[OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00

Neil Jenkins <neilj@fastmailteam.com> Fri, 26 July 2024 05:47 UTC

Return-Path: <neilj@fastmailteam.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2039C180B51 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2024 22:47:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b="WsXpvJdq"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Vm/MFbpE"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CW-9ymF4yuuQ for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2024 22:47:49 -0700 (PDT)
Received: from fout1-smtp.messagingengine.com (fout1-smtp.messagingengine.com [103.168.172.144]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 291D1C180B59 for <oauth@ietf.org>; Thu, 25 Jul 2024 22:47:49 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id 231AC1380521 for <oauth@ietf.org>; Fri, 26 Jul 2024 01:47:48 -0400 (EDT)
Received: from imap43 ([10.202.2.93]) by compute3.internal (MEProxy); Fri, 26 Jul 2024 01:47:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=cc:content-type:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm1; t=1721972868; x= 1722059268; bh=okGFCzkhl6RgT9y4VRBVjFn/YDILiZh9OrXUT2Ljf+0=; b=W sXpvJdqqaj4nWAEqf6cqtFs/5HbPK4RR9n61dv3cxnX7ykHvTEihNJuIv2WCRpv9 +5vWumwkXKKbyz8vTSy7sgrNfZ+Msc0U1pEvcdy6UD0gokXPy1ut5vB+e8nrgnJy jytc9hS859kd+Qp4jddCO1S5Za82ZVMZ7h+DsSYCHfwhOzev0tkksz9diw/v/yGK X7FiFlDAVhc6PAA0U24B0OnHEqJRpjNe2z016aj/ISc4bSA7dEoWA/7LP8TNV464 jRMZV0mnmjqnSZcJSvNaDE3gvKoHUDw/W+ik2Oyi84ncg0jwVST2xll5UCo40TGm qq5I5+3QT17mSsPETCZNw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1721972868; x=1722059268; bh=okGFCzkhl6RgT9y4VRBVjFn/YDIL iZh9OrXUT2Ljf+0=; b=Vm/MFbpEJA6Uw63rXnL8LyYfYbDWxfYbrbTAUw608/Lq AeHZtu4kFWYufgnpAOhTlLL+M7CoVnEnk3KV5dyBsSSZyW7Y1RzV5FtqUit3Nabp 1ah6cVYRh5c8G4tGCozrfAPMsbjQBl+CjgFl1JmqbROupCX6Gj+EjyT9U5KkV78j eJrVJzLIzAB4VFiGHbnii+EBDf1x+zOCPWiQncuymqH32kobjZJhco6CtihncYJe auyN6s/YjOvs/ohuK6FPLBr4rhhub5vXg2zX5WG+Cm289hA9nGicdP6SXjWhfJMu laIQNIZWFXsyNvT4snOLMJYUepUy+82vRuWGCTNesg==
X-ME-Sender: <xms:gzijZrMSmEZHv1iwvcqdYFmb_hkxd4pwYsN2es5G2sGG7bcYHzDSeQ> <xme:gzijZl_khm7ec5XHgPM7s4u2egW01QovDB-Pr4rO2Br4TqJPcbmMzdGw3HTjvPL6w yRzWcpXFB5o7g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrieeggdelkecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefoggffhffvkfgjfhfutgesrgdtreerredtjeenucfhrhhomhepfdfpvghilhcu lfgvnhhkihhnshdfuceonhgvihhljhesfhgrshhtmhgrihhlthgvrghmrdgtohhmqeenuc ggtffrrghtthgvrhhnpeevveetveeuledvhfevgffgtdelvdevteelkeefieelieekudet tdelgeeukeevgeenucffohhmrghinheprhhftgdqvgguihhtohhrrdhorhhgnecuvehluh hsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepnhgvihhljhesfhgr shhtmhgrihhlthgvrghmrdgtohhmpdhnsggprhgtphhtthhopedt
X-ME-Proxy: <xmx:hDijZqTukCEF4u7c9u0MreJQ5yXB5DUlopXeC-gvaVJ3DsjsUvXjvQ> <xmx:hDijZvtfMP0vlTIQ_VzjZlsd5NvH0GefIisB8KS_3mOGO1kFzqeo1Q> <xmx:hDijZjckfKU38i2MuZTUxOywrd14VKJfIWaahul6bnNYSJ-UwTHAsQ> <xmx:hDijZr1x_5OKSknhVtphMxEWNWhusfMnml00t-ixw2kASbBK1SsO9A> <xmx:hDijZjm859l8JTB0msKxXL2tjXiDkZ_c2Kl2DQPIwyNGLOfg8Ya7XHc->
Feedback-ID: ibc614277:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E21582D4007D; Fri, 26 Jul 2024 01:47:47 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
Date: Fri, 26 Jul 2024 15:47:27 +1000
From: Neil Jenkins <neilj@fastmailteam.com>
To: OAuth WG <oauth@ietf.org>
Message-Id: <9fcdd58c-3d20-4c2c-a1db-1a3894b66053@dogfoodapp.fastmail.com>
In-Reply-To: <8b7a1ad4-9be3-4c41-973e-0d4b6be9f23b@aol.com>
References: <8b7a1ad4-9be3-4c41-973e-0d4b6be9f23b.ref@aol.com> <8b7a1ad4-9be3-4c41-973e-0d4b6be9f23b@aol.com>
Content-Type: multipart/alternative; boundary="404804d5004c4c81a49dfbbe849979f0"
Message-ID-Hash: 62LNF4JLGGLUKEY4XLIG67YRIV4NI2VA
X-Message-ID-Hash: 62LNF4JLGGLUKEY4XLIG67YRIV4NI2VA
X-MailFrom: neilj@fastmailteam.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/O7iNMaWWuDJzDTvLqKAmZ3cQ2O8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi George,

