Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard

William Denniss <wdenniss@google.com> Fri, 01 June 2018 20:56 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D64412DA4F for <oauth@ietfa.amsl.com>; Fri, 1 Jun 2018 13:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H99siYllWijs for <oauth@ietfa.amsl.com>; Fri, 1 Jun 2018 13:56:20 -0700 (PDT)
Received: from mail-ua0-x234.google.com (mail-ua0-x234.google.com [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDB1112DA19 for <oauth@ietf.org>; Fri, 1 Jun 2018 13:56:19 -0700 (PDT)
Received: by mail-ua0-x234.google.com with SMTP id c23-v6so11702350uan.3 for <oauth@ietf.org>; Fri, 01 Jun 2018 13:56:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Rp/+Z2pEF9cV1Q91XiXMC+aSc0strB3tIo7dN5mSWjY=; b=CGNDVDfhOE0oi9zD6ICArQqX8Wi67JMjwvPE2SYcXf1BDZNTiBK7FITsNdMkIS0XtN FxHC0rT5VmE414DMocLqQQDJAzPw4wNAK7y6Tw5rtwJhLMsyN00yk2vA8PVzPM/J/Aqy xvvSS7MWk5JMLCWifU7g4B/ZY/HrP/3t+8x+LMNtLSzaekcY8/vgKqZz+eJxF2/nG4TU 92H7Fy3a8HLRExUuVIod2SmU61w496qxiUAEXg7K8TrhOnNzgeU6Zph9Ewz2gkFzUiMb +8c3TOuXtiwuMW+gRC24/oHH7FKNf0Nzf2ik7QaqL7kMg4q1CStWTlW/NbC27oHQdzI4 Hg9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Rp/+Z2pEF9cV1Q91XiXMC+aSc0strB3tIo7dN5mSWjY=; b=rAmewfIy6LbVA6k3k6fgSXwDLydyq+YF2h0v7EzqBwkcmTXwf4kFnTABIeP008ahuq kgSseUeicQiauKzTUEBrdiiw7yPRvMG2qgfP7lfewygMDlz0iFcXyI5sQPBqEnFSfxm3 pOvGkvWGKoPfb2QnN6ezBrmaO9nvl63STs1fdimvKLrwX/bjGqbJeCpmQ4HnhJZDP4xt CIN1E8q6vpD1haUDT6oCDWS87c7tGh9sjAj1idGDdxo6/9PPPVyB7TY43PgcZxCNY1Jb Fm5D8viA/U6MjkM5oWxAuN08B7Gy705YRdGFF9L3m+JgeTc8eX+2GL4O818EgGluru8M N2rg==
X-Gm-Message-State: APt69E3eEVSQJu3ZK8efoQ7WXfq5aOXwKDmddcx6hAjo2UKpZ+MdRD4P iXFP4ZtxvR3YdaCurI4d58JgvlcxErgdLI6bq75Nkg==
X-Google-Smtp-Source: ADUXVKJraGpr4fhmxmZ/Tv4F1SiNYQ3+Nhk9Ptt5zxP2jxshq0k/1FwO0QhGhKjFxS6exY9zyC1WAsaj8k1ne7Y10Wo=
X-Received: by 2002:a9f:3a47:: with SMTP id r7-v6mr1630993uag.198.1527886578309; Fri, 01 Jun 2018 13:56:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:2110:0:0:0:0:0 with HTTP; Fri, 1 Jun 2018 13:55:57 -0700 (PDT)
In-Reply-To: <CA+k3eCQH_+a4duxo1q3zXPAsYOpVLnBcx5c09xTg4w1GJuP-0w@mail.gmail.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com> <CAEqOSkfwdn-+1zFBgpgk3Mr6HYy-OvKNdVRKZtdP9c6HVHC60Q@mail.gmail.com> <CAAP42hAA8FC8B8bhDdCAg=5TnDjZXr76UiMLNABEG23GRFdeyQ@mail.gmail.com> <CAEqOSkcquQ4GXhhOV30TsOEYSV5fuG_PtO7TFo_pE_zVAJd0zA@mail.gmail.com> <CAAP42hBznvLPe8JLy1HYxFQ2bWxGW5mbpa8hcAv6K8jM3EkQxw@mail.gmail.com> <CA+k3eCQ5xxj4nCUBvQn1QwUEL-ouLiZgean02rFwEjC6dcz9mw@mail.gmail.com> <CAAP42hAwPdvNX1Hr=dvPwghQcP_iHvbHvS_aXtKGf1uGfLidSw@mail.gmail.com> <CA+k3eCQH_+a4duxo1q3zXPAsYOpVLnBcx5c09xTg4w1GJuP-0w@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 1 Jun 2018 13:55:57 -0700
Message-ID: <CAAP42hBnaHfBYqVXp07sav0OcU=Has_iwwSH7Wm1+L5DtB072A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: William Denniss <wdenniss=40google.com@dmarc.ietf.org>, Andrew Sciberras <andrewsciberras@pingidentity.com>, draft-ietf-oauth-device-flow@ietf.org, oauth-chairs@ietf.org, ietf@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c26c65056d9ad09c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AueVIU8DObTVFT6lYeKSyd_6CnU>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 20:56:23 -0000

