Re: [OAUTH-WG] Review of draft-ietf-oauth-native-apps-05
Samuel Erdtman <samuel@erdtman.se> Wed, 02 November 2016 06:15 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B251293F2 for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 23:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UB8CvwRJcYvw for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 23:15:05 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 918BA12964B for <oauth@ietf.org>; Tue, 1 Nov 2016 23:15:05 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id n67so14898387wme.1 for <oauth@ietf.org>; Tue, 01 Nov 2016 23:15:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VfwsQAqXo0f7onBIWUGs1x2AL+GW/5txqo096zmKkMM=; b=AOeP6PoQuBWL5WgbVR7nM7CSJ5jE/dD8GhdvQQAWDHDg6WQqb8Y2n44eGsoNxSqJLf w5oD6kuvjOppQCVEdbh/5wi7gmByrNgbU3Xhx4eZpjFdA9ge3DY3MMtCwHqNxxrkoy3z UXX4Tnv11ZIBusy0wqxL4kZ1Qx5WXAda3xBeIb8gEgNJbCgxXPncE+2xKTyIj7pz4Q/a GybuuR7QtdebD9akV+nxUPvGBunydgQZ8THj/gLIJvHFUpn3CaxwPsZRBX4Jsn3OxTKU V1CfGK0ddVJkvV5of/4dIZ8LIS/Davq00fDU1r4mORbSgRT0hQXVSKINXLSg3uicUdsT sslw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VfwsQAqXo0f7onBIWUGs1x2AL+GW/5txqo096zmKkMM=; b=cSymtJ5bYVxBLzefAgt4uXJN3xROhbPyCkpU3vRCZNhRdtGRaIXczzGNhAHbboj3gd 3w2LnfsdGxTMAlyT7RLtCyXZxmEm7e/v85ls5lkIQIBdKsZIiQemOZWwi0bfyORC3HD/ opb2Z0eoK3vHJ/sIcUpVSB3DjyX2QzIiJLfWd+5O9Q7I4UHByuDpx6UjU/K4RsuHumJV h0Hd67QWsb5A3qDSoF9xP24PWQ55BP8NvIjrVSEVwazDFdmCF7GEb8CSlHo3C/hpU46s atgQj0xrdSPSpAoP9++Ng72SivSWmCGG0H+El+ff2AM8sG2wNzq+PiWW/QenBShDyCyu OL9A==
X-Gm-Message-State: ABUngvf0xoxTjBQBN4oDfdByLeAbHY9ZL21CamYlt4BylQRXEVWMllKOkJEFDHpnNuaKZR4u3I2+vqgix4lKTw==
X-Received: by 10.28.169.4 with SMTP id s4mr1231760wme.65.1478067303945; Tue, 01 Nov 2016 23:15:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Tue, 1 Nov 2016 23:15:03 -0700 (PDT)
In-Reply-To: <CAAP42hC3LqK=wrQtccyD9rvx0WjpL8SVVhonYp2p8ua__-NUqw@mail.gmail.com>
References: <CAF2hCbZRyGSkKorKV1Vre-wdKWksbhMEDfoNUP3bHgjBccb-yw@mail.gmail.com> <CAAP42hC3LqK=wrQtccyD9rvx0WjpL8SVVhonYp2p8ua__-NUqw@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Wed, 02 Nov 2016 07:15:03 +0100
Message-ID: <CAF2hCba_hj+OQoT_hNCCq2nEw8x4sqSQ82nhae99rDrwiHXQ2A@mail.gmail.com>
To: William Denniss <wdenniss@google.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/alternative; boundary="001a114b91829b2df405404b5c85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TY2YauiyNsGP6WqcZrwCh5jGzio>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-native-apps-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 06:15:09 -0000
see inline Hannes could you have a look at the comment on Security Considerations. On Tue, Nov 1, 2016 at 7:01 PM, William Denniss <wdenniss@google.com> wrote: > Hi Samuel, > > Thanks for your review! I've replied inline: > > On Tue, Nov 1, 2016 at 9:41 AM, Samuel Erdtman <samuel@erdtman.se> wrote: > >> Hi, >> >> Thanks for the great work of putting this together. I have a few comments >> on the current draft. See below >> >> Best Regards >> Samuel Erdtman >> >> >> >> 5. Using Inter-app URI Communication for OAuth >> The end of this section is a bit confusing with first a MUST statement >> and then a RECOMMENDED statement >> “Native apps MUST use an external user-agent to perform OAuth” >> and >> “This best practice focuses on the browser as the RECOMMENDED external >> user-agent for native apps.” >> >> > The browser is one external user-agent. Using an external agent is a MUST > to comply with this BCP, and the browser is the RECOMMENDED user agent. > My comment is not that something is formally wrong, just that I had to read it twice before I got it. I´m fine with keeping as is, just wanted to hilight the potential confusion. > > >> >> 7.1.1. Custom URI Scheme Namespace Considerations >> “For example, an app that controls the domain name "app.example.com" >> can use "com.example.app:/" as their custom scheme.” >> drop the slash in the custom schema. >> > > Done. > > >> 7.2. App-claimed HTTPS URI Redirection >> “When the browser encounters a claimed URL, instead of the >> page being loaded in the browser, the native app is launched instead >> with the URL supplied as a launch parameter.” >> drop one “instead” changing it to: >> “When the browser encounters a claimed URL, instead of the >> page being loaded in the browser, the native app is launched >> with the URL supplied as a launch parameter.” >> >> > Good catch, thanks. > > 7.2. App-claimed HTTPS URI Redirection >> If this is the recommended way to do it when possible maybe it should be >> first? >> > > It's ideal in a security sense, but less broadly supported currently than > custom URI schemes. The order is roughly based on popularity. > makes sense > > 8.1. Embedded User-Agents >> “Embedded user-agents are an alternative method for authorization >> native apps.” >> change to >> “Embedded user-agents are an alternative method to authorize >> native apps.” >> or >> “Embedded user-agents are an alternative method for authorization >> of native apps.” >> > > Fixed in 06. > > > >> 8. Security Considerations >> I see normative language here (MUST, RECOMMENDED, SHOULD, etc.), and it >> felt a bit odd to me to have that under Security Considerations. Not sure >> if there are guidelines around that, but to me it would make sense to keep >> the normative parts out of Security Considerations. And it says >> “Considerations”, to me that sounds mor like things to think about then >> this is how it works. >> > > I actually thought it was common, but I might be wrong. I'll wait and see > if others weigh in on this too. > Sounds like a plan. > > 8.2. Protecting the Authorization Code >> >> “A limitation of using custom URI schemes for redirect URIs is that >> multiple apps can typically register the same scheme, which makes it >> indeterminate as to which app will receive the Authorization Code. >> PKCE [RFC7636] details how this limitation can be used to execute a >> code interception attack (see Figure 1). Loopback IP based redirect >> URIs may be susceptible to interception by other apps listening on >> the same loopback interface.” >> >> I think it would be preferable to separate custom URI and Loopback IP >> based redirect. >> > > Can add a paragraph break. > Thanks > > 8.2. Protecting the Authorization Code >> “Loopback IP based redirect >> URIs may be susceptible to interception by other apps listening on >> the same loopback interface.” >> Are you referring to an application listening to loopback traffic or an >> application killing the original application and start listening on the >> same port. The second alternative would be relatively intrusive and notable. >> > > The former. The assumption is that other desktop apps may be able to > observe all local HTTP traffic on the loopback interface. > Ok > > Appendix A. Server Support Checklist >> 1. Support custom URI-scheme redirect URIs. >> I could not see that this was required in section Section 7.1. >> > > It's there in section 7: > "To fully support this best practice, authorization servers MUST support > the following three redirect URI options. Native apps MAY use > whichever redirect option suits their needs best, taking into > account > platform specific implementation details." > My bad, I missed it. > > >> >> Appendix A. Server Support Checklist >> 5. Support PKCE. >> in Section 8.2 it says MUST >> “Authorization servers MUST support PKCE [RFC7636] >> for public native app clients.” >> > > "Recommended" is used in normal sentence case here, but I can see how that > might be confusing, perhaps I should delete that word. Will think about > this section. > > Incidentally, the idea for Appendix A was a non-normative checklist of > items for authorization servers to collect the core requirements of the > BCP, and give developers a quick way to evaluate authorization server > compliance. > I like the idea of the checklist. > > 06 changes staged: https://github.com/WilliamDenniss/oauth-native- > apps/pull/3 > >
- [OAUTH-WG] Review of draft-ietf-oauth-native-apps… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-native-… William Denniss
- Re: [OAUTH-WG] Review of draft-ietf-oauth-native-… Samuel Erdtman