Re: [OAUTH-WG] Mirja Kühlewind's Discuss on draft-ietf-oauth-device-flow-11: (with DISCUSS)
William Denniss <wdenniss@google.com> Thu, 02 August 2018 00:24 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B90130F36 for <oauth@ietfa.amsl.com>; Wed, 1 Aug 2018 17:24:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MfxyVOd9CD5r for <oauth@ietfa.amsl.com>; Wed, 1 Aug 2018 17:24:52 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910F3130F23 for <oauth@ietf.org>; Wed, 1 Aug 2018 17:24:49 -0700 (PDT)
Received: by mail-vk0-x235.google.com with SMTP id s17-v6so192203vke.10 for <oauth@ietf.org>; Wed, 01 Aug 2018 17:24:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W46h2ELNaaFQfnd8uNUESGPSyIvdAGnLMxKs0buQ9hQ=; b=MmFLe2aUsDWivRYzbN3e3Mtar4dJIjMatqEZEDPhHk1w9otKEK8c2kXLuX30ZzPXo5 NcaZsVhDwJG8ZyCeX9T1C4nGlCuzrFsYviqbwWN1z9Aub5oby2o7A91HkLhJGO9X47I2 Hlr3/ntEV/Q5msC7NkxQgyMWeLwlQD50gzJW5qViZ8x3eN796bwbRU6EkOZodE2joaZU bi14297I1zf+9i0MIADFCEIDI+llUNp3ZV8hgNwjlpyKrSKjgf+T7k/56W/eULfkrsIE Nbec4DLjp+9uUltbNbuyjzquHPO73sIkuwF3gZGNGfUj2jt1ux+CKaffE1wPMTFeBFGW ll0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W46h2ELNaaFQfnd8uNUESGPSyIvdAGnLMxKs0buQ9hQ=; b=q8mLMa37aew6CzmhkRxMug7UnYR+drARYLRKr+mRr8IOY+H7t+XicuE5F3Y/UbhxFO t84DkdfXi/Sss+HF9xeqsIYudr1NWelI0BtNcGqVxzfvn0N3rDZlzdwLgjFjQt0UGt4t UyLDG6pkpAraZi2B3tZG0E/zaEqVtkfY84ZUiQwIb0PBNeYC2/NNgp9Cg7I064ruc5JL 9gCgG4e2uHKTyB7kJ580My14L5ZSAaGDeQz+6y2ulC+DXsSlmFP90zSa1rByHVbFdyVK vJfNXsG9dU4tSEXY7PYwUFEQDvpydEQJkK+9mli/XuLhj2YNgV2eXzhKMlvtSQVFq6i0 JBvw==
X-Gm-Message-State: AOUpUlGWHrTd4LdB3tXzbuNPWAtn1jBu8JbWLMuhgIVErtw9T7NIFh0u cUv7M9pqYnXh0BXKoTlTDHKnRnpEgikmOsIw6twcdA==
X-Google-Smtp-Source: AAOMgpemKpya8nUuZWIRbmim3AHZNz20qGLNNxefb+18lVxRrXTtGAFj3BImDrMZQRphVS2BiUKTVWSFUqRywGP/Elk=
X-Received: by 2002:a1f:5981:: with SMTP id n123-v6mr364631vkb.43.1533169488129; Wed, 01 Aug 2018 17:24:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:185a:0:0:0:0:0 with HTTP; Wed, 1 Aug 2018 17:24:27 -0700 (PDT)
In-Reply-To: <153245825559.22685.11395607099141261021.idtracker@ietfa.amsl.com>
References: <153245825559.22685.11395607099141261021.idtracker@ietfa.amsl.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Aug 2018 17:24:27 -0700
Message-ID: <CAAP42hBhpTRsVQr7jr-YfBEttJ+grafxn4SEL_jfdYUOkwdA4g@mail.gmail.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b93ce9057268d660"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I62mzW3exLVZ9XT-8tovpgh12cQ>
Subject: Re: [OAUTH-WG] Mirja Kühlewind's Discuss on draft-ietf-oauth-device-flow-11: (with DISCUSS)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 00:24:54 -0000
Mirja, Thanks for your feedback. Version 12 has been posted which incorporates much of your feedback. Replies inline: On Tue, Jul 24, 2018 at 11:50 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote: > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Please specify more clearly the (default) polling behavior to ensure that > the > polling does neither overload the network, nor the server, or is never > terminated. Ideally provide default values and an upper bound for the > polling > frequency, as well as a timer to terminate polling if no reply is received > (and > no expiration time is given). See further details below. > > 1) Sec 3.3: "until the user completes the interaction, the code expires, or > another > error occurs." > What if not expiration time is given (as this optional) and no reply is > ever > received? > The expiration time is now required. > > 2) Sec 3.5: "the client should stop polling and react accordingly, for > example, by displaying an error to the user." > Maybe: > "the client MUST stop polling and SHOULD react accordingly, for > example, by displaying an error to the user." > > Added, thanks! > 3) sec 3.5 "If no interval was provided, the client > MUST use a reasonable default polling interval." > Can you please provide a default number for a "reasonable" polling > interval! > And in best case an upper bound! > We set a default of 5 seconds. > > 4) sec 3.5: "...increasing the time between polls if a > "slow_down" error is received. " > Maybe use a separate normative sentence instead: > "The client SHOUD increase the time between polls if a > "slow_down" error is received." > Or MUST? If so how much? Can you given further (default) guidance. > We now document that every slow_down message should increase the interval by 5 seconds. > > 5) sec 3.5: "Clients MAY then choose to > start a new device authorization session." > Maybe make it clear that polling is stopped > "Clients MUST stop polling but MAY then choose to > start a new device authorization session." > This was revised, thank you! > > 6) sec 3.5: "then the > device MAY wait until notified on that channel that the user has > completed the action before initiating the token request." > Why not SHOULD (or MUST) here? > This is a non-normative discussion of a potential optimization, perhaps we should drop the normative keyword completely? The reason MAY was chosen is that the client would be free to follow the rest of this document which allows for polling. Best, William
- [OAUTH-WG] Mirja Kühlewind's Discuss on draft-iet… Mirja Kühlewind
- Re: [OAUTH-WG] Mirja Kühlewind's Discuss on draft… William Denniss
- Re: [OAUTH-WG] Mirja Kühlewind's Discuss on draft… Mirja Kühlewind (IETF)