Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
Dick Hardt <dick.hardt@gmail.com> Tue, 07 July 2020 23:36 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002173A0C2A for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 16:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XUjRz2Sv4KCT for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 16:36:28 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78253A0C1B for <oauth@ietf.org>; Tue, 7 Jul 2020 16:36:27 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id f5so36192700ljj.10 for <oauth@ietf.org>; Tue, 07 Jul 2020 16:36:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KR+x7rqvtD1oChOr898twdijgA5nja6bDgZjlbAYUMY=; b=Lkbq0PPZfpWUBD7TscxgDUKXTXIXRc5R6XtGkKtraQ9VidSwoagaNEfvjEAa534rlx Cw95bVf6kA4NbxF/sHwUG2ge/Zb8Dg0oTwP6t1SpkU6jUkWfxPf2NcNC9UCOyZyaCiLj 6FyKk38xr+NAaQf/bK0IMCh/5i3XTE1vIqVw605nf7tsrc06G6UYhNxnkZpuU8HJKysb z39qyt8GF42ZX16ML1D0E375FxSzkSqFPyzIDZ27Zkm+WJjnwMybTxcK9Uz5VbJAMSbn KDAjYXKTxLo9jHTRMg03RPVMm7nLR4f0Nwvfk4F2RWQjjjD3rdDLBPSN/UjC38R+nHHA igxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KR+x7rqvtD1oChOr898twdijgA5nja6bDgZjlbAYUMY=; b=CXG10AdcbhKCzdX5XvmoNqyL8GEZv/LCy2jXWXQLMuvkrhGd9EHFy7HJzedwBHkjFe mhagppIcatoT0OFKZJD50K4cMWpFKpQ/nPm1CDaolOG4xSla6ZlR1UTpIY6rFmOi+vE2 njPPrlQ2pB4eh+WAxpUdzZpMPnl6rtNI6Dir4DpxV7+P17NxwniIlwIyJDmxbYGfQMUs dZGG3P3iXx8M3wOs1dly3axBjWqE1madPK13uFhX4gMfJR/Q4ukKd3nZRLs+LPHTzlez 72lyTpReTfsLqlz4l1KRuEE8EzuxCovZMyyj/STrcHxHPJRW1BwzrmGI6sLM06agmsRh GRSA==
X-Gm-Message-State: AOAM532XXpJaK7uskSfpMg+3fyZstR2tnchzxmKFXhCnWuLDsDVGAraD S8nKQskwA7PpHtgauJght/IaTm7Izbs9o470VQytNLDr
X-Google-Smtp-Source: ABdhPJx+6Y6XrWgxZ97O7Myq+A4/13oaNlv60EsOXPw7cTaw3Ux2VM5bvvmev2d3yMH6QvrA9ERgUM9mjxuU42wyUlo=
X-Received: by 2002:a2e:b607:: with SMTP id r7mr26268947ljn.5.1594164985886; Tue, 07 Jul 2020 16:36:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com> <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com>
In-Reply-To: <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 07 Jul 2020 16:35:49 -0700
Message-ID: <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b27bf205a9e27505"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GK6r3uTeRSK1m1uSWPWvM0gYQUc>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 23:36:31 -0000
Thanks Sascha and Vladimir for the feedback! Sascha: did you have a concern with the document being adopted by the WG? ᐧ On Tue, Jul 7, 2020 at 4:04 PM Sascha Preibisch <saschapreibisch@gmail.com> wrote: > Hi all! > > Here is the rest of my feedback. At the end I also included a list of > typos and the summary of changes that I have found between RFC 6739 > and the current draft. > > Regards, > Sascha > > Section 2.3. Client Authentication > ------------------------- > > Draft and current: > - both documents contain this description: "... the authorization > server (e.g., password, public/private key pair)" > - since the client usually uses a 'client secret', maybe this could be > worded as such: > - suggestion: "... the authorization server (e.g., client secret, > public/private key pair)" > > Draft: > > "The authorization server MAY establish a client authentication method > with public clients, which converts them to credentialed clients. > However, the authorization server MUST NOT rely on credentialed > client authentication for the purpose of identifying the client." > > - Does this mean that credentialed clients are as trustworthy/ not > trustworthy as public clients? > > Draft: > > "Clients in possession of a client password, also known as a client > secret, ..." > > - Maybe this could simply be changed to: > "Clients in possession of a client secret ..." > > Section 3.1.2.2 Registration Requirements > ------------------------- > > Draft: > > "Lack of requiring registration of redirect URIs enables an attacker > to use the authorization endpoint as an open redirector as described > in <a href="#section-9.18">Section 9.18</a>." > > - is that still required since redirect_uris have to be pre-registered now? > > Section 4.1. Authorization Code Grant > ------------------------- > > Draft: > - Figure 3, step (1), does not include 'code_challenge_method' Is that > intentionally? > - I am suggesting to include it to avoid potential questions and > confusion. It could listed as 'optional' as 'scope' is > - In addition, when referencing parameters, they should be spelled as > used in the protocol, i.e.: 'code_challenge' instead of > 'code_challenge' > > Section 4.1.1 Authorization Request > ------------------------- > > Draft: > > "Clients use a unique secret per authorization request to protect .... " > > - It would be less confusing if this section would start of with "PKCE > is required" > - Introducing a '... unique secret per ...' sounds like something very > new although this is referencing PKCE > - Suggestion (along the lines of): > "Clients MUST leverage PKCE per authorization request to protect ..." > > Section 4.1.2.1 Error Response > ------------------------- > > Draft: > > "An AS MUST reject requests without a "code_challenge" from public > clients, and MUST reject such requests from other clients unless > there is reasonable assurance that ..." > > - These statements are the ones that cause discussions between > developers and/ or third parties > - ' ... unless ...' is very difficult to grasp, even when looking into > section 9.8 > - I would suggest to make it required > > Section 5.1 Successful Response > ------------------------- > > Draft and current: > > - both documents describe the refresh_token response parameter and > describe it as such: > "OPTIONAL. The refresh token, which can be used to obtain new access > tokens using the same authorization grant as described in <a > href="#section-6">Section 6</a>" > > - As an enhancement, I suggest this update: > "OPTIONAL. The refresh token, which