IETF Logo Mail Archive

Re: [OAUTH-WG] Client authentication in the Device Authorization Request

William Denniss <wdenniss@google.com> Mon, 11 March 2019 20:43 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1CB13115C for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:43:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.511
X-Spam-Level:
X-Spam-Status: No, score=-15.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKM1Peco1BeU for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:43:06 -0700 (PDT)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E58A31293B1 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:43:05 -0700 (PDT)
Received: by mail-it1-x12f.google.com with SMTP id e24so881995itl.1 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:43:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uRPA6l/XSNGTRHyy8yGnfzE9v+ikva3U+V2bmeBY2zc=; b=bmuISmJVF5rYPePsd54q3hhbxOVcBARfprNdB0DjI34WTtPmz0B6srPtvzxE+rrvO/ fQY98cmJ7rExo0I6+q3AVC+RAhatbDkIhTGs3idDTKc1vjCjNVQvgb0/Mkl7poG1D2m1 mFq94XW4JizSW03kdQI0hhC/JDGfRdteG6ORnGyEXBryl9KMYQm3ULECop/m0ys2gs52 eUaPMeakwaZeA+iaFtJXvkh3QBds76HLxy1Ango0hdTRs/r1y3C1mDJBFavmoCleWB/c GYG1A3SkQ+RrD4H1qpRdPwDLrR+mDQM7vVxg5Df1H9L8Tm+v+Z116TjDKypZVkQyIbE2 PUXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uRPA6l/XSNGTRHyy8yGnfzE9v+ikva3U+V2bmeBY2zc=; b=Br+tfG5qyCIGjWlTTcrLVwUIk8nS8t2qLsEzSpgpeJGO+puy3zKKQu8bJBQ8dtp/oZ sHYYG6inQrXRp826Ba+QnfK/knr+3S8/+9pKeGRp2JLNI7Pd9fHseZAqP/osWZvFaMt8 tWV9cyG88r7r0WFtjMdZKzJ+20uz213Ig47aCU4NKlA7CL9HWujggRwfHtXx/Dv/FT5v hCuKv5rZ+pYElOqsZnmJVTGOV7yWwidOqy7CoEWjLVGyMJhPm8cmYL90PFie+k7np+9x qV6asNDE7BHyhoyfacd3+tv9gz2SfQqms0rkoi+oX2W+PETMZsytIg4zIgia6RbtiNp4 iNaA==
X-Gm-Message-State: APjAAAX5dxpqEuYd/A0nNMtGTdwGCYZgOcacJS509YMrynyKY2GJzQXr 43NzoUE/2kza8QH1CwVpHKtp3YSLfey7WOL9XkOeVw==
X-Google-Smtp-Source: APXvYqwZ8fcNf6xcW64+vAcYA8qEYwgl6IuEnxISwCOultR/M51UEJ9BBougD/lBzDTTq+Wid9+Jxpv8BiwurYnYlXA=
X-Received: by 2002:a24:1444:: with SMTP id 65mr61283itg.137.1552336984863; Mon, 11 Mar 2019 13:43:04 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCS8ZvCAGy_0Vi+XxyY6O11ZANAEE8vMcACfUP3=UmRu-g@mail.gmail.com> <CA+k3eCR=j9d6Rim3fEv_S_WbmcnKWqKGNXSdUuLfdGUL_CKiXw@mail.gmail.com> <CALAqi__RUaSOCVHYrByWP2EJVrL-wXoiLtgEi_Jr1fdxNud47Q@mail.gmail.com> <CALAqi_8Orve3YTRKWZGWLkAzegoG5w_wzntxGAtJh0H6B3QNaA@mail.gmail.com> <CA+k3eCRfYsYhr08eWw+0Zg=pLS1-D5WOZCzz+UpdXU05go1AuQ@mail.gmail.com> <7c605f52-ff7f-49cd-0a4e-af3aa15663be@aol.com> <710ACBA5-C43D-4396-A3AE-9D7156204E3E@oracle.com> <CAAP42hBjHsXer7c_wTRn07TndO_XbGdV-o3MbjSA0=8XphWetw@mail.gmail.com> <CA+k3eCTJzy=AuxfH2xedDREzUEYoVZE1F0qz=udM1STNBnopfQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTJzy=AuxfH2xedDREzUEYoVZE1F0qz=udM1STNBnopfQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 11 Mar 2019 13:42:53 -0700
Message-ID: <CAAP42hCPCQG0AZSmQDE3UL2bk7LDqsg5T9ktR4wB3sKbFpd2pw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008e4b010583d79edd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SzqlXJObICL0bEdJsPY0ajol4Sc>
Subject: Re: [OAUTH-WG] Client authentication in the Device Authorization Request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 20:43:09 -0000

On Mon, Mar 11, 2019 at 1:21 PM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> And thank you, William, for being responsive about it.
>
>
> On Mon, Mar 11, 2019 at 1:18 PM William Denniss <wdenniss=
> 40google.com@dmarc.ietf.org> wrote:
>
>> Thank you Brian for raising this.
>>
>> Yes, the expectation I believe is to follow the same approach as the
>> token endpoint. As the spec is primarily for public clients, that's what we
>> documented explicitly but it's worth calling out.
>>
>> Would the following text suffice in order to "inherit" the client
>> authentication requirements of the token endpoint do you think?
>>
>>     "The client authentication requirements of Section 3.2.1 of RFC6749
>> apply to requests on this endpoint."
>>
>
> I think so, yes.
>
> Although given the primary focus being for public clients, it might be
> helpful to have a little qualifying text here catering to that most common
> case. I guess I'm just looking to try and avoid folks mistakenly
> interpreting that to mean that client authentication is always required and
> so somehow public clients can't do this flow. Something like the following
> (wording could maybe be improved but hopefully conveys the idea):
>
> 'The client authentication requirements of Section 3.2.1 of RFC6749 apply
> to requests on this endpoint, which means that confidential clients (those
> that have established client credentials) authenticate in the same manner
> as when making requests to the token endpoint and public clients provide
> the "client_id" parameter to identify themselves.'
>
>

The context helps, thanks for the suggested text, I used it and it's staged
locally now.


