[OAUTH-WG] Re: First party apps review notes
Dean Saxe <dean.saxe@beyondidentity.com> Tue, 12 November 2024 14:30 UTC
Return-Path: <dean.saxe@beyondidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B8AFC151993 for <oauth@ietfa.amsl.com>; Tue, 12 Nov 2024 06:30:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=beyondidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sT8S_y-ilAto for <oauth@ietfa.amsl.com>; Tue, 12 Nov 2024 06:30:39 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0483C14F6F3 for <oauth@ietf.org>; Tue, 12 Nov 2024 06:30:39 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2fb57f97d75so54340081fa.2 for <oauth@ietf.org>; Tue, 12 Nov 2024 06:30:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beyondidentity.com; s=google-bid; t=1731421838; x=1732026638; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=tYMtQMkhPWA0flsR9pHqf8gWBkVeBqmP2wLnVL7HcnI=; b=Si2xw5V5z3BsrvaLji2CcSvJEIKR+4rUWVWZwdnqW3ZP3vBmbloCpIHDQ9+Z50omyC D8R+pWRvJ+FKC86I0i+MKDDRZingrKGsJ8wibh1TqMz/vNEOBHZ2vusR64I6muqqNKKj B3qoLek0aYzrZhkz1qav2Itmo6Qnln/F144BZ40BmQ8UNJz0RQ0UtByTyeA9Mhqbg8w2 Uaxy+hG0x/XS9twFr8aITfWEyDPQcLL3VIAVE/XVE9yENBwCztZe/izpjjHQkLgpI7UY 8cGiilObqm0ngt+yXF5BztiYZXI+vg5Lfpwjrwv4AeoPAoox5vdCc6yAkKdF+OkrB+xQ L1qQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731421838; x=1732026638; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tYMtQMkhPWA0flsR9pHqf8gWBkVeBqmP2wLnVL7HcnI=; b=G7Mtlp0YOUDb/45IOG1+x+oMeIvRh2LysInawTEMDPeqDpu2nhQccz31auJTRFGGTw rxQ6uoICzwwguKWV8K8dUbjI5SYPjmhaT7y0rc06Zwxv21UUx5K6/mvBD+Jqo6M2fSV5 BHhSphVsB2pymeKV32lvrY+frvCd7ygiAEePHdaXkuBCDFwLtzVIDjgpnhJh1cvnlK5H 0vKVQph7Fvbu5Euy0FQJEVaY5wiup0zje92TzvlzUPX4aYRyKLp+FLBiWPn0rA4EKN65 OwRO5Slilu5KWVP6ttGmwARn/puXypGnOtUvDK0VJTEVAkaJHkNBKNABWyMrSDK85wsv hmKA==
X-Gm-Message-State: AOJu0YzwDgbqyoS2rAjppzoDRQ/gnXMFBPweRvxf4D1bo18+RNAK546L K/fG+2R0qcxmL0+pnLAdSnUlLxMwFmncwmGiFmeDMmAZ5+COoTbfT9ksaPEQWSAeEnyzeu5Yyi/ qAGHXN5fIq0m9olIAjaeQvVLqxN9hHyuqXtCCpAax46GzGnnGaOI=
X-Google-Smtp-Source: AGHT+IFZ9Yoo4AYWdwW+SPR/6QlGEqAp/3bgc3xqBe1JL20UpMLgXaDXS2c7cUctGBM1tNfIoCLBtgRDf88UnR1cils=
X-Received: by 2002:a2e:a551:0:b0:2fb:4b40:1e18 with SMTP id 38308e7fff4ca-2ff2016fc88mr74856531fa.13.1731421837671; Tue, 12 Nov 2024 06:30:37 -0800 (PST)
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Tue, 12 Nov 2024 09:30:37 -0500
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Tue, 12 Nov 2024 09:30:35 -0500
MIME-Version: 1.0 (Mimestream 1.4.1)
References: <CALH0CC1t_Yo0c6xSDFmaA+aED-RVSKfHK4=+fwEQtXoeri=hYg@mail.gmail.com>
In-Reply-To: <CALH0CC1t_Yo0c6xSDFmaA+aED-RVSKfHK4=+fwEQtXoeri=hYg@mail.gmail.com>
From: Dean Saxe <dean.saxe@beyondidentity.com>
Date: Tue, 12 Nov 2024 09:30:37 -0500
Message-ID: <CALH0CC1XOJ=AhErZaCTyudPKs=qj_RXz6jauhaN+DVbziDcWcw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000975bba0626b80fc4"
Message-ID-Hash: OSGOH46C3DROEM5FDUT4A26OPUY4MZMV
X-Message-ID-Hash: OSGOH46C3DROEM5FDUT4A26OPUY4MZMV
X-MailFrom: dean.saxe@beyondidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: First party apps review notes
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZxBHdFbEL75vSLLxwnt-Qv8b8O0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
