IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Breno de Medeiros <breno@google.com> Thu, 15 March 2012 19:30 UTC

Return-Path: <breno@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50D7621F84E4 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 12:30:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.92
X-Spam-Level:
X-Spam-Status: No, score=-101.92 tagged_above=-999 required=5 tests=[AWL=-0.757, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, SARE_UNN=1.814, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syR3aSNwdMB9 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6B23E21F8503 for <oauth@ietf.org>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
Received: by iazz13 with SMTP id z13so4987716iaz.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=UZK3pVmBNkSeyey+YfvjrwKfBVg7a+RMYhmKEacVvgA=; b=JmcjUxEsvXN/MhcoVPCtNg97dHmjxfdKi6+z7Pev9B1AzMWbR7KlXXE075uC1DA2x/ VV8mWBQIMHRCIfZeWc4a0LDZm5koriak63hOzTnUppQeGZCtAPaI2cO3MYtB8ZvmBVq0 EawPQhm+whnnx3ZgWPl2g1bG94NcwMlJIvrM5h85kqhEe+r2S/zEAZBRG3FYjmdt1A+i D4bYF+eXf/RxCc+fuDjHioDnpjN08UTBFXJk2PLToh08dh41uMryEIosb8gR3cLP3Mfa ZPyA2ARqlQIz2W7e4PqAtnn0eF8F37gRE2CVhJSF3k9ytJlhW9I4LUVwWDfU/7ZhoDtg iaoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=UZK3pVmBNkSeyey+YfvjrwKfBVg7a+RMYhmKEacVvgA=; b=MgWmTdNpcx5HXr/5vEDEqoDKedje4Ed2LzPBJPILuv0bZbAh3gfLpM30RV5ulmfzwZ S5WCwrjcmeOyHiZreeLPjMEJpkcgebRuMay04tz+9IIq0tX9v3jPzcW8Z+4i4hhTYU+9 ULhH1NL/zdcwI/r7GkM1eSI2uQqqu+BwcKjUAHCDWPOxs7BPKiWvtbIf4IwrG4dyGIh2 IFlmsDGBa5SPfzf5Hx3HlW2e0asJU4pZ0dFVOSCc2ICtFU4hF2d34nBhtaZt0GUeQizF hmPRcfeZZwLOMj5U3j1x+q02DO52/9SN4VTUe8P4fZyD3jVmVJiLpg9LbeUtM2M8wXZR ml1Q==
Received: by 10.50.207.5 with SMTP id ls5mr10777482igc.51.1331839805042; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.207.5 with SMTP id ls5mr10777429igc.51.1331839804002; Thu, 15 Mar 2012 12:30:04 -0700 (PDT)
Received: by 10.231.41.137 with HTTP; Thu, 15 Mar 2012 12:30:03 -0700 (PDT)
In-Reply-To: <CB878C9B.16532%eran@hueniverse.com>
References: <CAAJ++qF_YZFZZNqNrQzT0SYD06SMaAGo8rvmtYLHw+SFoq4iKA@mail.gmail.com> <CB878C9B.16532%eran@hueniverse.com>
Date: Thu, 15 Mar 2012 12:30:03 -0700
Message-ID: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQkZLMyqsnE8zeXHyPbMiEuZN0GZ1os/XAPvtHD1jtNaWsIQdaduOxJ2Lv4U+PiU4qkJQfYqnUldlZ7P8EPRqLfKhsyS+YESCX9SOERYZMGWTUOBs69SnYA0xIJGbfCOBJC/094y
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 19:30:06 -0000

I am proposing the entire removal of:

"A client application consisting of multiple components, each with its
own client type (e.g. a distributed client with both a confidential
server-based component and a public browser-based component), MUST
register each component separately as a different client to ensure
proper handling by the authorization server."

In particular the example of a server-side component versus
browser-based components is particularly unhelpful since it violates
the entire principle of why two response_type 'code' and 'token' were
defined, and how OAuth2 is typically implemented. That's when I claim
this normative language is redefining the protocol.


