IETF Logo Mail Archive

Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call

William Denniss <wdenniss@google.com> Fri, 03 March 2017 06:38 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397D71297A8 for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 22:38:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 005kY42-Ikv5 for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 22:38:24 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AE1A1297A5 for <oauth@ietf.org>; Thu, 2 Mar 2017 22:38:24 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id h9so7082694qke.2 for <oauth@ietf.org>; Thu, 02 Mar 2017 22:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=allIXkbKsNJRi57zIL86RHafN75r+m41tARUfUwG25A=; b=FGdq6eS+5TMV6L/Ba2eZJduIkjRNDKLIRCtDFq0mupt9hmkQD7f+EIiqxdL8fJF+Xt Tw6JeHxMl4xhBlQRFPYqpcukg2LGD/+WzUoj0MDlDv3X+LuCFUhYdRmLXgBuQ/ZyAGTK z1sH4iIyHi+Wnk70MRnBIT8PD1DveihOyo3R+yRALh1Dkb7ipW4p4KJU6m554Sgz2I+2 hBrsJfI6uEQs3P32mIrANWnq5WZIRHiXMm3hGLKHou1WPkArBwHMnq6m+sCpSV37jb8V A5r91zVTo48xPFxp0nsn4XXfvLcmytS9k3fqDwFmVNr1hilTVXVLgRrLEHYXrQY5ZIze nNqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=allIXkbKsNJRi57zIL86RHafN75r+m41tARUfUwG25A=; b=OSCDul4+lhDDKvlVHQ2VDu9ITTE14iKW6TpnyIfZzeD7oUMjp/Sconko5tNUA1ix9B BEyWpEDt7pq9wNW8kboWZEI3FIzAbbT/6VJ5kaR7p3f2SNGRDWHHrWAtIwciYwO3kyvG 7GebHHK01StzAWJSVdndbMsNSr4Jp+7UdpJzELwSiLfAmfDg6QYr9ZYDpE1OXlZAkALb 6TxgGoqd/5zIvFbvEpebZHVQcW9Ee45gfDuSx+Jq2lI2kgmcpV21OLq/LNOkwgXJ9OQo odBiOlYp/Q5X29jG1YrvTKfo46D23a81z1kg4toX4ZNFbLnsOUZ8zMUEsbkDE9gO7sry g2Iw==
X-Gm-Message-State: AMke39n5iVQGUd9HMWm35r0hXUAZNRzAsz5wegtqF5FOXL1MtL4W75uEHXFtYFl/XTp2wJpzrNxre5lfJCrVQrqg
X-Received: by 10.55.42.211 with SMTP id q80mr989853qkq.186.1488523103292; Thu, 02 Mar 2017 22:38:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Thu, 2 Mar 2017 22:38:02 -0800 (PST)
In-Reply-To: <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <CA+k3eCRN4m5rpSzhb+O+GVPjmUaJt22LUP8LGmi80J8v932zpQ@mail.gmail.com> <CABzCy2CRy66OMzxPAtWYZ--D0HNxoodf16zbcTo=Th9FmTrz1w@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 02 Mar 2017 22:38:02 -0800
Message-ID: <CAAP42hDYPqck2=oDLcVJ100TMjUAVtosqDVbT4gTNATUqapY6g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary="001a1147ae5cd06abf0549cdca0e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RyXZ27OyS_j3F3nxjwlaxzbIb1E>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to the IESG -- Short Working Group Last Call
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 06:38:26 -0000

Thank you for the excellent feedback Nat. I believe I have addressed all
the points you raised in the latest version (08).

On Wed, Mar 1, 2017 at 6:11 AM, Nat Sakimura <sakimura@gmail.com> wrote:

>
> It looks generally good. Thanks William and John for creating it.
>
> I spotted a few nits.
>
> NS1: MUST is not a recommendation
> ================================
> In 8.5, it says:
>
> (which is a recommended in Section 7.1.1
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>
> )
>
> However, in 7.1.1, it is a MUST, i.e., required instead of recommended.
> So, "recommended" in the above sentence needs to be changed to "required".
>
>
> NS2: Dynamically registered client can be treated as a confidential client
> =======================================================
> In 8.9
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>.
> it says:
>
> Authorization servers that still require a shared secret for native app
> clients MUST treat the client as a public client
>
> As it is a MUST, we have to qualify it a little more as it is ok to treat
> it as a confidential client if the client does dynamically register the
> copy and obtain shared secret that is only shared between the copy of the
> app and the server.
>
> Suggests:
>
> Authorization servers that still require a statically included shared
> secret for native app clients MUST treat the client as a public client
>
> NS3: Sever Mix-up
> ======================
> 8.11
> <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11>.
> talks about mix-up mitigation but misses one of the points. Specifically:
>
> * the app MUST store the redirect uri in the request with the "session"
> and MUST verify that it exactly matches with the URI of the endpoint that
> it received the response.
>
> Cheers,
>
> Nat Sakimura
>
>
>
> On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> -07 LGTM
>>
>> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
>> wrote:
>>
>> Hi all,
>>
>> after the working group last call of the "OAuth 2.0 for Native Apps"
>> document July last year (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I
>> had, as a shepherd, collected IPR confirmations (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and
>> produced a shepherd writeup (see
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html).
>>
>> Since version -03 and the current version -07 a fair amount of text has
>> been changed, see
>> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/
>> id/draft-ietf-oauth-native-apps-03.txt&url2=https://
>> tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt
>>
>> Although most of those changes are editorial and normative changes have
>> been discussed on the mailing list I believe it is fair to let the group
>> take a brief look at the final version.
>>
>> For this reason we will issue a short, one week, working group last call
>> before pushing the document to the IESG.
>>
>> So, please provide your comments to the list no later than February 27th.
>>
>> Here is the link to the document again:
>> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07
>>
>> Ciao
>> Hannes & Derek
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> --
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email