IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization Request via back channel / direct communication?

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Sat, 09 June 2012 22:08 UTC

Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A94E21F863F for <oauth@ietfa.amsl.com>; Sat, 9 Jun 2012 15:08:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.466
X-Spam-Level:
X-Spam-Status: No, score=-0.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-aG5TBpASty for <oauth@ietfa.amsl.com>; Sat, 9 Jun 2012 15:08:12 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe003.messaging.microsoft.com [216.32.181.183]) by ietfa.amsl.com (Postfix) with ESMTP id 9AF9021F862A for <oauth@ietf.org>; Sat, 9 Jun 2012 15:08:12 -0700 (PDT)
Received: from mail189-ch1-R.bigfish.com (10.43.68.243) by CH1EHSOBE011.bigfish.com (10.43.70.61) with Microsoft SMTP Server id 14.1.225.23; Sat, 9 Jun 2012 22:07:17 +0000
Received: from mail189-ch1 (localhost [127.0.0.1]) by mail189-ch1-R.bigfish.com (Postfix) with ESMTP id 29008460091 for <oauth@ietf.org>; Sat, 9 Jun 2012 22:07:17 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:129.188.136.17; KIP:(null); UIP:(null); IPV:NLI; H:il06msg01.mot-solutions.com; RD:none; EFVD:NLI
X-SpamScore: -23
X-BigFish: VPS-23(zz98dI9371I936eIc85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h683h839hd25hf0ah)
Received-SPF: pass (mail189-ch1: domain of motorolasolutions.com designates 129.188.136.17 as permitted sender) client-ip=129.188.136.17; envelope-from=Adam.Lewis@motorolasolutions.com; helo=il06msg01.mot-solutions.com ; olutions.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.85; KIP:(null); UIP:(null); (null); H:BL2PRD0410HT004.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail189-ch1 (localhost.localdomain [127.0.0.1]) by mail189-ch1 (MessageSwitch) id 1339279635126986_28843; Sat, 9 Jun 2012 22:07:15 +0000 (UTC)
Received: from CH1EHSMHS009.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.232]) by mail189-ch1.bigfish.com (Postfix) with ESMTP id 1D59C420044 for <oauth@ietf.org>; Sat, 9 Jun 2012 22:07:15 +0000 (UTC)
Received: from il06msg01.mot-solutions.com (129.188.136.17) by CH1EHSMHS009.bigfish.com (10.43.70.9) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 9 Jun 2012 22:07:15 +0000
Received: from il06msg01.mot-solutions.com (il06vts01.mot.com [129.188.137.141]) by il06msg01.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q59MrVYh007624 for <oauth@ietf.org>; Sat, 9 Jun 2012 17:53:31 -0500 (CDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe006.messaging.microsoft.com [213.199.154.209]) by il06msg01.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q59MrTZE007621 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Sat, 9 Jun 2012 17:53:30 -0500 (CDT)
Received: from mail121-am1-R.bigfish.com (10.3.201.248) by AM1EHSOBE001.bigfish.com (10.3.204.21) with Microsoft SMTP Server id 14.1.225.23; Sat, 9 Jun 2012 22:07:12 +0000
Received: from mail121-am1 (localhost [127.0.0.1]) by mail121-am1-R.bigfish.com (Postfix) with ESMTP id 721BC1E0330 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Sat, 9 Jun 2012 22:07:12 +0000 (UTC)
Received: from mail121-am1 (localhost.localdomain [127.0.0.1]) by mail121-am1 (MessageSwitch) id 1339279630222716_16247; Sat, 9 Jun 2012 22:07:10 +0000 (UTC)
Received: from AM1EHSMHS005.bigfish.com (unknown [10.3.201.249]) by mail121-am1.bigfish.com (Postfix) with ESMTP id 2AA7A40046; Sat, 9 Jun 2012 22:07:10 +0000 (UTC)
Received: from BL2PRD0410HT004.namprd04.prod.outlook.com (157.56.240.85) by AM1EHSMHS005.bigfish.com (10.3.207.105) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 9 Jun 2012 22:07:09 +0000
Received: from BL2PRD0410MB363.namprd04.prod.outlook.com ([169.254.3.212]) by BL2PRD0410HT004.namprd04.prod.outlook.com ([10.255.99.39]) with mapi id 14.16.0164.004; Sat, 9 Jun 2012 22:08:02 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Authorization Request via back channel / direct communication?
Thread-Index: AQHNReQoje0+2U3x+ka5Z+tDvQd/SJbyiaDA
Date: Sat, 09 Jun 2012 22:08:01 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A90AED96D7@BL2PRD0410MB363.namprd04.prod.outlook.com>
References: <59E470B10C4630419ED717AC79FCF9A90AED9537@BL2PRD0410MB363.namprd04.prod.outlook.com> <0C36899C-5011-483D-89FA-E5ACF74C4119@ve7jtb.com>
In-Reply-To: <0C36899C-5011-483D-89FA-E5ACF74C4119@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [184.78.105.93]
Content-Type: multipart/alternative; boundary="_000_59E470B10C4630419ED717AC79FCF9A90AED96D7BL2PRD0410MB363_"
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: BL2PRD0410HT004.namprd04.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: -1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-rules-execution-history: Sample Spam Submissions
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BL2PRD0410HT004.namprd04.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authorization Request via back channel / direct communication?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jun 2012 22:08:16 -0000

Hi John,

"Most of OAuth is predicated on not sharing the users credential with the client, because clients are not trusted."

This is exactly my point.  I clearly understand the driving motivations for why OAuth was designed the way that it was.  I certainly would not want to give website-A my password to access my data on website-B.

But it seems that since OAuth was first envisioned, it has gained an incredible amount of momentum for use cases that it was not originally envisioned for.  As we all know, there is a dominant trend within the enterprise to move away from WS-*/SOAP/WS-Trust toward RESTful APIs ... and if REST is going to replace SOAP and OAuth/Connect is the preferred means by which to secure RESTful API calls, then it seems it would be useful to define some OAuth flows that are optimized for enterprise use cases, where the client and RS are under the same security domain.  When we sell our products to customers, we sell them the server and we sell them the client.  It's all very trusted.  Nobody thinks twice about entering the credentials into an Outlook client to authenticate to an exchange server.  WS-Trust was optimized for enterprise scenarios  and clients apps collected credentials and passed them to the STS in exchange for a SAML assertion via a simple RST/RSTR.  This is analogous to the RO credentials flow which communicates the password in the request and gets the token in the response.  But WS-Trust also defined other types that could be passed in the RST other than password tokens.

So I guess all I'm getting at is that if REST is to replace SOAP (in the enterprise) and OAuth/Connect is to be the endgame, then borrowing some of the design patterns from WS-* would seem beneficial.  Again, it's not that I can't do the whole "register a handler for a browser URI thing" ... but for enterprise use cases, it's a kludge.

Just my 2 cents.  It's free :)
adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Friday, June 08, 2012 9:04 PM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authorization Request via back channel / direct communication?

To some extent it goes to the question of who do you trust.

Most of OAuth is predicated on not sharing the users credential with the client, because clients are not trusted.

Your situation may be different if you control the device.

If you are using multi factor authentication then using an embedded web view is probably your best option to allow for flexibility as authentication mechanisms change for users rather than coding them into the app directly.

Using a embedded web view with a OTP is probably not a bad thing though in general we want to train users not to put there credentials into untrusted applications and sites.

John B.

On 2012-06-08, at 6:43 PM, Lewis Adam-CAL022 wrote:


Hi,

I have a historical question around front channel / back channel (direct) communications and Authorization Requests.  Both the code-flow and implicit-flow utilize a front channel communication through the UA.  This makes sense for the delegated credentials case (e.g. shutterfly accessing photos on facebook).

I'm in the native app / client market, and the RO password credentials flow fits really well ... expect it's limited to passwords.  I've been well educated (by lots of folks on this list) about the "best practices" to enable native clients to use the code flow, e.g. registering a custom callback URI and register my native app ass the handler for that URI.

But ... (and not knowing the history behind all this), it seems that OAuth was designed for confidential clients, and was "retro-fitted" to make native apps work.  And it just feels a bit like a hack to me (albeit a workable one), the whole custom callback URI thing, to get it to work.  The RO password credentials seems like a much better fit for native apps, since it has no need for the UA and can use back channel / direction communication to talk to the AS and obtain and access token.  But that limits me to a password and eliminates any chance of strong authentication.

It would seem more straight forward to define a back channel flow such that a native client could send off an authorization request with response=token (or id_token in the Connect case), respond to a challenge from the AS for authentication, and obtain a response containing the access_token / id_token and use it for its RESTful API communications with the RS/RP.  This would enable strong authentication methods not possible using just RO passwords.

Has anybody else ever expressed interest in such back channel calls between for native clients?  Was it previously considered and dropped?

Tx!
adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email