Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?

Sascha Preibisch <saschapreibisch@gmail.com> Tue, 07 July 2020 23:56 UTC

Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 893393A0C70 for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 16:56:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3XkQEhLdloI for <oauth@ietfa.amsl.com>; Tue, 7 Jul 2020 16:56:49 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECFC23A0C7F for <oauth@ietf.org>; Tue, 7 Jul 2020 16:56:48 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id b6so47061545wrs.11 for <oauth@ietf.org>; Tue, 07 Jul 2020 16:56:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mRUYQ1fiKfU/Feq0Ez6426l5rv0OlMOZzA9I1bK8DqA=; b=iN2qBb2CyU16peH+4gmvNFBOoiYnBy1SV8FqZaKO4cUK6cUoAHwrI4ybYDWzseC68X sjTWraG9sSSWKfqugLoB/LWfZqXfNid3m740VlRFMXvu7Affg96qfLP3z3ThZTu1HCNW qQfssMFlPIC70yoMwPWJWR5Kmt0SMzpkFXiLDZXggOLN8zgZDMXvm4jig30hu2jrNfjh 7vzfkBNrSBdmeP8/ArJTzTsk2bVmddMlnqD92A+GTTyG96zxbTpRtAa9FampnBfY9Ty+ T3ioSxBRaNcU0krCZakZBAzp6JrFg4MKPoOCp+zZFRUlJy25+2Ye5XXIYA55FbmW4HoD K5BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mRUYQ1fiKfU/Feq0Ez6426l5rv0OlMOZzA9I1bK8DqA=; b=dizJ4QKVNfOtl02jaxWsXD5Sgjrc7eZsVonJjNAfTfYMl/1QzHAevUXa/SNtjy4lRx RtBkwllhVugA/S8vY/DECWb2ui/g+NxKaJYd3M3w5XgfdzN6/kTPO3Atb0rQivKPEwR6 fS996BbVp6vz+HbyVjags5k4ViK2DSP90mOzck+lxgP/gzfWp8PU9dGF+31bpcFgLdIo jBNsE342WoFWBkwUr6uOqtlwWrUvHWJ7PKUS26HPDHH8FipWxFSEzfkIxtuMpABFVnO4 LBLheMGIqNHBtZ2eJQpCO/OPMJCJX/ctG7K8hAmDo6cnNHwTuq9/WY7T5WhXtDT0tI8I M4Kw==
X-Gm-Message-State: AOAM533QmGXMWd068XTH7ZfcBAFSZaVBSDyNWMmlFLikELJseEMv0i8g Ok5L1b2RRfPf0ityyba3dj9DDTpm+JPPpA271Oc=
X-Google-Smtp-Source: ABdhPJyRdEa2MegF9nsq08kCpQ+KeAoF1yEDm9ee1udzrrDutpJubOmgE93N37OtHGsrPNWJQg5PYy6+j4b9547cioo=
X-Received: by 2002:a05:6000:1143:: with SMTP id d3mr44238068wrx.235.1594166207365; Tue, 07 Jul 2020 16:56:47 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uOiy92_68YzLajEDr4kjoKwvmn1aQiz6_=HojpbWYtPA@mail.gmail.com> <7ce27138-b1f5-7593-72aa-40d04b64ee9e@connect2id.com> <CAP=vD9tAGtpcWh2tX68M8SpgMBNo9hYNdBuZLD8SCKR1Ar1seA@mail.gmail.com> <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
In-Reply-To: <CAD9ie-t167+vmispTd6A=ZDhrzx-HBDMHBPPPDpNx-2LXK=zpQ@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Tue, 07 Jul 2020 16:55:33 -0700
Message-ID: <CAP=vD9vNZK+k1aWvQsKL96OJsiyBMk72svai+R6vbF2xN=EijA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080c5d005a9e2be89"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RoFreN7uVwIkm50Iu7BE7NhvpTw>
Subject: Re: [OAUTH-WG] OAuth 2.1-03 - WG adoption?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 23:56:53 -0000

Hello Dick!

Unless the two typos that I have mentioned should be updated beforehand ,
no, I do not.

