Re: [OAUTH-WG] oauth with command line clients

Bill Burke <bburke@redhat.com> Sat, 17 June 2017 14:24 UTC

Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFB43129AD2 for <oauth@ietfa.amsl.com>; Sat, 17 Jun 2017 07:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.912
X-Spam-Level:
X-Spam-Status: No, score=-4.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hthzg1M1mn6R for <oauth@ietfa.amsl.com>; Sat, 17 Jun 2017 07:24:26 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24EA7129ACD for <oauth@ietf.org>; Sat, 17 Jun 2017 07:24:26 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7496F81222; Sat, 17 Jun 2017 14:24:25 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 7496F81222
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=bburke@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 7496F81222
Received: from ovpn-116-55.phx2.redhat.com (ovpn-116-55.phx2.redhat.com [10.3.116.55]) by smtp.corp.redhat.com (Postfix) with ESMTP id A5BB67ABFA; Sat, 17 Jun 2017 14:24:24 +0000 (UTC)
To: Phil Hunt <phil.hunt@oracle.com>, Justin Richer <jricher@mit.edu>
Cc: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
References: <a496c372-b700-c6ad-06e7-c257c10d5986@redhat.com> <CAGBSGjoarSVOEdqjPJXL6BfuACnZeks4LEyBpaMSb+TQ_WFNFw@mail.gmail.com> <83057e12-1d09-1b2c-88a4-b1918c9a0b5b@mit.edu> <A743D557-F3BB-49EB-919D-90EFCE4A98A8@oracle.com>
From: Bill Burke <bburke@redhat.com>
Message-ID: <7f013f54-3484-b15a-8dca-71209d48cede@redhat.com>
Date: Sat, 17 Jun 2017 10:24:23 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.2.0
MIME-Version: 1.0
In-Reply-To: <A743D557-F3BB-49EB-919D-90EFCE4A98A8@oracle.com>
Content-Type: multipart/alternative; boundary="------------2D6F3CCBEBCF24700D18DB8C"
Content-Language: en-US
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Sat, 17 Jun 2017 14:24:25 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HXL2diWF_NjUBSDhtIznJOXRmvs>
Subject: Re: [OAUTH-WG] oauth with command line clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jun 2017 14:24:29 -0000

I guess the auth code flow could be used with the command line tool 
using the OpenID Connect "display" parameter with a value of 
"command-line" or "text" or something when it makes its auth request.  I 
could go the route of defining what "command-line" display value would 
mean in OIDC land.  Awkward from an implementation point of view, but a 
viable path.

Quite honestly, I just dont' see how any app developer would want to 
require device flow.  It is a bad user experience.  I would even go as 
far to say that the device flow is an unacceptable user experience.  
Especially if cut and paste is not possible and the human has to enter 
in some kind of long cryptic code by hand.




On 6/12/17 2:34 PM, Phil Hunt wrote:
> +1
>
> The point of OAuth is to break away from using UID/Password (basic auth).
>
> The device flow is the best way to allow stronger authentication of 
> the authorizing user while still allowing a limited input device (e.g. 
> command line) to work.
> Phil
>
> Oracle Corporation, Identity Cloud Services Architect & Standards
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>> On Jun 12, 2017, at 11:22 AM, Justin Richer <jricher@mit.edu 
>> <mailto:jricher@mit.edu>> wrote:
>>
>> I second the recommendation to use the device flow for this kind of 
>> system. The commandline client would print out a text string for the 
>> user to enter into their browser elsewhere.
>>
>> If you can pop up a system browser then it's even easier and you can 
>> just use the auth code flow, but it's a lot to assume that a 
>> commandline app can have that kind of capability available to it. 
>> Printing out a string? That's easy and universal. That's why I say go 
>> with the device flow.
>>
>> The thing is, at the end of the day, you need the user to 
>> authenticate to the AS if you're going to get delegated access from 
>> them. That's really the whole point of the OAuth protocol, after all. 
>> So you can either do that in a local browser of some kind (like 
>> popping a system browser), on another device (with the device flow), 
>> or you can be evil and use the username/password grant and just steal 
>> the user's credentials yourself. If it's not clear, I don't recommend 
>> that, basically ever.
>>
>>  -- Justin
>>
>>
>> On 6/11/2017 11:58 PM, Aaron Parecki wrote:
>>> I've seen this done a few ways:
>>>
>>> * The Device Flow: 
>>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow 
>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Doauth-2Ddevice-2Dflow&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=gWeHcqrhQt-ijJ5-UXHxML5rMtR05GjKVyxqZBEeQAM&e=> 
>>> which is what you see on browserless devices like the Apple TV 
>>> logging in to a cable provider from your phone. A short code is 
>>> generated and displayed on the screen, you launch a browser on your 
>>> phone and enter the code. This would work just as well from the 
>>> command line on the same device.
>>> * I've also seen apps use the authorization flow, by displaying the 
>>> authorization URL on the command line prompt and instructing the 
>>> user to open it in a browser. The redirect URI is a hosted web page 
>>> that displays the authorization code and instructs the user to paste 
>>> it back at the terminal.
>>> * The command line app can launch an HTTP server on localhost and 
>>> use that as the redirect URL for the authorization code flow. This 
>>> option ends up being the most seamless since it works like a 
>>> traditional flow without any special instructions to the user.
>>>
>>> ----
>>> Aaron Parecki
>>> aaronparecki.com 
>>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__aaronparecki.com&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=Zn85klv9a00I3Uo74zgqAelgrFUFQc72PdFwg4gkECQ&e=>
>>> @aaronpk 
>>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_aaronpk&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=g5RjhR9W1VYt00S4dV0t9ijZ4gC4HE93waQ_t7mUzUs&e=>
>>>
>>>
>>> On Sun, Jun 11, 2017 at 8:52 PM, Bill Burke <bburke@redhat.com 
>>> <mailto:bburke@redhat.com>> wrote:
>>>
>>>     Has anybody done any spec work around doing oauth from command
>>>     line interfaces?  We're looking for something where the auth
>>>     server can generate text-based challenges that are rendered in
>>>     the console window that query for simple text input over
>>>     possibly multiple requests.  I'm not talking about Resource
>>>     Owner or Client Credentials grant.  The command line client may
>>>     not know the credential types required for a successful token
>>>     request. It would be easy to write a simple protocol, but I'd
>>>     rather just do something around any existing internet draft or
>>>     rfc that somebody has put some thought into.  Hope I'm making
>>>     sense here.
>>>
>>>     Thanks,
>>>
>>>     Bill Burke
>>>
>>>     Red Hat
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>     <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e=>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e= 
>>
>