Re: [OAUTH-WG] Flowchart for legs of OAuth
"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Tue, 05 April 2011 15:12 UTC
Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0509B3A6949 for <oauth@core3.amsl.com>; Tue, 5 Apr 2011 08:12:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.426
X-Spam-Level:
X-Spam-Status: No, score=-6.426 tagged_above=-999 required=5 tests=[AWL=0.173, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 546oG4jBsH6d for <oauth@core3.amsl.com>; Tue, 5 Apr 2011 08:12:38 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id CAE6B3A680D for <oauth@ietf.org>; Tue, 5 Apr 2011 08:12:37 -0700 (PDT)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id p35FEIVI017640 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 5 Apr 2011 10:14:19 -0500 (CDT)
Received: from USNAVSXCHHUB03.ndc.alcatel-lucent.com (usnavsxchhub03.ndc.alcatel-lucent.com [135.3.39.112]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p35FEIvm012093 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 5 Apr 2011 10:14:18 -0500
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.119]) by USNAVSXCHHUB03.ndc.alcatel-lucent.com ([135.3.39.112]) with mapi; Tue, 5 Apr 2011 10:14:18 -0500
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: "'torsten@lodderstedt.net'" <torsten@lodderstedt.net>, Skylar Woodward <skylar@kiva.org>
Date: Tue, 05 Apr 2011 10:14:17 -0500
Thread-Topic: Re: [OAUTH-WG] Flowchart for legs of OAuth
Thread-Index: AcvzUHUXqXeCWhZOS9OZUHVWGT24OQAUUvsg
Message-ID: <5710F82C0E73B04FA559560098BF95B12505F041B7@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <AANLkTimGjiCGk5dpA=YVzq5vDkLR2+caSz=pZ5WiZO9H@mail.gmail.com> <3C84AD7A-F00F-43EC-AAD3-AD2DCFB46B0E@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F432BB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D84F7E2.6090305@redhat.com> <16B9A882-6204-4CBD-B7E3-1D806AF5056C@oracle.com> <4D8A5054.4050006@lodderstedt.net> <BANLkTiniuuRXtkzLubgOjVursVtOGjFe6A@mail.gmail.com> <7616C235-2913-4EE0-A710-F47A4CC9E424@oracle.com> <BANLkTi=XyF25vB6qKX2q8iOpEaZ1yQx9Jw@mail.gmail.com> <65E3F250-5111-4692-BFA7-F5B838E9B41D@gmail.com> <BANLkTik5u5+jjTwnwNCQVyzMux4aMB98yg@mail.gmail.com> <5710F82C0E73B04FA559560098BF95B12505F041B5@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <4D9A318D.3090908@lodderstedt.net><38AE5D29-996A-49AA-89A0-3A15AB4C0823@kiva.org> <1567368214-1301980513-cardhu_decombobulator_blackberry.rim.net-2135712133-@b1.c11.bise7.blackberry>
In-Reply-To: <1567368214-1301980513-cardhu_decombobulator_blackberry.rim.net-2135712133-@b1.c11.bise7.blackberry>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Cc: Kris Selden <kris.selden@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2011 15:12:39 -0000
+1 for making the specification clear. It should say that the native application clients participating in the authorization code flow do not use the client secrets. Zachary -----Original Message----- From: torsten@lodderstedt.net [mailto:torsten@lodderstedt.net] Sent: Tuesday, April 05, 2011 1:15 AM To: Skylar Woodward Cc: Zeltsan, Zachary (Zachary); Kris Selden; oauth@ietf.org Subject: AW: Re: [OAUTH-WG] Flowchart for legs of OAuth Hi Skylar, Thank you for sharing this information with us. Some thougts: The empty string makes your implementation syntactically compliant but does obviously not comply with its semantics and the security considerations/expectations associated with a secret. Moreover, what about interoperability? I think not using secrets for such clients is the honest solution. We can just change the spec's text to express what we think is the right way. regards, Torsten. Gesendet mit BlackBerry(r) Webmail von Telekom Deutschland -----Original Message----- From: Skylar Woodward <skylar@kiva.org> Date: Mon, 4 Apr 2011 19:14:53 To: Torsten Lodderstedt<torsten@lodderstedt.net> Cc: Zeltsan, Zachary (Zachary)<zachary.zeltsan@alcatel-lucent.com>; Kris Selden<kris.selden@gmail.com>; oauth@ietf.org<oauth@ietf.org> Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth In our implementation (not yet public) we accept the empty string ("") as the value for clients not issued secrets. While this was done to simplify the interface and implementation, it would make it compliant in my view. In this case, the authorization server is validating the credentials, which are the client ID and the empty string, which is equivalent security-wise to any other length of "secret" issued to a native client. Besides, for many providers, the client credentials will only be a client ID. They would plan to secure all exchanges over TLS and credentials serve just as a tracking device or at best, a weak form of identification. skylar On Apr 4, 2011, at 5:01 PM, Torsten Lodderstedt wrote: > Am 04.04.2011 21:38, schrieb Zeltsan, Zachary (Zachary): >> According to section "6 Refreshing an Access Token" (-13.txt), client when making a request for exchanging a refresh token for an access token has to include its authentication credentials, and the "authorization server MUST validate the client credentials". >> How can this be done if a client is an application that can't have a client secret? >> The authorization code grant does require client authentication (per section 4.1): >> >> (D) The client requests an access token from the authorization >> server's token endpoint by authenticating using its client >> credentials, and includes the authorization code received in the >> previous step. >> >> It appears that the clients that cannot keep its secret cannot use (be issued) the refresh tokens. > > In my opinion, this part of the spec is misleading. Authorization code MUST be possible without client authentication. Otherwise, OAuth is useless for native apps. > > http://tools.ietf.org/html/draft-lodderstedt-oauth-securityconsiderations-01#section-2.10 describes how the flow can be protected in such cases. > > regards, > Torsten. >> Zachary >> >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Marius Scurtescu >> Sent: Monday, April 04, 2011 2:30 PM >> To: Kris Selden >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth >> >> On Mon, Apr 4, 2011 at 10:47 AM, Kris Selden<kris.selden@gmail.com> wrote: >>> A typical iPhone app cannot be shipped with a client secret and rightly or wrongly users expect to only have to enter their credentials once. >>> >>> What is the best profile to use for an app that can't have a client secret and needs a refresh token or a long lived access token? >> The authorization code grant, aka web server flow. >> >> The spec is misleading in this respect IMO. >> >> Marius >>_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth David Primmer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Eran Hammer-Lahav
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anil Saldhana
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Chuck Mortimore
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt