Re: [OAUTH-WG] OAuth 2.0 Device Flow: IETF98 Follow-up

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 02 May 2017 05:35 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717F5126B7F for <oauth@ietfa.amsl.com>; Mon, 1 May 2017 22:35:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.221
X-Spam-Level:
X-Spam-Status: No, score=-0.221 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hhasu6WErl-E for <oauth@ietfa.amsl.com>; Mon, 1 May 2017 22:35:08 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB4E7128B88 for <oauth@ietf.org>; Mon, 1 May 2017 22:32:50 -0700 (PDT)
Received: from [80.187.107.84] (helo=[10.155.141.93]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1d5QQZ-0007DW-00; Tue, 02 May 2017 07:32:47 +0200
Content-Type: multipart/signed; boundary=Apple-Mail-5B14A1E0-B12E-4243-BBF1-7129B13D8D98; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (14E304)
In-Reply-To: <22d06952-94ab-e6a9-d2b2-f96f8252bf5e@mit.edu>
Date: Tue, 2 May 2017 07:32:42 +0200
Cc: John Bradley <ve7jtb@ve7jtb.com>, William Denniss <wdenniss@google.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <4107AB98-25D8-4542-B932-CD6F921D0D1D@lodderstedt.net>
References: <CAAP42hDugtAz-7MaeVcNsS+Oza1GVKRyGm4vfR6Vj1DFF1-nag@mail.gmail.com> <77856AF4-9B2E-4478-9509-1459037C24E4@ve7jtb.com> <22d06952-94ab-e6a9-d2b2-f96f8252bf5e@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CEzqoELr4eqVyxhmxT9qSQS8Nk0>
Subject: Re: [OAUTH-WG] OAuth 2.0 Device Flow: IETF98 Follow-up
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 05:35:11 -0000

+1 to keep the optional parameter along with clear wording regarding security risk and interoperability 

> Am 29.04.2017 um 15:12 schrieb Justin Richer <jricher@mit.edu>;:
> 
> +1, documentation is better. Though we also need to keep in mind that this was the justification for the password flow in 6749, which has been abused all over the place (and continues to this day). Still, it would be arguably worse without that so I'm good with keeping the parameter in there as long as we're careful.
> Namely: So long as the user code is *also* delivered separately to the user, we would have interoperability between the two. What       I don't think we want is some systems that *require* the URI parameter on the approval URL and other implementations that *forbid* it. That case could end up with something like: I've got a set-top system that's incapable of displaying a separate user code because it always assumes it's baked into the URL, and then I try to put it on a server that requires the code be entered separately. 
> The resulting spec needs to be clear that the box MUST be able to display both the URL and the code separately, in case the URL does not include the code. In fact, maybe we'd even want to introduce a new parameter from the endpoint for the pre-composed URL:
> 
>    user_code
>       REQUIRED.  The end-user verification code.
> 
>    verification_uri
>       REQUIRED.  The end-user verification URI on the authorization
>       server.  The URI should be short and easy to remember as end-
>       users will be asked to manually type it into their user-agent.
>    composite_verification_uri
>       OPTIONAL.  The end-user verification URI with the end-user 
>       verification code already included. See discussion in [blah]
>       for its use.
> 
>  -- Justin
> 
>> On 4/28/2017 6:38 PM, John Bradley wrote:
>> I would like to keep the optional parameter.   It is useful enough that if we don’t have it people will add it on there own as a custom parameter.  
>> Better to document any issues. 
>> 
>> John B.
>>> On Apr 28, 2017, at 5:39 PM, William Denniss <wdenniss@google.com>; wrote:
>>> 
>>> Thanks all who joined us in Chicago in person and remotely last month for the discussion on the device flow. [recording here, presentation starts at about 7min in].                 
>>> 
>>> The most contentious topic was addition of the user_code URI param extension (introduced in version 05, documented in Section 3.3).
>>> 
>>> I'd like to close out that discussion with a decision soon so we can advance to a WG last call on the draft.
>>> 
>>> To summarise my thoughts on the param:
>>> It can be can be used to improve usability – QR codes and NFC can be used with this feature to create a more delightful user authorization experience.
>>> It may increase the potential phishing                       risk (which we can document), as the user has less typing. This risk assessment is likely not one-size-fits-all, it may vary widely due to different the different potential applications of this standard.
>>> The way it's worded makes it completely optional, leaving it up to the discretion of the authorization server on whether to offer the optimisation, allowing them to secure it as best they see it.
>>> I do believe it is possible to design a secure user experiance that includes this optimization.
>>> I think on the balance, it's worthwhile feature to include, and one that benefits interop. The authorization server has complete control over whether to enable this feature – as Justin pointed out in the meeting, it degrades really nicely – and should they enable it, they have control over the user experiance and can add whatever phishing mitigations their use-case warrants.  Rarely is there a one-size-fits-all risk profile, use-cases of this flow range widely from mass-market TV apps to internal-only device bootstrapping by employees, so I don't think we should be overly prescriptive.
>>> 
>>> Mitigating phishing is already something that is in the domain of the authorization server with OAuth generally, and I know that this is an extremely important consideration when designing user authorization flows. This spec will be no exception to that, with or without this optimization.
>>> 
>>> That's my opinion. I'm keen to continue the discussion from Chicago and reach rough consensus so we can progress forward.
>>> 
>>> Best,
>>> William
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth