Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Breno de Medeiros <breno@google.com> Thu, 15 March 2012 19:30 UTC
Return-Path: <breno@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50D7621F84E4 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 12:30:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.92
X-Spam-Level:
X-Spam-Status: No, score=-101.92 tagged_above=-999 required=5 tests=[AWL=-0.757, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, SARE_UNN=1.814, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syR3aSNwdMB9 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6B23E21F8503 for <oauth@ietf.org>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
Received: by iazz13 with SMTP id z13so4987716iaz.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=UZK3pVmBNkSeyey+YfvjrwKfBVg7a+RMYhmKEacVvgA=; b=JmcjUxEsvXN/MhcoVPCtNg97dHmjxfdKi6+z7Pev9B1AzMWbR7KlXXE075uC1DA2x/ VV8mWBQIMHRCIfZeWc4a0LDZm5koriak63hOzTnUppQeGZCtAPaI2cO3MYtB8ZvmBVq0 EawPQhm+whnnx3ZgWPl2g1bG94NcwMlJIvrM5h85kqhEe+r2S/zEAZBRG3FYjmdt1A+i D4bYF+eXf/RxCc+fuDjHioDnpjN08UTBFXJk2PLToh08dh41uMryEIosb8gR3cLP3Mfa ZPyA2ARqlQIz2W7e4PqAtnn0eF8F37gRE2CVhJSF3k9ytJlhW9I4LUVwWDfU/7ZhoDtg iaoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=UZK3pVmBNkSeyey+YfvjrwKfBVg7a+RMYhmKEacVvgA=; b=MgWmTdNpcx5HXr/5vEDEqoDKedje4Ed2LzPBJPILuv0bZbAh3gfLpM30RV5ulmfzwZ S5WCwrjcmeOyHiZreeLPjMEJpkcgebRuMay04tz+9IIq0tX9v3jPzcW8Z+4i4hhTYU+9 ULhH1NL/zdcwI/r7GkM1eSI2uQqqu+BwcKjUAHCDWPOxs7BPKiWvtbIf4IwrG4dyGIh2 IFlmsDGBa5SPfzf5Hx3HlW2e0asJU4pZ0dFVOSCc2ICtFU4hF2d34nBhtaZt0GUeQizF hmPRcfeZZwLOMj5U3j1x+q02DO52/9SN4VTUe8P4fZyD3jVmVJiLpg9LbeUtM2M8wXZR ml1Q==
Received: by 10.50.207.5 with SMTP id ls5mr10777482igc.51.1331839805042; Thu, 15 Mar 2012 12:30:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.207.5 with SMTP id ls5mr10777429igc.51.1331839804002; Thu, 15 Mar 2012 12:30:04 -0700 (PDT)
Received: by 10.231.41.137 with HTTP; Thu, 15 Mar 2012 12:30:03 -0700 (PDT)
In-Reply-To: <CB878C9B.16532%eran@hueniverse.com>
References: <CAAJ++qF_YZFZZNqNrQzT0SYD06SMaAGo8rvmtYLHw+SFoq4iKA@mail.gmail.com> <CB878C9B.16532%eran@hueniverse.com>
Date: Thu, 15 Mar 2012 12:30:03 -0700
Message-ID: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQkZLMyqsnE8zeXHyPbMiEuZN0GZ1os/XAPvtHD1jtNaWsIQdaduOxJ2Lv4U+PiU4qkJQfYqnUldlZ7P8EPRqLfKhsyS+YESCX9SOERYZMGWTUOBs69SnYA0xIJGbfCOBJC/094y
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 19:30:06 -0000
I am proposing the entire removal of: "A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential server-based component and a public browser-based component), MUST register each component separately as a different client to ensure proper handling by the authorization server." In particular the example of a server-side component versus browser-based components is particularly unhelpful since it violates the entire principle of why two response_type 'code' and 'token' were defined, and how OAuth2 is typically implemented. That's when I claim this normative language is redefining the protocol. On Thu, Mar 15, 2012 at 12:13, Eran Hammer <eran@hueniverse.com> wrote: > Which text in -25 are you proposing we remove exactly? I can't judge the > text below without the full context of where and how it is proposed in the > current document. > > Also, you are ignoring my detailed analysis of the current facts. We have > two client types and the issue here is what to do with other, undefined > types. > > EH > > > On 3/15/12 11:54 AM, "Breno de Medeiros" <breno@google.com> wrote: > >>My proposal is to remove any reference to registration (which is a red >>herring and has raised all the problems we refer here) and refer to >>client authentication instead. >> >>Proposal: >> >>"Clients may be implemented as a distributed set of components that >>run in different security contexts. For instance, a single client may >>include a webserver component and a script component in a browser. It >>is not appropriate for the different components to utilize the same >>client authentication mechanisms, since client authentication >>credentials that are held securely in one context cannot be deployed >>securely in another. >> >>Servers MUST mitigate security threats from client components that >>cannot hold client credentials as securely by distinguishing them from >>client components that can. Example of suitable measures are: >> >>- Requiring separate registration of components such as web server and >>a mobile application. >>- Restricting the time validity of tokens issued to clients that hold >>no authentication credentials, such as browser script-based >>components." >> >>Please don't truncate explanations in the interest of space if the >>resulting text is confusing and possibly misleading. Better to say >>nothing instead. >> >>On Thu, Mar 15, 2012 at 11:32, Eran Hammer <eran@hueniverse.com> wrote: >>> Here are the facts: >>> >>> The authorization server must know the client type in order to enforce >>>many >>> of the requirements in the specification. >>> The requirement to provide a client type is not decorated with a MUST or >>> SHALL but that is implied. >>> The specification only defines two client types: public and >>>confidential. >>> There is no client type defined for a hybrid client. >>> The specification needs to address the very common use case of clients >>>with >>> both public and private components. >>> >>> I don't want to discuss in the specification how client identifiers are >>> provisioned, nor do I want to discuss the potential binding of response >>> types to client types. But we do need to provide some guidance to >>>clients >>> and authorization servers what to do with clients that do not fit the >>> current type definitions. >>> >>> It is far too late for us to define a new client type, along with all >>>the >>> security considerations that such type imply. Our entire security >>> consideration section and protocol design are based on have a well >>>defined >>> client type. >>> >>> Requiring separate registration for each component is the most >>> straight-forward solution. Allowing the authorization server to offer >>> alternatives is the backdoor to enable extensibility. >>> >>> Within these constraints, I am open to other prose or creative >>>solutions. >>> But the add-ons proposed are all ugly hacks. They clarify specific >>>questions >>> raised which I do not believe represent the core confusion here which is >>> what is the right way to handle hybrid clients. >>> >>> The best way to move forward is to take a minute and ask the group to >>>share >>> how they handle such cases or how they think they should be handled. >>>Based >>> on that we can come up with a clear solution. >>> >>> EH >>> >>> From: Breno de Medeiros <breno@google.com> >>> Date: Thu, 15 Mar 2012 09:56:13 -0700 >>> To: Eran Hammer-Lahav <eran@hueniverse.com> >>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG <oauth@ietf.org> >>> >>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >>> >>> >>> >>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer <eran@hueniverse.com> wrote: >>>> >>>> This add-on is unnecessary. It already says the authorization server >>>>can >>>> handle it any way it wants. The fact that other registration options >>>>are >>>> possible clearly covers the client identifier reuse case. As for the >>>> response type, that¹s not an issue but more of an optimization for an >>>>edge >>>> case raised. >>> >>> >>> It still feels like a horse by committee to me. "unless the >>> authorization server provides other registration options to specify such >>> complex clients." seems a very round about way to say that the core spec >>> already provides for such arrangements in the most common scenario. It >>>is a >>> bit of a stretch to say that the server provides "other registration >>> options" by simply following strategy already laid out in the spec. >>> >>> In particular, I feel that this wording will be harmful to register >>>extended >>> behavior, e.g., alternative response_types by leading to fruitless >>> conversations about spec compliance in the absence of real security >>>risks. >>> >>> I do not believe the current text is the best representation of the >>>spirit >>> in which the spec was written (in particular the effort to specify two >>>flows >>> in detail to deal with precisely this issue) and possibly lead to >>>harmful >>> future interpretation. >>> >>>> >>>> >>>> >>>> EH >>>> >>>> >>>> >>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >>>>Of >>>> Nat Sakimura >>>> Sent: Thursday, March 15, 2012 2:04 AM >>>> To: Breno de Medeiros; OAuth WG >>>> >>>> >>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >>>> >>>> >>>> >>>> >>>> >>>> So, Eran's first proposal: >>>> >>>> >>>> >>>> A client application consisting of multiple components, each with its >>>> own client type (e.g. a distributed client with both a confidential >>>> server-based component and a public browser-based component), MUST >>>> register each component separately as a different client to ensure >>>> >>>> proper handling by the authorization server, unless the authorization >>>> server provides other registration options to specify such complex >>>> clients. >>>> >>>> >>>> >>>> kind of meets my concern. There seems to be another issue around the >>>> usefulness of return_type in such case raised by Breno, and if I >>>>understand >>>> it correctly, Eran's answer was that these separate components may >>>>have the >>>> same client_id so that return_type is a valid parameter to be sent at >>>>the >>>> request. >>>> >>>> >>>> >>>> So, to clarify these, perhaps changing the above text slightly to the >>>> following solves the problem? >>>> >>>> >>>> >>>> A client application consisting of multiple components, each with its >>>> own client type (e.g. a distributed client with both a confidential >>>> server-based component and a public browser-based component), MUST >>>> register each component separately as a different client to ensure >>>> >>>> proper handling by the authorization server, unless the authorization >>>> server provides other registration options to specify such complex >>>> clients. >>>> >>>> Each component MAY have the same client_id, in which case the server >>>> >>>> judges the client type and the associated security context based on >>>> the response_type parameter in the request. >>>> >>>> >>>> >>>> Would it solve your problem, Breno? >>>> >>>> >>>> >>>> Best, >>>> >>>> >>>> >>>> =nat >>>> >>>> >>> >>> >>> >>> >>> -- >>> --Breno >> >> >> >>-- >>--Breno > -- --Breno
- [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. … Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Richer, Justin P.
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley