IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

"Richer, Justin P." <jricher@mitre.org> Wed, 14 March 2012 19:47 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C46D821F875B for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 12:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.284
X-Spam-Level:
X-Spam-Status: No, score=-6.284 tagged_above=-999 required=5 tests=[AWL=-0.285, BAYES_00=-2.599, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4lOURKZSvjo for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 12:47:41 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1DFD021F880F for <oauth@ietf.org>; Wed, 14 Mar 2012 12:47:41 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1D7DD21B0367; Wed, 14 Mar 2012 15:47:40 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id F019521B1235; Wed, 14 Mar 2012 15:47:39 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.126]) by IMCCAS01.MITRE.ORG ([129.83.29.78]) with mapi id 14.01.0339.001; Wed, 14 Mar 2012 15:47:39 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Eran Hammer <eran@hueniverse.com>
Thread-Topic: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Thread-Index: AQHNAgMWxQQUri5nmEOAit8MpDUHmZZqSTIAgAACNICAAA7JAIAABA0AgAADMYCAAAHmgIAAC4QAgAAGzwA=
Date: Wed, 14 Mar 2012 19:47:38 +0000
Message-ID: <FA2BEFD7-6D3C-42BD-9FAE-7AE1A9706A79@mitre.org>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08932@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B16804296739436641D4E3@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.8.106]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <F87AF7B31C4DC44AA05B9E2FF8102464@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 19:47:42 -0000

Even though I also don't like the addition of normative text in such a late revision, I'm with Eran in that I don't think this actually introduces a breaking change, nor did I read it as such when it went through. It's talking about public vs. confidential clients and keeping them separate, and it's really got nothing to do with the response type. After all, you can have a public client use the code flow (like a native app) just fine. But though if it's clear to me, it's definitely to the spec's benefit to make sure that the language is clear, and as Mike points out if a decent subset of familiar developers misread it the same way, then we should fix that.

I think that perhaps the use of normative language here was the major confusing point -- it made something explicitly normative that was implicitly recommended before. If that's the case, would removal of the normative MUST (change to "must" or "really should") in the client type text help the situation?

Barring the relaxation of normative language here, Eran's first text below clarifies that this is in response to the public/confidential client type and *NOT* the response_type, and does so better than Mike's suggested text which I believe continues to conflate the two. 

 -- Justin

On Mar 14, 2012, at 3:23 PM, Eran Hammer wrote:

> Let's take a step back for a second.
> 
> Previous versions of this document stated that during the registration process the client developer specifies the client type as described in 2.1. This has been specified under "registration requirements" since -17 published July 8th 2011. The only two types provided were (and still are) public and confidential.
> 
> While there was no MUST or SHALL directive, the text was pretty clear about the need for each client registration to be tied to a single client type.
> 
> -23 was an attempt to clarify this, by making it explicit that hybrid clients are not addressed by the specification, and have to be dealt with as two separate clients.
> 
> The specification breaks if a client has more than one type. The authorization server cannot enforce some of the security requirements if the client type is unknown. This is all based on how the specification is written and how the security consideration section is structured.
> 
> The real issue raised here is how to handle hybrid clients which are beyond the scope of this specification.
> 
> Here is an alternative text:
> 
>   A client application consisting of multiple components, each with its
>   own client type (e.g. a distributed client with both a confidential
>   server-based component and a public browser-based component), MUST
>   register each component separately as a different client to ensure
>   proper handling by the authorization server, unless the authorization
>   server provides other registration options to specify such complex clients.
> 
> It's basically saying that unless the authorization server provides a special option other than 'public' and 'confidential', clients MUST register such applications separately for each component. It leaves the decision of how to deal with such clients completely up to the authorization server during the registration process.
> 
> I think we should also add a SHALL in section 2: "When registering a client, the client developer SHALL:", which is implicit already.
> 
> Another, less desirable alternative is to remove this section and add:
> 
>   The authorization server MAY provide the client with other client types
>   options during the registration process. Such client types are beyond the
>   scope of this specification. Such additional client types will require a
>   different set of security considerations not provided by this specification.
> 
> My intention was never to introduce a (breaking) change here, just to clarify what was already the prescribed process. I'm open to other suggestions as long as they account for the deep dependency this protocol has on client type identification.
> 
> EH
> 
> 
> 
>> -----Original Message-----
>> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
>> Sent: Wednesday, March 14, 2012 11:42 AM
>> To: Eran Hammer; Marius Scurtescu
>> Cc: Breno de Medeiros; OAuth WG
>> Subject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>> 
>> All of Marius, Breno, Nat, myself, and several others on the OpenID AB list
>> have read it this way.  I believe that either this change needs to be removed
>> (my preference!) or a sentence needs to be explicitly added that states that
>> "The same client_id MAY be used with both the code and token response
>> types"  to explicitly rule out this apparently common misinterpretation of the
>> new text.
>> 
>> Otherwise, I agree that it will continue to be perceived by most people as a
>> breaking change.
>> 
>> 				-- Mike
>> 
>> P.S.  When you make this change, you should also correct the typo in this
>> sentence: "The authorization server MAY provider tools to manage such
>> complex clients through a single administration interface" by changing
>> "provider" to "provide".
>> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Eran Hammer
>> Sent: Wednesday, March 14, 2012 11:35 AM
>> To: Marius Scurtescu
>> Cc: Breno de Medeiros; OAuth WG
>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>> 
>> You are not reading it correctly.
>> 
>> This is a *registration* requirement, meaning, the client has to inform the
>> server of the different components. If the server doesn't care, it can issue
>> one client identifier capable of both.
>> 
>> This protocol assume the authorization server asked the client for its type
>> and based on that made decisions about the credentials issued and the
>> security properties of the client. It is also triggers a whole list of normative
>> language handling the different client types throughout the specification.
>> 
>> EH
>> 
>>> -----Original Message-----
>>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>>> Sent: Wednesday, March 14, 2012 11:24 AM
>>> To: Eran Hammer
>>> Cc: Breno de Medeiros; OAuth WG
>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>> 
>>> Before v23 a web server client could use either response_type=code or
>>> response_type=token, with the same client id. No security issues and
>>> this was supported for quite a while.
>>> 
>>> With this latest change, if I am reading it correctly, this is not
>>> possible anymore. The client has to use two different client ids. It
>>> is very late in the game to introduce changes like this, unless there
>>> is an extremely good reason.
>>> 
>>> Marius
>>> 
>>> 
>>> 
>>> On Wed, Mar 14, 2012 at 11:09 AM, Eran Hammer <eran@hueniverse.com>
>>> wrote:
>>>> If the server locks a client type to a particular grant type (or
>>>> response type)
>>> then this is true, you don't need to specify the response type in the
>> request.
>>> But this is based on a very limited set of potential response types. I
>>> can envision a code response type with different response syntax but
>>> same security properties, and same goes for token.
>>>> 
>>>> In the past, a cookie response type was proposed to use the cookie
>>> headers in the server response instead of returning a token. The
>>> security properties of such a flow are very similar to those of token
>>> (from OAuth's perspective). This means a public client would be able
>>> to request either token or cookie response type.
>>>> 
>>>> Also as noted, servers are allowed to provide different registration
>>>> options
>>> to clients, as long as the client identifies each discrete component.
>>> There is no requirement or even suggestion that the server issues
>>> different client identifiers to such complex clients. I think this is
>>> another point missed in your reading of the text.
>>>> 
>>>> Hope this clarifies it.
>>>> 
>>>> EH
>>>> 
>>>>> -----Original Message-----
>>>>> From: Breno de Medeiros [mailto:breno@google.com]
>>>>> Sent: Wednesday, March 14, 2012 10:16 AM
>>>>> To: Eran Hammer
>>>>> Cc: Marius Scurtescu; OAuth WG
>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>> 
>>>>> Can you explain to me why response_type is necessary at all after
>>>>> this change.
>>>>> 
>>>>> If a javascript client (candidate for token usage) and the web
>>>>> server component (candidate for code usage) cannot share
>>>>> registration (since they are different components with different
>>>>> security contexts of the same
>>>>> application) then there is no need to specify response_type. The
>>>>> server can infer the response type from the client and its security
>> context.
>>>>> 
>>>>> My objection has nothing to do with code+token flow. I think the
>>>>> change makes response_types irrelevant and is essentially a new
>>> protocol.
>>>>> 
>>>>> As far as I understand it, the introduction of different code and
>>>>> token flows was precisely to allow different security-context
>>>>> components of the same client to securely operate under the same
>>>>> registration. I think if we change this we need to specify a lot
>>>>> more behavior, such as how a client can request authorization on
>>>>> behalf of
>>> several components simultaneously.
>>>>> 
>>>>> On Wed, Mar 14, 2012 at 10:08, Eran Hammer <eran@hueniverse.com>
>>>>> wrote:
>>>>>> This was already raised and addressed on this list last week.
>>>>>> 
>>>>>> When someone defines and registers code+token, that specification
>>>>>> must
>>>>> define how such a client is registered in light of the text below.
>>>>> This might mean defining a new client type, choosing the
>>>>> confidential client type with other normative text limiting the use
>>>>> of the secret in the public component, etc.
>>>>>> 
>>>>>> IOW, this section doesn't break anything because there is nothing
>>>>>> else
>>>>> defined to break. There is no way to avoid explicitly defining
>>>>> these requirements for a code+token response type, or any other new
>>>>> response type for that matter. The text below is required to ensure
>>>>> that the authorization server can properly enforce the rest of the
>>>>> normative security language in the specification.
>>>>>> 
>>>>>> EH
>>>>>> 
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>> Behalf Of Marius Scurtescu
>>>>>>> Sent: Wednesday, March 14, 2012 9:53 AM
>>>>>>> To: OAuth WG
>>>>>>> Cc: Breno de Medeiros
>>>>>>> Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>> Nat Sakimura started a thread on the OpenID Connect list about a
>>>>>>> breaking change introduced by rev 2.3
>>>>>>> 
>>>>>>> The paragraph in question is in section 2.1:
>>>>>>> 
>>>>>>> "A client application consisting of multiple components, each
>>>>>>> with its own client type (e.g. a distributed client with both a
>>>>>>> confidential server-based component and a public browser-based
>>>>>>> component), MUST register each component separately as a
>>>>>>> different client to ensure proper handling by the authorization
>>>>>>> server.  The authorization server MAY provider tools to manage
>>>>>>> such complex clients
>>>>> through a single administration interface."
>>>>>>> 
>>>>>>> http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-
>>>>>>> oa
>>>>>>> uth
>>>>>>> -v2-
>>>>>>> 23.txt
>>>>>>> 
>>>>>>> You can see the thread here:
>>>>>>> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-
>>>>>>> 20120312/001672.html
>>>>>>> 
>>>>>>> This paragraph basically prevents response_type=code+token which
>>>>>>> is already implemented by many providers and also relied on by
>>>>>>> OpenID Connect.
>>>>>>> 
>>>>>>> The intent, I think, was to prevent clients from embedding the
>>>>>>> client secret meant for a confidential client into a public client.
>>>>>>> JavaScript based clients using the token flow do not need the
>>>>>>> client secret, so this concern does not apply.
>>>>>>> 
>>>>>>> Thoughts?
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Marius
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> --Breno
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email