IETF Logo Mail Archive

Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )

Ash Narayanan <ashvinnarayanan@gmail.com> Fri, 15 October 2021 00:25 UTC

Return-Path: <ashvinnarayanan@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 168213A14AB for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 17:25:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjpPKxGjX-bs for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 17:25:05 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0F8F3A14A9 for <oauth@ietf.org>; Thu, 14 Oct 2021 17:25:04 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id w12-20020a056830410c00b0054e7ceecd88so10631537ott.2 for <oauth@ietf.org>; Thu, 14 Oct 2021 17:25:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JavR9xMuE6HA8FSBT+eiA28RVqExBtvlAc4RqlNq2GU=; b=QMHuHUNLSw5oAo95gzFBg9HWCpfah+XsuyJnZSLgVDkVRJOisyg0h6yopfp5hzu6Vn KmicBKeDqd2ii8rctqSXO19ObxFDKBt1S9gKZQ813ZI36ajoRpVGsAYfkr2LCKtBPpSb Wm6GHTPRU+V4cZI7Pghb5FgemsVI6TEwgBSvOSgtdlLKnCkud/JtCB27Wqs0p/hPPNmV k8La8XsZ3AmgZFidIRKmUQnvi571ioI8Z/vAqdst+z4Cf22jQAL6D3dB/iCIwNbfr/W3 jmV8hggTQ3YXzYoZsRqTcVb8vSjZLQoPAMaKQwC3ntZIplUxcoWcXVpqJmwqiljOaOBK TDZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JavR9xMuE6HA8FSBT+eiA28RVqExBtvlAc4RqlNq2GU=; b=AD1M1j1VTQ7vUuWIGc7cGhmHMWGJ/gyQtw0NuyA8j2CYmfMpbs5QSrsOvJ5XLW+t/n iNTB3EtPGcq3ZAbCbGFFuExCC7vRkOYUoP6Y3MWaOkUFIiTZPMZRpO5CtYFYntg3JT5r AvitQLMRQNTOzZdy0kXWICcuZzDcNgIyjRWCA1Bf2rrGJm5QtYjzV5OAZcrZyYshLPlx mc3SBWydZupX29eSM3pBM80+PxwsiGpP7XOoC1lLcTsgrB5fgBB7ALtm2o6cY5uGC1ex FoEajmY2kB/TAMib46Iy+gY31HRdpGVvRX+qcb/V6CTAJZ2ZtWusEJoLz9ieEecqnjpt GctQ==
X-Gm-Message-State: AOAM532QQT0MCOncVMydzqixbeiBtXifE2zBQRnMgJqIe92gfgX4bnT0 Ur+J79Z/JYmzG0dOHdbJ1kZjdRdlFKsZVPxMszA=
X-Google-Smtp-Source: ABdhPJxzrZivuKe7mawMiPjL4+/LdE1rjXyvLIJInDbOgAABKuXmruAELvrD4u6mNqRE3IlBaO0C94UhhgPxjJTXE2c=
X-Received: by 2002:a05:6830:401b:: with SMTP id h27mr5206760ots.255.1634257503722; Thu, 14 Oct 2021 17:25:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com> <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com> <CAFvbn=bGwoe3gKp8nP+sFhjKb3QqBRZR9jxcH0UFvONOQ=-1SQ@mail.gmail.com> <CAJot-L0qQhANjEtr3P97kxsjnXtH93XfNQT33Yw3mr__m1Ndrw@mail.gmail.com>
In-Reply-To: <CAJot-L0qQhANjEtr3P97kxsjnXtH93XfNQT33Yw3mr__m1Ndrw@mail.gmail.com>
From: Ash Narayanan <ashvinnarayanan@gmail.com>
Date: Fri, 15 Oct 2021 11:24:52 +1100
Message-ID: <CAFvbn=aa_UDGky=Xz3AgGn=AmFtZQqgXJcAPdeykB4bJCTwT7A@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fb1f3a05ce59392a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GUP29TExxWR4ESjV1F_PmEUU6UQ>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Oct 2021 00:25:10 -0000

It may not be exactly the same issue Warren but it's definitely related.
"whether an AS knows about the client" is related to what Brian pointed out
about the AS identifying the client, which comes back to what I said
originally about how credentialed is currently defined in two parts:
a) Clients that have credentials
b) Clients that have no prior relationship with the AS

Your enums for known/unknown and the issue of identification relates to
part (b), which as I've mentioned, comes down to what "prior relationship"
means. If it means that the AS has previously generated credentials for
this client then that would explain why part (b) exists. However, if it
means that the AS has no prior *arrangement* with the client, such as
verifying the redirect_uri in the registration request to be from a list of
allowed ones, then I would argue that (b) does not hold.

In either case, "prior relationship" is sure to cause confusion, and as
you're said, being credentialed is independent of this anyway.

So my recommendation would be to drop (b) altogether. The problem then is
(again) what I originally mentioned; (a) by itself does not differentiate
the definition from that of a confidential client. Hence why I suggested a
better (and complete) definition for credentialed could just be:
*Clients that dynamically obtain their credentials*

Done; no more confusion about prior relationship or identification.

On Thu, Oct 14, 2021 at 8:17 PM Warren Parad <wparad@rhosys.ch> wrote:

> I'm not sure this is exactly the issue, but I also found the naming of *credentialed
> client* to be confusing. It would seem to me we have an enum whose values
> do not form an orthonormal basis. In other words, whether or not a client
> is credentialed is independent from whether an AS knows about the client.
> Does having credentials make this client different in some way, not really.
> It would seem to me better to assign the labels of:
> * public / confidential
> * known / unknown (or anonymous) client.
>
> Given the fact that an AS doesn't know about the client, does it really
> matter if it is credentialed? I would suggest instead of calling unknown
> credentialed client as such, that we use *anonymous, unknown, or
> unregistered*. And let the aspect of whether they are credentialed or
> not, drive other behaviors.
>
> Warren Parad
>
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement
> Authress <https://authress.io/>.
>
>
> On Thu, Oct 14, 2021 at 11:01 AM Ash Narayanan <ashvinnarayanan@gmail.com>
> wrote:
>
>> Hi Brian,
>>
>> I'm all for pivoting, as long as the original concerns raised are
>> addressed or even acknowledged, but since they weren't, here is the
>> original message again in its entirety.
>>
>> Cheers,
>> Ash
>>
>> ===
>>
>> Referring to the latest draft (
>> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ...
>>
>> 1. The definition given under section 2.1 Client Types is:
>>
>>> Clients that have credentials but no prior relationship with the AS are
>>> designated as "credentialed clients"
>>
>>
>> This does not seem like the best or even the right definition to me. The
>> definition as it stands, is in two parts:
>> a) "Clients that have credentials"
>> b) Clients that have "no prior relationship with the AS"
>>
>> With (a), the typical use-case is an app that runs on the end-user device
>> and dynamically registers itself with the AS. Such a client does not "have"
>> credentials to begin with, or at least the use of the word "have" here, if
>> it's intended to mean "at some point will have", does not differentiate it
>> from confidential clients, which are also defined to be clients "that have
>> credentials".
>> Instead, a better choice of words for credentialed clients may be
>> "Clients that dynamically obtain credentials".
>>
>> (b) is not necessarily true, because the credentialed client may very
>> well be a known client and therefore have a prior relationship with the AS.
>> Think of (common) scenarios where the AS and client are both part of the
>> same organisation or a peer organisation, and therefore the client metadata
>> an AS receives in a dynamic registration request is already known to the
>> AS. An AS may only decide to accept dynamic registrations from such known
>> clients.
>>
>> Of course I may not be interpreting "prior relationship" as it may be
>> intended, in which case that needs to be clarified somewhere.
>>
>>
>> 2. Continuing with section 2.1 Client Types, for a native application, it
>> says:
>>
>>> On the other hand, dynamically issued credentials such as access tokens
>>> or refresh tokens can receive an acceptable level of protection.
>>
>>
>> Why is this also not mentioned for a browser-based application? Unless
>> I'm  mistaken, in terms of accessibility for an intruder, in-memory for a
>> native app is equivalent to in-memory for an SPA and local storage for a
>> native app is equivalent to local storage for an SPA.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email