorporated into the draft.
>>>> 
>>>> As one of the document editors, my responsibility is for the document to be of reasonable quality and to reflect the rough consensus of this Working Group. So I should ask the list more explicitly - are there other WG remembers who are in favor of the proposed text here (the text would have to be fixed up some too)? 
>>>> 
>>>> On Fri, Dec 1, 2017 at 11:12 AM, Denis <denis.ietf@free.fr <mailto:denis.ietf@free.fr>> wrote:
>>>> Comments on draft-ietf-oauth-token-exchange-10
>>>> 
>>>> I propose the following rephrasing for sections 6 and 7:
>>>> 
>>>> 6 . Security Considerations
>>>> 
>>>> All of the normal security issues that are discussed in [JWT],especially in relationship to comparing URIs 
>>>> and dealing with unrecognized values, also apply here.  In addition, both delegation and impersonation introduce 
>>>> unique security issues. Any time one user receives a token, the potential for abuse is a concern, 
>>>> since that user might be willing to collude with another user so that other user could use the token. 
>>>> 
>>>> Techniques like the binding of an access token to a TLS channel described elsewhere are ineffective since 
>>>> the legitimate user would be able to perform all the cryptographic computations that the other user would need 
>>>> to demonstrate the ownership of the token. The use of the "scp" claim is suggested to mitigate potential for 
>>>> such abuse, as it restricts the contexts in which the token can be exercised.  If the issued access token scope 
>>>> allows to unambiguously identify the user, then that user is likely to be reluctant to collude with another user.  
>>>> However, if the issued access token scope only indicates that the user is over 18, then there is no risk 
>>>> for the original user to be discovered and in such a context a collusion may easily take place. 
>>>> This document does not specify techniques to prevent such a collusion to be successful.
>>>> 
>>>> 7 . Privacy Considerations
>>>> 
>>>> Tokens typically carry personal information and their usage in Token Exchange may reveal details of the target services 
>>>> being accessed. The resource and the audience parameters allow authorization servers to know where the issued access token 
>>>> will be used.  This may be a privacy concern for some users. This document does not specify techniques to prevent 
>>>> authorization servers to know where the access tokens they issue will be used.
>>>> 
>>>> Denis
>>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>>>> 
>>>>>       Title           : OAuth 2.0 Token Exchange
>>>>>       Authors         : Michael B. Jones
>>>>>                         Anthony Nadalin
>>>>>                         Brian Campbell
>>>>>                         John Bradley
>>>>>                         Chuck Mortimore
>>>>> 	Filename        : draft-ietf-oauth-token-exchange-10.txt
>>>>> 	Pages           : 32
>>>>> 	Date            : 2017-11-30
>>>>> 
>>>>> Abstract:
>>>>>  This specification defines a protocol for an HTTP- and JSON- based
>>>>>  Security Token Service (STS) by defining how to request and obtain
>>>>>  security tokens from OAuth 2.0 authorization servers, including
>>>>>  security tokens employing impersonation and delegation.
>>>>> 
>>>>> 
>>>>> The IETF datatracker status page for this draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/>
>>>>> 
>>>>> There are also htmlized versions available at:
>>>>> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-10 <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-10>
>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-10 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-10>
>>>>> 
>>>>> A diff from the previous version is available at:
>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-10 <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-10>
>>>>> 
>>>>> 
>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
>>>>> 
>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>> ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/>
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> 
>>>> 
>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>>> 
>>> 
>>> 
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20171211/dbd247f6/attachment.html>
>> 
>> ------------------------------
>> 
>> Subject: Digest Footer
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> ------------------------------
>> 
>> End of OAuth Digest, Vol 110, Issue 8
>> *************************************
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth