IETF Logo Mail Archive

Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard

Andrew Sciberras <andrewsciberras@pingidentity.com> Wed, 30 May 2018 22:19 UTC

Return-Path: <andrewsciberras@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F282B12D86F for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S2_7sWHJCwBK for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:19:21 -0700 (PDT)
Received: from mail-wr0-x241.google.com (mail-wr0-x241.google.com [IPv6:2a00:1450:400c:c0c::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F3401275FD for <oauth@ietf.org>; Wed, 30 May 2018 15:19:17 -0700 (PDT)
Received: by mail-wr0-x241.google.com with SMTP id l41-v6so31069198wre.7 for <oauth@ietf.org>; Wed, 30 May 2018 15:19:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BBfK1YCPTJdH8MHZBkc+cCdgCGg4sCuMZQJCl1jhdxI=; b=dVVwvEYnPqcYtKgFwRQMoxFB4cXeNdc9LFIhfudGD0tsM5zFgbodNTQLcwbmLOqTdf oilbY0qjzj5QMmLicoJaoq8BiRdGQW4qREiV/2AR2pCWcsTAHpHTSQMbNHPpUJvBT5fV d7dPMjqDAtKiJdXl1xwpEi8qaBrtmoGrBP7Kk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BBfK1YCPTJdH8MHZBkc+cCdgCGg4sCuMZQJCl1jhdxI=; b=cnXHugJqofjQ8YsvP8cVwwdrQtf6Ekv9h039cqmTW6WQiLF1E0TGbqKipgftqtUVqm 4GDZdoSNN3JM9lEUxqsW/FprJeZG4dZ0ZTvoxDdBr/iRoaB0dGnA9CUzJxFcXEnSyKUn OqnDemZGM1bGJ4wBgaTP5tcrb7ql/IYg4W/MiDS4GaDdLuE6VGN1FKUjQ9j2IioCkjFW d/F6gHcaZ+ChDTSBWw/PKVyHsrnDrwPZzam91imBzclZ3xyzIn9F5Zc2mSxzSqVuOlsp QbtZ1UOrGNEihKSoMYh0CikLIHk33IN5iFum2II8JMkEISn0eKSevFk3omotlDotQwyx CF/A==
X-Gm-Message-State: ALKqPwc05rMDSxa8TsRC6VuSxOU9SJSqOh/j23qUj4TqHaxxeQD6oqGI LHSaClY9EUTWDgzjj/W9rgkNy24AzJKFNiH13vn7e7PWbWdWgVmfhtBc5apB8a0Cp3ZiB4an3Vq ZuWAAzn6RWYQAHw==
X-Google-Smtp-Source: ADUXVKLY/OwW6HkaZD77qzl2aDg3Ngwvi1VnlHHP203tqrMGOXwzPW6PAqk6feprH7QhSTsN/VjFKfPL/jdU+IWC4Oo=
X-Received: by 2002:adf:9663:: with SMTP id c32-v6mr3639000wra.89.1527718755491; Wed, 30 May 2018 15:19:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1c:e308:0:0:0:0:0 with HTTP; Wed, 30 May 2018 15:18:54 -0700 (PDT)
In-Reply-To: <CAAP42hAA8FC8B8bhDdCAg=5TnDjZXr76UiMLNABEG23GRFdeyQ@mail.gmail.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com> <CAEqOSkfwdn-+1zFBgpgk3Mr6HYy-OvKNdVRKZtdP9c6HVHC60Q@mail.gmail.com> <CAAP42hAA8FC8B8bhDdCAg=5TnDjZXr76UiMLNABEG23GRFdeyQ@mail.gmail.com>
From: Andrew Sciberras <andrewsciberras@pingidentity.com>
Date: Thu, 31 May 2018 08:18:54 +1000
Message-ID: <CAEqOSkcquQ4GXhhOV30TsOEYSV5fuG_PtO7TFo_pE_zVAJd0zA@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Cc: ietf@ietf.org, IETF-Announce <ietf-announce@ietf.org>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bcfe7e056d73bdf7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BEFjzQ1kTiWU4VJfsdrw8RWb-ps>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 22:19:24 -0000

Hi William

You are right that the document explicitly indicates which error codes may
be returned. However I think it's ambiguous as to which error within
Section 5.2 of RFC6749 would apply in the scenario of a user not granting
access.

I think that this ambiguity is highlighted further by the Google
implementation (https://developers.google.com/identity/protocols/OAuth2ForDe
vices#step-6-handle-responses-to-polling-requests) not adhering to the
explicit statement of the document and electing to use a (more appropriate)
error code that exists outside of section 5.2.

Andrew


On Thu, May 31, 2018 at 8:06 AM, William Denniss <wdenniss@google.com>
wrote:

> Hi Andrew,
>
> On Wed, May 30, 2018 at 2:35 PM, Andrew Sciberras <andrewsciberras@pingidentity.com> wrote:
>
> Hello
>>
>>
>> Do we feel that the document should be more specific in addressing how
>> the authorization service should respond to a device access token request
>> when the user has refused to grant access to the device?
>>
>>
>> The document currently indicates in section 3.5 that a success response
>> defined in section 5.1 of RFC6749, an error as defined in section 5.2 of
>> RFC6749 (this includes invalid_request, invalid_client, invalid_grant,
>> unauthorized_client, unsupported_grant_type, and invalid_scope), or a new
>> device flow error code (authorization_pending, slow_down, and
>> expired_token) may be returned in a response to a device token request.
>>
>>
>> It doesn’t seem that any of these options are appropriate to convey that
>> a user has refused to grant access to the device.
>>
>>
>> The Google implementation appears to be using the access_denied error
>> code from section 4.1.2.1 of RFC6749. While this would seem to be the most
>> suitable error code, the document does not explicitly indicate it as a
>> permitted response.
>>
>
> Actually, this is indicated explicitly I believe:
>
> If the user has approved the grant, the token endpoint responds with a
> success response defined in Section 5.1 of [RFC6749]; *otherwise it
> responds with an error, as defined in Section 5.2 of [RFC6749].*
>
In addition to the error codes defined in Section 5.2 of [RFC6749], the
> following error codes are specific for the device flow:
>
>
>>
>> I believe that clarifying the response error code in the condition where
>> a user has refused access to the client would be beneficial, remove
>> ambiguity, and promote greater consistency across implementations.
>>
>>
>> Regards
>>
>> Andrew Sciberras
>>
>>
>> On Wed, May 30, 2018 at 8:20 AM, The IESG <iesg-secretary@ietf.org>
>> wrote:
>>
>>>
>>> The IESG has received a request from the Web Authorization Protocol WG
>>> (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for
>>> Browserless and Input Constrained Devices'
>>>   <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard
>>>
>>> The IESG plans to make a decision in the next few weeks, and solicits
>>> final
>>> comments on this action. Please send substantive comments to the
>>> ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may
>>> be
>>> sent to iesg@ietf.org instead. In either case, please retain the
>>> beginning of
>>> the Subject line to allow automated sorting.
>>>
>>> Abstract
>>>
>>>
>>>    This OAuth 2.0 authorization flow for browserless and input
>>>    constrained devices, often referred to as the device flow, enables
>>>    OAuth clients to request user authorization from devices that have an
>>>    Internet connection, but don't have an easy input method (such as a
>>>    smart TV, media console, picture frame, or printer), or lack a
>>>    suitable browser for a more traditional OAuth flow.  This
>>>    authorization flow instructs the user to perform the authorization
>>>    request on a secondary device, such as a smartphone.  There is no
>>>    requirement for communication between the constrained device and the
>>>    user's secondary device.
>>>
>>>
>>>
>>>
>>> The file can be obtained via
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>>
>>> IESG discussion can be tracked via
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/
>>>
>>>
>>> No IPR declarations have been submitted directly on this I-D.
>>>
>>>
>>> The document contains these normative downward references.
>>> See RFC 3967 for additional information:
>>>     rfc6819: OAuth 2.0 Threat Model and Security Considerations
>>> (Informational - IETF stream)
>>>     draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile
>>>  (None - )
>>>     rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF
>>> stream)
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email