IETF Logo Mail Archive

Re: [OAUTH-WG] user-agent flow needs a rewrite

Eran Hammer-Lahav <eran@hueniverse.com> Sun, 11 July 2010 13:37 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A3E863A6974 for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 06:37:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.327
X-Spam-Level:
X-Spam-Status: No, score=-2.327 tagged_above=-999 required=5 tests=[AWL=0.271, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rlm423ZeVoYw for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 06:37:21 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 4BEF43A6985 for <oauth@ietf.org>; Sun, 11 Jul 2010 06:37:21 -0700 (PDT)
Received: (qmail 24029 invoked from network); 11 Jul 2010 13:37:27 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 11 Jul 2010 13:37:27 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Sun, 11 Jul 2010 06:37:28 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Eaton <beaton@google.com>
Date: Sun, 11 Jul 2010 06:37:25 -0700
Thread-Topic: [OAUTH-WG] user-agent flow needs a rewrite
Thread-Index: AcsgsTNdzUBzvAJKTDKhTG0SEXY31QATP8Rn
Message-ID: <C85F1725.36FD1%eran@hueniverse.com>
In-Reply-To: <AANLkTilLjR9aJ-BmJ4qAwjvw3zUEYFUvsqZsEPnZL-rO@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C85F172536FD1eranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2010 13:37:26 -0000

The problem with the original 'type' parameter and the flows in general is that they tried to address a specific use case and then got expanded (or overloaded) with other use cases. The user-agent and web-server flows became the foundation of native applications, and there were people discussing using native application techniques for user-agent clients. At the end, the flow names and prose became more confusing than helpful (I'm not talking about the grouping of normative language).

The key here is to figure out what information about the client the server actually needs, what it should obtain during registration, and what it can figure out from other parameters. For example, if a client_id has a matching secret, do you allow it to request an access token directly in the authorization endpoint? If you do, is it going to include the same capabilities as an access token obtained using an authorization code and client authentication? It seems like we need to address these questions head on.

The server can't trust what the client is asking unless the client is authenticated *and* the server can trust that authentication (i.e. Client secret not used in a user-agent). For that, you need to establish some form of trust with the client which in today's world means registration. If you are going to perform registration, that's where you should ask about the nature of the client so you can optimize the user experience and the overall security.

The way I understand the Twitter use case is that the client isn't just a user-agent trying to get both an access token and authorization code (or refresh token), but a more complex client which includes both a user-agent and web-based components, each providing a different functionality, but both using the same, single end-user authorization (i.e. The end-user is asked once).

EHL




On 7/10/10 9:26 PM, "Brian Eaton" <beaton@google.com> wrote:

On Sat, Jul 10, 2010 at 9:05 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> There is no user-agent flow anymore.

Yeah.  That's a bug. =(

> The request was to allow it to
> obtain both when using a web-based component together with the user-agent.

Right, this didn't use to be possible, but Brian Ellin asked for this,
and several people agreed it was a good idea.  Unfortunately when that
feature got added, it broke a bunch of other stuff:
- all of the descriptive language about the user-agent flow is inaccurate
- if anyone tries to use the verification code approach with the
user-agent flow, the user-agent flow is no longer efficient

So in the quest to add a new feature, we broke other features.  Plus
we didn't get the new feature right.  This sounds like a normal
software development project. =)

Let me know what you think of the new language I proposed.

Note that this pretty much requires that the "type" parameter return
to the authorization URL.  That's a good thing.  If authorization
servers know about the client environment, they do a better job of
meeting the client's needs.

(Also note that we tried leaving this parameter out of WRAP, and
regretted it afterwards.)

Cheers,
Brian

v2.35.0 | Report a Bug | By Email | System Status