Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Ash Narayanan <ashvinnarayanan@gmail.com> Thu, 14 October 2021 09:01 UTC
Return-Path: <ashvinnarayanan@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABA63A100F for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 02:01:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cai_MKaAoj_3 for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 02:01:10 -0700 (PDT)
Received: from mail-oi1-x236.google.com (mail-oi1-x236.google.com [IPv6:2607:f8b0:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ECD63A1048 for <oauth@ietf.org>; Thu, 14 Oct 2021 02:01:10 -0700 (PDT)
Received: by mail-oi1-x236.google.com with SMTP id o204so7516719oih.13 for <oauth@ietf.org>; Thu, 14 Oct 2021 02:01:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zOpf5y5WazvQpp5T6sHxv3bHmsEHBcXiX7boAsXE1l8=; b=Z5TVS8wzQUSdlUcKtD0BOu/YGzGKjP03cyUOYjcf2BDziaT11rHceYdc89M724BQYK TSMa1irDTrOHclfUsf+vo3CxXepgjkkAck89rn9LIvVee/sZfcIcydaIq2iUcidP6al8 N50AK7GlsI+Qzi84og2gyIj9N9rC/pzlCUH7YMCdVgvn1OPyWQEqQPj8bfKywkVeRds1 2XdcztXNYWaKqb9Iw3cAp1b2H64VmmpqdwQb/COgyn4tMQTc1LuaqDQSK4XWu/8DgwN2 XcA1+nBPNhljoQwupELmxzLI0o4F1Fp41HUODtg56OlVdq0cHjcj4YYwyNkyvXUJF7xH 1YpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zOpf5y5WazvQpp5T6sHxv3bHmsEHBcXiX7boAsXE1l8=; b=41hwkphEPLPQ4qi4rYvCW0/wkRkFs+xkYfZ9JUS1NurnqOYlAH0jXayEANXt+6PtGJ 8RJ1LbZPb+j0j4RDB2y7mJtfffrrSOc/Dv1ooL/JAc0VZH3N14zYISwhaxzYvwL/SXDG EBaZwXLJb/VarNAOoMPaoZvpDrxRMgor5V1fAnvJ6ar0Ny0Iw3mBd1W7Vv+RRfHgXQS6 FGIqJmPguYsUVrI2Q65CBqM6kgSMTlwm+whrXg3OBOYaqp6EAsNBOdsvUY5MY2thIQS1 z+FFkoCQWnW3syjqjB8TCnwS2MLr4J6uPgdFF/DXImMwWL++fKaCTGdTQsAkw3rZDHrs iE/A==
X-Gm-Message-State: AOAM530xwVCw9J5V+F4uKvbosoHeIU4y4KRQbiY+t2kyxjG/2229ouMU GgILm2Ph278zHiRo4/5guQctY221Q+PgkTgxZ/Tdk2pPLCI3Rw==
X-Google-Smtp-Source: ABdhPJw0hAfuLXkiMZcGR1bZjZOpCHsrADETOrGcwRpQ30sKCR/0ThSBn00hf2pfxzLKgNfM4Kdbo7ATpBetzyjFEoY=
X-Received: by 2002:a05:6808:1487:: with SMTP id e7mr3240044oiw.126.1634202067309; Thu, 14 Oct 2021 02:01:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com> <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com>
In-Reply-To: <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com>
From: Ash Narayanan <ashvinnarayanan@gmail.com>
Date: Thu, 14 Oct 2021 20:00:56 +1100
Message-ID: <CAFvbn=bGwoe3gKp8nP+sFhjKb3QqBRZR9jxcH0UFvONOQ=-1SQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b698d605ce4c511c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HyBWEzrykTtF5FTYt_oZegZsKX8>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Oct 2021 09:01:15 -0000
Hi Brian, I'm all for pivoting, as long as the original concerns raised are addressed or even acknowledged, but since they weren't, here is the original message again in its entirety. Cheers, Ash === Referring to the latest draft ( https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ... 1. The definition given under section 2.1 Client Types is: > Clients that have credentials but no prior relationship with the AS are > designated as "credentialed clients" This does not seem like the best or even the right definition to me. The definition as it stands, is in two parts: a) "Clients that have credentials" b) Clients that have "no prior relationship with the AS" With (a), the typical use-case is an app that runs on the end-user device and dynamically registers itself with the AS. Such a client does not "have" credentials to begin with, or at least the use of the word "have" here, if it's intended to mean "at some point will have", does not differentiate it from confidential clients, which are also defined to be clients "that have credentials". Instead, a better choice of words for credentialed clients may be "Clients that dynamically obtain credentials". (b) is not necessarily true, because the credentialed client may very well be a known client and therefore have a prior relationship with the AS. Think of (common) scenarios where the AS and client are both part of the same organisation or a peer organisation, and therefore the client metadata an AS receives in a dynamic registration request is already known to the AS. An AS may only decide to accept dynamic registrations from such known clients. Of course I may not be interpreting "prior relationship" as it may be intended, in which case that needs to be clarified somewhere. 2. Continuing with section 2.1 Client Types, for a native application, it says: > On the other hand, dynamically issued credentials such as access tokens or > refresh tokens can receive an acceptable level of protection. Why is this also not mentioned for a browser-based application? Unless I'm mistaken, in terms of accessibility for an intruder, in-memory for a native app is equivalent to in-memory for an SPA and local storage for a native app is equivalent to local storage for an SPA.
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-04.t… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-… Aaron Parecki
- [OAUTH-WG] OAuth2.1 credentialed client Ash Narayanan
- [OAUTH-WG] convert to credentialed client... ( wa… Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Dick Hardt
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … David Waite
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Warren Parad
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Domingos Creado
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan