IETF Logo Mail Archive

[OAUTH-WG] OAuth 2.0: client_secret, state

"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 22 March 2010 12:11 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21F4E3A67D1 for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 05:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.835
X-Spam-Level: *
X-Spam-Status: No, score=1.835 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATeJ2M8y0YCn for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 05:11:42 -0700 (PDT)
Received: from mailipao.ntcif.telstra.com.au (mailipao.ntcif.telstra.com.au [202.12.233.27]) by core3.amsl.com (Postfix) with ESMTP id E8E783A6B2D for <oauth@ietf.org>; Mon, 22 Mar 2010 05:11:27 -0700 (PDT)
Received: from unknown (HELO mailbi.ntcif.telstra.com.au) ([202.12.162.19]) by mailipai.ntcif.telstra.com.au with ESMTP; 22 Mar 2010 23:11:43 +1100
Received: from mail.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.ntcif.telstra.com.au (Postfix) with ESMTP id 9D5DAFF81; Mon, 22 Mar 2010 23:11:42 +1100 (EST)
Received: from WSMSG3703.srv.dir.telstra.com (wsmsg3703.srv.dir.telstra.com [172.49.40.171]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id XAA14651; Mon, 22 Mar 2010 23:11:42 +1100 (EST)
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Mon, 22 Mar 2010 23:11:41 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: David Recordon <davidrecordon@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Mon, 22 Mar 2010 23:11:34 +1100
Thread-Topic: OAuth 2.0: client_secret, state
Thread-Index: AcrHzK+rSVNNclfBQN6aW1dAZfzZmAB2+vFQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E112531C851D@WSMSG3153V.srv.dir.telstra.com>
References: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com>
In-Reply-To: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
x-cr-puzzleid: {61D4D252-2C7D-480F-9C02-1B1A4FFB6B2D}
x-cr-hashedpuzzle: Dhv8 EUc4 IZJL Jekp JgF9 MAym Mw34 M+tR NJ7d NjZp Ok8e Pk+Y QSr9 R24c WXAe WrLJ; 2; ZABhAHYAaQBkAHIAZQBjAG8AcgBkAG8AbgBAAGYAYQBjAGUAYgBvAG8AawAuAGMAbwBtADsAbwBhAHUAdABoAEAAaQBlAHQAZgAuAG8AcgBnAA==; Sosha1_v1; 7; {61D4D252-2C7D-480F-9C02-1B1A4FFB6B2D}; agBhAG0AZQBzAC4AaAAuAG0AYQBuAGcAZQByAEAAdABlAGEAbQAuAHQAZQBsAHMAdAByAGEALgBjAG8AbQA=; Mon, 22 Mar 2010 12:11:34 GMT; TwBBAHUAdABoACAAMgAuADAAOgAgAGMAbABpAGUAbgB0AF8AcwBlAGMAcgBlAHQALAAgAHMAdABhAHQAZQA=
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: [OAUTH-WG] OAuth 2.0: client_secret, state
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2010 12:11:43 -0000

Thanks for writing this draft for OAuth 2.0, David.
A couple of comments.

1. CLIENT SECRET
Client authentication needs to be independent of OAuth.
The Web Server Flow sends oauth_client_secret to the access token request endpoint along with other oauth_ parameters. This is a poor design.

Consider, for instance, a service that authenticates clients with TLS client certs. Such clients don't have a shared secret to put in the oauth_client_secret parameter so they cannot perform protocol in this OAuth 2 draft.
Even if client certs are rare, the issue is that there is no reason why client certs should prevent OAuth 2 from working.

Servers that can authenticate clients are likely to offer them various APIs in addition to the OAuth get-a-token calls. The same client authentication mechanism used for those calls should be reused for the get-a-token calls.

I suggest dropping the oauth_client_secret, perhaps adding text such as:
"Servers that require clients to be pre-registered may require this client request to be authenticated."


2. STATE
OAuth has various parameter that are used to carry state for another party in a message, which is helpful for building scalable systems. OAuth should avoid duplicating these fields or defining their semantics when they are opaque to the party carrying them. This will keep the protocol simpler, without losing any functionality.

oauth_client_state is unnecessary as it is always accompanied by oauth_callback_url that can encode the state directly. The examples could include, say, ...callback_url=http://client.example.com/cb%3Fstate=FSR63fs&oauth_mode=... to reflect likely cases. It is still simple to compare the callback to a pre-register value if required (eg compare suffix, or compare ignoring additional query params).

oauth_scope is unnecessary as it is server-specific and can be encoded directly in the server-specific URIs. A client with no server-specific knowledge has no way of using oauth_scope, which is a sign it is better omitted from the spec and left to specific servers when describing their access/authz URIs. I have no problems with a service saying its user authz URI is, say, http://example.com/authz?scope={all|blog}.


And a few minor issues:

3. If you want to return error params in the body of a 401 the important feature is setting Content-Type to application/x-www-form-urlencoded. This isn't mentioned in the text or example.

4. The Username and Password Flow has oauth_client_secret in the example but not in the expected list of parameters.

5. Just call it TLS (not TLS/SSL).


-- 
James Manger

v2.23.0 | Report a Bug | By Email