[OAUTH-WG] Review of draft-ietf-oauth-device-flow-06
Samuel Erdtman <samuel@erdtman.se> Thu, 07 September 2017 20:11 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E545120720 for <oauth@ietfa.amsl.com>; Thu, 7 Sep 2017 13:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZ7zhswghkAH for <oauth@ietfa.amsl.com>; Thu, 7 Sep 2017 13:11:31 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57D1A132FB1 for <oauth@ietf.org>; Thu, 7 Sep 2017 13:11:30 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id y29so360667pff.0 for <oauth@ietf.org>; Thu, 07 Sep 2017 13:11:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=B9dW/7WJ+zm4+8VagwFN4rLPilWKbCBOvSJFNDYsGns=; b=mr6vFXW4fWN6jc1WoDAX1vh141K8UOBz9so7pW6jE7t+ysvKW1BW2l5fC05jVQ/bEx q6C1L9oQV9IvIwfPVI/1A9YOGt0tgFRu9JetOrbiB/4NH8cP7pW4DaTlei7xJ26/pUng 20pfqATFRkYQ1emFZg84ia0HSAqaFxnAKLJeXeYFGVZW+VBYw+RWIsOuaDa5yIO+qVgM pcRCrwxaPKnfcqERDhWBSGJFqdQSbOchsCCVQpOJAnWIKtL3xzwc0XOvpMeRDkvKVjS4 I5uMTGJImdFsqVIfDl3htqUPG18xxSyLLg8RohjwzA7RBc/GR7mNVkLKiYJncjgMAYcF bccw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=B9dW/7WJ+zm4+8VagwFN4rLPilWKbCBOvSJFNDYsGns=; b=CO3WCsb3mW+76BSeLA6jbm/Zj9RHHtB54p2d+7uD3WbvlvaTOz6bJbfBucAJaDy8NL jI7hefkvnsWc8XhJu8SbKfnuzvl5ndZ4p69+u8Jcf0N/ieky6GVK+be6aGOADhkjNz95 ois+waHukr4Yj9CNG4K91GYPUIcf/E/QHfpjjps40SuCAd27m9S3dUUGgOmC/OUXV7ZB aviJzArkzTi3eX/h8Cko+xRGBM8RW/3LrGnKOVZTZ8YAsLmgYKerY70TQNsx6wnOb8Xw MVSobByK1XuoWS9bet1CR/LiW6+kJW6FD+PvMyzbAP+i31OrsryD2iKuYZSwLhiOtEHn kuYw==
X-Gm-Message-State: AHPjjUg7mgXWoMtjCxZLJc/7nzCmpr/uhao5DrJIn/WBSqZTF9CesnVr 04thfgWmzsPzl2w0liwvsSucoXEJyTm0u9xc5QSgpUef5KY=
X-Google-Smtp-Source: ADKCNb4zo/zx47DnlYDIEuUP6RGjTEAc6YnRu0Qobi+3XP0FijtqMWIF4+OkNvDWx73aEGBRfhGXP4ecVMnD88Y9itg=
X-Received: by 10.99.55.2 with SMTP id e2mr583406pga.226.1504815090483; Thu, 07 Sep 2017 13:11:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.155.15 with HTTP; Thu, 7 Sep 2017 13:11:29 -0700 (PDT)
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 07 Sep 2017 22:11:29 +0200
Message-ID: <CAF2hCbbLr88b97ic1zdrsWtVh-7hFonfFf+E8iEKZxUp1_fhLQ@mail.gmail.com>
To: draft-ietf-oauth-device-flow.authors@ietf.org
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c003a2aebd95505589f10ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/b1KJQb2gsTuQcWS9QZIza39ocwA>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-device-flow-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 20:11:33 -0000
Hi Authors Thanks for writing this very useful draft. I have some review comments that I hope will be useful. As a general comment, has it been considered to include CoAP mappings too? it might be good to reach even more constrained devices (maybe another draft). 1. Introduction Missing newline between Step E and D 1. Introduction The bullet list with the polling of the client and the user authorisation is a bit hard to read, step D comes again after E. Maybe it would be easier to read if using decimal numbers. ‘1. Introduction’ and ‘3. Protocol’ I would like to move the ascii art and the corresponding list of steps from ‘1. Introduction’ to ‘3. Protocol’ and use the terminology explained in ‘2. Terminology’ 3.1. Device Authorization Request Is there no authentication? e.g. use of client secret? (or Pre-Shared Key or Raw Public key as described in draft-erdtman-ace-rpcc) I don’t think client identification is enough I think it should authenticate, at least as the recommendation. 3.2. Device Authorization Response I would like to change verification_uri be optional. If for example the device vendor has a companion app that app could easily have the verification_uri, that would simplify for the user that would only have to enter the code. (and it could save some bytes). 3.2. Device Authorization Response I think it would make sense to add an optional parameter with the token endpoint uri, in that way it does not have to be hardcoded in the client (or discovered) but the AS can tell the client where to get the token. Or it could be done with a redirect to the token URL or the Device Verification Code could be a the URL to poll instead. 3.4. Device Access Token Request client_id, it says REQUIRED but then it states that it is to be used only if “client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749].” I think the parameter should be optional and authentication required. 3.2. Device Authorization Response and 3.5. Device Access Token Response “The interval at which the client polls MUST NOT be more frequent than the "interval" parameter returned in the Device Authorization Response (see Section 3.2).” “OPTIONAL. The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint.” Feels like a contradiction between the parameter description and token endpoint response. I would like to have MUST in both cases. 3.5. Device Access Token Response I think last paragraph is better suited in the introduction section. 5.2. Device Trustworthiness I think device authentication should/could be mentioned here
- [OAUTH-WG] Review of draft-ietf-oauth-device-flow… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-device-… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-device-… William Denniss