Re: [OAUTH-WG] OAuth 2.0 Device flow error response
William Denniss <wdenniss@google.com> Mon, 11 March 2019 21:15 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE1691200ED for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 14:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zRFlZZoE708o for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 14:15:19 -0700 (PDT)
Received: from mail-it1-x141.google.com (mail-it1-x141.google.com [IPv6:2607:f8b0:4864:20::141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 656D8131168 for <OAuth@ietf.org>; Mon, 11 Mar 2019 14:15:17 -0700 (PDT)
Received: by mail-it1-x141.google.com with SMTP id d125so736565ith.1 for <OAuth@ietf.org>; Mon, 11 Mar 2019 14:15:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/J3mo1Xa8DCPTLFEE1Z1BXBOuVxRWpXtl0V2+IaHH7k=; b=uzhuBns0t6eDH6hARcfQp19RSpiW6hmi5BlHiUYsEjjZf7syxXRKmn5ItoMx8uQi1d bPmdXIUboe1u+7GrNUrEeUHmLMWPG1+ojiVPdqO83ru1JSLiut/s6r3qtXL+obvWnV9P sfOE3JsC+bDV7K0VSo1Banp9esijtpH1XU4aGW+rBgHTk5WYtZfvqbOPDKjwD9wzuWbf 4MJTuEC6eVG4NtXL11i/MT8mCOd8XBFiVw0LxvxP+naMKFf2TUfiBLSb0updZDja2RSW DrUuHjPHtU9UW68y1OKu7kCM//7HJgLrglIUfYXEM8uF/YXLFjeada6w6FAWipGwxKl7 P/rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/J3mo1Xa8DCPTLFEE1Z1BXBOuVxRWpXtl0V2+IaHH7k=; b=sHqFO8z6SvxyRkbUCt+DgmCWZP794q6LWFnM4GO5EhCVq1mPV05dpNCUCJayk13kvo GGimP0LUlGV5hhqyXnmH6BK1Y1zad0/wXwXn1BA6+F773N7eAFtX2Z9A6YYAEhn/3bt5 Iey95G7k05sNckjsJklE82424EEMgdkFNMNRmomdA/tNaHkPncs0IXSmjEP2VsiXWWfb q5IYGr//cKXvUXCuHpSj0opIDWkn+0ydGuZuoGBQoO+u4zLWzsLdqx6PY2EGuMGi/1SC hcbaz1h/LyDSG97S0XvYTZI3Uyl8RiZyfMaz121FvvxESHvsDzghUy8h500W1WKEcRmC H9MA==
X-Gm-Message-State: APjAAAV/HmnN7zZx6F8f/bBGyCtW/+2yjn7kD86lccw8a1nqS/mV1LpQ Tm1o7h7vZA0ySJfGAmn9QCxQ7iVNV8pCspmw+EWU/g==
X-Google-Smtp-Source: APXvYqye4PxJgkseSZ5xFSu5ShNjKlMFDdUYDvfpW3VhgoJF9pEbg3yCHGY1Ariytm2blQc5d0ztbEqzTA1SyybYeoc=
X-Received: by 2002:a02:9f0c:: with SMTP id z12mr18365119jal.93.1552338916279; Mon, 11 Mar 2019 14:15:16 -0700 (PDT)
MIME-Version: 1.0
References: <6312173.9VWeF3DjuQ@papegaaij> <CA+k3eCQv5VMUe7fwCeup3qwmeDpaDf8AdTv-dD=Qt2FXX6becQ@mail.gmail.com> <CAGXsc+Y6pHoD6u6jPp=YL0RRjJfTJGYceXHb=sZvkHfq4dYVWQ@mail.gmail.com> <CALAqi_9dDuZxuh0gdLaHuFq_UAQ2fTjq=EO2MXb+GTEkQcN3+g@mail.gmail.com>
In-Reply-To: <CALAqi_9dDuZxuh0gdLaHuFq_UAQ2fTjq=EO2MXb+GTEkQcN3+g@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 11 Mar 2019 14:15:05 -0700
Message-ID: <CAAP42hCvULX=H0Jbg8+KR9BzBi4=QS3Yup8bzR7EWQWKjNS-1g@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Emond Papegaaij <emond.papegaaij@gmail.com>, oauth <OAuth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad97710583d81136"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TLhNZqPiHqLURN7yNuEbz-8ttZ0>
Subject: Re: [OAUTH-WG] OAuth 2.0 Device flow error response
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 21:15:23 -0000
Good catch. To the "Device Authorization Response" section I will add:
In the event of an error (such as an invalidly configured client),
the authorization server responds in the same way as the token endpoint
specified in Section 5.2 of RFC 6749.
