IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Breno de Medeiros <breno@google.com> Thu, 15 March 2012 21:12 UTC

Return-Path: <breno@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A65C21E8029 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 14:12:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.575
X-Spam-Level:
X-Spam-Status: No, score=-102.575 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uiqlO-N4Ahyz for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 14:12:09 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1201021E8025 for <oauth@ietf.org>; Thu, 15 Mar 2012 14:12:08 -0700 (PDT)
Received: by iazz13 with SMTP id z13so5114045iaz.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 14:12:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=Q7noc2T8WuWT9+g5rKa7CuoX2ZtaOhViQY6R+13lkeI=; b=WlVt1fF67oqJhcwOi+zIbjsOld4079UVxspZafPVvT4FLrjp5A3JeWCmbtCGEkqTFO vQggbVBKtXgIw9iCcd02WTP2iGrSP4QQ4UNpFuDwrv5kSri05KR92AH4Fowb0Vo62UDS XaDFTjE+jQM6XdggIQsQp6odR951gkv0ll53KMM+H6VIKr5KopzPVy9HzFe2eXR3+pjT sUSEqiegKdUzsBPoRhhQCpVGVy6mZ9Lkl9soOrmjB0rLvuWirlpUgQ+CHFOm7b2QThY6 ghRHj+5qJbm611IjAam1kqHsBksa3PuSacVdLbVVVZ28uZRkw1VHyz597KY4t/LH/ssn XZCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=Q7noc2T8WuWT9+g5rKa7CuoX2ZtaOhViQY6R+13lkeI=; b=nNfLxjM4A7YkVgXkN/Tc6lrPtGUIG9Mtr+9u5JnKZVL+PmUb+HPesfk7uTICEPpoeI xMI8AVW+4wx7UrKsquFQElpk7SwUQcMJD12bsQEJSizNm699ekabXDAy5/R8RdLKyttg UgfnA6ywJkU0AhSYtuvNlZu0JKMnyKYVgoZiokYJ19ziF9fFP/qJXPOTE9ZDc9yxUimg hxW4gMaRgYQx6NiV7ca8VdNCl8Mw2nbf1fycKXBqbX1zhw8lpNQWTpleaF74+yA5XJYf W1JYLLTDY8tBI5t1UOo+oTL25B6CY4VWuBtdWPZrJ1SRgjsDlTbigzZ0Y2S4XIh8dkiX h1nA==
Received: by 10.50.149.131 with SMTP id ua3mr18119715igb.41.1331845928596; Thu, 15 Mar 2012 14:12:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.149.131 with SMTP id ua3mr18119705igb.41.1331845928516; Thu, 15 Mar 2012 14:12:08 -0700 (PDT)
Received: by 10.231.41.137 with HTTP; Thu, 15 Mar 2012 14:12:08 -0700 (PDT)
In-Reply-To: <CB879ABB.1658B%eran@hueniverse.com>
References: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com> <CB879ABB.1658B%eran@hueniverse.com>
Date: Thu, 15 Mar 2012 14:12:08 -0700
Message-ID: <CAAJ++qH7nW-W+saqSiONDi6j_GMz8q8_Q2yfoaOune2xpmXRbg@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQmP4SviMfsfjRQ6O/vPj8Z3muoMGWTO3yobXWFywC3sePzLAFxm3ZdBz0y7LhlDJUdNxWAIn49MF2R+xDQZcFOqaKswZTMi6LrH0FAZ3ycSC/CSVGdtWRWGmqOfTvo8kfR4tC4h
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 21:12:10 -0000

On Thu, Mar 15, 2012 at 13:13, Eran Hammer <eran@hueniverse.com> wrote:
> Ok. That's much better than my guess that you wanted to drop all the
> registration text from the specification…
>
> What I'm looking for is a simple text that answers the question:
>
> "What to do if my client isn't simply public or confidential?"
>
> If we just drop the current text, the answer is implicitly "you can't have
> such a client" because there is no way to register a client of any other
> type.
>
> So let's try this again, and focus exclusively on answering this question.
> My text takes a position which is, "you can't - unless". Your suggestion
> is more of a vague discussion of the topic. I'd like to see clear,
> normative answer to this question.

The current version is normative but far from clear. In fact, the most
natural interpretation is that it bans normal practice and throws away
the work that was done in defining different flow types to support
normal practice.

1. I don't see the need or desirability to put normative language on
registration practices.
2. The contents of said normative language are harmful.