This morning I opened issues 114 - 124 to cover the items below. https://github.com/oauth-wg/oauth-first-party-apps/issues -dhs -- Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> Principal Engineer Office of the CTO Beyond Identity dean.saxe@beyondidentity.com On Nov 6, 2024 at 11:40:43 AM, Dean Saxe <dean.saxe@beyondidentity.com> wrote: > Following the discussion at the second OAuth WG meeting at IETF121, I > reviewed draft-parecki-oauth-first-party-apps-02. (N.B. This was the doc I > had on my Kindle when I started the review. Aaron confirmed that the doc > is the same as draft-ietf-oauth-first-party-apps-00, the latest doc just > represents a naming change.) > > I have a few comments on the draft below. I will file issues/PRs in > GitHub for any comments that warrant an issue or PR (though it may take me > a few days…). > > > - The draft notes multiple times that the new endpoint and the > protocol are only for first party apps and not third party apps, yet in 1.1 > it states, “[…] the authorization server SHOULD take measures to prevent > use by third party applications.” I believe the SHOULD should be changed > to a MUST. > - Sections 3.2 and 3.3 both use the language “re-authorization of the > user is required” when the AS responds with an error to presentation of a > refresh token (3.2) or the RS requires step up per RFC9470 (3.3). In both > of these cases, re-authorization is required, however, I believe that the > requirement is actually re-authentication of the user in order to > re-authorize them. I suggest changing both instances to re-authorization. > - Section 4.1 identifies that it is out of scope to define how to > handle a parameter that has no meaning in this use cases. The draft can be > more explicit and state that these parameters MAY be ignored since they are > irrelavant. > - 5.2.2 defines an error_uri. This seems unnecessary - and is defined > as optional - since this is only usable by first party apps. This can be > removed from the draft since first party app developers will have no need > for this data. > - 5.3.1 specifies the auth_session as a random string or JWE. The > draft should specify the minimum length of this random string, e.g. >16 > bytes, to avoid collisions. > - 5.3.1 mandates the auth_session is bound to the device, yet offers > no guidance on how to do so. > - 6.1 states that the token endpoint response MAY include the auth_session > parameter. This is required for messages returned from the AS, I am > unclear why it is not required when a token endpoint response is returned. > 6.2 has the same issue. > - 9.1 explicitly states that the draft is not prescriptive about how > the “first partyness” of the app is determined. Given the risk of the use > of third party apps with this protocol, the draft should aim to be > prescriptive regarding how “first partyness” is assessed. Similarly, the > draft should be more direct in the text that SPAs SHOULD NOT be used as > first party apps due to the challenges they present. 9.8 identifies SPAs at > NOT RECOMMENDED. > - Appendix A.1 step 4, the user is prompted for their activation > secret before the client can sign the challenge. > - Appendix A.1 step 4 change “platform authenticator” to “passkey”. > The passkey may reside in a platform authenticator, a first or third party > passkey provider, or on a hardware key. > > > I hope the authors find these comments helpful. > -dhs > > -- > Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> > Principal Engineer > Office of the CTO > Beyond Identity > dean.saxe@beyondidentity.com > > >
- [OAUTH-WG] First party apps review notes Dean Saxe
- [OAUTH-WG] Re: First party apps review notes Dean Saxe