Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
William Denniss <wdenniss@google.com> Fri, 03 March 2017 06:38 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397D71297A8 for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 22:38:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 005kY42-Ikv5 for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 22:38:24 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AE1A1297A5 for <oauth@ietf.org>; Thu, 2 Mar 2017 22:38:24 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id h9so7082694qke.2 for <oauth@ietf.org>; Thu, 02 Mar 2017 22:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=allIXkbKsNJRi57zIL86RHafN75r+m41tARUfUwG25A=; b=FGdq6eS+5TMV6L/Ba2eZJduIkjRNDKLIRCtDFq0mupt9hmkQD7f+EIiqxdL8fJF+Xt Tw6JeHxMl4xhBlQRFPYqpcukg2LGD/+WzUoj0MDlDv3X+LuCFUhYdRmLXgBuQ/ZyAGTK z1sH4iIyHi+Wnk70MRnBIT8PD1DveihOyo3R+yRALh1Dkb7ipW4p4KJU6m554Sgz2I+2 hBrsJfI6uEQs3P32mIrANWnq5WZIRHiXMm3hGLKHou1WPkArBwHMnq6m+sCpSV37jb8V A5r91zVTo48xPFxp0nsn4XXfvLcmytS9k3fqDwFmVNr1hilTVXVLgRrLEHYXrQY5ZIze nNqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=allIXkbKsNJRi57zIL86RHafN75r+m41tARUfUwG25A=; b=OSCDul4+lhDDKvlVHQ2VDu9ITTE14iKW6TpnyIfZzeD7oUMjp/Sconko5tNUA1ix9B BEyWpEDt7pq9wNW8kboWZEI3FIzAbbT/6VJ5kaR7p3f2SNGRDWHHrWAtIwciYwO3kyvG 7GebHHK01StzAWJSVdndbMsNSr4Jp+7UdpJzELwSiLfAmfDg6QYr9ZYDpE1OXlZAkALb 6TxgGoqd/5zIvFbvEpebZHVQcW9Ee45gfDuSx+Jq2lI2kgmcpV21OLq/LNOkwgXJ9OQo odBiOlYp/Q5X29jG1YrvTKfo46D23a81z1kg4toX4ZNFbLnsOUZ8zMUEsbkDE9gO7sry g2Iw==
X-Gm-Message-State: AMke39n5iVQGUd9HMWm35r0hXUAZNRzAsz5wegtqF5FOXL1MtL4W75uEHXFtYFl/XTp2wJpzrNxre5lfJCrVQrqg
X-Received: by 10.55.42.211 with SMTP id q80mr989853qkq.186.1488523103292; Thu, 02 Mar 2017 22:38:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Thu, 2 Mar 2017 22:38:02 -0800 (PST)
In-Reply-To: <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com> <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 02 Mar 2017 22:38:02 -0800
Message-ID: <CAAP42hDYPqck2=oDLcVJ100TMjUAVtosqDVbT4gTNATUqapY6g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary="001a1147ae5cd06abf0549cdca0e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RyXZ27OyS_j3F3nxjwlaxzbIb1E>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 06:38:26 -0000
Thank you for the excellent feedback Nat. I believe I have addressed all the points you raised in the latest version (08). On Wed, Mar 1, 2017 at 6:11 AM, Nat Sakimura <sakimura@gmail.com> wrote: > > It looks generally good. Thanks William and John for creating it. > > I spotted a few nits. > > NS1: MUST is not a recommendation > ================================ > In 8.5, it says: > > (which is a recommended in Section 7.1.1 > <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1> > ) > > However, in 7.1.1, it is a MUST, i.e., required instead of recommended. > So, "recommended" in the above sentence needs to be changed to "required". > > > NS2: Dynamically registered client can be treated as a confidential client > ======================================================= > In 8.9 > <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>. > it says: > > Authorization servers that still require a shared secret for native app > clients MUST treat the client as a public client > > As it is a MUST, we have to qualify it a little more as it is ok to treat > it as a confidential client if the client does dynamically register the > copy and obtain shared secret that is only shared between the copy of the > app and the server. > > Suggests: > > Authorization servers that still require a statically included shared > secret for native app clients MUST treat the client as a public client > > NS3: Sever Mix-up > ====================== > 8.11 > <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11>. > talks about mix-up mitigation but misses one of the points. Specifically: > > * the app MUST store the redirect uri in the request with the "session" > and MUST verify that it exactly matches with the URI of the endpoint that > it received the response. > > Cheers, > > Nat Sakimura > > > > On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampbell@pingidentity.com> > wrote: > >> -07 LGTM >> >> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> >> wrote: >> >> Hi all, >> >> after the working group last call of the "OAuth 2.0 for Native Apps" >> document July last year (see >> https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I >> had, as a shepherd, collected IPR confirmations (see >> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and >> produced a shepherd writeup (see >> https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html). >> >> Since version -03 and the current version -07 a fair amount of text has >> been changed, see >> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/ >> id/draft-ietf-oauth-native-apps-03.txt&url2=https:// >> tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt >> >> Although most of those changes are editorial and normative changes have >> been discussed on the mailing list I believe it is fair to let the group >> take a brief look at the final version. >> >> For this reason we will issue a short, one week, working group last call >> before pushing the document to the IESG. >> >> So, please provide your comments to the list no later than February 27th. >> >> Here is the link to the document again: >> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07 >> >> Ciao >> Hannes & Derek >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > -- > > Nat Sakimura > > Chairman of the Board, OpenID Foundation > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to… Hannes Tschofenig
- [OAUTH-WG] review draft-ietf-oauth-native-apps-07 Sebastian.Ebling
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Brian Campbell
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Nat Sakimura
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… William Denniss
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… William Denniss
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… Sebastian.Ebling