I suggest two alternatives:

1. Remove the language.
2. Substitute the language by non-normative informative discussion.

You can also do other things, like introduce normative language that
makes sense. But I have not yet seen proposed language that would be
acceptable.

>
> EH
>
>
> On 3/15/12 12:30 PM, "Breno de Medeiros" <breno@google.com> wrote:
>
>>I am proposing the entire removal of:
>>
>>"A client application consisting of multiple components, each with its
>>own client type (e.g. a distributed client with both a confidential
>>server-based component and a public browser-based component), MUST
>>register each component separately as a different client to ensure
>>proper handling by the authorization server."
>>
>>In particular the example of a server-side component versus
>>browser-based components is particularly unhelpful since it violates
>>the entire principle of why two response_type 'code' and 'token' were
>>defined, and how OAuth2 is typically implemented. That's when I claim
>>this normative language is redefining the protocol.
>>
>>
>>On Thu, Mar 15, 2012 at 12:13, Eran Hammer <eran@hueniverse.com> wrote:
>>> Which text in -25 are you proposing we remove exactly? I can't judge the
>>> text below without the full context of where and how it is proposed in
>>>the
>>> current document.
>>>
>>> Also, you are ignoring my detailed analysis of the current facts. We
>>>have
>>> two client types and the issue here is what to do with other, undefined
>>> types.
>>>
>>> EH
>>>
>>>
>>> On 3/15/12 11:54 AM, "Breno de Medeiros" <breno@google.com> wrote:
>>>
>>>>My proposal is to remove any reference to registration (which is a red
>>>>herring and has raised all the problems we refer here) and refer to
>>>>client authentication instead.
>>>>
>>>>Proposal:
>>>>
>>>>"Clients may be implemented as a distributed set of components that
>>>>run in different security contexts. For instance, a single client may
>>>>include a webserver component and a script component in a browser. It
>>>>is not appropriate for the different components to utilize the same
>>>>client authentication mechanisms, since client authentication
>>>>credentials that are held securely in one context cannot be deployed
>>>>securely in another.
>>>>
>>>>Servers MUST mitigate security threats from client components that
>>>>cannot hold client credentials as securely by distinguishing them from
>>>>client components that can. Example of suitable measures are:
>>>>
>>>>- Requiring separate registration of components such as web server and
>>>>a mobile application.
>>>>- Restricting the time validity of tokens issued to clients that hold
>>>>no authentication credentials, such as browser script-based
>>>>components."
>>>>
>>>>Please don't truncate explanations in the interest of space if the
>>>>resulting text is confusing and possibly misleading. Better to say
>>>>nothing instead.
>>>>
>>>>On Thu, Mar 15, 2012 at 11:32, Eran Hammer <eran@hueniverse.com> wrote:
>>>>> Here are the facts:
>>>>>
>>>>> The authorization server must know the client type in order to enforce
>>>>>many
>>>>> of the requirements in the specification.
>>>>> The requirement to provide a client type is not decorated with a MUST
>>>>>or
>>>>> SHALL but that is implied.
>>>>> The specification only defines two client types: public and
>>>>>confidential.
>>>>> There is no client type defined for a hybrid client.
>>>>> The specification needs to address the very common use case of clients
>>>>>with
>>>>> both public and private components.
>>>>>
>>>>> I don't want to discuss in the specification how client identifiers
>>>>>are
>>>>> provisioned, nor do I want to discuss the potential binding of
>>>>>response
>>>>> types to client types. But we do need to provide some guidance to
>>>>>clients
>>>>> and authorization servers what to do with clients that do not fit the
>>>>> current type definitions.
>>>>>
>>>>> It is far too late for us to define a new client type, along with all
>>>>>the
>>>>> security considerations that such type imply. Our entire security
>>>>> consideration section and protocol design are based on have a well
>>>>>defined
>>>>> client type.
>>>>>
>>>>> Requiring separate registration for each component is the most
>>>>> straight-forward solution. Allowing the authorization server to offer
>>>>> alternatives is the backdoor to enable extensibility.
>>>>>
>>>>> Within these constraints, I am open to other prose or creative
>>>>>solutions.
>>>>> But the add-ons proposed are all ugly hacks. They clarify specific
>>>>>questions
>>>>> raised which I do not believe represent the core confusion here which
>>>>>is
>>>>> what is the right way to handle hybrid clients.
>>>>>
>>>>> The best way to move forward is to take a minute and ask the group to
>>>>>share
>>>>> how they handle such cases or how they think they should be handled.
>>>>>Based
>>>>> on that we can come up with a clear solution.
>>>>>
>>>>> EH
>>>>>
>>>>> From: Breno de Medeiros <breno@google.com>
>>>>> Date: Thu, 15 Mar 2012 09:56:13 -0700
>>>>> To: Eran Hammer-Lahav <eran@hueniverse.com>
>>>>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG <oauth@ietf.org>
>>>>>
>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer <eran@hueniverse.com>
>>>>>wrote:
>>>>>>
>>>>>> This add-on is unnecessary. It already says the authorization server
>>>>>>can
>>>>>> handle it any way it wants. The fact that other registration options
>>>>>>are
>>>>>> possible clearly covers the client identifier reuse case. As for the
>>>>>> response type, that¹s not an issue but more of an optimization for an
>>>>>>edge
>>>>>> case raised.
>>>>>
>>>>>
>>>>> It still feels like a horse by committee to me. "unless the
>>>>> authorization server provides other registration options to specify
>>>>>such
>>>>> complex clients." seems a very round about way to say that the core
>>>>>spec
>>>>> already provides for such arrangements in the most common scenario. It
>>>>>is a
>>>>> bit of a stretch to say that the server provides "other registration
>>>>> options" by simply following strategy already laid out in the spec.
>>>>>
>>>>> In particular, I feel that this wording will be harmful to register
>>>>>extended
>>>>> behavior, e.g., alternative response_types by leading to fruitless
>>>>> conversations about spec compliance in the absence of real security
>>>>>risks.
>>>>>
>>>>> I do not believe the current text is the best representation of the
>>>>>spirit
>>>>> in which the spec was written (in particular the effort to specify two
>>>>>flows
>>>>> in detail to deal with precisely this issue) and possibly lead to
>>>>>harmful
>>>>> future interpretation.
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> EH
>>>>>>
>>>>>>
>>>>>>
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>Behalf
>>>>>>Of
>>>>>> Nat Sakimura
>>>>>> Sent: Thursday, March 15, 2012 2:04 AM
>>>>>> To: Breno de Medeiros; OAuth WG
>>>>>>
>>>>>>
>>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> So, Eran's first proposal:
>>>>>>
>>>>>>
>>>>>>
>>>>>>   A client application consisting of multiple components, each with
>>>>>>its
>>>>>>   own client type (e.g. a distributed client with both a confidential
>>>>>>   server-based component and a public browser-based component), MUST
>>>>>>   register each component separately as a different client to ensure
>>>>>>
>>>>>>   proper handling by the authorization server, unless the
>>>>>>authorization
>>>>>>   server provides other registration options to specify such complex
>>>>>> clients.
>>>>>>
>>>>>>
>>>>>>
>>>>>> kind of meets my concern. There seems to be another issue around the
>>>>>> usefulness of return_type in such case raised by Breno, and if I
>>>>>>understand
>>>>>> it correctly, Eran's answer was that these separate components may
>>>>>>have the
>>>>>> same client_id so that return_type is a valid parameter to be sent at
>>>>>>the
>>>>>> request.
>>>>>>
>>>>>>
>>>>>>
>>>>>> So, to clarify these, perhaps changing the above text slightly to the
>>>>>> following solves the problem?
>>>>>>
>>>>>>
>>>>>>
>>>>>>   A client application consisting of multiple components, each with
>>>>>>its
>>>>>>   own client type (e.g. a distributed client with both a confidential
>>>>>>   server-based component and a public browser-based component), MUST
>>>>>>   register each component separately as a different client to ensure
>>>>>>
>>>>>>   proper handling by the authorization server, unless the
>>>>>>authorization
>>>>>>   server provides other registration options to specify such complex
>>>>>> clients.
>>>>>>
>>>>>>   Each component MAY have the same client_id, in which case the
>>>>>>server
>>>>>>
>>>>>>   judges the client type and the associated security context  based
>>>>>>on
>>>>>>   the response_type parameter in the request.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Would it solve your problem, Breno?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>>
>>>>>>
>>>>>> =nat
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --Breno
>>>>
>>>>
>>>>
>>>>--
>>>>--Breno
>>>
>>
>>
>>
>>--
>>--Breno
>



-- 
--Breno

v2.23.0 | Report a Bug | By Email