[OAUTH-WG] Review of draft-ietf-oauth-device-flow-06
Samuel Erdtman <samuel@erdtman.se> Thu, 07 September 2017 20:11 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E545120720 for <oauth@ietfa.amsl.com>; Thu, 7 Sep 2017 13:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZ7zhswghkAH for <oauth@ietfa.amsl.com>; Thu, 7 Sep 2017 13:11:31 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57D1A132FB1 for <oauth@ietf.org>; Thu, 7 Sep 2017 13:11:30 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id y29so360667pff.0 for <oauth@ietf.org>; Thu, 07 Sep 2017 13:11:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=B9dW/7WJ+zm4+8VagwFN4rLPilWKbCBOvSJFNDYsGns=; b=mr6vFXW4fWN6jc1WoDAX1vh141K8UOBz9so7pW6jE7t+ysvKW1BW2l5fC05jVQ/bEx q6C1L9oQV9IvIwfPVI/1A9YOGt0tgFRu9JetOrbiB/4NH8cP7pW4DaTlei7xJ26/pUng 20pfqATFRkYQ1emFZg84ia0HSAqaFxnAKLJeXeYFGVZW+VBYw+RWIsOuaDa5yIO+qVgM pcRCrwxaPKnfcqERDhWBSGJFqdQSbOchsCCVQpOJAnWIKtL3xzwc0XOvpMeRDkvKVjS4 I5uMTGJImdFsqVIfDl3htqUPG18xxSyLLg8RohjwzA7RBc/GR7mNVkLKiYJncjgMAYcF bccw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=B9dW/7WJ+zm4+8VagwFN4rLPilWKbCBOvSJFNDYsGns=; b=CO3WCsb3mW+76BSeLA6jbm/Zj9RHHtB54p2d+7uD3WbvlvaTOz6bJbfBucAJaDy8NL jI7hefkvnsWc8XhJu8SbKfnuzvl5ndZ4p69+u8Jcf0N/ieky6GVK+be6aGOADhkjNz95 ois+waHukr4Yj9CNG4K91GYPUIcf/E/QHfpjjps40SuCAd27m9S3dUUGgOmC/OUXV7ZB aviJzArkzTi3eX/h8Cko+xRGBM8RW/3LrGnKOVZTZ8YAsLmgYKerY70TQNsx6wnOb8Xw MVSobByK1XuoWS9bet1CR/LiW6+kJW6FD+PvMyzbAP+i31OrsryD2iKuYZSwLhiOtEHn kuYw==
X-Gm-Message-State: AHPjjUg7mgXWoMtjCxZLJc/7nzCmpr/uhao5DrJIn/WBSqZTF9CesnVr 04thfgWmzsPzl2w0liwvsSucoXEJyTm0u9xc5QSgpUef5KY=
X-Google-Smtp-Source: ADKCNb4zo/zx47DnlYDIEuUP6RGjTEAc6YnRu0Qobi+3XP0FijtqMWIF4+OkNvDWx73aEGBRfhGXP4ecVMnD88Y9itg=
X-Received: by 10.99.55.2 with SMTP id e2mr583406pga.226.1504815090483; Thu, 07 Sep 2017 13:11:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.155.15 with HTTP; Thu, 7 Sep 2017 13:11:29 -0700 (PDT)
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 07 Sep 2017 22:11:29 +0200
Message-ID: <CAF2hCbbLr88b97ic1zdrsWtVh-7hFonfFf+E8iEKZxUp1_fhLQ@mail.gmail.com>
To: draft-ietf-oauth-device-flow.authors@ietf.org
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c003a2aebd95505589f10ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/b1KJQb2gsTuQcWS9QZIza39ocwA>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-device-flow-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 20:11:33 -0000
Hi Authors
Thanks for writing this very useful draft.
I have some review comments that I hope will be useful.
As a general comment, has it been considered to include CoAP mappings too?
it might be good to reach even more constrained devices (maybe another
draft).
1. Introduction
Missing newline between Step E and D
1. Introduction
The bullet list with the polling of the client and the user authorisation
is a bit hard to read, step D comes again after E. Maybe it would be easier
to read if using decimal numbers.
‘1. Introduction’ and ‘3. Protocol’
I would like to move the ascii art and the corresponding list of steps from
‘1. Introduction’ to ‘3. Protocol’ and use the terminology explained in
‘2. Terminology’
3.1. Device Authorization Request
Is there no authentication? e.g. use of client secret? (or Pre-Shared Key
or Raw Public key as described in draft-erdtman-ace-rpcc)
I don’t think client identification is enough I think it should
authenticate, at least as the recommendation.
3.2. Device Authorization Response
I would like to change verification_uri be optional. If for example the
device vendor has a companion app that app could easily have the
verification_uri, that would simplify for the user that would only have to
enter the code. (and it could save some bytes).
3.2. Device Authorization Response
I think it would make sense to add an optional parameter with the token
endpoint uri, in that way it does not have to be hardcoded in the client
(or discovered) but the AS can tell the client where to get the token. Or
it could be done with a redirect to the token URL or the Device
Verification Code could be a the URL to poll instead.
3.4. Device Access Token Request
client_id, it says REQUIRED but then it states that it is to be used only
if “client is not authenticating with the authorization server as described
in Section 3.2.1. of [RFC6749].”
I think the parameter should be optional and authentication required.
3.2. Device Authorization Response and 3.5. Device Access Token Response
“The interval at which the client polls MUST NOT be more frequent than
the "interval" parameter returned in the Device Authorization
Response (see Section 3.2).”
“OPTIONAL. The minimum amount of time in seconds that the client
SHOULD wait between polling requests to the token endpoint.”
Feels like a contradiction between the parameter description and token
endpoint response. I would like to have MUST in both cases.
3.5. Device Access Token Response
I think last paragraph is better suited in the introduction section.
5.2. Device Trustworthiness
I think device authentication should/could be mentioned here
- [OAUTH-WG] Review of draft-ietf-oauth-device-flow… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-device-… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-device-… William Denniss