Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Brian Campbell <bcampbell@pingidentity.com> Mon, 11 October 2021 20:57 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E26B63A0BA3 for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 13:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4G4Uk87nZWf for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 13:57:00 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B3B43A0B9D for <oauth@ietf.org>; Mon, 11 Oct 2021 13:56:57 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id i24so76768274lfj.13 for <oauth@ietf.org>; Mon, 11 Oct 2021 13:56:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r0HPJRgkWTgKIZ7/pnTc9LVtNEq590nL/VUoPl5evK4=; b=XPtRW7/dSKXiGT5c3h9BU3bTXnH+Rl3+ml5wu9A9LDl5Gag3C+bDL3udcGL1zeemaz tGn76RvQKlWGCVmI3O9ub3OEigl6u7r1HP0z+OSxqWRhtFG5aFDxluMbTvv9glonXrR9 VRau9OYlp2jpIslu8A4OzCpudJ/d6TOwVDI4WiGMS/1b+XICa0D5NIGxUkNUgaM7C0Rl uyz+RLJHeRpll2HCjumrjX4YInbwcHo8QmM+7aCXfexZrmrnw6/5dfeyVUVOQ6HtS5fh X91XEZtvEM5fsJ52N1IomW5ptxbVt1qYwEPbFgQWdHwRJaTZYzb8uKAsDxBzxj2Wh722 Z6gA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r0HPJRgkWTgKIZ7/pnTc9LVtNEq590nL/VUoPl5evK4=; b=uRLJy/kok2lU/A3qayr8oztQn3Y/HIJ1knHrpnCJthV/t6ifbg5g47mZ8qh5CXl54c Nv3t0lZH8eFgg7nCQkqDN2tmJfhkQmBrmgix1oZyR76CP7OZ+W+tybd9EUO5XW8zesUG oUxRpZ1oX2fYTtciy2vivjlw7Z5xX1zatW20P+3ylYy114krvJTuOfZ/gSATkPDMZmrS VWZN6CQ/dY6NRiYcgSaWQalPmhBwpNw+wV5/Of5gJOjmQI0kXiMk63kInb9m+N2Owlr0 XeirtfHOav2GObz8FwnR6qa4+fvTa2Oz+zvornvL5/juqenSJeAF70+QbCckIVAjgOE7 oerA==
X-Gm-Message-State: AOAM531k5D5df4XcYxkcecnGUdqz5ejq3aPsgEpssV3EpXv5pkdv9jAw wfXUch3CDnZmhYjkLTwM6Kb1JH6uWswzXNlSMpPoCpMJh5beO6296AiGarnr7lKY+3em0bUsYaf ORXHj0WsMtlLjQw==
X-Google-Smtp-Source: ABdhPJw+KTNV8fXfI8gp1dgyBQYVQ96fcSlzEpFYtxITC32O8Je+iln53yoRO5n0ekH5UPx2IHbKEMOJaYh3sC8+xO0=
X-Received: by 2002:a2e:8957:: with SMTP id b23mr25693873ljk.239.1633985814999; Mon, 11 Oct 2021 13:56:54 -0700 (PDT)
MIME-Version: 1.0
References: <163347956410.26563.6262394233835671220@ietfa.amsl.com> <CAGBSGjryjQ3pnh+RnGnxqjCENgG-6td1JBSG4tV9VZfVSaKvnQ@mail.gmail.com> <CAFvbn=YisYSbu8sL+TLgRakJ52oA6TEQSJ8i_4+9qNNQ0b9bkA@mail.gmail.com> <CA+k3eCTsi37FGKwCdA4CJgJ3PFux8JJxV4aDk42X5p61a70qBQ@mail.gmail.com> <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com>
In-Reply-To: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 11 Oct 2021 14:56:27 -0600
Message-ID: <CA+k3eCSOig4HbZZetsmVU5hQXMjsrqTopeyfQ7-gMesyS5dgVA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Ash Narayanan <ashvinnarayanan@gmail.com>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000124d3005ce19f8b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aJSdhApeZGu72zylDhzLuiUjDAc>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2021 20:57:06 -0000
I understand that struggle and honestly really have no idea how to phrase it better. Maybe using words more like what you just described as the intent? And/or discuss this at the interim. Or... that particular bit of text could maybe just be removed... maybe? To me "identifying a client" evoked memories of the text in the last paragraph of https://datatracker.ietf.org/doc/html/rfc6749?#section-3.2.1 which talks about a client using the client_id request parameter to "identify itself"[***]. That text in 6749 has kinda formed a mental model for me where client identification (just with id) is weaker than client authentication (id + credential), which makes the "MUST NOT rely on credentialed client authentication for the purpose of identifying the client" text feel contradictory. Though when looking back at 6749 I notice that https://datatracker.ietf.org/doc/html/rfc6749?#section-2.3 has very similar text so maybe the contradiction is only in my mind. But I dunno - what would establishing an authentication method with a public client even entail? And what would that mean for the vast majority of public clients (SPA & native on device) where there are many instances of the client that share the same client id? What else other than identifying would a client identifier with established credential be used for? I suppose that, if I were to have a suggestion, it would be for those two sentences to be removed from https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-2.4 and the intent as you describe it be more/better included in the client types section https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#name-client-types *** It looks like this bit of text from 6749, "A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint. In the "authorization_code" "grant_type" request to the token endpoint, an unauthenticated client MUST send its "client_id" to prevent itself from inadvertently accepting a code intended for a client with a different "client_id". This protects the client from substitution of the authentication authorization code. (It provides no additional security for the protected resource.)" has been dropped from v2.1. But should probably be put back. It's implied in the draft by the client_id text in https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#name-token-endpoint that says ""client_id": REQUIRED, if the client is not authenticating with the authorization server ..." But that text came from https://datatracker.ietf.org/doc/html/rfc6749?#section-4.1.3 which is contextually specific to the code grant and shouldn't have been moved into a general token endpoint requirement. There are grant types / token endpoint requests that allow for an unauthenticated and unidentified client and so can be made with no client auth and no client_id parameter. So, to summarize, put the lost text back into https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-3.2.1 or maybe better into https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-4.1.3 and move the "client_id" bit from https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-3.2.2 to the authz code part https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-4.1.3 On Mon, Oct 11, 2021 at 11:52 AM Dick Hardt <dick.hardt@gmail.com> wrote: > Thanks for the feedback Brian. We have struggled in how to concisely > describe credentialed clients. > > "identifying a client" can be interpreted a number of ways. > > The intent is that the AS knows a credentialed client is the same client > it previously interacted with, but that the AS can not assume any other > attributes of the client, for example that it is a client from a given > developer, or has a specific name. > > How to phrase and describe this would be welcome! > > > ᐧ > > On Mon, Oct 11, 2021 at 10:35 AM Brian Campbell <bcampbell= > 40pingidentity.com@dmarc.ietf.org> wrote: > >> Credentialed clients might be worthwhile item for the interim. I think I >> sorta get what the credentialed clients distinction is trying to do but the >> way it manifests in the draft is somewhat bewildering. One example I've >> struggled to make sense of is the following text from >> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html#section-2.4 >> - I honestly don't understand what it really means and what actual >> ramifications would be to implementations/deployments: >> >> "The authorization server MAY establish a client authentication method >> with public clients, which converts them to credentialed clients. However, >> the authorization server MUST NOT rely on credentialed client >> authentication for the purpose of identifying the client." >> >> >> On Fri, Oct 8, 2021 at 8:57 PM Ash Narayanan <ashvinnarayanan@gmail.com> >> wrote: >> >>> I'm not sure if these items have been brought up previously or are >>> already on the agenda to be discussed at the interim meeting. >>> >>> Referring to the latest draft ( >>> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ... >>> >>> 1. The definition given under section 2.1 Client Types is: >>> >>>> Clients that have credentials but no prior relationship with the AS are >>>> designated as "credentialed clients" >>> >>> >>> This does not seem like the best or even the right definition to me. The >>> definition as it stands, is in two parts: >>> a) "Clients that have credentials" >>> b) Clients that have "no prior relationship with the AS" >>> >>> With (a), the typical use-case is an app that runs on the end-user >>> device and dynamically registers itself with the AS. Such a client does not >>> "have" credentials to begin with, or at least the use of the word "have" >>> here, if it's intended to mean "at some point will have", does not >>> differentiate it from confidential clients, which are also defined to be >>> clients "that have credentials". >>> Instead, a better choice of words for credentialed clients may be >>> "Clients that dynamically obtain credentials". >>> >>> (b) is not necessarily true, because the credentialed client may very >>> well be a known client and therefore have a prior relationship with the AS. >>> Think of (common) scenarios where the AS and client are both part of the >>> same organisation or a peer organisation, and therefore the client metadata >>> an AS receives in a dynamic registration request is already known to the >>> AS. An AS may only decide to accept dynamic registrations from such known >>> clients. >>> >>> Of course I may not be interpreting "prior relationship" as it may be >>> intended, in which case that needs to be clarified somewhere. >>> >>> >>> 2. Continuing with section 2.1 Client Types, for a native application, >>> it says: >>> >>>> On the other hand, dynamically issued credentials such as access tokens >>>> or refresh tokens can receive an acceptable level of protection. >>> >>> >>> Why is this also not mentioned for a browser-based application? Unless >>> I'm mistaken, in terms of accessibility for an intruder, in-memory for a >>> native app is equivalent to in-memory for an SPA and local storage for a >>> native app is equivalent to local storage for an SPA. >>> >>> >>> Cheers, >>> Ash >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.*_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-04.t… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-… Aaron Parecki
- [OAUTH-WG] OAuth2.1 credentialed client Ash Narayanan
- [OAUTH-WG] convert to credentialed client... ( wa… Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Dick Hardt
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … David Waite
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Warren Parad
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Domingos Creado
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan