Re: [OAUTH-WG] Client authentication in the Device Authorization Request
William Denniss <wdenniss@google.com> Mon, 11 March 2019 20:43 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1CB13115C for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:43:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.511
X-Spam-Level:
X-Spam-Status: No, score=-15.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKM1Peco1BeU for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:43:06 -0700 (PDT)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E58A31293B1 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:43:05 -0700 (PDT)
Received: by mail-it1-x12f.google.com with SMTP id e24so881995itl.1 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:43:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uRPA6l/XSNGTRHyy8yGnfzE9v+ikva3U+V2bmeBY2zc=; b=bmuISmJVF5rYPePsd54q3hhbxOVcBARfprNdB0DjI34WTtPmz0B6srPtvzxE+rrvO/ fQY98cmJ7rExo0I6+q3AVC+RAhatbDkIhTGs3idDTKc1vjCjNVQvgb0/Mkl7poG1D2m1 mFq94XW4JizSW03kdQI0hhC/JDGfRdteG6ORnGyEXBryl9KMYQm3ULECop/m0ys2gs52 eUaPMeakwaZeA+iaFtJXvkh3QBds76HLxy1Ango0hdTRs/r1y3C1mDJBFavmoCleWB/c GYG1A3SkQ+RrD4H1qpRdPwDLrR+mDQM7vVxg5Df1H9L8Tm+v+Z116TjDKypZVkQyIbE2 PUXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uRPA6l/XSNGTRHyy8yGnfzE9v+ikva3U+V2bmeBY2zc=; b=Br+tfG5qyCIGjWlTTcrLVwUIk8nS8t2qLsEzSpgpeJGO+puy3zKKQu8bJBQ8dtp/oZ sHYYG6inQrXRp826Ba+QnfK/knr+3S8/+9pKeGRp2JLNI7Pd9fHseZAqP/osWZvFaMt8 tWV9cyG88r7r0WFtjMdZKzJ+20uz213Ig47aCU4NKlA7CL9HWujggRwfHtXx/Dv/FT5v hCuKv5rZ+pYElOqsZnmJVTGOV7yWwidOqy7CoEWjLVGyMJhPm8cmYL90PFie+k7np+9x qV6asNDE7BHyhoyfacd3+tv9gz2SfQqms0rkoi+oX2W+PETMZsytIg4zIgia6RbtiNp4 iNaA==
X-Gm-Message-State: APjAAAX5dxpqEuYd/A0nNMtGTdwGCYZgOcacJS509YMrynyKY2GJzQXr 43NzoUE/2kza8QH1CwVpHKtp3YSLfey7WOL9XkOeVw==
X-Google-Smtp-Source: APXvYqwZ8fcNf6xcW64+vAcYA8qEYwgl6IuEnxISwCOultR/M51UEJ9BBougD/lBzDTTq+Wid9+Jxpv8BiwurYnYlXA=
X-Received: by 2002:a24:1444:: with SMTP id 65mr61283itg.137.1552336984863; Mon, 11 Mar 2019 13:43:04 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCS8ZvCAGy_0Vi+XxyY6O11ZANAEE8vMcACfUP3=UmRu-g@mail.gmail.com> <CA+k3eCR=j9d6Rim3fEv_S_WbmcnKWqKGNXSdUuLfdGUL_CKiXw@mail.gmail.com> <CALAqi__RUaSOCVHYrByWP2EJVrL-wXoiLtgEi_Jr1fdxNud47Q@mail.gmail.com> <CALAqi_8Orve3YTRKWZGWLkAzegoG5w_wzntxGAtJh0H6B3QNaA@mail.gmail.com> <CA+k3eCRfYsYhr08eWw+0Zg=pLS1-D5WOZCzz+UpdXU05go1AuQ@mail.gmail.com> <7c605f52-ff7f-49cd-0a4e-af3aa15663be@aol.com> <710ACBA5-C43D-4396-A3AE-9D7156204E3E@oracle.com> <CAAP42hBjHsXer7c_wTRn07TndO_XbGdV-o3MbjSA0=8XphWetw@mail.gmail.com> <CA+k3eCTJzy=AuxfH2xedDREzUEYoVZE1F0qz=udM1STNBnopfQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTJzy=AuxfH2xedDREzUEYoVZE1F0qz=udM1STNBnopfQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 11 Mar 2019 13:42:53 -0700
Message-ID: <CAAP42hCPCQG0AZSmQDE3UL2bk7LDqsg5T9ktR4wB3sKbFpd2pw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008e4b010583d79edd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SzqlXJObICL0bEdJsPY0ajol4Sc>
Subject: Re: [OAUTH-WG] Client authentication in the Device Authorization Request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 20:43:09 -0000
On Mon, Mar 11, 2019 at 1:21 PM Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org> wrote: > And thank you, William, for being responsive about it. > > > On Mon, Mar 11, 2019 at 1:18 PM William Denniss <wdenniss= > 40google.com@dmarc.ietf.org> wrote: > >> Thank you Brian for raising this. >> >> Yes, the expectation I believe is to follow the same approach as the >> token endpoint. As the spec is primarily for public clients, that's what we >> documented explicitly but it's worth calling out. >> >> Would the following text suffice in order to "inherit" the client >> authentication requirements of the token endpoint do you think? >> >> "The client authentication requirements of Section 3.2.1 of RFC6749 >> apply to requests on this endpoint." >> > > I think so, yes. > > Although given the primary focus being for public clients, it might be > helpful to have a little qualifying text here catering to that most common > case. I guess I'm just looking to try and avoid folks mistakenly > interpreting that to mean that client authentication is always required and > so somehow public clients can't do this flow. Something like the following > (wording could maybe be improved but hopefully conveys the idea): > > 'The client authentication requirements of Section 3.2.1 of RFC6749 apply > to requests on this endpoint, which means that confidential clients (those > that have established client credentials) authenticate in the same manner > as when making requests to the token endpoint and public clients provide > the "client_id" parameter to identify themselves.' > > The context helps, thanks for the suggested text, I used it and it's staged locally now. > > >> Then there's the matter of the REQUIRED "client_id" parameter. Perhaps we >> could say "REQUIRED, unless the client authenticates per Section 2.3 of >> RFC6749" >> > > I kinda prefer the text you have already in section 3.4: > > " client_id > REQUIRED, if the client is not authenticating with the > authorization server as described in Section 3.2.1. of [RFC6749]." > > hah yeah I prefer that construction too, forgot I'd already given it that treatment elsewhere. Also staged locally. Thanks again for reporting this! > > >> >> On Mon, Mar 11, 2019 at 10:30 AM Phil Hunt <phil.hunt@oracle.com> wrote: >> >>> +1 to using same authentication requirements as for token endpoint. >>> >>> Phil >>> >>> On Mar 11, 2019, at 10:27 AM, George Fletcher < >>> gffletch=40aol.com@dmarc.ietf.org> wrote: >>> >>> +1 >>> >>> to using the same client authn method as for the /token endpoint >>> >>> On 3/11/19 12:31 PM, Brian Campbell wrote: >>> >>> >>> >>> On Mon, Mar 11, 2019 at 10:22 AM Filip Skokan <panva.ip@gmail.com> >>> wrote: >>> >>>> Strike that, it should maybe just use the registered auth method for >>>> the token endpoint? >>>> >>> >>> Yeah, that's what I'd think would be the way to go. >>> >>> >>>> >>>> If there's auth we should also make it clear that client_id should not >>>> be omitted from the request body and it must be the same as the one >>>> provided with client authentication. >>>> >>>> >>> Fair point. >>> >>> >>> >>> >>>> S pozdravem, >>>> *Filip Skokan* >>>> >>>> >>>> On Mon, 11 Mar 2019 at 17:14, Filip Skokan <panva.ip@gmail.com> wrote: >>>> >>>>> If we're about to add client authentication for the >>>>> device_authorization_endpoint, i'd say we should also register for >>>>> device_authorization_endpoint_auth_method, >>>>> device_authorization_endpoint_auth_signing_alg client metadata. Maybe >>>>> define the default value to be "none" / not provided to be in line with the >>>>> late draft implementations. Wdyt? >>>>> >>>>> S pozdravem, >>>>> *Filip Skokan* >>>>> >>>>> >>>>> On Mon, 11 Mar 2019 at 17:08, Brian Campbell <bcampbell= >>>>> 40pingidentity.com@dmarc.ietf.org> wrote: >>>>> >>>>>> I do realize it's very late in the process for this document but >>>>>> believe these omissions can be addressed in the document with only minor >>>>>> changes/additions and that it'd be better late than not at all.. >>>>>> >>>>>> On Mon, Mar 11, 2019 at 10:03 AM Brian Campbell < >>>>>> bcampbell@pingidentity.com> wrote: >>>>>> >>>>>>> Another omission[1] (maybe, I believe it is anyway) to the Device >>>>>>> Flow is that client authentication isn't defined for the device >>>>>>> authorization request to device authorization endpoint. >>>>>>> >>>>>>> I suspect that it's largely an oversight because public clients are >>>>>>> really the conical use-case for the device flow and no authentication is >>>>>>> needed or possible in that case. There are, however, likely to be cases >>>>>>> where a client with credentials will do the device flow and it would be >>>>>>> good for the AS to be able to properly authenticate such clients before >>>>>>> setting up and saving the state for the transaction. Having normal client >>>>>>> authentication at device authorization endpoint also brings better >>>>>>> consistency to client identification/authentication for requests made >>>>>>> directly from client to AS. >>>>>>> >>>>>>> >>>>>>> [1] error responses from the device authorization endpoint should >>>>>>> probably also be defined >>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/DMTUR1msdNQPiLh0xVXe39933k4 >>>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_oauth_DMTUR1msdNQPiLh0xVXe39933k4&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=0mpCioWFgFIBMvwRTGb0v6ZawCSwMK9a2YH4G_yoRoo&e=> >>>>>>> >>>>>>> >>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>>>> privileged material for the sole use of the intended recipient(s). Any >>>>>> review, use, distribution or disclosure by others is strictly >>>>>> prohibited... If you have received this communication in error, please >>>>>> notify the sender immediately by e-mail and delete the message and any file >>>>>> attachments from your computer. Thank you.* >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=> >>>>>> >>>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=> >>>> >>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited.. >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >>> >>> _______________________________________________ >>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=> >>> >>> >>> -- >>> Identity Standards Architect >>> Verizon Media Work: george.fletcher@oath.com >>> Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_gffletch&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=fm9UvoaRS-A1-2CXwQEgOZ7fWb-PGvleny8Ccwq-SRs&e=> >>> Office: +1-703-265-2544 Photos: http://georgefletcher.photography <https://urldefense.proofpoint..com/v2/url?u=http-3A__georgefletcher.photography&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=pHcwrS-xhaUz37RAgViALdKPBAFeoFc7nLxxs2NywdQ&e=> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e= >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [OAUTH-WG] Client authentication in the Device Au… Brian Campbell
- Re: [OAUTH-WG] Client authentication in the Devic… Brian Campbell
- Re: [OAUTH-WG] Client authentication in the Devic… Filip Skokan
- Re: [OAUTH-WG] Client authentication in the Devic… Filip Skokan
- Re: [OAUTH-WG] Client authentication in the Devic… Brian Campbell
- Re: [OAUTH-WG] Client authentication in the Devic… George Fletcher
- Re: [OAUTH-WG] Client authentication in the Devic… Phil Hunt
- Re: [OAUTH-WG] Client authentication in the Devic… William Denniss
- Re: [OAUTH-WG] Client authentication in the Devic… Brian Campbell
- Re: [OAUTH-WG] Client authentication in the Devic… William Denniss
- Re: [OAUTH-WG] Client authentication in the Devic… Brian Campbell