Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
Aaron Parecki <aaron@parecki.com> Fri, 26 February 2021 21:49 UTC
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> <CAJot-L2KO2dOzZQJJeB1kbk6_KTQwUYUsoJOoRt=9maynS1jZg@mail.gmail.com> <121f52be-4747-45f3-ad75-79fa2f693d75@beta.fastmail.com> <E84B4446-5F74-402B-8071-A1164EF0B02C@mit.edu> <6b5d0e34-340f-4f93-83ef-817d4624ec7d@dogfood.fastmail.com> <CAPLh0AMfncjJ0iaZ5gmzrh1D0Z7WCOtG-+6GZkmzfQuAttsBtw@mail.gmail.com> <CAPLh0AMEnbak8=6boESQCgTd=Au4V9O=wCqGCz5qEU-d3y0g5g@mail.gmail.com> <6E2CD5EE-55D9-403A-835D-032ECA39CBFB@mit.edu> <CAJot-L1x_AxjQAH7uJ+GsW1jcc93b8ijJ7uyiVRRDZtZf=NXCw@mail.gmail.com> <CAGBSGjqE4XKQmx2B8Lvh4faazfZPYqAYBy2NhSrewaBmEEBzpw@mail.gmail.com> <6A4ABDE3-7175-4E5B-8807-437EE3CE427D@alkaline-solutions.com>
In-Reply-To: <6A4ABDE3-7175-4E5B-8807-437EE3CE427D@alkaline-solutions.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 26 Feb 2021 13:49:30 -0800
X-Gmail-Original-Message-ID: <CAGBSGjrHLF_5HQSM3znJDFbfeefBO0Ahv6UW=u4xFiJocVPkEg@mail.gmail.com>
Message-ID: <CAGBSGjrHLF_5HQSM3znJDFbfeefBO0Ahv6UW=u4xFiJocVPkEg@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Bron Gondwana <brong@fastmailteam.com>, Phillip Hallam-Baker <phill@hallambaker.com>, IETF-Discussion Discussion <ietf@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ax1UD1HoscFmFEm_iErMJCehoEo>
List-Id: OAUTH WG <oauth.ietf.org>
> Do you disagree that this gives them control over which things talk to their servers?

Yes -- with a public client, I can impersonate a "real" app and it's basically non-detectable by the AS. For a theoretical example, if I wanted to use the Instagram API but they restrict which apps can upload photos to only their own mobile apps, I can find the client ID of their own app, then do an OAuth flow using their own client ID, and without a client secret it looks the same as their own client. I'm unlikely to be able to get arbitrary users to authorize my app because of limits and checks on the redirect URI, but I can certainly do it myself for my own account.

This is the sort of false sense of security provided by the client registration step I'm talking about. I'd love to solve the app identity problem too, but that's only possible with cooperation from the mobile OSs.

Aaron

On Fri, Feb 26, 2021 at 1:36 PM David Waite <david@alkaline-solutions.com> wrote:

>
> > On Feb 26, 2021, at 9:32 AM, Aaron Parecki <aaron@parecki.com> wrote:
> >
> > The point is that basically nobody uses it because they don't want to allow arbitrary client registration at their ASs. That's likely due to a combination of pre-registration being the default model in OAuth for so long (the Dynamic Client Registration draft was published several years after OAuth 2.0), as well as how large corporations have decided to run their ASs where they want to have (what feels like) more control over the things talking to their servers.
>
> Do you disagree that this gives them control over which things talk to their servers?
>
> FWIW my personal mental model here is pretty simple:
>
> With users, there are services you provide anonymously and services you provide only to registered/authenticated/trusted parties for various reasons. Once you are delegating user access, you still have many of the same reasons to provide access to anonymous or registered/authenticated/trusted delegates.
>
> Dynamic registration arriving later and requiring additional complexity has unfortunately encouraged registration in use cases where anonymous clients might have been acceptable, but shifting the timelines or complexity balance would not have changed business needs for authentication and trust of delegates. Omitting registration would have caused businesses to use other protocols that met their needs.
>
> If AS’s are only getting what feels like proper control for their business needs, we should attempt to give them the actual control they require.
>
> -DW
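The impersonation Aaron describes, as an added example that is not part of the original message or of any real provider's code: a toy authorization server with one pre-registered public client (no client secret), driven by the same authorization-code + PKCE flow once as the "genuine" first-party app and once as an impostor that has simply copied that app's client_id. The client_id, redirect URI, scope names, user names and error strings are all constructed for the example; the flow is modelled in-process rather than over HTTP.

```python
import base64
import hashlib
import secrets

# Constructed registry: the first-party mobile app is a public client (no
# client_secret) with a custom-scheme redirect URI and a privileged scope that
# only that app is "supposed" to use.  All values are hypothetical.
CLIENTS = {
    "first-party-mobile-app": {
        "public": True,
        "secret": None,
        "redirect_uris": {"com.example.photos://oauth/callback"},
        "scopes": {"photos:read", "photos:upload"},
    },
}


def s256(code_verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy AS: authorization endpoint and token endpoint for the code grant."""

    def __init__(self):
        self._codes = {}  # authorization code -> what it was issued for

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user):
        """Everything the AS can check when the user's browser arrives:
        client_id is registered, redirect_uri is pre-registered, scope allowed."""
        client = CLIENTS.get(client_id)
        if client is None:
            raise PermissionError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:
            raise PermissionError("invalid_redirect_uri")  # illustrative error name
        if not set(scope.split()) <= client["scopes"]:
            raise PermissionError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "challenge": code_challenge, "user": user}
        return code

    def token(self, client_id, code, code_verifier, redirect_uri, client_secret=None):
        """Token endpoint.  For a public client there is nothing to authenticate:
        only the code, redirect_uri and PKCE verifier are checked against what
        was issued under this client_id."""
        client = CLIENTS.get(client_id)
        issued = self._codes.pop(code, None)  # codes are single use
        if client is None or issued is None or issued["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        if issued["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if s256(code_verifier) != issued["challenge"]:
            raise PermissionError("invalid_grant")
        if not client["public"] and client_secret != client["secret"]:
            raise PermissionError("invalid_client")  # only confidential clients authenticate
        return {"access_token": secrets.token_urlsafe(32), "scope": issued["scope"],
                "client_id": client_id, "sub": issued["user"]}


def run_code_flow(as_, client_id, redirect_uri, scope, user):
    """A complete code + PKCE flow from the client side.  The same function
    serves the genuine app and the impostor: nothing in it is secret, so both
    produce identical traffic at the AS."""
    verifier = secrets.token_urlsafe(32)
    code = as_.authorize(client_id, redirect_uri, scope, s256(verifier), user)
    # ...the browser is redirected to redirect_uri?code=..., the client collects it...
    return as_.token(client_id, code, verifier, redirect_uri)


def impersonation_is_indistinguishable():
    """Impostor reuses the first-party client_id to get a token for its own account."""
    as_ = AuthorizationServer()
    genuine = run_code_flow(as_, "first-party-mobile-app",
                            "com.example.photos://oauth/callback", "photos:upload", "alice")
    impostor = run_code_flow(as_, "first-party-mobile-app",
                             "com.example.photos://oauth/callback", "photos:upload", "attacker")
    # Both tokens carry the privileged scope and the same client_id; the AS
    # recorded nothing that could tell the two callers apart.
    return genuine["client_id"] == impostor["client_id"] and impostor["scope"] == "photos:upload"


def foreign_redirect_is_rejected():
    """The redirect_uri check is what keeps the impostor from harvesting *other*
    users' codes: it cannot have codes sent to a URI it controls."""
    as_ = AuthorizationServer()
    try:
        run_code_flow(as_, "first-party-mobile-app",
                      "https://attacker.example/cb", "photos:upload", "bob")
    except PermissionError as err:
        return str(err) == "invalid_redirect_uri"
    return False


if __name__ == "__main__":
    print("impostor indistinguishable from first-party app:", impersonation_is_indistinguishable())
    print("foreign redirect_uri rejected:", foreign_redirect_is_rejected())
```

PKCE does not change the picture: it binds the code to whoever started the flow, and in this scenario the impostor is that party, so the verifier check passes. What the redirect-URI check buys the AS is exactly the limit Aaron names: the impostor can only complete the flow for accounts whose user it already is (or on devices where it can receive the registered redirect), not for arbitrary users at scale.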