IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Marius Scurtescu <mscurtescu@google.com> Wed, 14 March 2012 18:24 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D8221F84FD for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 11:24:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.677
X-Spam-Level:
X-Spam-Status: No, score=-102.677 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UKKfMYWfQynx for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 11:24:11 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1362121F84FE for <oauth@ietf.org>; Wed, 14 Mar 2012 11:24:10 -0700 (PDT)
Received: by yhpp34 with SMTP id p34so2430951yhp.31 for <oauth@ietf.org>; Wed, 14 Mar 2012 11:24:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=RGwuuES2UtC2a1BHQkdLxaIZJnNORwUAIoxDsE/nubQ=; b=CxeOqaFrDVLZE+o9Nq81PKbaAR1cuZmemTcMfmgy//5tOnkVO+UbwmOdapo0iBna6S YPHRlVQ9TK/34M3h69iPBJ2bIRP8BsSg1XV1JVjOhIOjs7t7xiw0b3Kw7ssUoZk86AQm eAELQrFTD6H5nyPXlXyum5MZFF4MqOR1AdRLoTnbNstRJqHqNNgWrRpEwzJ98yvyApS3 ZMRqRm2GXdSCeoT87sZGJBTZgACL7QLIdc/rjQHSMbBsrTmGX+bFMzDkeo3S/cbQ0k4E 6x5wa0NpOiykJq/dEezQX1O43EpGzSBH8oHxGBXRlUrS0iXBNwJVTnPKdKTaRRid91AI GA2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=RGwuuES2UtC2a1BHQkdLxaIZJnNORwUAIoxDsE/nubQ=; b=J0x6PHAtS98pfSVgwFNgUbw+GoxNc0i0rN2p/IQqtkyr65fR3+l5EmfcWfrXIm4Zp5 NYeA1c3zE/uD4EBPeGG3Xv1WH9nS7MsGhvypyW+1TXWwCWjNLUaFd7qbG4Sr+im3Ibgl //Z7oCWHcpmGmM+kz3XA0mxD8VdeI+MEvIU508nwCg4+2PuCXXWBoPx+tOjipR/BNfiT b7boUPEcKY3M9p/VXgjsK04Hf8CRq0vI09KxXzk1Agrk+ygGOULaLQ68nv8qst4WeS8M vNejn0sAzpZ9kyoIGJPeU5H7HUM5dMJJk/t0CS3BhsVvbEH26DphO8soGkOQz4Btjkl8 0t+Q==
Received: by 10.236.46.232 with SMTP id r68mr4232447yhb.80.1331749450441; Wed, 14 Mar 2012 11:24:10 -0700 (PDT)
Received: by 10.236.46.232 with SMTP id r68mr4232434yhb.80.1331749450335; Wed, 14 Mar 2012 11:24:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.101.164.1 with HTTP; Wed, 14 Mar 2012 11:23:50 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 14 Mar 2012 11:23:50 -0700
Message-ID: <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQkYfSZR/nlBPl6vGc6lVUsVxIgqt6Lin6hqON7GnuQK8mO641tfySJg0PJHQ9KhmNb71IEgQZz0sA15ehtFFf9+PA245efTVAsYnw3YZ6d8k9dffSMXdp5Rxi505Zq2bQunu4ze
Cc: Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 18:24:12 -0000

Before v23 a web server client could use either response_type=code or
response_type=token, with the same client id. No security issues and
this was supported for quite a while.

With this latest change, if I am reading it correctly, this is not
possible anymore. The client has to use two different client ids. It
is very late in the game to introduce changes like this, unless there
is an extremely good reason.

Marius



On Wed, Mar 14, 2012 at 11:09 AM, Eran Hammer <eran@hueniverse.com> wrote:
> If the server locks a client type to a particular grant type (or response type) then this is true, you don't need to specify the response type in the request. But this is based on a very limited set of potential response types. I can envision a code response type with different response syntax but same security properties, and same goes for token.
>
> In the past, a cookie response type was proposed to use the cookie headers in the server response instead of returning a token. The security properties of such a flow are very similar to those of token (from OAuth's perspective). This means a public client would be able to request either token or cookie response type.
>
> Also as noted, servers are allowed to provide different registration options to clients, as long as the client identifies each discrete component. There is no requirement or even suggestion that the server issues different client identifiers to such complex clients. I think this is another point missed in your reading of the text.
>
> Hope this clarifies it.
>
> EH
>
>> -----Original Message-----
>> From: Breno de Medeiros [mailto:breno@google.com]
>> Sent: Wednesday, March 14, 2012 10:16 AM
>> To: Eran Hammer
>> Cc: Marius Scurtescu; OAuth WG
>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>
>> Can you explain to me why response_type is necessary at all after this
>> change.
>>
>> If a javascript client (candidate for token usage) and the web server
>> component (candidate for code usage) cannot share registration (since they
>> are different components with different security contexts of the same
>> application) then there is no need to specify response_type. The server can
>> infer the response type from the client and its security context.
>>
>> My objection has nothing to do with code+token flow. I think the change
>> makes response_types irrelevant and is essentially a new protocol.
>>
>> As far as I understand it, the introduction of different code and token flows
>> was precisely to allow different security-context components of the same
>> client to securely operate under the same registration. I think if we change
>> this we need to specify a lot more behavior, such as how a client can request
>> authorization on behalf of several components simultaneously.
>>
>> On Wed, Mar 14, 2012 at 10:08, Eran Hammer <eran@hueniverse.com>
>> wrote:
>> > This was already raised and addressed on this list last week.
>> >
>> > When someone defines and registers code+token, that specification must
>> define how such a client is registered in light of the text below. This might
>> mean defining a new client type, choosing the confidential client type with
>> other normative text limiting the use of the secret in the public component,
>> etc.
>> >
>> > IOW, this section doesn't break anything because there is nothing else
>> defined to break. There is no way to avoid explicitly defining these
>> requirements for a code+token response type, or any other new response
>> type for that matter. The text below is required to ensure that the
>> authorization server can properly enforce the rest of the normative security
>> language in the specification.
>> >
>> > EH
>> >
>> >
>> >> -----Original Message-----
>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> >> Behalf Of Marius Scurtescu
>> >> Sent: Wednesday, March 14, 2012 9:53 AM
>> >> To: OAuth WG
>> >> Cc: Breno de Medeiros
>> >> Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>> >>
>> >> Hi,
>> >>
>> >> Nat Sakimura started a thread on the OpenID Connect list about a
>> >> breaking change introduced by rev 2.3
>> >>
>> >> The paragraph in question is in section 2.1:
>> >>
>> >> "A client application consisting of multiple components, each with
>> >> its own client type (e.g. a distributed client with both a
>> >> confidential server-based component and a public browser-based
>> >> component), MUST register each component separately as a different
>> >> client to ensure proper handling by the authorization server.  The
>> >> authorization server MAY provider tools to manage such complex clients
>> through a single administration interface."
>> >>
>> >> http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-oauth
>> >> -v2-
>> >> 23.txt
>> >>
>> >> You can see the thread here:
>> >> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-
>> >> 20120312/001672.html
>> >>
>> >> This paragraph basically prevents response_type=code+token which is
>> >> already implemented by many providers and also relied on by OpenID
>> >> Connect.
>> >>
>> >> The intent, I think, was to prevent clients from embedding the client
>> >> secret meant for a confidential client into a public client.
>> >> JavaScript based clients using the token flow do not need the client
>> >> secret, so this concern does not apply.
>> >>
>> >> Thoughts?
>> >>
>> >> Thanks,
>> >> Marius
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> --
>> --Breno

v2.23.0 | Report a Bug | By Email