Re: [OAUTH-WG] OAuth 2.0: client_secret, state
"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 22 March 2010 22:54 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3FA528C1CE for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 15:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.788
X-Spam-Level: *
X-Spam-Status: No, score=1.788 tagged_above=-999 required=5 tests=[AWL=-0.046, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUV+eyTUbhmC for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 15:54:42 -0700 (PDT)
Received: from mailipbo.ntcif.telstra.com.au (mailipbo.ntcif.telstra.com.au [202.12.233.29]) by core3.amsl.com (Postfix) with ESMTP id C461828C1CB for <oauth@ietf.org>; Mon, 22 Mar 2010 15:54:41 -0700 (PDT)
Received: from unknown (HELO mailbi.ntcif.telstra.com.au) ([202.12.162.19]) by mailipbi.ntcif.telstra.com.au with ESMTP; 23 Mar 2010 09:54:59 +1100
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.ntcif.telstra.com.au (Postfix) with ESMTP id 9BB58FF85; Tue, 23 Mar 2010 09:54:58 +1100 (EST)
Received: from WSMSG3703.srv.dir.telstra.com (wsmsg3703.srv.dir.telstra.com [172.49.40.171]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 66AE741D50; Tue, 23 Mar 2010 09:54:25 +1100 (EST)
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Tue, 23 Mar 2010 09:54:58 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: David Recordon <recordond@gmail.com>, Luke Shepard <lshepard@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Tue, 23 Mar 2010 09:54:57 +1100
Thread-Topic: [OAUTH-WG] OAuth 2.0: client_secret, state
Thread-Index: AcrJ6GygxK8934qxRD6n2IeTcvWg2gAJGKmw
Message-ID: <255B9BB34FB7D647A506DC292726F6E11253230F19@WSMSG3153V.srv.dir.telstra.com>
References: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com> <255B9BB34FB7D647A506DC292726F6E112531C851D@WSMSG3153V.srv.dir.telstra.com> <fd6741651003221052x357eb64fj2ffc1544650b9599@mail.gmail.com>
In-Reply-To: <fd6741651003221052x357eb64fj2ffc1544650b9599@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2010 22:54:42 -0000
Luke & David, The different security characteristics of TLS client certs (or TLS-PSK, or TLS-SRP, or HTTP BASIC, or cookies, or IPsec...) vs oauth_client_secret-in-body don't require any change to the *flow*. The interaction model does not change. We need to limit the complexity of adding new flows to situations were they are necessary: Web servers can keep app secrets, web clients cannot => separate flows. Web servers can redirect browsers, devices have no browser => separate flows. 3-legged involves 3 parties, 2-legged only has 2 parties => separate flows. "red" client auth, "blue" client auth => same flows work. This is not an issue about client certs -- certs are just one stark example. -- James Manger ---------- Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state On Mon, Mar 22, 2010 at 5:11 AM, Manger, James H > 1. CLIENT SECRET > Client authentication needs to be independent of OAuth. > The Web Server Flow sends oauth_client_secret to the access token request endpoint along with other oauth_ parameters. This is a poor design. > > Consider, for instance, a service that authenticates clients with TLS client certs. Such clients don't have a shared secret to put in the oauth_client_secret parameter so they cannot perform protocol in this OAuth 2 draft. > Even if client certs are rare, the issue is that there is no reason why client certs should prevent OAuth 2 from working. > > Servers that can authenticate clients are likely to offer them various APIs in addition to the OAuth get-a-token calls. The same client authentication mechanism used for those calls should be reused for the get-a-token calls. > > I suggest dropping the oauth_client_secret, perhaps adding text such as: > "Servers that require clients to be pre-registered may require this client request to be authenticated." Luke said: It would be great to support client certificates as a means to authenticate OAuth applications. However, that should be a new flow, as it has different security characteristics. David said: Agreed with Luke. This should be a new flow if you're using TLS client certs.
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] First draft of OAuth 2.0 Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Luke Shepard
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Mark Mcgloin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Paul Madsen
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Brian Eaton
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Hans Granqvist
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Marius Scurtescu