On Mon, Mar 11, 2019 at 10:30 AM Filip Skokan <panva.ip@gmail.com> wrote:
> Hi Emond,
>
> the way i approached implementation of device flow into an OIDC server was
> to allow all already registered and handled parameters excluding the ones
> [1] that really don't make sense for the flow at the device authorization
> endpoint.
>
> What can be validated at the device authorization endpoint time is,
> everything else runs as part of the regular authorization pipeline for
> which i also construct the request based on the params saved together with
> the device code backend model. Everything else that depends on the actual
> device where authnz happens is processed as part of the web request
> following the user code submission. When errors occur that cannot be
> resolved with user interaction the error is assigned to the device code and
> returned to the device with the next poll. I did not exclude prompt:none,
> as the pipeline processing starts after the submission it's possible that
> no prompt will occur there, but i can see how it may be weird.. Yes the
> result at the token endpoint will include an id token if the scope included
> `openid` as one would expect, just like it will include a refresh token if
> `offline_access` is present. `resource` specifically is available as per
> the resource indicator spec at device authorization as well as token
> endpoints.
>
> I guess this is very similar to what you're thinking.
>
> I don't think we need to (and can for that matter) enumerate all possible
> OAuth2.0 extensions in the specification.
>
> [1] web_message_uri, web_message_target, response_type, response_mode,
> state, redirect_uri
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Mon, 11 Mar 2019 at 15:02, Emond Papegaaij <emond.papegaaij@gmail.com>
> wrote:
>
>> Yes, that's how I implemented it as well. I return 'invalid_request'
>> when the client_id is missing entirely.
>>
>> Do you have any thoughts how this specification should work in
>> combination with other specs, such as OIDC? For example, the OIDC
>> Authentication Request specifies several additional parameters, some
>> of which may be applicable for the device flow as well. Can the device
>> flow be used to obtain an ID token? How should parameters like
>> 'max_age', 'id_token_hint' and 'claims' be processed? My plan was to
>> construct a pseudo-authentication/authorization request using the
>> parameters specified at the device authorization endpoint and apply
>> these parameters during the user interaction. Some parameters, such as
>> 'prompt=3Dnone', do not make much sense though.
>>
>> I think it may be a good idea to describe how this spec is supposed to
>> interoperate with other specifications, especially those that extend
>> the Authorization Endpoint. This definition can never be complete, as
>> new specs will be defined after this one, but it can at least try to
>> describe the general rules that apply.
>>
>> PS. Other specifications also define additional parameters that may be
>> useful, such as: 'resource' from Resource Indicators for OAuth 2.0 and
>> 'include_granted_scopes' from OAuth 2.0 Incremental Authorization.
>>
>> Best regards,
>> Emond Papegaaij
>> Topicus KeyHub
>>
>> On Fri, Mar 8, 2019 at 10:24 PM Brian Campbell
>> <bcampbell@pingidentity.com> wrote:
>> >
>> > While probably not terribly important from an interoperability
>> perspective, I agree that does seem like an omission.
>> >
>> > I took a quick look at our implementation and bad requests to the
>> device authorization endpoint will indeed return what is a standard OAuth
>> 2.0 error response normally from the token endpoint with invalid_client or
>> invalid_scope error codes. And a little bit of poking at Google's device
>> authorization endpoint suggests it behaves similarly. I suspect it's pretty
>> typical.
>> >
>> >
>> >
>> > On Fri, Mar 8, 2019 at 5:28 AM Emond Papegaaij <
>> emond.papegaaij@gmail.com> wrote:
>> >>
>> >> Dear all,
>> >>
>> >> I'm working on an implementation of the OAuth 2.0 Device Flow for
>> Browserless
>> >> and Input Constrained Devices and noticed a possible omission in the
>> spec.
>> >> Section 3.2 describes the Device Authorization Response, but only the
>> success
>> >> response is specified, not the error response. I would have expected a
>> >> standard OAuth 2.0 error response, probably with the following error
>> codes:
>> >> invalid_request, invalid_client and invalid_scope.
>> >>
>> >> Best regards,
>> >> Emond Papegaaij
>> >> Topicus KeyHub
>> >>
>> >>
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth
>> >
>> >
>> > CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
- [OAUTH-WG] OAuth 2.0 Device flow error response Emond Papegaaij
- Re: [OAUTH-WG] OAuth 2.0 Device flow error respon… Brian Campbell
- Re: [OAUTH-WG] OAuth 2.0 Device flow error respon… Emond Papegaaij
- Re: [OAUTH-WG] OAuth 2.0 Device flow error respon… Filip Skokan
- Re: [OAUTH-WG] OAuth 2.0 Device flow error respon… William Denniss
- Re: [OAUTH-WG] OAuth 2.0 Device flow error respon… Emond Papegaaij