IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Skylar Woodward <skylar@kiva.org> Tue, 01 March 2011 02:27 UTC

Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 265863A6C90 for <oauth@core3.amsl.com>; Mon, 28 Feb 2011 18:27:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.441
X-Spam-Level:
X-Spam-Status: No, score=-2.441 tagged_above=-999 required=5 tests=[AWL=0.158, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m5wKiFUU0Z2v for <oauth@core3.amsl.com>; Mon, 28 Feb 2011 18:27:12 -0800 (PST)
Received: from na3sys010aog101.obsmtp.com (na3sys010aog101.obsmtp.com [74.125.245.70]) by core3.amsl.com (Postfix) with SMTP id CBC5A3A6C48 for <oauth@ietf.org>; Mon, 28 Feb 2011 18:27:11 -0800 (PST)
Received: from source ([74.125.82.176]) (using TLSv1) by na3sys010aob101.postini.com ([74.125.244.12]) with SMTP ID DSNKTWxZvF2O5+iAcM0LaP8/ldyVLQcKzV4l@postini.com; Mon, 28 Feb 2011 18:28:14 PST
Received: by wya21 with SMTP id 21so4825287wya.21 for <oauth@ietf.org>; Mon, 28 Feb 2011 18:28:11 -0800 (PST)
Received: by 10.227.72.147 with SMTP id m19mr5559566wbj.131.1298946489897; Mon, 28 Feb 2011 18:28:09 -0800 (PST)
Received: from [192.168.0.10] (dan75-7-88-166-184-189.fbx.proxad.net [88.166.184.189]) by mx.google.com with ESMTPS id o6sm3834718wbo.15.2011.02.28.18.28.08 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 28 Feb 2011 18:28:09 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234464F0C3A56@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 01 Mar 2011 03:28:06 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <2B9EA296-F846-4C03-8291-C1D8A21EDB74@kiva.org>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F44@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTi=tvwsR=_EhPRkYEwC+ERwRCNN2aAWDqRDvwx8B@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A315638493F514F@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTimxhoK1vt8HwSF9dvu4Z5xjqrLLb2SULj9pp=9b@mail.gmail.com> <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F9A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTindJ3oGpggvZ7jRJ4TRhTRomyZG+DwLOfbHD2kq@mail.gmail.com> <OFEFAF96E1.1837BBD4-ON8025783B.0040108E-8025783B.0040FF69@ie.ibm.com> <AANLkTi=PnOmyaMnNrGgPnOO_wtF8b_=v99wiR5ospHLH@mail.gmail.com> <4D68F471.3090204@lodderstedt.net> <4D6C0289.3030300@alcatel-lucent.com> ! <AANLkTi=GK2Lrb_snOenhiCPxdqL85VHqLyp4Y1_aCCdp@mail.gmail.com> <C5A22573-AB0B-4368-9265-62B8083E9E65@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F0C3A56@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1082)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2011 02:27:18 -0000

I had assumed a use case for this was an entirely browser-based client. Such a client would be limited to same-host requests. Providing a proxy to make token requests just opens the possibility of abuse of client proxies with poor security practices - and for no added value. If a client can't secure credentials, there's no point in a second round trip. As such, simplify the model and, in the process, emphasize the loss of of a layer of security in the flow.

In principle, I favor reserving separate flows for credential vs. credential-less apps. However, in practice, I see providers evangelizing one flow when there are a mix of apps with credentials and those without (eg, mix of device & hosted apps in the ecosystem) and thus no need to restrict the code flow only to clients with secrets. One flow is enough complication when there is provider-specific complexity to explain as well. The implicit flow, then, seems appropriate for providers who never issue secret client credentials.

Better use cases anyone?


On Mar 1, 2011, at 2:24 AM, Eran Hammer-Lahav wrote:

> One more round trip is often too slow.
> 
> EHL
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Phil Hunt
>> Sent: Monday, February 28, 2011 3:18 PM
>> To: Marius Scurtescu
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>> 
>> Given these questions, I am wondering, why does the Implicit Grant flow
>> NOT have an authorization code step?  Having one, would keep architecture
>> of AS and TS clearly separate.
>> 
>> One down side is that issuing of access/refresh token would now have to be
>> opened to SHOULD authenticate the client from MUST.
>> 
>> What was the original case for this flow?  That should point us as to why the
>> separate flow and whether refresh makes sense given the higher risks of the
>> implicit flow.
>> 
>> Phil
>> phil.hunt@oracle.com
>> 
>> 
>> 
>> 
>> On 2011-02-28, at 2:58 PM, Marius Scurtescu wrote:
>> 
>>> On Mon, Feb 28, 2011 at 12:16 PM, Igor Faynberg
>>> <igor.faynberg@alcatel-lucent.com> wrote:
>>>> +1
>>>> 
>>>> Igor
>>>> 
>>>> Torsten Lodderstedt wrote:
>>>>> 
>>>>> ...
>>>>> 
>>>>> I'm in favour to add the refresh token parameter to the implicit
>>>>> grant flow as it would make it more useable for native apps.
>>> 
>>> I think it is much safer to go with refresh tokens only sent
>>> indirectly through an authorization code swap.
>>> 
>>> Implicit grant with refresh token also has no client secret swap and
>>> makes things worse by passing the refresh token through the browser.
>>> 
>>> Marius
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email