[OAUTH-WG] Different use case for the Device Flow
Justin Richer <jricher@mit.edu> Sat, 01 July 2017 00:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 285A212EB0F for <oauth@ietfa.amsl.com>; Fri, 30 Jun 2017 17:42:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMJ94I_xtZ6x for <oauth@ietfa.amsl.com>; Fri, 30 Jun 2017 17:42:50 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4960512EB17 for <oauth@ietf.org>; Fri, 30 Jun 2017 17:42:50 -0700 (PDT)
X-AuditID: 1209190d-d83ff7000000498b-49-5956f0086654
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id BF.C6.18827.800F6595; Fri, 30 Jun 2017 20:42:49 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v610gl1p021833 for <oauth@ietf.org>; Fri, 30 Jun 2017 20:42:48 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v610gk11012915 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Fri, 30 Jun 2017 20:42:47 -0400
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <76A645C6-DA62-45A8-8D4D-B44322583DA7@mit.edu>
Date: Fri, 30 Jun 2017 20:42:45 -0400
To: "<oauth@ietf.org>" <oauth@ietf.org>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrJIsWRmVeSWpSXmKPExsUixG6nosv5ISzS4N9XRouTb1+xOTB6LFny kymAMYrLJiU1J7MstUjfLoEro/VRK3PBbYWKG9fnMDUw7pPqYuTkkBAwkXgz/QVzFyMXh5DA YiaJC7M/sUM4xxglpmw+yALhfGOSWN3XwgbSwiagKjF9TQsTiM0soC7xZ94lZghbW2LZwtdA NgcHr4C+RO9zRpCwMJC599kSdhCbV8BK4suubWBjWIDGHHu/ixXEFgEas+b8TyaIi2Qlbs2+ xDyBkXcWkg2zkGyYhbBhASPzKkbZlNwq3dzEzJzi1GTd4uTEvLzUIl0jvdzMEr3UlNJNjKBQ 4pTk3cH4767XIUYBDkYlHt4NIWGRQqyJZcWVuYcYJTmYlER5V14LjRTiS8pPqcxILM6ILyrN SS0+xCjBwawkwvvsLVA5b0piZVVqUT5MSpqDRUmcV1yjMUJIID2xJDU7NbUgtQgmK8PBoSTB ++8dUKNgUWp6akVaZk4JQpqJgxNkOA/Q8ClnQIYXFyTmFmemQ+RPMepyvJrw/xuTEEtefl6q FNAakEECIEUZpXlwc0ApIOHtYdNXjOJAbwnz7gSp4gGmD7hJr4CWMAEtEZ4RArKkJBEhJdXA qDr1menh4FsMPgUZf3vfOUssPHDko86U3qumyiFCBgfyvvP7Gll5ZLRWlvVdudn6tKrsZ5xz /JSttStsa05ynog24G1p+ShZ8/HTv9r4E49yT+j905R4+Svlk+zXc7NUpl2/8bk1/WVt1prA NXOa3kb1NN3U/lFl/m/LIoF3LkL168Pund0spMRSnJFoqMVcVJwIAGo9k3PcAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q>
Subject: [OAUTH-WG] Different use case for the Device Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jul 2017 00:42:52 -0000
Since the draft is close to final, I wanted to write to the list about a use case in a project that I’m working on that I think is valuable input into the Device Flow discussion. This use case exercises the device flow OAuth extension grant in an interesting way. The usual line of thinking for using this flow is that there’s a disadvantaged device, like a set-top box, that the user needs to grant access to using a separate personal computer. In this use case, there are still two devices but it’s the permissions that vary between them, not the platform capabilities. The device ultimately getting the access token is the user’s personal mobile device (a phone or tablet), but they’re unable to log in and authorize the device directly on the device itself. Instead, the user needs to bring their device to an authorized kiosk staffed by a trained entity who has the authority to onboard the device to the user’s account. Good news is that so far we’ve been able to build this out using the device flow with no modifications to the protocol, but since our use is different we thought it would be good for the community to see its details. The flow starts with the user on their device, we’ll use a smartphone in our example. The user provides an identifier to their account, and the device starts the device flow to the server including this identifier as an additional parameter. The AS generates a device and user code pair and ties that to the account indicated by the identifier. Later, the user brings their device in to the staffed kiosk, where the authorized staff verifies the user (using a physical ID card) and the device (using the user code) against the “pending” requests for that user’s account. The staff person makes sure that the user who’s present is the same as the user in the pending request and approves the connection. At the AS this sets a flag on the device code and binds it strongly to that user’s account. Note that it’s the staff person who’s logged in, but the binding is to the proofed user’s account. This decision is written to an audit log (a good potential application for the SecEvents group, since it’s an event with multiple parties that needs to be verifiable). Later, the user gets their device online again and it trades the device code for the access token, and now it can call the APIs as needed. The time gaps in this use case are much larger than is typical with the device flow. When setting up a set-top box, it would be expected that everything gets set up within a few minutes. However, the requirement for the user to potentially travel to a trusted kiosk means that our device codes last for up to a week. And once the device is approved by the authorized staff person at the kiosk, the user has *another* week to get their device back online to trade the device code in for an access token. If either of those windows are missed, they have to start the whole process over again. Apart from the account identifier in the initial request for the device code (which we read as being allowed), there are no changes to the device code flow protocol. The account identifier is more for increasing the usability of the entire system, as it allows a user’s pending devices to be verified more quickly at the kiosk. Also, in this particular deployment, it’s used along with dynamic registration and private_key_jwt authentication for the clients, which allows for greater security for the overall protocol and greater separation of client instances from each other. We’re interested to hear people’s feedback on our use of the device flow, and curious if anyone else is using it in a similar fashion. Even though it’s different, it still fits the spirit of “two devices with different capabilities” present in the draft. — Justin
- [OAUTH-WG] Different use case for the Device Flow Justin Richer