Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Domingos Creado <domingos.creado@authlete.com> Fri, 15 October 2021 21:01 UTC
Return-Path: <domingos.creado@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A6A3A0B52 for <oauth@ietfa.amsl.com>; Fri, 15 Oct 2021 14:01:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wjevPWpFsPAd for <oauth@ietfa.amsl.com>; Fri, 15 Oct 2021 14:01:30 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5903A0B45 for <oauth@ietf.org>; Fri, 15 Oct 2021 14:01:30 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id h19so20565371uax.5 for <oauth@ietf.org>; Fri, 15 Oct 2021 14:01:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P9sNuuMjyf5PIl/6TU0YpvoqY/L2MdQtRU8N6jKN91Q=; b=cby4eLmfr7rJYX8aUwKx9c9FCbFjF8vJsRiKVIb9YVOOKgnIKs1Z6Nxle9YSRkLSg2 Lgo2BsDNqvqDP2g6ROhqPz5hW2KwqCUdstBzjTsSDQAwKUS+MclKo1sfU709VIMTqoy7 8TAMGvQOYETnph/dXG2ywwZtcwQSqMZXB6gcBaA6WXQNNJUqVtML7cNqAFoxjriaaUgV lPhGQsqkqH514ze1Rcqhte4/H/U8L8ocLpX26FhbQYE91+BODrCuo73Mu/nQ0clttwk0 iCu1OSiEffGr6bIF65CCs26x2geR06ASNtWkI3vGSu9Oo78Du3oo7RyR9j+zGmiXdv1+ xXAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P9sNuuMjyf5PIl/6TU0YpvoqY/L2MdQtRU8N6jKN91Q=; b=7agb/zW1+hibseKKhx2nauwrzeA8xrgDHPY136cw6yBVecxeldE/DjS+/4NeNINlU+ b59nPQ3zaFTHxpIMP7HPcahs6nYnforPjkahGcNEy95cWBV80/p/paR4XWuAlRDOKZ3y 7szS57cjvAnVgnYxwQ2KazmxaqQe2XCjNaQ0DlSSmxjI8wjLLPpDwLgiAyUzuiGR32cO zOVYjYQ6TjJo82whu0mdcS5IC+NlS4gkmnyuPa4ujJNTa/xydRTVexdAW/QTiYwo+mgk fc7gFFqeLDQABzBdCGsadWeMjTd6u1sqEWoVnx+wTPkwCE01STG4zkLOwjUUDa343s0r 1kQQ==
X-Gm-Message-State: AOAM5315EZNH0rDvJqX8YtgtpuowzT51euECtLUD3Mf9vab/KPEen99E AzgrTU0L9gKFttVuyUWEf9DmAlagbsBduOHfEH1rH8aV9EbTfw==
X-Google-Smtp-Source: ABdhPJyQ590uncxaItyltMCZr3PedYUzgf50qLhlP+2TdafP0vUvMVPMCdn2olLTNCO7oBp203bOWG0HU4aNANTsEcY=
X-Received: by 2002:a9f:3012:: with SMTP id h18mr15015250uab.56.1634331688975; Fri, 15 Oct 2021 14:01:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com> <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com> <CA+k3eCQtO-Qa7+yigjnsdhXHSqst-QZFHQPY-zYxewmmgWwXmg@mail.gmail.com>
In-Reply-To: <CA+k3eCQtO-Qa7+yigjnsdhXHSqst-QZFHQPY-zYxewmmgWwXmg@mail.gmail.com>
From: Domingos Creado <domingos.creado@authlete.com>
Date: Fri, 15 Oct 2021 18:01:16 -0300
Message-ID: <CAFtv1m7hy2eMq821VKwdi9kzqwybKYypfmQvScJYe3gmTwOiDg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c44e5b05ce6a7fe6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tnq5D2LcLru89_kauSD05XlFm0Q>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Oct 2021 21:01:36 -0000
I guess it is fair to say that when we are talking about credentialed clients, we are targeting native apps that after getting installed use a ceremony (probably using Dynamic client registration) to establish a credential for that specific instance on AS. Do you foresee other use cases? Back to David's point, the trust on that client depends upon the ceremony for establishing the credential or actions the resource owner might take after that. For instance: here in Brazil, some banks require you to go to an ATM to "approve" the client, and after that, access restrictions are lifted. In my point of view, the credentialed concept does not bring enough semantics to be used on the document, as there are too many moving parts that build or not the trust on the client. I think it makes more sense to shed some light on scope granting considering the trust on the confidential client and/or the assurance of the authentication. On Fri, Oct 15, 2021 at 3:34 PM Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org> wrote: > Looking/searching through > https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html and all the > occurrences of "credentialed" outside of sec 2.4 and the text I was > complaining about previously are treating confidential and credentialed the > same. I.e. "If the client is confidential or credentialed", "Confidential > or credentialed clients MUST", "authentication for confidential and > credentialed clients", etc. So the distinction/definition isn't serving a > meaningful function in the rest of the document. As such, I'd suggest > removing the credentialed concept entirely and using sec 2.4, as > appropriate or needed, to discuss the subtleties of the various ways > clients establish themselves with an AS and the implications to the amount > of trust that can be placed therein. > > On Mon, Oct 11, 2021 at 4:53 PM David Waite <david= > 40alkaline-solutions.com@dmarc.ietf.org> wrote: > >> >> > On Oct 11, 2021, at 11:52 AM, Dick Hardt <dick.hardt@gmail.com> wrote: >> > >> > >> > Thanks for the feedback Brian. We have struggled in how to concisely >> describe credentialed clients. >> > >> > "identifying a client" can be interpreted a number of ways. >> > >> > The intent is that the AS knows a credentialed client is the same >> client it previously interacted with, but that the AS can not assume any >> other attributes of the client, for example that it is a client from a >> given developer, or has a specific name. >> >> It sounds like the goal is to distinguish authenticating the client from >> trust of the client pedigree, e.g. the only authenticity of a public client >> might be that it can catch the redirect_uri, and the only authenticity of a >> dynamically registered client is what you required and verified up to that >> point. >> >> Some of that trust may be on confidentiality of data, prior reputation, >> safeguards to prevent token exfiltration or unauthorized token use locally, >> etc. >> >> A credentialed client is not more trusted than a confidential client - it >> is just more uniquely identifiable. A public client does not have a >> mechanism (within OAuth today) to prove its trustworthiness on request >> because it is not authenticated as the party with that trust. You instead >> would need to e.g. do client registration with a software statement. >> >> It may help to know what actions are MUST NOT or SHOULD NOT for >> credentialed clients vs confidential clients. Without that, the distinction >> seems it should be self contained in 2.1 like the client profiles, and >> maybe the term confidential client be explained to be a misnomer and more >> broadly explained that confidential vs public client is _not_ to meant to >> be a described as a trust distinction. >> >> -DW >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-04.t… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-… Aaron Parecki
- [OAUTH-WG] OAuth2.1 credentialed client Ash Narayanan
- [OAUTH-WG] convert to credentialed client... ( wa… Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Dick Hardt
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … David Waite
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Warren Parad
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Domingos Creado
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan