IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.0: client_secret, state

"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 22 March 2010 22:54 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3FA528C1CE for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 15:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.788
X-Spam-Level: *
X-Spam-Status: No, score=1.788 tagged_above=-999 required=5 tests=[AWL=-0.046, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUV+eyTUbhmC for <oauth@core3.amsl.com>; Mon, 22 Mar 2010 15:54:42 -0700 (PDT)
Received: from mailipbo.ntcif.telstra.com.au (mailipbo.ntcif.telstra.com.au [202.12.233.29]) by core3.amsl.com (Postfix) with ESMTP id C461828C1CB for <oauth@ietf.org>; Mon, 22 Mar 2010 15:54:41 -0700 (PDT)
Received: from unknown (HELO mailbi.ntcif.telstra.com.au) ([202.12.162.19]) by mailipbi.ntcif.telstra.com.au with ESMTP; 23 Mar 2010 09:54:59 +1100
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.ntcif.telstra.com.au (Postfix) with ESMTP id 9BB58FF85; Tue, 23 Mar 2010 09:54:58 +1100 (EST)
Received: from WSMSG3703.srv.dir.telstra.com (wsmsg3703.srv.dir.telstra.com [172.49.40.171]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 66AE741D50; Tue, 23 Mar 2010 09:54:25 +1100 (EST)
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Tue, 23 Mar 2010 09:54:58 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: David Recordon <recordond@gmail.com>, Luke Shepard <lshepard@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Tue, 23 Mar 2010 09:54:57 +1100
Thread-Topic: [OAUTH-WG] OAuth 2.0: client_secret, state
Thread-Index: AcrJ6GygxK8934qxRD6n2IeTcvWg2gAJGKmw
Message-ID: <255B9BB34FB7D647A506DC292726F6E11253230F19@WSMSG3153V.srv.dir.telstra.com>
References: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com> <255B9BB34FB7D647A506DC292726F6E112531C851D@WSMSG3153V.srv.dir.telstra.com> <fd6741651003221052x357eb64fj2ffc1544650b9599@mail.gmail.com>
In-Reply-To: <fd6741651003221052x357eb64fj2ffc1544650b9599@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2010 22:54:42 -0000

Luke & David,

The different security characteristics of TLS client certs (or TLS-PSK, or TLS-SRP, or HTTP BASIC, or cookies, or IPsec...) vs oauth_client_secret-in-body don't require any change to the *flow*. The interaction model does not change.

We need to limit the complexity of adding new flows to situations were they are necessary:
Web servers can keep app secrets, web clients cannot => separate flows.
Web servers can redirect browsers, devices have no browser => separate flows.
3-legged involves 3 parties, 2-legged only has 2 parties => separate flows.
"red" client auth, "blue" client auth => same flows work.

This is not an issue about client certs -- certs are just one stark example.

-- 
James Manger

----------
Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state

On Mon, Mar 22, 2010 at 5:11 AM, Manger, James H
> 1. CLIENT SECRET
> Client authentication needs to be independent of OAuth.
> The Web Server Flow sends oauth_client_secret to the access token request endpoint along with other oauth_ parameters. This is a poor design.
>
> Consider, for instance, a service that authenticates clients with TLS client certs. Such clients don't have a shared secret to put in the oauth_client_secret parameter so they cannot perform protocol in this OAuth 2 draft.
> Even if client certs are rare, the issue is that there is no reason why client certs should prevent OAuth 2 from working.
>
> Servers that can authenticate clients are likely to offer them various APIs in addition to the OAuth get-a-token calls. The same client authentication mechanism used for those calls should be reused for the get-a-token calls.
>
> I suggest dropping the oauth_client_secret, perhaps adding text such as:
> "Servers that require clients to be pre-registered may require this client request to be authenticated."

Luke said:
It would be great to support client certificates as a means to authenticate OAuth applications. However, that should be a new flow, as it has different security characteristics.

David said:
Agreed with Luke.  This should be a new flow if you're using TLS client certs.

v2.23.0 | Report a Bug | By Email