IETF Logo Mail Archive

Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )

Warren Parad <wparad@rhosys.ch> Thu, 14 October 2021 09:17 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8BCF3A113C for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 02:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7OySInDwWYY for <oauth@ietfa.amsl.com>; Thu, 14 Oct 2021 02:17:23 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6678B3A113A for <oauth@ietf.org>; Thu, 14 Oct 2021 02:17:23 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id s4so13053953ybs.8 for <oauth@ietf.org>; Thu, 14 Oct 2021 02:17:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jVNg73gdXEWfhI08a0+e/3+uhed+a7EhXNqaHsp3WR4=; b=TkBIR7gekx/Sec9UJLDFEfVVip2Chur7pecYRAuIEnU1S2RnYseMWrD/40mo69RpPX pzXphS9AZuSBq+UgGqY9n71xQLOOJiGh9U7mbrESveNoXlR4znbWZKuG7/YTfby13m4l wjRwzmYBc6XSN/mSHe5G60vXi8veEuaxE9LufKhV7Wt+S6gB+XRXeJgGOklBMRAA+/Ui kPh+DeCcRt/8h/zLSmmFjPXST6hpMOyS3WubftHzMBfu1G2pW8Vt+DQ6ZefacyUhBwXs M+/QYiiuUXKk7i86f3c8uYDit9CDTdPmZUl9mKnWvIgD7+oxWOlbLP/c7b9ysWceZQnw 0DzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jVNg73gdXEWfhI08a0+e/3+uhed+a7EhXNqaHsp3WR4=; b=5TZUvh4pxSwitF+Jj0eMKUa12HpXGjVWoHFQIDE/oUHTB657GDs+9pYplDEdCjJsW7 T+WcSJ8vgWBVZz3ZpOdsPzpi8CwzcH3Hi8sduwE5WBNv/YvY/WfBhiwhbycYds4ZFNJi tlclCuG2dVz5h4oDxSTGL4aZ3di1WMXybaChyl9gD7Upa1TuU2Cya6Nj8ivl/S+bgzTl 6EGlzW61MLn+kPvAYPSAsTWMz4IE0FLZeIalt74jggIpwVYTe+c7yUgEhT3/scCOKDAM Zmi2LWI5n3JyrO1w7HJ6+h9T9H8LG/2LFSGhe5TMpKRJs0cVY5MQQ6uzU7JG4wjOokB0 Ms/g==
X-Gm-Message-State: AOAM530sJpzTO+NoalY5TmwqCrAkyZEnNNn0d4dGcPKMr+xTi41D6Suo w22K71hqQEEOn5pbOSYQMNqcOCPBQyAodWf+eygLbItLm/wb
X-Google-Smtp-Source: ABdhPJwA2NDC0xqn+oc4ku/LQwZj7Zvlgr1UUem65v8GuD5eumEBaKrPhZxi5qs7PE6HJe8V7F85UVBAatbHz1wReDc=
X-Received: by 2002:a25:dc82:: with SMTP id y124mr4968161ybe.521.1634203041801; Thu, 14 Oct 2021 02:17:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com> <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com> <CAFvbn=bGwoe3gKp8nP+sFhjKb3QqBRZR9jxcH0UFvONOQ=-1SQ@mail.gmail.com>
In-Reply-To: <CAFvbn=bGwoe3gKp8nP+sFhjKb3QqBRZR9jxcH0UFvONOQ=-1SQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 14 Oct 2021 11:17:11 +0200
Message-ID: <CAJot-L0qQhANjEtr3P97kxsjnXtH93XfNQT33Yw3mr__m1Ndrw@mail.gmail.com>
To: Ash Narayanan <ashvinnarayanan@gmail.com>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cc3fa605ce4c8b6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Pp9iV56WC2hlGttA98I4z6n7ONk>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Oct 2021 09:17:28 -0000

I'm not sure this is exactly the issue, but I also found the naming of
*credentialed
client* to be confusing. It would seem to me we have an enum whose values
do not form an orthonormal basis. In other words, whether or not a client
is credentialed is independent from whether an AS knows about the client.
Does having credentials make this client different in some way, not really.
It would seem to me better to assign the labels of:
* public / confidential
* known / unknown (or anonymous) client.

Given the fact that an AS doesn't know about the client, does it really
matter if it is credentialed? I would suggest instead of calling unknown
credentialed client as such, that we use *anonymous, unknown, or
unregistered*. And let the aspect of whether they are credentialed or not,
drive other behaviors.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Thu, Oct 14, 2021 at 11:01 AM Ash Narayanan <ashvinnarayanan@gmail.com>
wrote:

> Hi Brian,
>
> I'm all for pivoting, as long as the original concerns raised are
> addressed or even acknowledged, but since they weren't, here is the
> original message again in its entirety.
>
> Cheers,
> Ash
>
> ===
>
> Referring to the latest draft (
> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ...
>
> 1. The definition given under section 2.1 Client Types is:
>
>> Clients that have credentials but no prior relationship with the AS are
>> designated as "credentialed clients"
>
>
> This does not seem like the best or even the right definition to me. The
> definition as it stands, is in two parts:
> a) "Clients that have credentials"
> b) Clients that have "no prior relationship with the AS"
>
> With (a), the typical use-case is an app that runs on the end-user device
> and dynamically registers itself with the AS. Such a client does not "have"
> credentials to begin with, or at least the use of the word "have" here, if
> it's intended to mean "at some point will have", does not differentiate it
> from confidential clients, which are also defined to be clients "that have
> credentials".
> Instead, a better choice of words for credentialed clients may be "Clients
> that dynamically obtain credentials".
>
> (b) is not necessarily true, because the credentialed client may very well
> be a known client and therefore have a prior relationship with the AS.
> Think of (common) scenarios where the AS and client are both part of the
> same organisation or a peer organisation, and therefore the client metadata
> an AS receives in a dynamic registration request is already known to the
> AS. An AS may only decide to accept dynamic registrations from such known
> clients.
>
> Of course I may not be interpreting "prior relationship" as it may be
> intended, in which case that needs to be clarified somewhere.
>
>
> 2. Continuing with section 2.1 Client Types, for a native application, it
> says:
>
>> On the other hand, dynamically issued credentials such as access tokens
>> or refresh tokens can receive an acceptable level of protection.
>
>
> Why is this also not mentioned for a browser-based application? Unless I'm
>  mistaken, in terms of accessibility for an intruder, in-memory for a
> native app is equivalent to in-memory for an SPA and local storage for a
> native app is equivalent to local storage for an SPA.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.37.1 | Report a Bug | By Email | System Status