IETF Logo Mail Archive

Re: [OAUTH-WG] First Draft of OAuth 2.1

George Fletcher <gffletch@aol.com> Thu, 12 March 2020 18:58 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1403A1055 for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 11:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3-ZbHpZwWLh for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 11:58:12 -0700 (PDT)
Received: from sonic317-32.consmr.mail.ne1.yahoo.com (sonic317-32.consmr.mail.ne1.yahoo.com [66.163.184.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4EA03A1022 for <oauth@ietf.org>; Thu, 12 Mar 2020 11:58:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1584039491; bh=ee17OebLQDpJC/eqPosWxQHvKOao22XIvc/teyH41sQ=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=qhMeWToa4GAp4MWTrx1F3y8O6PoDP6/96VQpKNPn7f0NFNfKi8yrMN6Z+waJGQyESpFsOxTvYCaeRzFwx/9DTCMG4R/iGq/uXddFBz+cFveU+yh/IGlJ1V6T7qTdoG25GiFsvcVPhBfTZcnVJC3AyFW/EMHltkg2367P9uz7nAUoCYqA51vCSdLkxRd8RAKYCjaPWsIZhkuUsSEFGlv28RBpmxU2NpUTbAEW/mYs7DZgoiIdQd1mLOvTLbgPNOG90LAhqUe/3VIyy0C673bVeRzyzf8T7ChEXdMZbgSfXfyGIOsJq5rCm1Kgr+znJnFzJ5hcVrWLCeN8j/fUYUe6/g==
X-YMail-OSG: BFEV7mwVM1k.CZEgeFwZBX4tlZejI9HHBqn9VYwcKShA1buc.I_Np.dQMnKFjM7 ZJEpESne_wJa0I5voyU_g3XA0EZUzaCEhKHTrU7fAzEixoB4kyjijFK.f3netbvqAnVU15i8KgHC OmdoDN1alUG4HUsUVqACtGqIn8zzB0m12bjF91KTjS6NOgylv0wn2l1cXFUAXry0KMUaAved0Oqk qxBW0ePbAyTFuE43mY2fVCxQYT_rpThYNmdrKPSoS.BNVa6Twgw.LyblKvnqXT8v0bdfJ6hMm87W XqKUYf6Y9W70i0q1hXd4lchMNojZJyQu5dWfImkHPerUQXfOA_Z1gfZ.KCDwBNEZD5MC8CF_KbtF ijwGdoGrqN.WaAkh3jYm4gzPTrJ1sc6Wvs6XpK.VU.Uou3O04uEQWcRLFSdRDgZXZDQ6TFePpdyX 746LBy5j1SOJadyzto9cdnJYX8elcNiIXxpfFHqtwXz_1lIRxN35l2vUhUaHbb.5.wisP_OvdyPf UuwxzUXX05S40XYhQmcnTjWAiQtY9nxNma4jS4iYwTk380PJY5a2Q5bz8cpjFydK6w9pxaFLxMMc efnoFhQlizGCoxV7HKEqmV95Yv8lp1KPHOVNPsMP19bYBiy1r6GNHXgJUz0bC9o6OjYOKG15gTLk 8Ysis.wYv61b7zWJypHJAZ8IaDU6TEsNSJOjE7BE9JR9CbhW8obrHvhVMdAlBOrmx9aJO4df.xG1 pyHZix1UZpWgDLLyoo7BN9AWUi9XUxI7T9BtAFEX102yiJyGBhxdZGZOCYdd0sYPCZbCnIj1GNGS 77tKhvlABfSNalYDjmrzOsq6dSxWtjJi1TPvxiPlMn8_z3WrjfbvhYxja22xSosTpaE4pKay46nN sq0ZJIjH5Fkkh7zXsy7xV853xRnXd5vdf3a8OlNpqqJhedUAmFRNuVBoWPJxaCnto1vkVgCzDSGS 4PRKP2XQHDNCabrzHokD4lriPVuZgItFRMyacCfzzuv_kIsKIrdi5T0tDIznyjKHCY.4.YaQxsfq KM9rSAgd_aM4Lvu_5apnwFEunSBAtWBQfBvyLBpGYyF8.3rrjTym.y4.tMndwr.qrUwMNWKSKTJX EF46bWiC2SRTyC37zZohoSQojDZa0vTTsBGJvZUn.2nc93B8HKzoOshs6fx5LPPKtvYy.f76TSQf h2CMyXOyKceZhrzuKO8YnOImPz_Nw4tUC0jtDlDU8skhytIjKNTIdeKYdO5HV2w287FbXozAxtcw Ru5Y_qOOwUPXBUGHK.ZEvC5VEfVO5pnVew8z_NYs9dGud4keKKd9FuPW6lgAqfLT_HTHnT2T5akD J5IEYiwI53iU61E4aOr3F3uOlWRQcICJKn0Mts8f.JlThcUzK379qUDQS
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.ne1.yahoo.com with HTTP; Thu, 12 Mar 2020 18:58:11 +0000
Received: by smtp412.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID b250028f587c5716a754743afd55a99d; Thu, 12 Mar 2020 18:58:08 +0000 (UTC)
To: oauth@ietf.org
References: <CAGBSGjp6xRL21fdY+dosAhwS3Db6z1hxHU5uPGGprC-c_Ec-Cg@mail.gmail.com> <CAO_FVe40ONas2em6gGviEgdh_bf4qG+PnQD+G+KR+QPcY+V8Bw@mail.gmail.com> <CAO_FVe63-iCzqRCE0W18Y4sQsdKbaYj4y0fxCU32RoR53c9zEA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <2f5f2fd7-a6fc-cf1f-7f3b-b0a05069f7a5@aol.com>
Date: Thu, 12 Mar 2020 14:58:07 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe63-iCzqRCE0W18Y4sQsdKbaYj4y0fxCU32RoR53c9zEA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------20050652C6C7F6304411EFA5"
Content-Language: en-US
X-Mailer: WebService/1.1.15342 hermes Apache-HttpAsyncClient/4.1.4 (Java/1.8.0_241)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tab5qQVKQlMt4H1t9w7hCcUwaA4>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 18:58:22 -0000

I also am in favor of not requiring "sender constraint" as a MUST. 
SHOULD or RECOMMENDED is fine. Many websites are NOT Single-Page-Apps 
and as such DPOP doesn't work for those environments. Converting all web 
based environments to SPAs so not viable.

Thanks,
George

On 3/12/20 2:28 PM, Vittorio Bertocci wrote:
> damnit, i hit enter too soon.
>    Hey guys,
> thanks for putting this together.
> I am concerned with the real world impact of imposing sender constraint |
> rotation as a MUST on refresh tokens in every scenario.
> Sender constraint isn't immediately actionable - we just had the discussion
> for dPOP, hence I won't go in the details here.
> Rotation isn't something that can be added without significant impact on
> development and runtime experiences:
>
>     - on distributed scenarios, it introduces the need to serialize access
>     to shared caches
>     - network failures can lead to impact on experience- stranding clients
>     which fail to receive RTn+1 during RTn redemption in a limbo where user
>     interaction might become necessary, disrupting experience or functionality
>     for scenarios where the user isn't available to respond.
>     - remediations currently in the wild for this are either clunky (grace
>     periods) or downright cumbersome (waiting for the AT refreshed via RTn to
>     be used by the client to invalidate RTn, which locks RS and AS in a
>     transaction that is both expensive and itself subject to network failure)
>
> I think it's fine to recommend using those mechanisms with a SHOULD, but
> imposing those complexities to everyone in the core is asking too much IMO.
> Thanks
> V.
>
> On Thu, Mar 12, 2020 at 11:24 AM Vittorio Bertocci <Vittorio@auth0.com>
> wrote:
>
>> Hey guys,
>> thanks for putting this together.
>> I am concerned with the real world impact of imposing sender constraint |
>> rotation as a MUST on refresh tokens in every scenario.
>> Sender constraint isn't immediately actionable - we just had the
>> discussion for dPOP, hence I won't go in the details here.
>> Rotation isn't something that can be added without significant impact on
>> development and runtime experiences:
>>
>>     - on distributed scenarios, it introduces the need to serialize access
>>     to shared caches
>>     - network failures can lead to impact on experience- stranding clients
>>     which fail to receive RTn+1 during RTn redemption in a limbo where user
>>     interaction might become necessary, disrupting experience or functionality
>>     for scenarios where the user isn't available to respond.
>>     -
>>
>>
>>
>> On Wed, Mar 11, 2020 at 5:28 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> I'm happy to share that Dick and Torsten and I have published a first
>>> draft of OAuth 2.1. We've taken the feedback from the discussions on
>>> the list and incorporated that into the draft.
>>>
>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
>>>
>>> A summary of the differences between this draft and OAuth 2.0 can be
>>> found in section 12, and I've copied them here below.
>>>
>>>> This draft consolidates the functionality in OAuth 2.0 (RFC6749),
>>>> OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
>>>> (RFC7636), OAuth 2.0 for Browser-Based Apps
>>>> (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
>>>> Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
>>>> (RFC6750).
>>>>
>>>>    Where a later draft updates or obsoletes functionality found in the
>>>>    original [RFC6749], that functionality in this draft is updated with
>>>>    the normative changes described in a later draft, or removed
>>>>    entirely.
>>>>
>>>>    A non-normative list of changes from OAuth 2.0 is listed below:
>>>>
>>>>    *  The authorization code grant is extended with the functionality
>>>>       from PKCE ([RFC7636]) such that the only method of using the
>>>>       authorization code grant according to this specification requires
>>>>       the addition of the PKCE mechanism
>>>>
>>>>    *  Redirect URIs must be compared using exact string matching as per
>>>>       Section 4.1.3 of [I-D.ietf-oauth-security-topics]
>>>>
>>>>    *  The Implicit grant ("response_type=token") is omitted from this
>>>>       specification as per Section 2.1.2 of
>>>>       [I-D.ietf-oauth-security-topics]
>>>>
>>>>    *  The Resource Owner Password Credentials grant is omitted from this
>>>>       specification as per Section 2.4 of
>>>>       [I-D.ietf-oauth-security-topics]
>>>>
>>>>    *  Bearer token usage omits the use of bearer tokens in the query
>>>>       string of URIs as per Section 4.3.2 of
>>>>       [I-D.ietf-oauth-security-topics]
>>>>
>>>>    *  Refresh tokens must either be sender-constrained or one-time use
>>>>       as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
>>>
>>> I'm excited for the direction this is taking, and it has been a
>>> pleasure working with Dick and Torsten on this so far. My hope is that
>>> this first draft can serve as a good starting point for our future
>>> discussions!
>>>
>>> ----
>>> Aaron Parecki
>>> aaronparecki.com
>>> @aaronpk
>>>
>>> P.S. This notice was also posted at
>>> https://aaronparecki.com/2020/03/11/14/oauth-2-1
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email