IETF Logo Mail Archive

Re: [OAUTH-WG] Client authentication requirement

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 15 June 2011 19:58 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C70211E812B for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 12:58:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.375
X-Spam-Level:
X-Spam-Status: No, score=-2.375 tagged_above=-999 required=5 tests=[AWL=-0.077, BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18aVQc-bkh2C for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 12:58:40 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id E521D11E810D for <oauth@ietf.org>; Wed, 15 Jun 2011 12:58:39 -0700 (PDT)
Received: (qmail 12191 invoked from network); 15 Jun 2011 19:58:39 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Jun 2011 19:58:39 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Wed, 15 Jun 2011 12:58:32 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 15 Jun 2011 12:58:12 -0700
Thread-Topic: [OAUTH-WG] Client authentication requirement
Thread-Index: AcwrjLxzhu8fFwX2TWaTKnjGz12sjAACLsOw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234475E986B88@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234475E986AF7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTi=EAr2oH9JAX4gaEgRqbS-jeU4N-g@mail.gmail.com>
In-Reply-To: <BANLkTi=EAr2oH9JAX4gaEgRqbS-jeU4N-g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234475E986B88P3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client authentication requirement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 19:58:42 -0000

Well, that's where this is coming from...

Client registration needs to be defined, and it should be specific about the requirements for clients capable of authentication vs. not, as well as the redirection URI registration requirements for using the implicit grant type (see other message).

We need to be clear about the value of client authentication, and what does it enables us to do.

The only value I know of for client authentication is when using an authorization code, it prevents others from stealing the code and using it. This enables the authorization server to present information about the client to the user with more confidence which helps the user make better decisions.

But I have no idea why we need client authentication for using a refresh token?

I can see the value of using client authentication with the username/password grant type, to restrict most clients from being allowed to use this flow, but at the same time, the most likely clients to use this grant type are those who cannot authentication (native applications).

This is goo.

EHL



From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Wednesday, June 15, 2011 11:47 AM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Client authentication requirement

Also seems this is related to the topic of native/mobile clients.  As I understand it, native apps using the authorization code grant/flow have been the primary motivator for keeping client authentication optional.  Anonymous client have come up too.


On Wed, Jun 15, 2011 at 11:26 AM, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:
Client authentication has been one of the main problem areas in OAuth 1.0 and 2.0 does nothing to resolve it (arguably, it makes it more confusing).

Because of the desire to allow any client type in any deployment environment, we ended up with a barely defined client authentication model. We offer password-based client authentication using HTTP Basic (and an alternative parameter), but leave it optional.

It has been suggested that by doing so, we have made the protocol security hard to define and harder to implement properly. The document was written largely with the requirement to use client authentication with any request to the access token endpoint. However, it does allow unauthenticated requests in section 3.

Are there any other client properties than the client's ability to authenticate with regards to security?

We have one grant type without client authentication (implicit), two with optional authentication (authorization code and username/password), and one with required authentication (client credentials).

I would like to go back to requiring client authentication for the access token endpoint, using HTTP Basic or other schemes. To leave the door open for clients incapable of authenticating to use the endpoint, we will add a security consideration section discussing the ramifications of using the access token endpoint without client authentication.

This suggestions is linked to the topic of refresh tokens which I'll post separately.

EHL


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email