Re: [OAUTH-WG] First Draft of OAuth 2.1
George Fletcher <gffletch@aol.com> Thu, 12 March 2020 18:58 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1403A1055 for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 11:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3-ZbHpZwWLh for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 11:58:12 -0700 (PDT)
Received: from sonic317-32.consmr.mail.ne1.yahoo.com (sonic317-32.consmr.mail.ne1.yahoo.com [66.163.184.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4EA03A1022 for <oauth@ietf.org>; Thu, 12 Mar 2020 11:58:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1584039491; bh=ee17OebLQDpJC/eqPosWxQHvKOao22XIvc/teyH41sQ=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=qhMeWToa4GAp4MWTrx1F3y8O6PoDP6/96VQpKNPn7f0NFNfKi8yrMN6Z+waJGQyESpFsOxTvYCaeRzFwx/9DTCMG4R/iGq/uXddFBz+cFveU+yh/IGlJ1V6T7qTdoG25GiFsvcVPhBfTZcnVJC3AyFW/EMHltkg2367P9uz7nAUoCYqA51vCSdLkxRd8RAKYCjaPWsIZhkuUsSEFGlv28RBpmxU2NpUTbAEW/mYs7DZgoiIdQd1mLOvTLbgPNOG90LAhqUe/3VIyy0C673bVeRzyzf8T7ChEXdMZbgSfXfyGIOsJq5rCm1Kgr+znJnFzJ5hcVrWLCeN8j/fUYUe6/g==
X-YMail-OSG: BFEV7mwVM1k.CZEgeFwZBX4tlZejI9HHBqn9VYwcKShA1buc.I_Np.dQMnKFjM7 ZJEpESne_wJa0I5voyU_g3XA0EZUzaCEhKHTrU7fAzEixoB4kyjijFK.f3netbvqAnVU15i8KgHC OmdoDN1alUG4HUsUVqACtGqIn8zzB0m12bjF91KTjS6NOgylv0wn2l1cXFUAXry0KMUaAved0Oqk qxBW0ePbAyTFuE43mY2fVCxQYT_rpThYNmdrKPSoS.BNVa6Twgw.LyblKvnqXT8v0bdfJ6hMm87W XqKUYf6Y9W70i0q1hXd4lchMNojZJyQu5dWfImkHPerUQXfOA_Z1gfZ.KCDwBNEZD5MC8CF_KbtF ijwGdoGrqN.WaAkh3jYm4gzPTrJ1sc6Wvs6XpK.VU.Uou3O04uEQWcRLFSdRDgZXZDQ6TFePpdyX 746LBy5j1SOJadyzto9cdnJYX8elcNiIXxpfFHqtwXz_1lIRxN35l2vUhUaHbb.5.wisP_OvdyPf UuwxzUXX05S40XYhQmcnTjWAiQtY9nxNma4jS4iYwTk380PJY5a2Q5bz8cpjFydK6w9pxaFLxMMc efnoFhQlizGCoxV7HKEqmV95Yv8lp1KPHOVNPsMP19bYBiy1r6GNHXgJUz0bC9o6OjYOKG15gTLk 8Ysis.wYv61b7zWJypHJAZ8IaDU6TEsNSJOjE7BE9JR9CbhW8obrHvhVMdAlBOrmx9aJO4df.xG1 pyHZix1UZpWgDLLyoo7BN9AWUi9XUxI7T9BtAFEX102yiJyGBhxdZGZOCYdd0sYPCZbCnIj1GNGS 77tKhvlABfSNalYDjmrzOsq6dSxWtjJi1TPvxiPlMn8_z3WrjfbvhYxja22xSosTpaE4pKay46nN sq0ZJIjH5Fkkh7zXsy7xV853xRnXd5vdf3a8OlNpqqJhedUAmFRNuVBoWPJxaCnto1vkVgCzDSGS 4PRKP2XQHDNCabrzHokD4lriPVuZgItFRMyacCfzzuv_kIsKIrdi5T0tDIznyjKHCY.4.YaQxsfq KM9rSAgd_aM4Lvu_5apnwFEunSBAtWBQfBvyLBpGYyF8.3rrjTym.y4.tMndwr.qrUwMNWKSKTJX EF46bWiC2SRTyC37zZohoSQojDZa0vTTsBGJvZUn.2nc93B8HKzoOshs6fx5LPPKtvYy.f76TSQf h2CMyXOyKceZhrzuKO8YnOImPz_Nw4tUC0jtDlDU8skhytIjKNTIdeKYdO5HV2w287FbXozAxtcw Ru5Y_qOOwUPXBUGHK.ZEvC5VEfVO5pnVew8z_NYs9dGud4keKKd9FuPW6lgAqfLT_HTHnT2T5akD J5IEYiwI53iU61E4aOr3F3uOlWRQcICJKn0Mts8f.JlThcUzK379qUDQS
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.ne1.yahoo.com with HTTP; Thu, 12 Mar 2020 18:58:11 +0000
Received: by smtp412.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID b250028f587c5716a754743afd55a99d; Thu, 12 Mar 2020 18:58:08 +0000 (UTC)
To: oauth@ietf.org
References: <CAGBSGjp6xRL21fdY+dosAhwS3Db6z1hxHU5uPGGprC-c_Ec-Cg@mail.gmail.com> <CAO_FVe40ONas2em6gGviEgdh_bf4qG+PnQD+G+KR+QPcY+V8Bw@mail.gmail.com> <CAO_FVe63-iCzqRCE0W18Y4sQsdKbaYj4y0fxCU32RoR53c9zEA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <2f5f2fd7-a6fc-cf1f-7f3b-b0a05069f7a5@aol.com>
Date: Thu, 12 Mar 2020 14:58:07 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe63-iCzqRCE0W18Y4sQsdKbaYj4y0fxCU32RoR53c9zEA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------20050652C6C7F6304411EFA5"
Content-Language: en-US
X-Mailer: WebService/1.1.15342 hermes Apache-HttpAsyncClient/4.1.4 (Java/1.8.0_241)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tab5qQVKQlMt4H1t9w7hCcUwaA4>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 18:58:22 -0000
I also am in favor of not requiring "sender constraint" as a MUST. SHOULD or RECOMMENDED is fine. Many websites are NOT Single-Page-Apps and as such DPOP doesn't work for those environments. Converting all web based environments to SPAs so not viable. Thanks, George On 3/12/20 2:28 PM, Vittorio Bertocci wrote: > damnit, i hit enter too soon. > Hey guys, > thanks for putting this together. > I am concerned with the real world impact of imposing sender constraint | > rotation as a MUST on refresh tokens in every scenario. > Sender constraint isn't immediately actionable - we just had the discussion > for dPOP, hence I won't go in the details here. > Rotation isn't something that can be added without significant impact on > development and runtime experiences: > > - on distributed scenarios, it introduces the need to serialize access > to shared caches > - network failures can lead to impact on experience- stranding clients > which fail to receive RTn+1 during RTn redemption in a limbo where user > interaction might become necessary, disrupting experience or functionality > for scenarios where the user isn't available to respond. > - remediations currently in the wild for this are either clunky (grace > periods) or downright cumbersome (waiting for the AT refreshed via RTn to > be used by the client to invalidate RTn, which locks RS and AS in a > transaction that is both expensive and itself subject to network failure) > > I think it's fine to recommend using those mechanisms with a SHOULD, but > imposing those complexities to everyone in the core is asking too much IMO. > Thanks > V. > > On Thu, Mar 12, 2020 at 11:24 AM Vittorio Bertocci <Vittorio@auth0.com> > wrote: > >> Hey guys, >> thanks for putting this together. >> I am concerned with the real world impact of imposing sender constraint | >> rotation as a MUST on refresh tokens in every scenario. >> Sender constraint isn't immediately actionable - we just had the >> discussion for dPOP, hence I won't go in the details here. >> Rotation isn't something that can be added without significant impact on >> development and runtime experiences: >> >> - on distributed scenarios, it introduces the need to serialize access >> to shared caches >> - network failures can lead to impact on experience- stranding clients >> which fail to receive RTn+1 during RTn redemption in a limbo where user >> interaction might become necessary, disrupting experience or functionality >> for scenarios where the user isn't available to respond. >> - >> >> >> >> On Wed, Mar 11, 2020 at 5:28 PM Aaron Parecki <aaron@parecki.com> wrote: >> >>> I'm happy to share that Dick and Torsten and I have published a first >>> draft of OAuth 2.1. We've taken the feedback from the discussions on >>> the list and incorporated that into the draft. >>> >>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01 >>> >>> A summary of the differences between this draft and OAuth 2.0 can be >>> found in section 12, and I've copied them here below. >>> >>>> This draft consolidates the functionality in OAuth 2.0 (RFC6749), >>>> OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange >>>> (RFC7636), OAuth 2.0 for Browser-Based Apps >>>> (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current >>>> Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage >>>> (RFC6750). >>>> >>>> Where a later draft updates or obsoletes functionality found in the >>>> original [RFC6749], that functionality in this draft is updated with >>>> the normative changes described in a later draft, or removed >>>> entirely. >>>> >>>> A non-normative list of changes from OAuth 2.0 is listed below: >>>> >>>> * The authorization code grant is extended with the functionality >>>> from PKCE ([RFC7636]) such that the only method of using the >>>> authorization code grant according to this specification requires >>>> the addition of the PKCE mechanism >>>> >>>> * Redirect URIs must be compared using exact string matching as per >>>> Section 4.1.3 of [I-D.ietf-oauth-security-topics] >>>> >>>> * The Implicit grant ("response_type=token") is omitted from this >>>> specification as per Section 2.1.2 of >>>> [I-D.ietf-oauth-security-topics] >>>> >>>> * The Resource Owner Password Credentials grant is omitted from this >>>> specification as per Section 2.4 of >>>> [I-D.ietf-oauth-security-topics] >>>> >>>> * Bearer token usage omits the use of bearer tokens in the query >>>> string of URIs as per Section 4.3.2 of >>>> [I-D.ietf-oauth-security-topics] >>>> >>>> * Refresh tokens must either be sender-constrained or one-time use >>>> as per Section 4.12.2 of [I-D.ietf-oauth-security-topics] >>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12 >>> >>> I'm excited for the direction this is taking, and it has been a >>> pleasure working with Dick and Torsten on this so far. My hope is that >>> this first draft can serve as a good starting point for our future >>> discussions! >>> >>> ---- >>> Aaron Parecki >>> aaronparecki.com >>> @aaronpk >>> >>> P.S. This notice was also posted at >>> https://aaronparecki.com/2020/03/11/14/oauth-2-1 >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] First Draft of OAuth 2.1 Aaron Parecki
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Schanzenbach, Martin
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Peck, Michael A
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Pedro Igor Craveiro e Silva
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Vittorio Bertocci
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Vittorio Bertocci
- Re: [OAUTH-WG] [EXTERNAL] Re: First Draft of OAut… Mike Jones
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 George Fletcher
- Re: [OAUTH-WG] [EXTERNAL] Re: First Draft of OAut… Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Vittorio Bertocci
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Pedro Igor Silva
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Pedro Igor Silva
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Aaron Parecki
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Aaron Parecki
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Brian Campbell
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Brian Campbell
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Pedro Igor Silva
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Vittorio Bertocci
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Dominick Baier
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Torsten Lodderstedt
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Neil Madden
- Re: [OAUTH-WG] First Draft of OAuth 2.1 Aaron Parecki