Thank you,
Sascha

On Tue, 7 Jul 2020 at 16:36, Dick Hardt <dick.hardt@gmail.com> wrote:

> Thanks Sascha and Vladimir for the feedback!
>
> Sascha: did you have a concern with the document being adopted by the WG?
>
> ᐧ
>
> On Tue, Jul 7, 2020 at 4:04 PM Sascha Preibisch <saschapreibisch@gmail.com>
> wrote:
>
>> Hi all!
>>
>> Here is the rest of my feedback. At the end I also included a list of
>> typos and the summary of changes that I have found between RFC 6739
>> and the current draft.
>>
>> Regards,
>> Sascha
>>
>> Section 2.3. Client Authentication
>> -------------------------
>>
>> Draft and current:
>> - both documents contain this description: "... the authorization
>> server (e.g., password, public/private key pair)"
>> - since the client usually uses a 'client secret', maybe this could be
>> worded as such:
>> - suggestion: "... the authorization server (e.g., client secret,
>> public/private key pair)"
>>
>> Draft:
>>
>> "The authorization server MAY establish a client authentication method
>> with public clients, which converts them to credentialed clients.
>> However, the authorization server MUST NOT rely on credentialed
>> client authentication for the purpose of identifying the client."
>>
>> - Does this mean that credentialed clients are as trustworthy/ not
>> trustworthy as public clients?
>>
>> Draft:
>>
>> "Clients in possession of a client password, also known as a client
>> secret, ..."
>>
>> - Maybe this could simply be changed to:
>> "Clients in possession of a client secret ..."
>>
>> Section 3.1.2.2 Registration Requirements
>> -------------------------
>>
>> Draft:
>>
>> "Lack of requiring registration of redirect URIs enables an attacker
>> to use the authorization endpoint as an open redirector as described
>> in <a href="#section-9.18">Section 9.18</a>."
>>
>> - is that still required since redirect_uris have to be pre-registered
>> now?
>>
>> Section 4.1. Authorization Code Grant
>> -------------------------
>>
>> Draft:
>> - Figure 3, step (1), does not include 'code_challenge_method' Is that
>> intentionally?
>> - I am suggesting to include it to avoid potential questions and
>> confusion. It could listed as 'optional' as 'scope' is
>> - In addition, when referencing parameters, they should be spelled as
>> used in the protocol, i.e.: 'code_challenge' instead of
>> 'code_challenge'
>>
>> Section 4.1.1 Authorization Request
>> -------------------------
>>
>> Draft:
>>
>> "Clients use a unique secret per authorization request to protect .... "
>>
>> - It would be less confusing if this section would start of with "PKCE
>> is required"
>> - Introducing a '... unique secret per ...' sounds like something very
>> new although this is referencing PKCE
>> - Suggestion (along the lines of):
>> "Clients MUST leverage PKCE per authorization request to protect ..."
>>
>> Section 4.1.2.1 Error Response
>> -------------------------
>>
>> Draft:
>>
>> "An AS MUST reject requests without a "code_challenge" from public
>> clients, and MUST reject such requests from other clients  unless
>> there is reasonable assurance that ..."
>>
>> - These statements are the ones that cause discussions between
>> developers and/ or third parties
>> - ' ... unless ...' is very difficult to grasp, even when looking into
>> section 9.8
>> - I would suggest to make it required
>>
>> Section 5.1 Successful Response
>> -------------------------
>>
>> Draft and current:
>>
>> - both documents describe the refresh_token response parameter and
>> describe it as such:
>> "OPTIONAL.  The refresh token, which can be used to obtain new access
>> tokens using the same authorization grant as described in <a
>> href="#section-6">Section 6</a>"
>>
>> - As an enhancement, I suggest this update:
>> "OPTIONAL.  The refresh token, which can be used to obtain new access
>> tokens using the grant type "refresh_token" as described in <a
>> href="#section-6">Section 6</a>"
>>
>> Section 6. Refreshing an Access Token
>> -------------------------
>>
>> Draft:
>>
>> Authorization servers SHOULD determine, based on a risk assessment,
>> whether to issue refresh tokens to a certain client.  If the
>> authorization server decides not to issue refresh tokens, the client
>> MAY refresh access tokens by utilizing other grant types, such as the
>> authorization code grant type.  In such a case, the authorization
>> server may utilize cookies and persistent grants to optimize the user
>> experience.
>>
>> - That paragraph sounds like a general advice for web developers and
>> should appear in an appendix for my taste
>> - ' ... based on risk assessment ... ' may exclude any implementation
>> that does not have such capabilities
>>
>> ===
>>
>> Draft:
>>
>> - this section includes this statement:
>> "Confidential or credentialed clients MUST authenticate with the
>> authorization server ..."
>>
>> - section 2.3 includes this statement and makes me wonder how
>> confident an authorization server can be when working with
>> 'credentialed' clients':
>> "However, the authorization server MUST NOT rely on credentialed
>> client authentication for the purpose of identifying the client."
>>
>> - Any clarification, I would say about the client type 'credentialed'
>> in general, would be helpful
>>
>> -------------------------
>> Typos:
>> -------------------------
>>
>> Section 2.1. Client Types
>> -------------------------
>>
>> Draft:
>>
>> "credentialed":  Clients that have credentials and their identity has
>> been not been confirmed by the AS are designated as "credentialed
>> clients"
>>
>> - I believe it should be:
>>
>> "credentialed":  Clients that have credentials and their identity has
>> not been confirmed by the AS are designated as "credentialed clients"
>>
>> Section 3.2.1 Client Authentication
>> -------------------------
>>
>> Draft:
>>
>> "Confidential or credentialed clients client MUST authenticate with..."
>>
>> - I believe it should be:
>> "Confidential or credentialed clients MUST authenticate with..."
>>
>> -------------------------
>> Summary of changes between draft and current:
>> -------------------------
>>
>> - no more implicit
>> - no more response_type=token
>> - no more ropc
>> - no more redirect code 307
>> - no more open redirect_uri
>> - new client type 'credentialed'
>> - must use PKCE (with few exceptions)
>> - AS must provide a way to show their support for 'code_challenge_method'
>>
>> - refresh token should expire
>> - description for client type 'confidential' got updated
>> - clients should not be able to choose their client_id
>> - no reference to 'mac' token profile anymore
>> - section 7.2 details on Bearer token
>> - resource server must include 'WWW-Authenticate: Bearer
>> realm="example"' header for failing authorization
>> - extended list of security threats
>> - discussion on native apps removed
>> - recommended bindings between access_token and resource_server
>> - recommended refresh_token rotation or sender-constraints
>> - recommended to use '127.0.0.1' instead of 'localhost'
>>
>> On Tue, 7 Jul 2020 at 15:21, Vladimir Dzhuvinov <vladimir@connect2id.com>
>> wrote:
>> >
>> > I find 03 well structured, well written and it shows that a lot of
>> thought and work has gone into it.
>> >
>> > If this is a formal call for adoption - I support it.
>> >
>> >
>> > - defined new client type - credentialed clients - a client that has
>> credentials, but the AS has not confirmed the identity of the client.
>> Confidential clients have had their identity confirmed by the AS. We talked
>> about changing the names of confidential and public, but thought that would
>> be confusing. This new definition cleans up the text substantially.
>> >
>> > I understand why this new client type was introduced. For the reader
>> who is not familiar with the recent OAuth RFCs and drafts - I suspect this
>> can still be confusing. There will likely be questions -- Why does this
>> difference between confidential and credentialed matter? What is a concrete
>> example of a credentialed client?
>> >
>> > Also, people will likely ask themselves - what does the confirmation of
>> a (credentialed) client's identity by the AS actually mean and do? (section
>> 2.1)
>> >
>> >
>> >    Authorization servers SHOULD consider the level of confidence in a
>> >    client's identity when deciding whether they allow such a client
>> >    access to more critical functions, such as the Client Credentials
>> >    grant type.
>> >
>> > Again, normative text that relies on the implementer being able to
>> assign levels of confidence in the client's identity, but is not
>> immediately obvious how to go about this.
>> >
>> >
>> > There is mention in 9.1 about "enlisting the resource owner to confirm
>> identity" and "if there is a web application whose developer's identity was
>> verified...". But this talk about client identity is secondary and happens
>> in the context of client authentication.
>> >
>> > Perhaps it will make sense to promote the discussion about identity to
>> a new 9.x section "Client identity" or "Client Identification", before
>> "Client Authentication". Addressing the topics what client identity is, why
>> does it matter (especially for security), and the "confirmation by the AS".
>> Then proceed with "Client Authentication" which now is freed to focus on
>> the credentials / auth methods aspects.
>> >
>> >    Such credentials are either issued by the
>> >    authorization server or registered by the developer of the client
>> >    with the authorization server.
>> >
>> > Credentials (public key) can also be registered by a client performing
>> dynamic registration (section 2.1)
>> >
>> >
>> > Vladimir
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>