Re: [OAUTH-WG] Suggested enhancement of the OAuth Device Flow

Justin Richer <jricher@mit.edu> Fri, 07 July 2017 11:55 UTC

To: oauth@ietf.org
References: <mailman.73.1499367624.15598.oauth@ietf.org> <86D2DFE8-DBAC-4B78-B471-07E246185E5F@iwelcome.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <71e43e3c-2bd3-d706-2c82-6020de8ff881@mit.edu>
Date: Fri, 07 Jul 2017 07:54:13 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_fSLdZnmljIxuaXbrNS1TKrGJL0>

I proposed this exact thing many years ago:

https://tools.ietf.org/html/draft-richer-oauth-instance-00

At the time there wasn't very much interest in it, as people were 
looking at using Dynamic Registration, with its attendant unique client 
IDs, to solve that same problem.

  -- Justin


On 7/7/2017 2:33 AM, Jaap Francke wrote:
> Hi all,
>
> Recently we were working with one of our customers to implement the device flow as part of our IDaaS.
> One of the requirements was the ability to revoke tokens for one of the devices at the Resource Server.
>
> In our use case, we used the terminology ‘pairing a device to the end user’s account’ to describe the process of authorising a device to access the resource owner’s resources.
> The resource owner may want to ‘unpair’ a device from a list of paired devices without having access to the device itself (anymore). Think about a stolen/lost kind of situation.
> We are looking for ways to allow the user to unpair one of his devices at the Authorisation Server.
> Since the Device Flow exchanges only the ‘generic’ client_id with the Authorisation Server, there is no logical way at the Resource Server to make a distinction between various devices (having the same client_id) that may be paired to the same Resource Owner.
>
> My suggestion is the following:
> - add an optional parameter to the device authorisation request (or device access token request): 'device_identifier'. A device can use this to make (for example) its serial number known at the Resource Server.
> - add an optional parameter to the device access token response that allows communicating a name for the device, as may have been given to it by the resource owner while allowing the client access (E). This parameter could be something like ‘device_name’. The device may be able to display this ‘device_name’ on its display.
>
> Please consider this as a suggested enhancement of the Device Flow specifications.
>
> Kind regards,
>
> Jaap Francke
> Product Manager, iWelcome
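The following is an added illustration of the proposal in Jaap's message, not code from the thread, from iWelcome, or from any OAuth draft: an in-memory model of an authorisation server in which many devices share one client_id, each pairing is recorded separately using the proposed optional 'device_identifier' parameter, the token response carries the proposed 'device_name', and the resource owner can unpair (revoke) one device without having the device in hand. Only the two parameter names come from the message; the class, method names, storage layout, token format, the 'tv-app' client_id and the introspection shape are assumptions made for this example.

```python
"""Model of the device_identifier / device_name proposal (example only).

Assumptions: one AuthorizationServer object plays both the AS and the
revocation/introspection endpoint; tokens are random opaque strings held in
memory; 'tv-app' is a constructed, pre-registered client_id shared by every
device of that product line.
"""
import secrets


class AuthorizationServer:
    def __init__(self):
        self.pending = {}          # device_code -> pending device authorisation
        self.pairings = {}         # access_token -> pairing record
        self.clients = {"tv-app"}  # registered client_ids (constructed)

    def device_authorization(self, client_id, scope, device_identifier=None):
        """Device Authorization Request. device_identifier is the proposed
        optional parameter (e.g. a serial number) that lets the AS tell apart
        devices that present the same client_id. It is self-asserted by the
        device, so it is stored only as a label, never used to authenticate."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope,
            "device_identifier": device_identifier, "user_code": user_code,
            "approved_by": None, "device_name": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device", "expires_in": 600}

    def approve(self, user_code, resource_owner, device_name):
        """Step (E): the resource owner types the user_code on another device
        and, under this proposal, names the pairing (e.g. 'Living room TV')."""
        for req in self.pending.values():
            if req["user_code"] == user_code and req["approved_by"] is None:
                req["approved_by"] = resource_owner
                req["device_name"] = device_name
                return True
        return False

    def token(self, client_id, device_code):
        """Device Access Token Request. A successful response carries the
        proposed optional device_name so the device can display it."""
        req = self.pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if req["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]          # device_code is single use
        access_token = secrets.token_urlsafe(32)
        self.pairings[access_token] = {
            "client_id": client_id, "scope": req["scope"],
            "resource_owner": req["approved_by"],
            "device_identifier": req["device_identifier"],
            "device_name": req["device_name"], "revoked": False,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "device_name": req["device_name"]}

    def list_devices(self, resource_owner):
        """The owner's 'paired devices' page: (identifier, name) of live pairings."""
        return [(p["device_identifier"], p["device_name"])
                for p in self.pairings.values()
                if p["resource_owner"] == resource_owner and not p["revoked"]]

    def unpair(self, resource_owner, device_identifier):
        """Lost/stolen case: revoke every live token of one of the owner's
        devices without needing access to the device. Returns the count."""
        revoked = 0
        for p in self.pairings.values():
            if (p["resource_owner"] == resource_owner
                    and p["device_identifier"] == device_identifier
                    and not p["revoked"]):
                p["revoked"] = True
                revoked += 1
        return revoked

    def introspect(self, access_token):
        """What the Resource Server asks before serving a request (RFC 7662
        style response; the device_identifier member is this example's own)."""
        p = self.pairings.get(access_token)
        if p is None or p["revoked"]:
            return {"active": False}
        return {"active": True, "client_id": p["client_id"], "scope": p["scope"],
                "sub": p["resource_owner"], "device_identifier": p["device_identifier"]}
```

Because the identifier is asserted by the device itself, the only thing the AS gains from it is the ability to distinguish pairings under one client_id; whether unpairing actually stops a lost device depends on the Resource Server checking revocation (introspection as above, or tokens short-lived enough that a withheld refresh ends access), not on the identifier.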