Re: [OAUTH-WG] Username and Password Flow and oauth_client_secret
Tosh Meston <tosh.meston@gmail.com> Thu, 29 April 2010 01:02 UTC
Return-Path: <tosh.meston@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FFA03A6A04 for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 18:02:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.533
X-Spam-Level:
X-Spam-Status: No, score=-2.533 tagged_above=-999 required=5 tests=[AWL=0.065, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCCO68dJGvRS for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 18:02:09 -0700 (PDT)
Received: from mail-gx0-f217.google.com (mail-gx0-f217.google.com [209.85.217.217]) by core3.amsl.com (Postfix) with ESMTP id 5E6303A699A for <oauth@ietf.org>; Wed, 28 Apr 2010 18:02:09 -0700 (PDT)
Received: by gxk9 with SMTP id 9so2279478gxk.8 for <oauth@ietf.org>; Wed, 28 Apr 2010 18:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=TmqWuH2luJMAWOteXYhWWkQxPRt9pS0n1g3pk6mLh4A=; b=HD1tcPR3pS4hmbQQ5PgzW1gQHcTTHk7AkU23MSqieHZZi+QH0c4Td9UJzjku3bj7pe PY0sL0Ozc6thhLLyj5alurlo3HRC84gFuGQL5E+oHqb24ZLr5UNf7DMR+IpvnDWpRIge WaVJEqIue9pnQ8z+DF6OJ+Vxn9EDF3toI8/Kg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=hRYwa/HmZXsvXPkZ3n7a3HArDzaxhgbiqZKyNgvYIK4dPPdiJKAf5twceHCAvMsqPI C72p4/cvp5DUoPI3n+Oidkqj6WC9phgFcldYnQSVuitQqupYz25Zza/9DeZXe6u1firQ lzF1NG7PGoyDH+x+QdlpyBo7VKgbVs8ns73CI=
MIME-Version: 1.0
Received: by 10.101.20.18 with SMTP id x18mr4115092ani.101.1272502913589; Wed, 28 Apr 2010 18:01:53 -0700 (PDT)
Received: by 10.101.66.14 with HTTP; Wed, 28 Apr 2010 18:01:53 -0700 (PDT)
In-Reply-To: <u2zfd6741651004281419l67dc635en84c4491cbfc23ce2@mail.gmail.com>
References: <h2if3fdf5a71004281326l9492c83ibd957178b3716646@mail.gmail.com> <u2zfd6741651004281419l67dc635en84c4491cbfc23ce2@mail.gmail.com>
Date: Wed, 28 Apr 2010 18:01:53 -0700
Message-ID: <p2mf3fdf5a71004281801me439ae60q156c0518eb7543dc@mail.gmail.com>
From: Tosh Meston <tosh.meston@gmail.com>
To: David Recordon <recordond@gmail.com>
Content-Type: multipart/alternative; boundary="0050450170d723eeeb048555acb1"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Username and Password Flow and oauth_client_secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2010 01:02:11 -0000
Hey David, Thanks for the response and clarification. Agreed. The mobile device shouldn't keep the client secret so passing in the body in an SSL request is out, and signing the /access_token request is out for the same reason. So, it doesn't seem like there is a way to ensure that value in the oauth_client_identifier really represents that client, if I understand correctly. Is that an issue? Evil client X could get an access_token and token_secret for another app, but would only be able to make successful calls to protected resources if the platform failed to check if the app represented by the oauth_client_identifier is the same app represented by the oauth_consumer_key, and also used the oauth_client_identifier as the application id. Just thinking aloud and trying to get my brain around this... Thanks! Tosh On Wed, Apr 28, 2010 at 2:19 PM, David Recordon <recordond@gmail.com> wrote: > Hey Tosh, > I think this example just needs updating. In most cases the username and > password flow will be used on applications or devices which can't keep > secrets. Thus specing that the oauth client secret is used is a poor idea > from a security perspective. I imagine that different devices will be able > to keep secrets in different manners and that this will be used in a more > case by case basis. > > --David > > > On Wed, Apr 28, 2010 at 4:26 PM, Tosh Meston <tosh.meston@gmail.com>wrote: > >> Hi everyone, >> I see that in draft specification, under the username and password flow, >> the oauth_client_secret is not listed in the required or optional request >> parameters, but is included in the example request. Is it correct to assume >> it should be listed it in the required parameters? >> >> POST /access_token HTTP/1.1 Host: server.example.comoauth_client_identifier=s6BhdRkqt3&oauth_client_secret=8eSEIpnqmM&oauth_username=daveman692&oauth_password=1password >> >> >> http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#anchor9 >> >> Thanks, >> Tosh >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >
- [OAUTH-WG] Username and Password Flow and oauth_c… Tosh Meston
- Re: [OAUTH-WG] Username and Password Flow and oau… David Recordon
- Re: [OAUTH-WG] Username and Password Flow and oau… Tosh Meston
- Re: [OAUTH-WG] Username and Password Flow and oau… David Recordon
- Re: [OAUTH-WG] Username and Password Flow and oau… Allen Tom