Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
Nat Sakimura <sakimura@gmail.com> Wed, 01 March 2017 14:11 UTC
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com>
In-Reply-To: <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Wed, 01 Mar 2017 14:11:03 +0000
Message-ID: <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LwUowt0ch7ZSNMpe_w4sfB1xI10>
Cc: oauth <oauth@ietf.org>
It looks generally good. Thanks William and John for creating it. I spotted a few nits.

NS1: MUST is not a recommendation
================================

In 8.5, it says:

    (which is a recommended in Section 7.1.1 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>)

However, in 7.1.1, it is a MUST, i.e., required instead of recommended. So, "recommended" in the above sentence needs to be changed to "required".

NS2: Dynamically registered client can be treated as a confidential client
=======================================================

In 8.9 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>, it says:

    Authorization servers that still require a shared secret for native app clients MUST treat the client as a public client

As it is a MUST, we have to qualify it a little more, as it is OK to treat it as a confidential client if the client dynamically registers the copy and obtains a shared secret that is only shared between the copy of the app and the server.

Suggestion:

    Authorization servers that still require a statically included shared secret for native app clients MUST treat the client as a public client

NS3: Server Mix-up
======================

8.11 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11> talks about mix-up mitigation but misses one of the points. Specifically:

* the app MUST store the redirect URI in the request with the "session" and MUST verify that it exactly matches the URI of the endpoint at which it received the response.
Cheers,

Nat Sakimura

On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampbell@pingidentity.com> wrote:

> -07 LGTM
>
> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> after the working group last call of the "OAuth 2.0 for Native Apps"
> document July last year (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I
> had, as a shepherd, collected IPR confirmations (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and
> produced a shepherd writeup (see
> https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html).
>
> Since version -03 and the current version -07 a fair amount of text has
> been changed, see
>
> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-03.txt&url2=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt
>
> Although most of those changes are editorial and normative changes have
> been discussed on the mailing list I believe it is fair to let the group
> take a brief look at the final version.
>
> For this reason we will issue a short, one week, working group last call
> before pushing the document to the IESG.
>
> So, please provide your comments to the list no later than February 27th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
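The NS3 point in the message above, as an added example that is not code from the draft or from anyone in this thread: a native app client that keeps, for each in-flight request, the authorization server it was sent to and the redirect URI it used, and accepts a response only if it arrives at exactly that URI. The issuer URLs, the private-use-scheme redirect URIs `com.example.app:/oauth2/as-a` and `com.example.app:/oauth2/as-b`, the client id and the authorization codes are constructed for the example. It assumes the app registers a distinct redirect URI with each authorization server, which is what gives the exact-match comparison something to distinguish; the state handling and PKCE parameters are ordinary native-app practice included so the flow is complete.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


@dataclass(frozen=True)
class AuthServer:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    redirect_uri: str  # assumption: one distinct redirect URI per server


@dataclass(frozen=True)
class PendingRequest:  # kept per in-flight request, keyed by state
    issuer: str
    redirect_uri: str
    code_verifier: str


class RejectedResponse(Exception):
    """The authorization response failed a client-side check."""


class NativeAppClient:
    def __init__(self, client_id, servers):
        self.client_id = client_id
        self.servers = {s.issuer: s for s in servers}
        self.pending = {}  # state -> PendingRequest

    def start_authorization(self, issuer):
        """Build the authorization URL; returns (url, state)."""
        server = self.servers[issuer]
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)  # PKCE S256 verifier (RFC 7636)
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        # The redirect URI is stored with the "session" entry for this request.
        self.pending[state] = PendingRequest(issuer, server.redirect_uri, verifier)
        params = {
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": server.redirect_uri, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256",
        }
        return f"{server.authorization_endpoint}?{urlencode(params)}", state

    def handle_response(self, received_uri):
        """received_uri: the full URI the OS or loopback listener delivered."""
        endpoint, _, query = received_uri.partition("?")
        params = parse_qs(query)
        pending = self.pending.pop(params.get("state", [None])[0], None)
        if pending is None:
            raise RejectedResponse("unknown or already-used state")
        # NS3 check: the URI the response arrived at must equal, byte for
        # byte, the redirect URI that was sent in the request.
        if endpoint != pending.redirect_uri:
            raise RejectedResponse(f"arrived at {endpoint}, expected {pending.redirect_uri}")
        code = params.get("code", [None])[0]
        if code is None:
            raise RejectedResponse("no authorization code in response")
        # Redeem only at the token endpoint of the server the request went to.
        server = self.servers[pending.issuer]
        return {"token_endpoint": server.token_endpoint, "code": code,
                "code_verifier": pending.code_verifier,
                "redirect_uri": pending.redirect_uri}


def demo():
    """Honest flow, a mix-up attempt and a replay; returns the outcomes."""
    as_a = AuthServer("https://as-a.example", "https://as-a.example/authorize",
                      "https://as-a.example/token", "com.example.app:/oauth2/as-a")
    as_b = AuthServer("https://as-b.example", "https://as-b.example/authorize",
                      "https://as-b.example/token", "com.example.app:/oauth2/as-b")
    client = NativeAppClient("example-native-app", [as_a, as_b])
    results = {}

    _, state = client.start_authorization(as_a.issuer)
    honest = f"{as_a.redirect_uri}?code=code-from-a&state={state}"
    results["honest_token_endpoint"] = client.handle_response(honest)["token_endpoint"]

    # Mix-up: the app was steered to start with B, but the code is issued by A
    # and so lands on A's redirect URI, carrying the state B's request used.
    _, state = client.start_authorization(as_b.issuer)
    mixup = f"{as_a.redirect_uri}?code=code-from-a&state={state}"
    results["mixup_rejected"] = _rejected(client, mixup)
    results["replay_rejected"] = _rejected(client, honest)  # state already consumed
    return results


def _rejected(client, uri):
    try:
        client.handle_response(uri)
    except RejectedResponse:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The comparison is made on the part of the received URI before the query string, so for a loopback redirect the stored value is the `http://127.0.0.1:PORT/...` URI with the port the app actually bound for that request, and the check still holds when the port differs between runs. Popping the pending entry on first use is what rejects the replayed response at the end of `demo()`.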