>
>
>> Then there's the matter of the REQUIRED "client_id" parameter. Perhaps we
>> could say "REQUIRED, unless the client authenticates per Section 2.3 of
>> RFC6749"
>>
>
> I kinda prefer the text you have already in section 3.4:
>
>   " client_id
>       REQUIRED, if the client is not authenticating with the
>       authorization server as described in Section 3.2.1. of [RFC6749]."
>
>
hah yeah I prefer that construction too, forgot I'd already given it that
treatment elsewhere.

Also staged locally.

Thanks again for reporting this!


>
>
>>
>> On Mon, Mar 11, 2019 at 10:30 AM Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> +1 to using same authentication requirements as for token endpoint.
>>>
>>> Phil
>>>
>>> On Mar 11, 2019, at 10:27 AM, George Fletcher <
>>> gffletch=40aol.com@dmarc.ietf.org> wrote:
>>>
>>> +1
>>>
>>> to using the same client authn method as for the /token endpoint
>>>
>>> On 3/11/19 12:31 PM, Brian Campbell wrote:
>>>
>>>
>>>
>>> On Mon, Mar 11, 2019 at 10:22 AM Filip Skokan <panva.ip@gmail.com>
>>> wrote:
>>>
>>>> Strike that, it should maybe just use the registered auth method for
>>>> the token endpoint?
>>>>
>>>
>>> Yeah, that's what I'd think would be the way to go.
>>>
>>>
>>>>
>>>> If there's auth we should also make it clear that client_id should not
>>>> be omitted from the request body and it must be the same as the one
>>>> provided with client authentication.
>>>>
>>>>
>>> Fair point.
>>>
>>>
>>>
>>>
>>>> S pozdravem,
>>>> *Filip Skokan*
>>>>
>>>>
>>>> On Mon, 11 Mar 2019 at 17:14, Filip Skokan <panva.ip@gmail.com> wrote:
>>>>
>>>>> If we're about to add client authentication for the
>>>>> device_authorization_endpoint, i'd say we should also register for
>>>>> device_authorization_endpoint_auth_method,
>>>>> device_authorization_endpoint_auth_signing_alg client metadata. Maybe
>>>>> define the default value to be "none" / not provided to be in line with the
>>>>> late draft implementations. Wdyt?
>>>>>
>>>>> S pozdravem,
>>>>> *Filip Skokan*
>>>>>
>>>>>
>>>>> On Mon, 11 Mar 2019 at 17:08, Brian Campbell <bcampbell=
>>>>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>>>>
>>>>>> I do realize it's very late in the process for this document but
>>>>>> believe these omissions can be addressed in the document with only minor
>>>>>> changes/additions and that it'd be better late than not at all..
>>>>>>
>>>>>> On Mon, Mar 11, 2019 at 10:03 AM Brian Campbell <
>>>>>> bcampbell@pingidentity.com> wrote:
>>>>>>
>>>>>>> Another omission[1] (maybe, I believe it is anyway) to the Device
>>>>>>> Flow is that client authentication isn't defined for the device
>>>>>>> authorization request to device authorization endpoint.
>>>>>>>
>>>>>>> I suspect that it's largely an oversight because public clients are
>>>>>>> really the conical use-case for the device flow and no authentication is
>>>>>>> needed or possible in that case. There are, however, likely to be cases
>>>>>>> where a client with credentials will do the device flow and it would be
>>>>>>> good for the AS to be able to properly authenticate such clients before
>>>>>>> setting up and saving the state for the transaction. Having normal client
>>>>>>> authentication at device authorization endpoint also brings better
>>>>>>> consistency to client identification/authentication for requests made
>>>>>>> directly from client to AS.
>>>>>>>
>>>>>>>
>>>>>>> [1] error responses from the device authorization endpoint should
>>>>>>> probably also be defined
>>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/DMTUR1msdNQPiLh0xVXe39933k4
>>>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_oauth_DMTUR1msdNQPiLh0xVXe39933k4&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=0mpCioWFgFIBMvwRTGb0v6ZawCSwMK9a2YH4G_yoRoo&e=>
>>>>>>>
>>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>> review, use, distribution or disclosure by others is strictly
>>>>>> prohibited...  If you have received this communication in error, please
>>>>>> notify the sender immediately by e-mail and delete the message and any file
>>>>>> attachments from your computer. Thank you.*
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>>>>
>>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited..
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>>
>>> _______________________________________________
>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>
>>>
>>> --
>>> Identity Standards Architect
>>> Verizon Media                     Work: george.fletcher@oath.com
>>> Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_gffletch&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=fm9UvoaRS-A1-2CXwQEgOZ7fWb-PGvleny8Ccwq-SRs&e=>
>>> Office: +1-703-265-2544           Photos: http://georgefletcher.photography <https://urldefense.proofpoint..com/v2/url?u=http-3A__georgefletcher.photography&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=pHcwrS-xhaUz37RAgViALdKPBAFeoFc7nLxxs2NywdQ&e=>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>>
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email