On Thu, Mar 15, 2012 at 12:13, Eran Hammer <eran@hueniverse.com> wrote:
> Which text in -25 are you proposing we remove exactly? I can't judge the
> text below without the full context of where and how it is proposed in the
> current document.
>
> Also, you are ignoring my detailed analysis of the current facts. We have
> two client types and the issue here is what to do with other, undefined
> types.
>
> EH
>
>
> On 3/15/12 11:54 AM, "Breno de Medeiros" <breno@google.com> wrote:
>
>>My proposal is to remove any reference to registration (which is a red
>>herring and has raised all the problems we refer here) and refer to
>>client authentication instead.
>>
>>Proposal:
>>
>>"Clients may be implemented as a distributed set of components that
>>run in different security contexts. For instance, a single client may
>>include a webserver component and a script component in a browser. It
>>is not appropriate for the different components to utilize the same
>>client authentication mechanisms, since client authentication
>>credentials that are held securely in one context cannot be deployed
>>securely in another.
>>
>>Servers MUST mitigate security threats from client components that
>>cannot hold client credentials as securely by distinguishing them from
>>client components that can. Example of suitable measures are:
>>
>>- Requiring separate registration of components such as web server and
>>a mobile application.
>>- Restricting the time validity of tokens issued to clients that hold
>>no authentication credentials, such as browser script-based
>>components."
>>
>>Please don't truncate explanations in the interest of space if the
>>resulting text is confusing and possibly misleading. Better to say
>>nothing instead.
>>
>>On Thu, Mar 15, 2012 at 11:32, Eran Hammer <eran@hueniverse.com> wrote:
>>> Here are the facts:
>>>
>>> The authorization server must know the client type in order to enforce
>>>many
>>> of the requirements in the specification.
>>> The requirement to provide a client type is not decorated with a MUST or
>>> SHALL but that is implied.
>>> The specification only defines two client types: public and
>>>confidential.
>>> There is no client type defined for a hybrid client.
>>> The specification needs to address the very common use case of clients
>>>with
>>> both public and private components.
>>>
>>> I don't want to discuss in the specification how client identifiers are
>>> provisioned, nor do I want to discuss the potential binding of response
>>> types to client types. But we do need to provide some guidance to
>>>clients
>>> and authorization servers what to do with clients that do not fit the
>>> current type definitions.
>>>
>>> It is far too late for us to define a new client type, along with all
>>>the
>>> security considerations that such type imply. Our entire security
>>> consideration section and protocol design are based on have a well
>>>defined
>>> client type.
>>>
>>> Requiring separate registration for each component is the most
>>> straight-forward solution. Allowing the authorization server to offer
>>> alternatives is the backdoor to enable extensibility.
>>>
>>> Within these constraints, I am open to other prose or creative
>>>solutions.
>>> But the add-ons proposed are all ugly hacks. They clarify specific
>>>questions
>>> raised which I do not believe represent the core confusion here which is
>>> what is the right way to handle hybrid clients.
>>>
>>> The best way to move forward is to take a minute and ask the group to
>>>share
>>> how they handle such cases or how they think they should be handled.
>>>Based
>>> on that we can come up with a clear solution.
>>>
>>> EH
>>>
>>> From: Breno de Medeiros <breno@google.com>
>>> Date: Thu, 15 Mar 2012 09:56:13 -0700
>>> To: Eran Hammer-Lahav <eran@hueniverse.com>
>>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG <oauth@ietf.org>
>>>
>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>
>>>
>>>
>>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer <eran@hueniverse.com> wrote:
>>>>
>>>> This add-on is unnecessary. It already says the authorization server
>>>>can
>>>> handle it any way it wants. The fact that other registration options
>>>>are
>>>> possible clearly covers the client identifier reuse case. As for the
>>>> response type, that¹s not an issue but more of an optimization for an
>>>>edge
>>>> case raised.
>>>
>>>
>>> It still feels like a horse by committee to me. "unless the
>>> authorization server provides other registration options to specify such
>>> complex clients." seems a very round about way to say that the core spec
>>> already provides for such arrangements in the most common scenario. It
>>>is a
>>> bit of a stretch to say that the server provides "other registration
>>> options" by simply following strategy already laid out in the spec.
>>>
>>> In particular, I feel that this wording will be harmful to register
>>>extended
>>> behavior, e.g., alternative response_types by leading to fruitless
>>> conversations about spec compliance in the absence of real security
>>>risks.
>>>
>>> I do not believe the current text is the best representation of the
>>>spirit
>>> in which the spec was written (in particular the effort to specify two
>>>flows
>>> in detail to deal with precisely this issue) and possibly lead to
>>>harmful
>>> future interpretation.
>>>
>>>>
>>>>
>>>>
>>>> EH
>>>>
>>>>
>>>>
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>Of
>>>> Nat Sakimura
>>>> Sent: Thursday, March 15, 2012 2:04 AM
>>>> To: Breno de Medeiros; OAuth WG
>>>>
>>>>
>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> So, Eran's first proposal:
>>>>
>>>>
>>>>
>>>>   A client application consisting of multiple components, each with its
>>>>   own client type (e.g. a distributed client with both a confidential
>>>>   server-based component and a public browser-based component), MUST
>>>>   register each component separately as a different client to ensure
>>>>
>>>>   proper handling by the authorization server, unless the authorization
>>>>   server provides other registration options to specify such complex
>>>> clients.
>>>>
>>>>
>>>>
>>>> kind of meets my concern. There seems to be another issue around the
>>>> usefulness of return_type in such case raised by Breno, and if I
>>>>understand
>>>> it correctly, Eran's answer was that these separate components may
>>>>have the
>>>> same client_id so that return_type is a valid parameter to be sent at
>>>>the
>>>> request.
>>>>
>>>>
>>>>
>>>> So, to clarify these, perhaps changing the above text slightly to the
>>>> following solves the problem?
>>>>
>>>>
>>>>
>>>>   A client application consisting of multiple components, each with its
>>>>   own client type (e.g. a distributed client with both a confidential
>>>>   server-based component and a public browser-based component), MUST
>>>>   register each component separately as a different client to ensure
>>>>
>>>>   proper handling by the authorization server, unless the authorization
>>>>   server provides other registration options to specify such complex
>>>> clients.
>>>>
>>>>   Each component MAY have the same client_id, in which case the server
>>>>
>>>>   judges the client type and the associated security context  based on
>>>>   the response_type parameter in the request.
>>>>
>>>>
>>>>
>>>> Would it solve your problem, Breno?
>>>>
>>>>
>>>>
>>>> Best,
>>>>
>>>>
>>>>
>>>> =nat
>>>>
>>>>
>>>
>>>
>>>
>>>
>>> --
>>> --Breno
>>
>>
>>
>>--
>>--Breno
>



-- 
--Breno

v2.23.0 | Report a Bug | By Email