Re: [OAUTH-WG] OAuth Digest, Vol 136, Issue 9

Bhupinder Saini <bhupinder@openitio.com> Thu, 20 February 2020 11:39 UTC


Hello All

I have recently joined this working group, but I have been an IAM consultant for 15+ years.
My opinion and experience on the following:

  *   Implicit Grant – Definitely Dropped
  *   Password Grant – Definitely Dropped

I have had so many conversations with app (web/mobile) developers in the last few years about NOT using them; now, with the revised 2.1, we can avoid those conversations. Although these grants made things look less complex, they never really aligned with utilising the full security of OAuth 2.

I favour the vote to drop them for good and make OAuth 2.1 clean, as follows:

  *   Authorisation Code Grants
  *   Client Credentials

Thanks
Bhupinder Singh

From: OAuth <oauth-bounces@ietf.org> on behalf of Bruno Brito <bhdebrito@gmail.com>
Date: Wednesday, 19 February 2020 at 20:21
To: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 136, Issue 9

No, I cannot see any use case where authorization code cannot replace implicit. Go ahead and remove it!

Bruno

On Wed, Feb 19, 2020 at 5:01 PM <oauth-request@ietf.org> wrote:
Today's Topics:

   1. Re: OAuth 2.1 - drop implicit flow? (Dominick Baier)
   2. Re: OAuth Digest, Vol 136, Issue 7 (Torsten Lodderstedt)
   3. Re: [EXTERNAL]  OAuth 2.1: dropping password grant (Dick Hardt)



---------- Forwarded message ----------
From: Dominick Baier <dbaier@leastprivilege.com>
To: Dick Hardt <dick.hardt@gmail.com>, oauth@ietf.org
Cc:
Bcc:
Date: Tue, 18 Feb 2020 22:49:05 -0800
Subject: Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?
No - please get rid of it.

———
Dominick Baier


On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com) wrote:
Hey List

(I'm using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)

Given the points Aaron brought up in

https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU


Does anyone have concerns with dropping the implicit flow from the OAuth 2.1 document so that developers don't use it?

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



---------- Forwarded message ----------
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Bruno Brito <bhdebrito@gmail.com>
Cc: oauth@ietf.org
Bcc:
Date: Wed, 19 Feb 2020 08:25:19 +0100
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 136, Issue 7
Hi Bruno,

thanks for your insights.

The recommendation is not only based on security considerations but also on utility. As soon as one wants to integrate federated login or multi-factor authentication, ROPG reaches its limits.

Moreover, how do those teams implement user registration and user account recovery? In my experience, implementing this in a native experience will significantly increase the cost of the implementation.

Two reasons to go with the code flow.

best regards,
Torsten.

> On 19.02.2020 at 01:49, Bruno Brito <bhdebrito@gmail.com> wrote:
>



---------- Forwarded message ----------
From: Dick Hardt <dick.hardt@gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Bcc:
Date: Wed, 19 Feb 2020 11:35:03 -0800
Subject: Re: [OAUTH-WG] [EXTERNAL]  OAuth 2.1: dropping password grant
Tony: are you ok with dropping password grant?

You reference valid use cases. If you think it should continue, would you provide the use cases?


On Tue, Feb 18, 2020 at 12:57 PM Dick Hardt <dick.hardt@gmail.com> wrote:
The security topics says MUST. If you want to change that, then that is a different discussion. :)

In the OAuth 2.1 document, it would just not be included. Applications can continue to be OAuth 2.0 compliant.

BUT ... if there are valid, new use cases, please describe them! Perhaps it should not be dropped.


On Tue, Feb 18, 2020 at 12:54 PM Anthony Nadalin <tonynad@microsoft.com> wrote:
I would suggest a SHOULD NOT instead of MUST; there are still sites using this, and a grace period should be provided before a MUST is pushed out, as there are valid use cases out there still.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Tuesday, February 18, 2020 12:37 PM
To: oauth@ietf.org
Subject: [EXTERNAL] [OAUTH-WG] OAuth 2.1: dropping password grant

Hey List

(Once again using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)

In the security topics doc

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#section-2.4

The password grant MUST not be used.

Some background for those interested. I added this grant into OAuth 2.0 to allow applications that had been provided a password to migrate. Even with the caveats in OAuth 2.0, implementors decide they want to prompt the user to enter their credentials, which is the anti-pattern OAuth was created to eliminate.


Does anyone have concerns with dropping the password grant from the OAuth 2.1 document so that developers don't use it?

/Dick
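The thread settles on an OAuth 2.1 profile that keeps the authorization code and client credentials grants and drops implicit and password (ROPG), while Tony asks for a grace period because some sites still use them. The following is an added example, not code from the OAuth working group or from anyone in this thread, showing how an authorization server operator could enforce that allow-list and, before enforcing it, inventory which clients still depend on the dropped grants. The log line format, client ids and request counts in SAMPLE_LOG are constructed for illustration.

```python
"""Grant allow-list for an OAuth 2.1 profile plus a usage inventory of dropped grants.

Added example. Assumes (constructed) an authorization server that logs each
authorization- and token-endpoint request as one line:
    '<timestamp> <method> <path> <url-encoded parameters>'
Passwords are never written to the log; only grant_type, client_id and the
username are present for ROPG requests.
"""
from collections import Counter, namedtuple
from urllib.parse import parse_qs

# Grants retained in the OAuth 2.1 profile discussed in the thread.
ALLOWED_GRANTS = {"authorization_code", "client_credentials"}
# Grants the thread proposes to drop.
DROPPED_GRANTS = {"implicit", "password"}

Request = namedtuple("Request", "endpoint client_id grant")

# Constructed sample log (hypothetical client ids).
SAMPLE_LOG = """\
2020-02-19T08:25:19Z GET /authorize response_type=code&client_id=spa-new&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=x1
2020-02-19T08:25:20Z GET /authorize response_type=token&client_id=spa-old&redirect_uri=https%3A%2F%2Flegacy.example%2Fcb&state=x2
2020-02-19T08:25:21Z POST /token grant_type=password&username=alice&client_id=legacy-mobile
2020-02-19T08:25:22Z POST /token grant_type=authorization_code&code=abc&client_id=spa-new
2020-02-19T08:25:23Z POST /token grant_type=client_credentials&client_id=batch-job
2020-02-19T08:25:25Z POST /token grant_type=password&username=bob&client_id=legacy-mobile
"""


def classify(line):
    """Map one log line to the grant it exercises."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        # Malformed or parameter-less line: record it without guessing.
        return Request(parts[2] if len(parts) > 2 else "?", "<unknown>", "unknown")
    _ts, _method, path, params = parts
    q = parse_qs(params)
    client_id = q.get("client_id", ["<unknown>"])[0]
    if path == "/authorize":
        response_type = q.get("response_type", [""])[0].split()
        # An access token issued directly by the authorization endpoint
        # (response_type containing "token") is the implicit grant.
        if "token" in response_type:
            grant = "implicit"
        elif response_type == ["code"]:
            grant = "authorization_code"
        else:
            grant = "unknown"
    elif path == "/token":
        # Token-endpoint grant_type values map directly ("password" is ROPG).
        grant = q.get("grant_type", ["unknown"])[0]
    else:
        grant = "unknown"
    return Request(path, client_id, grant)


def evaluate(req):
    """Return ('allow' | 'deny', reason) for a request under the allow-list."""
    if req.grant in ALLOWED_GRANTS:
        return "allow", ""
    if req.grant in DROPPED_GRANTS:
        return "deny", f"{req.grant} grant is not in the OAuth 2.1 profile; use authorization_code"
    return "deny", f"unsupported grant {req.grant!r}"


def deprecated_usage(log_text):
    """Count requests per (client_id, grant) that still rely on a dropped grant.

    This is the inventory an operator would run before the grace period ends,
    to know which clients must be migrated.
    """
    counts = Counter()
    for line in log_text.splitlines():
        req = classify(line)
        if req.grant in DROPPED_GRANTS:
            counts[(req.client_id, req.grant)] += 1
    return counts


if __name__ == "__main__":
    for (client, grant), n in sorted(deprecated_usage(SAMPLE_LOG).items()):
        print(f"{client}: {n} request(s) still using the {grant} grant")
    for line in SAMPLE_LOG.splitlines():
        req = classify(line)
        verdict, reason = evaluate(req)
        print(f"{req.client_id:14} {req.grant:20} {verdict} {reason}")
```

Running the inventory first and the policy second matches the sequence the thread argues over: the allow-list is the end state, and the per-client counts show who is affected before it is switched on.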