can be used to obtain new access > tokens using the grant type "refresh_token" as described in <a > href="#section-6">Section 6</a>" > > Section 6. Refreshing an Access Token > ------------------------- > > Draft: > > Authorization servers SHOULD determine, based on a risk assessment, > whether to issue refresh tokens to a certain client. If the > authorization server decides not to issue refresh tokens, the client > MAY refresh access tokens by utilizing other grant types, such as the > authorization code grant type. In such a case, the authorization > server may utilize cookies and persistent grants to optimize the user > experience. > > - That paragraph sounds like a general advice for web developers and > should appear in an appendix for my taste > - ' ... based on risk assessment ... ' may exclude any implementation > that does not have such capabilities > > === > > Draft: > > - this section includes this statement: > "Confidential or credentialed clients MUST authenticate with the > authorization server ..." > > - section 2.3 includes this statement and makes me wonder how > confident an authorization server can be when working with > 'credentialed' clients': > "However, the authorization server MUST NOT rely on credentialed > client authentication for the purpose of identifying the client." > > - Any clarification, I would say about the client type 'credentialed' > in general, would be helpful > > ------------------------- > Typos: > ------------------------- > > Section 2.1. Client Types > ------------------------- > > Draft: > > "credentialed": Clients that have credentials and their identity has > been not been confirmed by the AS are designated as "credentialed > clients" > > - I believe it should be: > > "credentialed": Clients that have credentials and their identity has > not been confirmed by the AS are designated as "credentialed clients" > > Section 3.2.1 Client Authentication > ------------------------- > > Draft: > > "Confidential or credentialed clients client MUST authenticate with..." > > - I believe it should be: > "Confidential or credentialed clients MUST authenticate with..." > > ------------------------- > Summary of changes between draft and current: > ------------------------- > > - no more implicit > - no more response_type=token > - no more ropc > - no more redirect code 307 > - no more open redirect_uri > - new client type 'credentialed' > - must use PKCE (with few exceptions) > - AS must provide a way to show their support for 'code_challenge_method' > > - refresh token should expire > - description for client type 'confidential' got updated > - clients should not be able to choose their client_id > - no reference to 'mac' token profile anymore > - section 7.2 details on Bearer token > - resource server must include 'WWW-Authenticate: Bearer > realm="example"' header for failing authorization > - extended list of security threats > - discussion on native apps removed > - recommended bindings between access_token and resource_server > - recommended refresh_token rotation or sender-constraints > - recommended to use '127.0.0.1' instead of 'localhost' > > On Tue, 7 Jul 2020 at 15:21, Vladimir Dzhuvinov <vladimir@connect2id.com> > wrote: > > > > I find 03 well structured, well written and it shows that a lot of > thought and work has gone into it. > > > > If this is a formal call for adoption - I support it. > > > > > > - defined new client type - credentialed clients - a client that has > credentials, but the AS has not confirmed the identity of the client. > Confidential clients have had their identity confirmed by the AS. We talked > about changing the names of confidential and public, but thought that would > be confusing. This new definition cleans up the text substantially. > > > > I understand why this new client type was introduced. For the reader who > is not familiar with the recent OAuth RFCs and drafts - I suspect this can > still be confusing. There will likely be questions -- Why does this > difference between confidential and credentialed matter? What is a concrete > example of a credentialed client? > > > > Also, people will likely ask themselves - what does the confirmation of > a (credentialed) client's identity by the AS actually mean and do? (section > 2.1) > > > > > > Authorization servers SHOULD consider the level of confidence in a > > client's identity when deciding whether they allow such a client > > access to more critical functions, such as the Client Credentials > > grant type. > > > > Again, normative text that relies on the implementer being able to > assign levels of confidence in the client's identity, but is not > immediately obvious how to go about this. > > > > > > There is mention in 9.1 about "enlisting the resource owner to confirm > identity" and "if there is a web application whose developer's identity was > verified...". But this talk about client identity is secondary and happens > in the context of client authentication. > > > > Perhaps it will make sense to promote the discussion about identity to a > new 9.x section "Client identity" or "Client Identification", before > "Client Authentication". Addressing the topics what client identity is, why > does it matter (especially for security), and the "confirmation by the AS". > Then proceed with "Client Authentication" which now is freed to focus on > the credentials / auth methods aspects. > > > > Such credentials are either issued by the > > authorization server or registered by the developer of the client > > with the authorization server. > > > > Credentials (public key) can also be registered by a client performing > dynamic registration (section 2.1) > > > > > > Vladimir > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Dick Hardt
- Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption? Sascha Preibisch