Re: [OAUTH-WG] draft-hardt-oauth-distributed suggestions
David Waite <david@alkaline-solutions.com> Fri, 26 October 2018 03:40 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6D3212F1A6 for <oauth@ietfa.amsl.com>; Thu, 25 Oct 2018 20:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJ8N-G0ikkvs for <oauth@ietfa.amsl.com>; Thu, 25 Oct 2018 20:40:28 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [173.255.196.46]) by ietfa.amsl.com (Postfix) with ESMTP id DFE1712DD85 for <OAuth@ietf.org>; Thu, 25 Oct 2018 20:40:27 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:e8a1:73fe:aeca:80e2] (unknown [IPv6:2601:282:202:b210:e8a1:73fe:aeca:80e2]) by alkaline-solutions.com (Postfix) with ESMTPSA id 66964315EC; Fri, 26 Oct 2018 03:40:26 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <582DF2F1-9A8C-4A80-8A07-7B7151320D10@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B0175D1F-5C66-4092-A7F9-67FA8ED2A603"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Thu, 25 Oct 2018 21:40:25 -0600
In-Reply-To: <b7d7be5a-61fc-69d9-d59f-e3293f46edc6@evertpot.com>
Cc: oauth <OAuth@ietf.org>
To: Evert Pot <me@evertpot.com>
References: <b7d7be5a-61fc-69d9-d59f-e3293f46edc6@evertpot.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/80H31N7iYpFLMnhf6o8tdTsYRDU>
Subject: Re: [OAUTH-WG] draft-hardt-oauth-distributed suggestions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 03:40:30 -0000
> On Sep 28, 2018, at 9:10 PM, Evert Pot <me@evertpot.com> wrote: > <parts answered by Brian> > > One thing I've missed from using OAuth2-powered services over HTTP Basic > / Digest, is the ability for a browser to handle login. The idea that a > browser can potentially do all the steps required, means that a user > could potentially hit a resource server directly and browse it > interactively without requiring a non-browser client. I think this > concept is really powerful, and Distributed OAuth is a good step in that > direction. > > The piece that's missing though is that using the current OAuth2 > framework, a generic client would still need to have a client_id. > > I don't fully understand the security implications of this, but could > this specification potentially be expanded so that the WWW-Autenticate > challenge can optionally also include a client_id? I assume this is the WWW-Authenticate Bearer challenge at the resource. I lean toward reducing the coupling between the resources and the AS to understanding the access token - how to directly verify it or introspect it, the meaning of data contained within such as scopes, and so on. This sort of dynamic specification expands that to needing to state the issuer (hopefully not raw metadata url) of the issuers it wishes to receive authorization from - a pretty minimal (and logical) expansion on the requirements of the resource server for what is being attempted. Having the resource server also maintain metadata on how anonymous clients should work seems like an unnecessary expansion on resource server responsibilities. I would say instead: - Expand Dynamic Client Registration (7591) as necessary to meet new requirements. - Give an anonymous client identifier as part of the AS server metadata (8414) Having a unique client identifier (or token) per browser may help with managing security constraints the AS may want to place on anonymous clients, such as SSO or persistent consent. > The way I see this work is that a browser could grab it and attempt > using it with the implicit flow. For a built-in browser support (especially for a static client_id) it isn’t clear what a recommendation for the redirect uri would be. Reducing the requirements placed upon a resource server, I’d prefer this not be a ‘dummy resource’ for the browser to consume rather than routing through. > I did some experimentation with this, and I believe that this feature > could actually be built as a web extension, but it will only work in > Firefox as Chrome does not give web extensions access to the > Authorization header. The other approach I’ve played with for this is using service workers, although I haven’t gotten far enough to figure out the UX for user authentication and consent. Is there any feasibility to having an extension inject a service worker? I suppose this could conflict with CSP. -DW
- [OAUTH-WG] draft-hardt-oauth-distributed suggesti… Evert Pot
- Re: [OAUTH-WG] draft-hardt-oauth-distributed sugg… Brian Campbell
- Re: [OAUTH-WG] draft-hardt-oauth-distributed sugg… David Waite