[OAUTH-WG] Cross-device BCP: Alternative labels for different cross-device flow patterns

Pieter Kasselman <pieter.kasselman@microsoft.com> Fri, 16 June 2023 14:02 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Daniel Fett <fett@danielfett.de>, Filip Skokan <filip.skokan@okta.com>
Thread-Topic: Cross-device BCP: Alternative labels for different cross-device flow patterns
Thread-Index: AdmgWxtNK/C4BNduQxywWtQ8wPYwow==
Date: Fri, 16 Jun 2023 14:02:46 +0000
Message-ID: <DBAPR83MB04220869A759DA4CCE22F3F59158A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PPpxI--lIuSDbh7fn0ZGQLgvAEE>

Hi folks,

After the previous IETF meeting, we got some feedback that the labels we chose to describe the three variants of cross-device flows could be a little more descriptive. After some discussion between Daniel and myself, we would like to propose the following changes in how we label and describe the different cross-device flow patterns to which the recommendations in the BCP apply.

User transferred -> User-Transferred Session Data
Client transferred -> Backchannel-Transferred Session
Hybrid -> User-Transferred Authorization Data

Here are the descriptions for the new proposed labels:

  1.  User-Transferred Session Data Pattern: In the first variant, the user initiates the authorization process with the authorization server by copying information from the initiating device to the authorization device, before authorizing an action. By transferring the data from the Initiating Device to the Authorization Device, the user transfers the authorization session. For example, the user may read a code displayed on the Initiating Device and enter it on the Authorization Device, or they may scan a QR code displayed on the Initiating Device with the Authorization Device.
  2.  Backchannel-Transferred Session Pattern: In the second variant, the OAuth client on the Initiating Device is responsible for transferring the session and initiating authorization on the Authorization Device via a backchannel with the Authorization Server. For example, the user may attempt an online purchase on an Initiating Device (e.g. a personal computer) and receive an authorization request on their Authentication Device (e.g. a mobile phone).
  3.  User-Transferred Authorization Data: In the third variant, the OAuth client on the Initiating Device triggers the authorization request via a backchannel with the Authorization Server. Authorization data (e.g. an access code) is displayed on the Authorization Device, which the user enters on the Initiating Device. For example, the user may attempt to access data in an enterprise application and receive an authorization code on their Authentication Device (e.g. a mobile phone) that they enter on the Initiating Device.
For reference, here are the current labels and their definitions for the three variants (from section 2 of draft-ietf-oauth-cross-device-security-01 - Cross-Device Flows: Security Best Current Practice<https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/01/>):

1. User transferred: In the first variant, the user initiates the authorization process with the authorization server by copying information from the initiating device to the authorization device, before authorizing an action. For example, the user may read a code displayed on the initiating device and enter it on the authorization device, or they may scan a QR code displayed on the initiating device with the authorization device.

2. Client transferred: In the second variant, the OAuth client on the initiating device is responsible for initiating authorization on the authorization device via a backchannel with the authorization server.

3. Hybrid: In the third variant, the OAuth client on the initiating device triggers the authorization request via a backchannel with the Authorization Server. An access code is displayed on the Authorization device, which the user enters on the initiating device.

Are these new labels clearer than the previous ones or do you see some ways we can improve it further?
Cheers
Pieter
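The three patterns described in the message differ only in who carries the session across the device boundary. The following toy model (added here as an illustration; it is not code from the draft, the BCP or the mailing-list thread) uses a hypothetical in-memory Authorization Server and a constructed session id and user code to show, per pattern, which party moves what between the Initiating Device and the Authorization Device.

```python
import secrets

class AuthorizationServer:
    """Hypothetical in-memory AS: each session records its state and a short user code."""
    def __init__(self):
        self.sessions = {}   # session id -> {"state": str, "code": str}
        self.pushed = {}     # authorization device id -> session id delivered over the backchannel

    def new_session(self, push_to=None):
        # Constructed sample values; a real AS would use its own identifiers and code format.
        sid, code = secrets.token_hex(4), secrets.token_hex(2).upper()
        self.sessions[sid] = {"state": "pending", "code": code}
        if push_to is not None:           # backchannel delivery to the user's registered device
            self.pushed[push_to] = sid
        return sid, code

    def approve_by_code(self, code):      # pattern 1: the authorization device presents the code
        for s in self.sessions.values():
            if s["code"] == code and s["state"] == "pending":
                s["state"] = "authorized"
                return True
        return False                      # unknown or already-used code: nothing is authorized

    def approve_pushed(self, device_id):  # pattern 2: the user consents on the authorization device
        sid = self.pushed.pop(device_id)
        self.sessions[sid]["state"] = "authorized"

    def redeem_code(self, sid, code):     # pattern 3: the initiating device returns the shown code
        s = self.sessions[sid]
        if s["code"] == code and s["state"] == "pending":
            s["state"] = "authorized"
        return s["state"]

    def poll(self, sid):
        return self.sessions[sid]["state"]

def user_transferred_session_data(az):
    sid, code = az.new_session()                   # initiating device displays the code
    az.approve_by_code(code)                       # user copies it to the authorization device
    return az.poll(sid)                            # initiating device polls for the result

def backchannel_transferred_session(az, phone="phone-1"):
    sid, _ = az.new_session(push_to=phone)         # client asks the AS to reach the user's device
    az.approve_pushed(phone)                       # user approves there; the user copies nothing
    return az.poll(sid)

def user_transferred_authorization_data(az, phone="phone-1"):
    sid, _ = az.new_session(push_to=phone)         # backchannel triggers the request
    shown = az.sessions[az.pushed.pop(phone)]["code"]  # code displayed on the authorization device
    return az.redeem_code(sid, shown)              # user enters it on the initiating device
```

The direction of the user-carried data is the distinguishing feature: in pattern 1 it flows from the Initiating Device to the Authorization Device, in pattern 3 the other way, and in pattern 2 only the backchannel carries the session.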