On Thu, May 31, 2018 at 9:49 AM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

>
>
> On Wed, May 30, 2018 at 6:06 PM, William Denniss <wdenniss@google.com>
> wrote:
>
>>
>> On Wed, May 30, 2018 at 3:48 PM, Brian Campbell <
>> bcampbell@pingidentity.com> wrote:
>>
>>> I realize this is somewhat pedantic but I don't think referencing 4.1.2.1
>>> works given how RFC 6749 set things up. Rather I believe that the device
>>> flow needs to define and register "access_denied" as a valid token
>>> endpoint
>>> response error code (it's not a token endpoint response error per RFC
>>> 6749
>>> sec 5.2 nor has it been registered https://www.iana.org/assignmen
>>> ts/oauth-parameters/oauth-parameters.xhtml#extensions-error
>>> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error>
>>> ).  Also
>>> invalid_grant is a a token endpoint response error from RFC 6749 sec 5.2
>>> so
>>> that reference is needed and appropriate. RFC 6749 Sec 4.1.2.1
>>> <https://tools.ietf.org/html/rfc6749#section-4.1.2> defines errors
>>> returned
>>> from the authorization endpoint. But the device flow errors are from the
>>> token endpoint.
>>>
>>>
>> Yes, that's true. It's still the token endpoint, so 5.2 does in fact
>> apply, it's just we're mixing in authorization-style actions which were not
>> previously considered/used for that endpoint.
>>
>> Do you have any proposed text to resolve this?
>>
>>
>
> Sure, here's a crack at some text/changes:
>
>
> Add this to the list of error codes in section 3.5.:
>
>         "access_denied
>                The end-user denied the authorization request."
>
>
> And add this to section 7.2.1.:
>
>   "o  Error name: access_denied
>    o  Error usage location: Token endpoint response
>    o  Related protocol extension: [[ this specification ]]
>    o  Change controller: IETF
>    o  Specification Document: Section 3.5 of [[ this specification ]]"
>
>
> I might also slightly change this text in section 3.5:
>
> "In addition to the error codes defined in Section 5.2 of [RFC6749],
>    the following error codes are specific for the device flow:"
>
> to
>
> "In addition to the error codes defined in Section 5.2 of [RFC6749],
>    the following error codes are specified by the device flow:"
>
> so that the wording doesn't read as prohibiting the error codes from being
> used outside the device flow (access_denied from the token endpoint might
> well be useful for other grant types).
>
>
> And add "Andrew Sciberras" to the Acknowledgements.
>

Thank you Andrew for raising the point about needing to explicitly document
this error code, and Brian for your proposed text to resolve this, and for
the other issues you raised.

Version 10 has been posted by the authors to resolve the feedback received
so far during this last call:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10