IETF Logo Mail Archive

Re: [OAUTH-WG] Client credentials flow vs. authorization grant flow for native clients

"Stein Desmet" <stein.desmet@lin-k.net> Wed, 14 March 2012 15:51 UTC

Return-Path: <stein.desmet@lin-k.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84AA421F8798 for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 08:51:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.043
X-Spam-Level:
X-Spam-Status: No, score=-3.043 tagged_above=-999 required=5 tests=[AWL=0.556, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPfcJ7MIRl3c for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 08:51:45 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2C92421F8587 for <oauth@ietf.org>; Wed, 14 Mar 2012 08:51:44 -0700 (PDT)
Received: by wibhj6 with SMTP id hj6so6002051wib.13 for <oauth@ietf.org>; Wed, 14 Mar 2012 08:51:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:to:cc:subject:references:date:mime-version :content-transfer-encoding:from:organization:message-id:in-reply-to :user-agent:x-gm-message-state; bh=pI78SpOgYNl1KNAVpRluLdxeMDt+xqFP2YfLWUoBM3M=; b=S9F8cbxG9YoKaXbosNuB6kNPq4raB27vS2tBHeWXw/4OyDasmfbluEoipgYNHLyjdu RGvJZ+q6pO7dOq3F0KmILu5dWfBWaS1J8ySdEwFyEKLeBKSVIIdJORbGNtGvQtYW3Z/z m4I5rgbkLjhj2++l0jQjVB+vlboNnbvvGFiy8mHyrfruXuZmpQUMh7Qc7FbXQRMkrzgr SUc8Pk+98oGwxBRalfJ4ZUgY7edzlt/J8md/V4y1MUiYSKrtMVfgEQ483J7USuGcZlBL UeeEfOrqleirMtNVHIq5bfA5Vh+3Nb1i8+hnSyHps3L9GAr8JhRHFBtNuN2nSsysM7Hw CY/A==
Received: by 10.180.102.231 with SMTP id fr7mr7527400wib.10.1331740304166; Wed, 14 Mar 2012 08:51:44 -0700 (PDT)
Received: from sgdesmet.lin-k.net ([80.169.61.18]) by mx.google.com with ESMTPS id fz9sm18214132wib.3.2012.03.14.08.51.42 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 14 Mar 2012 08:51:43 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: "Richer, Justin P." <jricher@mitre.org>
References: <op.waweyewxkkn6mu@sgdesmet.lin-k.net> <9A009C12-25F1-4FB6-BE7B-F0CDAD1E7A6A@mitre.org>
Date: Wed, 14 Mar 2012 16:51:41 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Stein Desmet <stein.desmet@lin-k.net>
Organization: Lin.K
Message-ID: <op.wa53of0jkkn6mu@sgdesmet.lin-k.net>
In-Reply-To: <9A009C12-25F1-4FB6-BE7B-F0CDAD1E7A6A@mitre.org>
User-Agent: Opera Mail/11.61 (MacIntel)
X-Gm-Message-State: ALoCoQlvg7f/3Wr/nZjExj9QgNncQNVNpRE/832hw4Os10+lIjcaE63nrYv6vP26Mj3AEEEFSPYZ
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client credentials flow vs. authorization grant flow for native clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 15:51:49 -0000

Thank you for your reply. We've indeed decided to go with the  
authorization flow like you suggested, because:
- the client credentials flow would require a timeout for user  
registration (to handle idle users)
   However, it seems that you might as well use the authorization flow in  
that case, as it works
   like an OTP of sorts (as you pointed out). The authorization flow also  
has the state field,
   which solves other possible security issues with user/client  
registration in the client credentials
   flow.
- Support for the authorization flow is wider than for the others  
(including device flow)
- Implementing the authorization flow has the added benefit that we can  
immediately
   use Oauth as an alternative to our openid and saml authentication  
options.

Best regards,
Stein Desmet


On Mon, 12 Mar 2012 16:39:10 +0100, Richer, Justin P. <jricher@mitre.org>  
wrote:

> Client credentials is not the right flow for this approach since there's  
> a user present at the client and they can close the loop for you. The  
> Device Flow, if it were to get picked up and fleshed out a bit, is a  
> better fit for what you're after and is made for just such a  
> disconnected world where you can't rely on the user logging in through a  
> browser that's easily accessible from the client app.
>
> Another, arguably better, approach would be to use the vanilla Authz  
> Code flow, taking advantage of the fact that the code is itself a OTP.  
> First, have the ClientID embedded in the mobile app, like normal. Since  
> it's a configuration time piece of information that gets copied to every  
> instance, you wouldn't use a client secret here. (It doesn't buy you  
> anything.) Next, direct your users to log into a server-side "help app",  
> which is basically just the Authz Server's authorization endpoint that's  
> been seeded with the client ID, scope, and other relevant parameters.  
> This is easy enough to do by giving your users a short URL  to go go  
> that starts off this process automatically. Next, the user goes through  
> all the normal OAuth stuff and gets redirected to a pre-registered  
> callback URL. This callback URL is hosted by your service, not by the  
> device itself. The page would then display the code so that the user  
> could type it in, present a QRCode to scan in, do some kind of  
> backchannel trusted pass, or a few other tricks to get the code from the  
> hosted site over to the device itself. Then the device uses the code,  
> which you remember is a OTP that's hopefully time limited, along with  
> its client ID to go and grab the access tokens that it needs.
>
>  -- Justin
>
>
> On Mar 9, 2012, at 5:19 AM, Stein Desmet wrote:
>
>> I have mistakingly asked this question on the google group on google's
>> Oauth2 implementation, so here it is at the correct place (I hope).
>>
>> We have an authentication server/identity provider, and a number of
>> external web applications (ie resource servers) that make use of it.
>> We would like to build native applications (iOS/Android) that make use  
>> of
>> the resources on these web applications, so adding Oauht2 to
>> both our authentication server and our web applications to provide
>> authorization seems ideal.
>>
>> However, there is one issue: it is possible for end-users to  
>> authenticate
>> themselves using smartcards or electronic ids (these users do not have
>> a login/password at all). Therefore, we can't use embedded user-agents,  
>> or
>> external user agents located on the mobile platform itself, so users
>> would need to use a browser on another computer. However, I'm not  
>> entirely
>> sure which flow is best applicable in such a case, and offers the best
>> security?
>>
>> - The client credentials flow seems like a fit. Users would need to
>> register their mobile device on the authentication server first, meaning
>> they
>>    are issued a client id and secret, unique to each client instance.  
>> These
>> credentials could be transferred in a number of ways, using QR codes,
>>    or have the user manually input them.
>> - The authorization grant flow can also be used. The flow would be  
>> started
>> on a separate browser using a helper web client app, and at the end
>>    of the flow, the authorization code is transferred to the native  
>> client
>> by for example push notifications, QR codes or having the user manually
>>    input it. Client credentials in this case would be universal for the
>> native application.
>>    This seems a bit harder to implement (and care must betaken to avoid
>> exploitation of the web client app), but the refresh tokens could be  
>> used
>>    as OTP (i.e. issuing a new refresh token each time a user asks for a  
>> new
>> access token, and invalidating the previous one), allowing some  
>> detection
>>    of misuse.
>>
>> The device flow seems applicable as well, but is no longer present in
>> recent Oauht2 drafts (though there is still
>> http://tools.ietf.org/html/draft-recordon-oauth-v2-device-00).
>>
>> Best regards,
>> Stein Desmet
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email