Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Dick Hardt <dick.hardt@gmail.com> Mon, 11 October 2021 17:51 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 950F73A087F for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 10:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQtOMN4DUJ6R for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 10:51:32 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 141763A0840 for <oauth@ietf.org>; Mon, 11 Oct 2021 10:51:32 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id j5so77024666lfg.8 for <oauth@ietf.org>; Mon, 11 Oct 2021 10:51:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MF0H7Rd2PKOjtmRZVDR6Jdycc9de0CJZ1E+k+N8AdPE=; b=dKVFUruFAn02UguLyd4mjD9awFMmI2uyQg0DnPzZFgbOn+JQULx4ZSSoQLb0R3iI38 RH5Bm1SKmmrssaPq0pJ7K4vkc6NS5Od9nA88weJe/SSbhECyWL6YmB1UwTRBmJzWAkH8 smFVNqTGwvX7Wc40bF0liuu0Sra5YEwm/5SoiNwf8tZpjHlCr6lWOG4HO8RNGXqb7123 qtGcgjfvcaVQziqLr/pN3sEV5uzghTLRohuPMJEpc0D4b78QN5P1nJB/g1uYV3Ai/KvX S5UsIFcc0cW8ntC9BUquCB+rs7JV2pBNQJCAmGLUERPpakFqHFEkHAduM5+nDOLyns1a Z7sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MF0H7Rd2PKOjtmRZVDR6Jdycc9de0CJZ1E+k+N8AdPE=; b=uzL8AwTkeaXKyJBCGr+WiK9wIxyemtyrcA0caPRA+cesnJ04nAK0wBRAzr8UZjCuYO G9Pi5WHu02vSrDw0GQMSJX8GOjZYuwFznE9w5UcphPNTEjXp3VPU9rnXCQZvSQ3C9uY8 +C4BNSBFtWNUCle3IAe1yYu+2x5fRXODzSKKrTJzLlvJV84spUk8mQbux3Ec+GfRXVbr /Gh3GP5borGc24zz5NDNeFbgVElNXEraOZngFKR1XgGZMT2xw3MY6uszqQKJdpLFrLw6 qfgzpMvVnJZ9konSwa3I7FxY/0F38Jsqe/tFb5gMOYE/lQU0vpXnO+7rqEDqXDY2kKpx woqA==
X-Gm-Message-State: AOAM530DU/kM6IzHoej3QlqKh6xl5j1hOMWLp1puS4Y4hvCfZ6/B7FtT PJlJ8pmnF4/u9BbnMkMCI2uGkt5rTTcLuNUAW/o=
X-Google-Smtp-Source: ABdhPJyfFExZ0ZEVNbI/MvKqKxmeJJkYxXd72cD8YRDY0Zi4slJSjqqtHB2JypLJ7M0GoasNfsSJimuHwURjaISlLoI=
X-Received: by 2002:a2e:a407:: with SMTP id p7mr17594702ljn.68.1633974689738; Mon, 11 Oct 2021 10:51:29 -0700 (PDT)
MIME-Version: 1.0
References: <163347956410.26563.6262394233835671220@ietfa.amsl.com> <CAGBSGjryjQ3pnh+RnGnxqjCENgG-6td1JBSG4tV9VZfVSaKvnQ@mail.gmail.com> <CAFvbn=YisYSbu8sL+TLgRakJ52oA6TEQSJ8i_4+9qNNQ0b9bkA@mail.gmail.com> <CA+k3eCTsi37FGKwCdA4CJgJ3PFux8JJxV4aDk42X5p61a70qBQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTsi37FGKwCdA4CJgJ3PFux8JJxV4aDk42X5p61a70qBQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 11 Oct 2021 10:50:53 -0700
Message-ID: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Ash Narayanan <ashvinnarayanan@gmail.com>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f4370805ce1760aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SHsYcG6q6w18pp4HaCouAvjh1nI>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2021 17:51:45 -0000
Thanks for the feedback Brian. We have struggled in how to concisely describe credentialed clients. "identifying a client" can be interpreted a number of ways. The intent is that the AS knows a credentialed client is the same client it previously interacted with, but that the AS can not assume any other attributes of the client, for example that it is a client from a given developer, or has a specific name. How to phrase and describe this would be welcome! ᐧ On Mon, Oct 11, 2021 at 10:35 AM Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org> wrote: > Credentialed clients might be worthwhile item for the interim. I think I > sorta get what the credentialed clients distinction is trying to do but the > way it manifests in the draft is somewhat bewildering. One example I've > struggled to make sense of is the following text from > https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-2.4 > - I honestly don't understand what it really means and what actual > ramifications would be to implementations/deployments: > > "The authorization server MAY establish a client authentication method > with public clients, which converts them to credentialed clients. However, > the authorization server MUST NOT rely on credentialed client > authentication for the purpose of identifying the client." > > > On Fri, Oct 8, 2021 at 8:57 PM Ash Narayanan <ashvinnarayanan@gmail.com> > wrote: > >> I'm not sure if these items have been brought up previously or are >> already on the agenda to be discussed at the interim meeting. >> >> Referring to the latest draft ( >> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ... >> >> 1. The definition given under section 2.1 Client Types is: >> >>> Clients that have credentials but no prior relationship with the AS are >>> designated as "credentialed clients" >> >> >> This does not seem like the best or even the right definition to me. The >> definition as it stands, is in two parts: >> a) "Clients that have credentials" >> b) Clients that have "no prior relationship with the AS" >> >> With (a), the typical use-case is an app that runs on the end-user device >> and dynamically registers itself with the AS. Such a client does not "have" >> credentials to begin with, or at least the use of the word "have" here, if >> it's intended to mean "at some point will have", does not differentiate it >> from confidential clients, which are also defined to be clients "that have >> credentials". >> Instead, a better choice of words for credentialed clients may be >> "Clients that dynamically obtain credentials". >> >> (b) is not necessarily true, because the credentialed client may very >> well be a known client and therefore have a prior relationship with the AS. >> Think of (common) scenarios where the AS and client are both part of the >> same organisation or a peer organisation, and therefore the client metadata >> an AS receives in a dynamic registration request is already known to the >> AS. An AS may only decide to accept dynamic registrations from such known >> clients. >> >> Of course I may not be interpreting "prior relationship" as it may be >> intended, in which case that needs to be clarified somewhere. >> >> >> 2. Continuing with section 2.1 Client Types, for a native application, it >> says: >> >>> On the other hand, dynamically issued credentials such as access tokens >>> or refresh tokens can receive an acceptable level of protection. >> >> >> Why is this also not mentioned for a browser-based application? Unless >> I'm mistaken, in terms of accessibility for an intruder, in-memory for a >> native app is equivalent to in-memory for an SPA and local storage for a >> native app is equivalent to local storage for an SPA. >> >> >> Cheers, >> Ash >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-04.t… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-… Aaron Parecki
- [OAUTH-WG] OAuth2.1 credentialed client Ash Narayanan
- [OAUTH-WG] convert to credentialed client... ( wa… Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Dick Hardt
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … David Waite
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Warren Parad
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Domingos Creado
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan