Re: [OAUTH-WG] Review of Device Flow Draft
William Denniss <wdenniss@google.com> Thu, 20 July 2017 17:55 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C217D12F3CB for <oauth@ietfa.amsl.com>; Thu, 20 Jul 2017 10:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 21CvQ35OkgoO for <oauth@ietfa.amsl.com>; Thu, 20 Jul 2017 10:55:12 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63720131D24 for <oauth@ietf.org>; Thu, 20 Jul 2017 10:55:12 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id t2so14099327qkc.1 for <oauth@ietf.org>; Thu, 20 Jul 2017 10:55:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=QThHdUd9vjYajovgWQGrhNYv+63+nwDaXVB5vuv3TL8=; b=p2PHmTLOVPRkGulc/MVQBsFpPZsX+46WvRttwi6PZLW9Ffo8RZ6vhLHpTdsWvxZwzA 9e+V+T6qCnLQJpIJ6XDeN8VCUa8ylvnCNN25za5xjG5hjWFp0J7Q2hZQlUeOeA1jyan0 touUAIxpBXU1YWjOQ+ux0pzVtNO0M7bFDG/VZnBl9txkYYl8s5xSho2ym1DCCXd8YMLE IAqwMeWl4mRDAxkwBeUHPo95kVbkkNpBTI3JPDtTWTk+Jx5PIQ2ojsx/++GuXYtpCsk0 NP/RXbd1gLB7eRyYl39TtirUmkKYMA1u/rzjpULwjOMfZuWb6krEx9/xjq9B2xucA5Sd qI5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=QThHdUd9vjYajovgWQGrhNYv+63+nwDaXVB5vuv3TL8=; b=O6OEApggftyB1RC3xHa2P0W2lxmkwLmUOHsLVp/4nJ67RbC6zXLX6HraxWgMYsqYpm SXruxxCVb6kRWPlVEpUYknHMr+duP6veIog+a4EIux1QV4b5pvpdkiOA0UVbFGO1nHkh XjaOtvq9dF0SGsCyBzhPccAjfURU7l/J3VsKFYK26Mi+2X751PbsLUfMqSaOXpX1sOre xxQkn3PkwfXSqTUXJwo4T5HPrUAjgvIpVHfAcryfCu1XUuEn+AJOOwqAmS5dmg0IR1Wk /Phg1zgvAT7qwZbCnZYqUo7ex5taQ7o+phtoXdgTIW92pPHvSQqegxWwc5onM0b1oQAr 8Fag==
X-Gm-Message-State: AIVw110sb16BRVuWBfQ41ogs8giAcBDRV/YgWIR8hH0IpV9ktGZM99wE fhAr0iV0+aTd5U5dnS9Bhx4rOkzpaAYR
X-Received: by 10.55.156.134 with SMTP id f128mr5659590qke.184.1500573311189; Thu, 20 Jul 2017 10:55:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.18.144 with HTTP; Thu, 20 Jul 2017 10:54:50 -0700 (PDT)
In-Reply-To: <D458A46E-2E08-45EF-BE1B-26BBD22F152A@mit.edu>
References: <D458A46E-2E08-45EF-BE1B-26BBD22F152A@mit.edu>
From: William Denniss <wdenniss@google.com>
Date: Thu, 20 Jul 2017 18:54:50 +0100
Message-ID: <CAAP42hAcB+ZO6fErf=YAeamtfW=gQtvWEe4AArguM6GqGDQisw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05dbae2cb99e0554c373ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YXDQbddXFiHrcaQpTOt4FCrSoao>
Subject: Re: [OAUTH-WG] Review of Device Flow Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 17:55:21 -0000
Thank you for the review Justin. - §3.3¶3 as mentioned above, the polling could be continuous (timer-based) > or in reaction to a user action at the device. There are no protocol > differences and the AS shouldn’t do try and inform the user, but we can at > least mention that in our description of polling. +1 and I will highlight this in the IETF99 review. - §3.3.1 I still think this optimized all-in-one URI should be a separate > parameter from the AS so as not to conflate it with the “plain” > verification URI. This would allow for all-in-one URLs that differ significantly from the current composite ones, is that why you're suggesting this? (if so: to solve what use-case?) What benefits do you see in this alternative approach? I think generally it's seen as bad form to repeat information, so keen to here why you think this is the case. Are you dialing in to the WG meeting tomorrow? Other than those two topics, the rest seem pretty uncontentious, I will review and action as appropriate before the next draft. Please call out any other items in this list that you feel warrant group discussion at IETF99. William On Thu, Jul 6, 2017 at 7:48 PM, Justin Richer <jricher@mit.edu> wrote: > Finally had a chance to review the device flow draft in earnest. Overall > it’s really great, and we’ve implemented it in a few places (see my recent > post on one interesting use case). Just a few notes: > > - use of “flow” has largely been replaced by “authorization grant” in > other documents and we should be consistent here > - use of “end-user” has been replaced by “resource owner” in other > documents and we should be consistent here > - “input constrained” should be “input-constrained” as used in the title, > abstract, and introduction. > - §1¶3 could be rewritten to a bulleted list of requirements instead for > readability > - §1¶4 could add something to address recent discussion on the list: > “While this polling is usually automatic and repeated on a regularly timed > basis, the client could poll based on user action with the device such as a > button press.” > - §1 diagram (D) should state that the user is prompted to enter the user > code given in (C) and that the user does so — leaving it out is an > optimization (see below) and the likely exception > - §2 should probably be §1.1, or move the protocol flow to §1.1 and make > §2 into §1.2 > - §2 should import all terms used from 6749/6750 explicitly > - §2 should we define “secondary device” once at the top instead of the > parenthetical definition used throughout? > - §3.1¶1 Wording is awkward with double “by” phrases, suggest: “The client > initiates the authorization grant request by making an HTTP POST request to > the device authorization endpoint.” > - §3.2 add xref to JSON (7159), response is a JSON object with the > following members (not parameters) > - §3.2 is there any requirement for the verification_uri to be over HTTPS? > I can’t see any discussion of this anywhere and it should probably at least > be in the security considerations, if not an outright requirement. We say > that authentication is done in a tls-protected session in §3.3 but we don’t > say anything about the actual URL or the page in which the user enters the > code. > - §3.3¶3 as mentioned above, the polling could be continuous (timer-based) > or in reaction to a user action at the device. There are no protocol > differences and the AS shouldn’t do try and inform the user, but we can at > least mention that in our description of polling. > - §3.3.1 I still think this optimized all-in-one URI should be a separate > parameter from the AS so as not to conflate it with the “plain” > verification URI. > - §3.4¶3 instead of “based on the error code in the response” perhaps > “until the authorization server indicates the device code has expired or > was cancelled.” — I’m less sure about the wording here but as written it > feels awkward. > - §3.5 I agree with the point made on the list about the error code, > “access_denied” would fit this bill but right now it’s only specified on > authorization endpoint response, so let’s add its use to the token response > here > - §3.5¶4 says to return “invalid_grant” if the codes are expired, but in > the same section it says to use “expired_code”. > - §3.5¶5 the interval between polls SHOULD be at least the “interval” > value. Also, it MUST be greater than zero … William … > - §5.2 “user’s session and device”, use of “device” here is confusing > since this is the “device” flow. Maybe explicitly call out this as the > “secondary device” > - §5.5 extra “or” in list in final sentence > > > — Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Review of Device Flow Draft Justin Richer
- Re: [OAUTH-WG] Review of Device Flow Draft William Denniss
- Re: [OAUTH-WG] Review of Device Flow Draft Justin Richer