IETF Logo Mail Archive

Re: [OAUTH-WG] Device Code expiration and syntax

Mike Jones <Michael.Jones@microsoft.com> Sat, 11 March 2017 21:46 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08DA81295DB for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 13:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xinWwKQI0_Fz for <oauth@ietfa.amsl.com>; Sat, 11 Mar 2017 13:46:14 -0800 (PST)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0092.outbound.protection.outlook.com [104.47.40.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AAC81295C9 for <oauth@ietf.org>; Sat, 11 Mar 2017 13:46:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=uJ+PXB2iFPSDwploQxlp7uhAYD6XBfod/8MUh7eKZPk=; b=Byq5KYolXWPfM202P/TW7cq686+JYnt06rZaODOUMk3oapxVPEezmU8D66q5qg0bH3WkiJ9CM2PJ79ZmOZnWrahssdZcFPxDnpsT8a/cfCQbUr9BfwhucZjhEEN3hgBaBexp63J5AgfLZrIsjCP44audmDiiQnn37N0UXJaflvU=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Sat, 11 Mar 2017 21:46:12 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.022; Sat, 11 Mar 2017 21:46:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] Device Code expiration and syntax
Thread-Index: AQHSmpsdXlwJ3/sQwE+4v2nL6A4fqqGQDU4AgAANDYCAAAO6gIAADfkA
Date: Sat, 11 Mar 2017 21:46:12 +0000
Message-ID: <CY4PR21MB05041D4776423586F0B1EA32F5230@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <AEE72C0E-6FFA-4BE5-87EB-D2EBF891211E@mit.edu> <CAAP42hBAaAMf0ojSBYL55O1GiUZ4Hx2Z43jRoWZqsm6=HVCVNQ@mail.gmail.com> <0CAB3A6D-5B80-41DF-9499-35D21D98F7B7@mit.edu> <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
In-Reply-To: <CAAP42hCUBKt=cHRQ8jKETRzmLxZsnKbxthtSE=xmXhLpGkH+rg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-office365-filtering-correlation-id: eeded083-5fc1-46e3-a13e-08d468c8095f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254007)(48565401081); SRVR:CY4PR21MB0504;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:41nBn793B+xEd9HkuwSwlV8VcsQs0o1oByAQcQQ8osvbY57FwY19tssAvmNDyVYW30sDAfSJ1Djdg6IGh/Ilm6FoH1G+n0HqcJZDYj1+DZK2NsV6L4/Cq6UpdY773njuUhiOxQvyCli2SvoA33tz0Q66qA+TDIh2e4LZCeARhjt/+i7CsTL5F3y3MP/RWj4RWT0IcAmAWYBqU3LhNnfkY9rno5A3ymQQesQQugQJfrwALsWJ35+pmApeWLAJ8Y5OttbHYJVc0Ci21I0Nj9mpmyrJhwvZDBDIXnzD9FnVXZKLg+NPJN0yXZ2AroTfRHz6RTlTaqUJfYOfBfula7VY8xXSsf8Ug+yMHQqBnBll2Xg=
x-microsoft-antispam-prvs: <CY4PR21MB050407ECDCAE64FB9EF601BBF5230@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(211936372134217)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504;
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39860400002)(39450400003)(39850400002)(24454002)(377454003)(8676002)(122556002)(4326008)(81166006)(6306002)(3280700002)(3660700001)(99286003)(54896002)(9686003)(2950100002)(25786008)(55016002)(6436002)(5660300001)(2906002)(7696004)(33656002)(236005)(19609705001)(7736002)(74316002)(8936002)(2900100001)(86362001)(86612001)(5005710100001)(189998001)(50986999)(10090500001)(10290500002)(93886004)(53936002)(966004)(2171002)(53376002)(6246003)(38730400002)(77096006)(6506006)(53546006)(102836003)(66066001)(54356999)(76176999)(790700001)(6116002)(3846002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05041D4776423586F0B1EA32F5230CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 21:46:12.4341 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/D-t7syJxLJQ-YS9d4OIjrYz6U80>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 21:46:17 -0000

The pre-Chicago submission deadline is Monday afternoon (see http://ietf.org/meeting/important-dates.html#ietf98).  Would you have time to check proposed edits into GitHub for the editors to review before that, William?

                                                       -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of William Denniss
Sent: Saturday, March 11, 2017 12:54 PM
To: Justin Richer <jricher@mit.edu>
Cc: <oauth@ietf.org> <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Code expiration and syntax


On Sat, Mar 11, 2017 at 12:40 PM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:

On Mar 11, 2017, at 2:54 PM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:

On Sat, Mar 11, 2017 at 11:10 AM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
We’re implementing support for the device code draft and had a question on what the “expiration” of the code refers to. Obviously, once the code has expired it can no longer be used. But when should the expiration count from? Say I have a code that’s good for 60 seconds, do I start the timer as soon as I issue the code to the client? Do I reset the timer when the user approves the client, to another 60 seconds? Or does that 60 seconds count for the entire transaction?

My read on it is the latter-- one timeout for the entire lifetime of the code regardless of its current state, with no resets. But I didn’t find good guidance in the document itself.

It's the expiry of the user_code and device_code pair, at which point the device will need to start-over with a new device authorization request.  The device wouldn't *have* to start a timer, as they will get an error during polling:


   expired_token

      The "device_code" has expired.  The client will need to make a new

      Device Authorization Request.

We should add some guidelines around expiry behavior.

OK, so it really is one expiration for the whole thing. The device doesn’t need to care (and I’ll bet you right now that, just like with access tokens, the overwhelmingly vast majority of devices won’t care about expires_in), but the authorization server certainly does, and we wanted to know the right place to set the timers.


You're probably right that most ignore expires_in, and I think that's fine. As long as the client handles errors correctly, it'll work out OK.

Agree that we should add some documentation. One piece of advice for the AS would be not to make it too short, else users won't be able to complete the flow in time.

We use a 30 minute expiry.


Secondly, I had a question about the “response_type” parameter to the device endpoint. This parameter is required and it has a single, required value, with no registry or other possibility of extension. What’s the point? If it’s for “parallelism”, I’ll note that this is *not* the authorization endpoint (as the user is not present) and such constraints need not apply here.

Good points here. At a guess, it bled in from the OAuth spec. If it's not needed, we should remove it.


I’d vote for removal, I don’t see the point.

 — Justin

v2.23.0 | Report a Bug | By Email