Thanks for the feedback.

> Section 1.1
> * is there a reason that only email address based login identifiers are supported? It seems like this profile could be used for other use cases as well.

No, this should just be username. (It is of course likely to be an email address, but you're right: there's no reason it has to be for the purposes of this document.)

> Section 1.2
> * I would recommend this document be more generic and then a specific profile for say IMAP can be defined that then also defines the scopes required for use with an IMAP server.
> * This document can just say that scopes required are out of scope (pun intended)

As mentioned at the IETF meeting this week, it's definitely an open question whether scopes should be part of this document or a separate one. I can certainly see an advantage to leaving it out of this profile and then having another document that pulls it all together (referencing an autodiscovery RFC, OAuth profile RFC, and listing the scopes).

> Section 2.1
> * Recommend changing the last sentence to... The rest of this document describes in detail each of the above steps.

Sure, that reads better.

> Section 2.2
> * I recognize that Security Considerations will be filled out in a future version. A topic that needs to be present is the potential implications of proceeding with the flow when not all the required metadata fields are present. I suspect most authorization servers do not have a 'registration_endpoint' URL in their metadata configuration :) 

If the server's metadata doesn't conform to this profile, then clients supporting the profile are likely to abort. The point of this profile is to say "if you implement this as a client you will be able to authenticate with any server that implements this" and vice versa. If you don't implement it, you're not following the profile, and there is no interoperability guaranteed.

> * Can you clarify why the 'token_endpoint_auth_methods_supported' MUST include "none"? If the client is dynamically registering, then it can receive it's own instance specific client_id and client_secret which allows it to authenticate to the token endpoint. Not requiring client authentication seems dangerous. 
> * Similar comment for 'revocation_endpoint_auth_methods_supported'

We made this none, because the RFC7591 <https://www.rfc-editor.org/rfc/rfc7591> refers to the client secret as only "used by confidential clients", which open native clients running on the user's machine are not. I guess my main question is what does this gain us? I would rather reduce options wherever possible to increase interoperability and security while keeping complexity to a minimum. If we presume there is no security difference in how the client stores the refresh token and any client secret, what does the client secret add in this case?

> Section 2.3
> * I do not think the developer should be able to do the registration. Instead, this should be required to be completed by the client. This will be the expectation of the Authorization Server if it supports Dynamic Client Registration.

Agreed.

> * There are security implication with using a custom scheme. Best practice for mobile apps is to use claimed URIs rather than custom schemes. If custom schemes are the only option in certain cases the risk need to be clearly called out in the Security Considerations section.

This profile is intended for native apps only, which is enforced by only allowing localhost or private-use schemes for the `redirect_uri`. Being able to dynamically register like this to do the OAuth flow would make it too easy for a phishing site to get the user to grant them access to their mail/contacts/calendars etc. — with a native app, it could already fake a browser window and phish the user undetectably, so we're not making the security situation worse. If the user's downloaded something malicious, they've already lost.

> * I'm strongly against allowing the 'token_endpoint_auth_method' to be "none". There is no reason that the default of 'client_secret_basic' can't be used (as far as I understand the profile). I recommend that the registration response from the Authorization Server also include a 'client_secret'. The client can then store the secret appropriately on the device. This secret is instance specific and hence the device must be compromised to extract that secret and impersonate the user.
> 
> Section 2.5
> * I believe the client should authenticate itself via some mechanism and not just present the client_id

As above, I'm happy to change this if there's a security advantage. I'm just trying to understand why the client would be able to store the client secret securely but not the refresh token (which is also needed to impersonate the user). And if it can store both the same, how the client secret adds any extra security?

Cheers,
Neil.