Re: [OAUTH-WG] FW: draft-ietf-oauth-device-flow: url with code

"Manger, James" <> Wed, 01 March 2017 02:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E4969129469 for <>; Tue, 28 Feb 2017 18:07:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ej8ODdO1PMTK for <>; Tue, 28 Feb 2017 18:07:04 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 103E5126DFB for <>; Tue, 28 Feb 2017 18:07:03 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.35,222,1483966800"; d="scan'208";a="26282768"
Received: from unknown (HELO ([]) by with ESMTP; 01 Mar 2017 13:07:01 +1100
X-IronPort-AV: E=McAfee;i="5800,7501,8453"; a="312440296"
Received: from ([]) by with ESMTP; 01 Mar 2017 13:07:00 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 8.3.485.1; Wed, 1 Mar 2017 13:07:01 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3; Wed, 1 Mar 2017 13:06:59 +1100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Wed, 1 Mar 2017 13:06:59 +1100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-team-telstra-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=aEUCc97t5bRG3Tl0VqvofTR4QZ7BYZOUYQEAt0aEQKw=; b=IuuHdBLkzO/h98VGGphjflIr48VtCPZs4DFN8nS/m85IBQL2p8Y6l3FBPzKw2jq8VJna8bSKdLEqIkzxMbq1stvfx2h3z0eDu4aMXJCNDtiIZEeqBHZaOnpomr1HmXSKomM2NVZ5ZpSPovcjCENvMNuIW1qSjl+RyqNa5CsgMfQ=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12; Wed, 1 Mar 2017 02:06:58 +0000
Received: from ([]) by ([]) with mapi id 15.01.0933.020; Wed, 1 Mar 2017 02:06:58 +0000
From: "Manger, James" <>
To: William Denniss <>
Thread-Topic: FW: draft-ietf-oauth-device-flow: url with code
Thread-Index: AdKRRh/IkJeVOoDTRW+gjblgguPT/QA23hYgAACvXwAAACL3EA==
Date: Wed, 01 Mar 2017 02:06:58 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-AU, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: db13b22c-f483-4e4d-d2b7-08d46047a4ad
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:SYXPR01MB1616;
x-microsoft-exchange-diagnostics: 1; SYXPR01MB1616; 7:8mqmqIyit7tY5zmH1QudT4WMy/ScTlxubhZIoAAzS0EYeIxKFijJRL6JV6gmZxMX3cy/qMe6bmdGlYaSAa8FmsUHePH0cqVn5xlWZhuIGo/4UinQ7gbbYWoQqyQJCl+WNjb/K0EBcHpCNfaGgKVHzX6RbtXgz0i8ywJm8VxTZuCQ6HhcYqHaqF7h+v2VDk9qTi6w3hOwOxnZLGS4vI0fknEUFonYuGA93RFFIDT3PNEyiovQWDYBONgUtksyfMiUaMCKBJei4hFVdVoG6L461H/x+Ss/2F5QFo2/iI+8SRUSWC9h3Bdd3RTrgw2bg732vMk/sbiLZmO4Kx2JLuz/fw==
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123555025)(20161123558025)(20161123562025)(20161123560025)(20161123564025)(6072148)(6042181); SRVR:SYXPR01MB1616; BCL:0; PCL:0; RULEID:; SRVR:SYXPR01MB1616;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(189002)(199003)(86362001)(25786008)(229853002)(2906002)(97736004)(7736002)(8936002)(101416001)(33656002)(3280700002)(6436002)(3660700001)(77096006)(6506006)(102836003)(6116002)(230783001)(81166006)(4326008)(81156014)(3846002)(5660300001)(92566002)(122556002)(68736007)(74316002)(8676002)(7696004)(53936002)(66066001)(42882006)(2950100002)(6916009)(105586002)(54356999)(99286003)(55016002)(189998001)(305945005)(6246003)(9686003)(6306002)(76176999)(50986999)(110136004)(38730400002)(106356001)(2900100001); DIR:OUT; SFP:1102; SCL:1; SRVR:SYXPR01MB1616;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2017 02:06:58.6788 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB1616
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] FW: draft-ietf-oauth-device-flow: url with code
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Mar 2017 02:07:07 -0000


>> Transmitting a URI via Bluetooth, or NFC, or QR code, is quite common. In such cases it would be nicer to transmit the user_code as part of the URI.

> I don't really see the benefit.

If the device is always used with a pre-installed companion mobile app: no benefit.
If the device has ample screen size for "To register, visit <uri> and enter <code>": no benefit.
If the device can use NFC/BLE/QR-code/… to transmit a URI: benefit; can get verification_uri and user_code to a mobile browser without anything else (on the device or on the mobile).

Scenario: a device with no screen, just a few LEDs; the instructions say "to activate, tap the device with your mobile (after enabling NFC or bluetooth)".
User taps with mobile; browser launches; AS shows picture of device and asks user to confirm LEDs are flashing red/green/red/green… (on form with CSRF-protection); user click Yes; next device polling token request succeeds.

This scenario is harder without a standard way to combine verification_uri and user_code into a single URI.

> If you're doing some kind of out-of-band transmission (which is mentioned as out of scope of the spec) there's no reason you can't simply transmit both pieces of information.

My guess is that "transmitting both pieces of info" requires special-purpose code that understands those 2 pieces. Whereas browsing to a transmitted URI is generic.

>  We've done that before, and this is what we do.  Having the data separate did not really alter the implementation of this, and combining it wouldn't measurably make it simpler (but it would make the spec more complex).
> Also if the AS really wanted to, there's nothing to stop it including whatever parameters it wanted in the verification URI today (which could include the user code).

> So I'd prefer to keep 1 protocol, designed for the browser model (which is the only thing in-scope in the spec), that can potentially work with a wide range of cases.

It is still the browser model; it's just how the URI and code get to the browser.

 >> Perhaps both modes could be supported by saying the user_code can be included as a query parameter on the verification_uri when it is more convenient for a device to transmit a single URI. Authorization Servers MUST accept this. The choice is to use user_code as the complete query string (eg or specify a “code” parameter name (eg

> -1. I know for sure Google's AS will not comply with that MUST. As it is there are some phishing concerns around this flow (documented in the spec), and this change unfortunately makes the matter worse by allowing for single-click phishing.

I didn't mean to imply the AS had to *finish* the flow immediately when uri?code was accessed. An AS can still display anti-phishing measures requiring explicit user clicks to continue. The AS could still display a picture of the device.

I do concede that requiring a code to be manually entered is a specific phishing defence so any alternative should probably be specified separately.

> For example, we use the text today: "Enter the code displayed on your device". And we display a picture picture of the device to help guide the user as to the expected usage of this flow (this by itself isn't everything – but they are important hints).

>> Recommending case-insensitive punctuation-ignoring alphabetic codes is good, but how does a user know this is the case for a particular code? Perhaps the advice needs to be to use a “fancy” input field with javascript to convert to uppercase as the user types and handle punctuation?

> I believe that's covered:
>   The server should ignore …

I guess I read that as a suggestion for server-side code. But the user needs a hint at the client-side as they enter the code.
This is a minor detail. A web form could, for instance, say "case and punctuation are ignored" below the code input field.
James Manger