[OAUTH-WG] Authorization server SHOULD NOT process repeated authorization requests automatically

M Hickford <mirth.hickford@gmail.com> Tue, 18 April 2023 06:01 UTC

From: M Hickford <mirth.hickford@gmail.com>
Date: Tue, 18 Apr 2023 07:00:38 +0100
Message-ID: <CAGJzqs=5WjsobhT1OpT3D101rN2VdbeDeKv=OkeoEgsrOmUBiQ@mail.gmail.com>
To: oauth@ietf.org, draft-ietf-oauth-v2-1@ietf.org, draft-ietf-oauth-security-topics@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P3snfqtO2Seb8iAYX8rRRu-16Aw>
Subject: [OAUTH-WG] Authorization server SHOULD NOT process repeated authorization requests automatically

RFC 6749 discusses client impersonation
https://datatracker.ietf.org/doc/html/rfc6749#section-10.2

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to
> ensure that the repeated request comes from the original client and
> not an impersonator.

Does anyone know why this is only SHOULD NOT? For public clients, how
about strengthening it to MUST NOT? How else can the authorization
server ensure the request comes from the original client, not an
impersonator?

Even though RFC 8252 clarifies "This includes the case where the user has
previously approved an authorization request for a given client id"
(https://datatracker.ietf.org/doc/html/rfc8252#section-8.6), most
authorization servers that I've tested ignore this recommendation:
https://github.com/hickford/git-credential-oauth/issues/17

Corresponding section in draft OAuth 2.1
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-08#section-7.2
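The consent decision the quoted RFC 6749 text describes, as an added example written for this archive page (not code from the email's author, from git-credential-oauth, or from any RFC): a small policy function for an authorization endpoint that refuses to reuse a prior approval for a public client, beside the lenient check that the email says most servers actually implement. All class and function names (`Client`, `AuthorizationRequest`, `PriorGrant`, `decide`, `legacy_decide`) and the sample clients are hypothetical and constructed here; the RFC's "other measures" for verifying a public client are not modelled, so the only path to automatic approval is an authenticated confidential client.

```python
"""Consent-skip policy for an OAuth 2.0 authorization endpoint (added example).

Models RFC 6749 section 10.2: a repeated authorization request must not be
processed without resource-owner interaction unless the client has been
authenticated (or some other measure shows it is the original client).
A public client's client_id is not a secret, so a prior grant keyed on
client_id alone says nothing about who is sending the current request.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool          # holds a client secret and can be authenticated
    redirect_uris: tuple        # pre-registered redirect URIs


@dataclass(frozen=True)
class AuthorizationRequest:
    client_id: str
    redirect_uri: str
    scope: frozenset
    client_authenticated: bool = False  # True only if the AS verified credentials


@dataclass(frozen=True)
class PriorGrant:
    client_id: str
    scope: frozenset


Decision = Tuple[str, str]  # ("deny" | "prompt" | "auto", reason)


def _has_prior_grant(client_id: str, scope: frozenset, grants: Iterable[PriorGrant]) -> bool:
    """A prior grant covers the request if it is for the same client_id and a superset scope."""
    return any(g.client_id == client_id and scope <= g.scope for g in grants)


def legacy_decide(client: Client, req: AuthorizationRequest, grants: Iterable[PriorGrant]) -> Decision:
    """The lenient behaviour the email reports: prior approval keyed on client_id is reused
    for any client, so an impersonator presenting a public client's client_id is approved
    without the user ever seeing a consent screen."""
    if req.redirect_uri not in client.redirect_uris:
        return ("deny", "redirect_uri not registered for client")
    if _has_prior_grant(client.client_id, req.scope, grants):
        return ("auto", "client_id previously approved")
    return ("prompt", "no prior grant covering requested scope")


def decide(client: Client, req: AuthorizationRequest, grants: Iterable[PriorGrant]) -> Decision:
    """Hardened policy: automatic approval only when the client itself was authenticated."""
    if req.redirect_uri not in client.redirect_uris:
        return ("deny", "redirect_uri not registered for client")
    if not _has_prior_grant(client.client_id, req.scope, grants):
        return ("prompt", "no prior grant covering requested scope")
    # The prior grant alone does not identify the sender of this request.
    if client.confidential and req.client_authenticated:
        return ("auto", "prior grant and authenticated confidential client")
    return ("prompt", "public or unauthenticated client: prior approval is not reused")


# Constructed sample data: one public (native/CLI) client and one confidential web client.
PUBLIC = Client("cli-tool", confidential=False, redirect_uris=("http://127.0.0.1/callback",))
WEB = Client("web-app", confidential=True, redirect_uris=("https://app.example/cb",))
GRANTS = (PriorGrant("cli-tool", frozenset({"repo"})), PriorGrant("web-app", frozenset({"repo"})))


def demo() -> dict:
    """Run both policies over the sample requests and return the decision labels."""
    replayed_public = AuthorizationRequest("cli-tool", "http://127.0.0.1/callback", frozenset({"repo"}))
    authed_web = AuthorizationRequest("web-app", "https://app.example/cb", frozenset({"repo"}), True)
    unauthed_web = AuthorizationRequest("web-app", "https://app.example/cb", frozenset({"repo"}))
    return {
        "legacy_public": legacy_decide(PUBLIC, replayed_public, GRANTS)[0],
        "hardened_public": decide(PUBLIC, replayed_public, GRANTS)[0],
        "hardened_web_authed": decide(WEB, authed_web, GRANTS)[0],
        "hardened_web_unauthed": decide(WEB, unauthed_web, GRANTS)[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast that matters is the first two entries of `demo()`: the lenient policy silently re-approves a repeated request that merely carries the public client's `client_id`, while the hardened policy sends it back to the consent screen, which is exactly the interaction the RFC text asks for when nothing else proves the request came from the original client.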