Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
William Denniss <wdenniss@google.com> Fri, 28 December 2018 07:44 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBCA130FF1 for <oauth@ietfa.amsl.com>; Thu, 27 Dec 2018 23:44:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zpQqZNXPx2a for <oauth@ietfa.amsl.com>; Thu, 27 Dec 2018 23:44:42 -0800 (PST)
Received: from mail-it1-x12d.google.com (mail-it1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41B75130FEA for <oauth@ietf.org>; Thu, 27 Dec 2018 23:44:42 -0800 (PST)
Received: by mail-it1-x12d.google.com with SMTP id w18so27445516ite.1 for <oauth@ietf.org>; Thu, 27 Dec 2018 23:44:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SM1iQhojlo38R4HbfR3+0paTSxP0bBtzDbtw0CURCaM=; b=cyWHTVNrgCUOPBdAPU6YpqybePb1KJfi32pDba6S7kMsmCpU37D7CvtQ/fCXYwyXH0 ykSCJdazOukWe+CpfbqMt7KmOYQLHxGIgIcAzLDB3BQskw6Lmyz9AR2d/jzyAIlNm3F5 E/EHCqgnaQOXiQasrtJS/FNPzjTdxEBX/M6Y8A488ESSxEKD2/juoFpCfYRUCB5bqh5H ZUSExk00fdkkxkbufpr0laAYa++wsfdY/GWs9kGeWtZMMy0zPb+XfDJZTsXOLJzh/PI1 w6nEScM7RQpqUKYsH9eA/xo9ROf0FJenKW7gsIXfn/PewxIx/Fsz5oeDtmHhUX4ei/xp jj0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SM1iQhojlo38R4HbfR3+0paTSxP0bBtzDbtw0CURCaM=; b=XxmARnlkMmpuc0ydv9qL/+O6pkNaTrx+CRTCk7C8sGw1AbTtQPgLfJvFshAqUngriv cl64GgjYGj5KOFVGTruuAnPvyQ8QGyZGo801FrSqoY/7jOT/s+KpOYLYwHbJs9yVBb8M aARxnX2e2ftHNfjxrctKxCs6PgYOyqLcGnjFubyPw7S6SrNBvCKYjkZua0OgOfH+utJE X07pGtflHUS5eoLsYQmN6O8XiVJPYDLHTDHWRsrG+OVCOw4CRglkCgaU/VfpDVwZGTHV t2GjWeTFeGsn+9Ft+gdFYU0UdIlffw8MuaZgqDmHEWKZyzZs700bAqqWINM4qzOB+iws NOLw==
X-Gm-Message-State: AA+aEWaMoJ2FP5uPdtgoLGROZveEhNruXJXX4sg9VWvVM4bQmlo0TLhZ CqhiQxkKEnYSfve/ePCxGkJ8QP1wKjlUMuDtI6B7yQ==
X-Google-Smtp-Source: AFSGD/UhRik2uQEih/49SpHVUOgUjJnerKnvZyig38Uoc+IfEYhfb3VlZPiGerAJ4CFfdiPnkQUe/gK/UaLtitUe3DA=
X-Received: by 2002:a24:8d45:: with SMTP id w66mr16025173itd.137.1545983081250; Thu, 27 Dec 2018 23:44:41 -0800 (PST)
MIME-Version: 1.0
References: <153305269020.3071.5881779499900104302.idtracker@ietfa.amsl.com> <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com> <20180803233710.GZ68224@kduck.kaduk.org>
In-Reply-To: <20180803233710.GZ68224@kduck.kaduk.org>
From: William Denniss <wdenniss@google.com>
Date: Fri, 28 Dec 2018 17:44:29 +1000
Message-ID: <CAAP42hDo8R05WWfrnEK2PkouZJxQ61t5B3mRGf+hSRwGe-9MJg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: William Denniss <wdenniss=40google.com@dmarc.ietf.org>, Alissa Cooper <alissa@cooperw.in>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="00000000000063889b057e103cb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jhyba2fu3rivBtJHfMWJ9ZuUwoM>
Subject: Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2018 07:44:44 -0000
Benjamin, On Fri, Aug 3, 2018 at 4:37 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > > I am hardly a URI expert, so salt as appropriate, but if the user code was > in the query string, would the server still be able to generate a useful > error page if the user code was typed incorrectly? It might be possible for the server to catch certain types of errors, I agree, but not all possible errors. For example mis-entering path separator wouldn't be catchable on the server, such as for the user input: "device.example.comWDJB-MJHT" or "device.example.com;WDJB-MJHT" It's also more challenging to implement the error handling, as the URI could resolve to another valid URI, e.g. "device.example.com/abc" might be used for something else. Our opinion on usability is that it's better to break it down into two steps: get the URI correct, then type the code correctly. In the latter section, the AS can render helpful instructions, and perform JS validation during the input without needing a page reload. Another advantage of having the code separate is that when the QR code with verification_uri_complete is used, the code could be re-purposed as pairing code. E.g. after scanning the QR Code: (e.g. "is your device displaying WDJB-MJHT ?"). That would be harder to describe with a combined URI + code. This is something we explicitly recommend in Section 3.3.1 (third paragraph). One final point, earlier I said that the user would type the same number of characters regardless, but that was wrong: in the case of the URI, the user would need to type an additional character being the path or query separator. That extra character may not seem like much but it does impact usability (even with no errors), as they would need to navigate to the special characters section on the keyboard. I will tweak the text to reflect this.
- [OAUTH-WG] Alissa Cooper's No Objection on draft-… Alissa Cooper
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… Alissa Cooper
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… Benjamin Kaduk
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss
- Re: [OAUTH-WG] Alissa Cooper's No Objection on dr… William Denniss