Re: [OAUTH-WG] Returning tokens directly to a human user

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 06 March 2015 23:01 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B181A1B22 for <oauth@ietfa.amsl.com>; Fri, 6 Mar 2015 15:01:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKqEsZtq6FN1 for <oauth@ietfa.amsl.com>; Fri, 6 Mar 2015 15:01:29 -0800 (PST)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E30B1A01E7 for <oauth@ietf.org>; Fri, 6 Mar 2015 15:01:28 -0800 (PST)
Received: by wevm14 with SMTP id m14so62314620wev.13 for <oauth@ietf.org>; Fri, 06 Mar 2015 15:01:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=M/GVIakaDfYsYBV5DXKagJmnBzd1TEOZSv04mWGhRVo=; b=fiEj2Hi5n8o8K/KYK8joskFuShk40IcWEJNcpNxlShWSO6O/fY3C89jKqC/z4u5jOH DJBii55NK2ugQmEDaebRNNprinxxcSglCilvzACeb+z+DFhzIw7rhcIWl05kFqcSGyrK f57fajYyY+D95aWpKAM4IhqD56++omKQFEoyfVGKhqb+xmwhhvaqeKcfqNOebMu0ZvT9 tOGIuCbI0ZQd7qbbBWYqHkdegsOut4nLXpSIzKSFrV8YgEqxjyrawUv5vxjhOxxCStc5 Q2Wp9Fmit2t2QjZku8PmvbpJPUDrGWfHxkcwNrGyEdgskS0OJi3aT174Qw96YEHnJf// FgcQ==
X-Received: by 10.194.120.40 with SMTP id kz8mr34418365wjb.21.1425682887337; Fri, 06 Mar 2015 15:01:27 -0800 (PST)
Received: from [192.168.2.7] ([89.100.10.58]) by mx.google.com with ESMTPSA id v5sm4181157wiw.24.2015.03.06.15.01.25 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Mar 2015 15:01:25 -0800 (PST)
Message-ID: <54FA31C4.9030901@gmail.com>
Date: Fri, 06 Mar 2015 23:01:24 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Justin Richer <jricher@mit.edu>
References: <54F59359.5020601@gmx.net> <2A7D9B45-2459-4558-8356-CAB1029D113D@MIT.EDU> <4E1F6AAD24975D4BA5B1680429673943A2E78D9F@TK5EX14MBXC292.redmond.corp.microsoft.com> <, > <54F7C2B7.7090304@mit.edu> <4E1F6AAD24975D4BA5B1680429673943A2E79640@TK5EX14MBXC292.redmond.corp.microsoft.com> <54F9E246.70901@gmail.com> <52A4984A-5ACE-472D-986D-54012EB620C2@mit.edu> <54FA2AD7.7000500@gmail.com> <8E4D4A6C-A5CC-44E2-9AD3-7C9859F4D05C@mit.edu>
In-Reply-To: <8E4D4A6C-A5CC-44E2-9AD3-7C9859F4D05C@mit.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/bNxTaUuqEZL5CPBvDZcWUOx-cOA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Returning tokens directly to a human user
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 23:01:31 -0000

Hi Justin,

Thanks for typing it all, appreciated... I guess the idea here is 
basically introduce a little web app 'intermediary' that will act as if 
it were a client except that it will show whatever it receives back from 
AS to the user.
So we still have a common processing path at AS, as if it were a regular 
authorization code flow. I think I got it...

Thanks for the advice - enjoy the weekends
Sergey

On 06/03/15 22:47, Justin Richer wrote:
>
>> On Mar 6, 2015, at 5:31 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>
>> Hi
>> On 06/03/15 18:28, Justin Richer wrote:
>>> All you’re really doing here is having a more manual and less automated portion for part of the process. You’d want to do this using a registered redirect URI that hosts the HTML page, and then you’d need a control in the app itself where the user could interact.
>>>
>>> I would personally recommend using this approach to move an authorization code manually instead of moving an access token. Assuming your client can access the auth server directly (using the backchannel, no browser), you should be able to POST to the token endpoint and get the token directly without the user having to handle it. The reason being that auth codes are client-limited and much more time-limited, and their leakage doesn’t immediately lead to leakage of API access.
>>>
>> Right now this is what I'm considering, whether to restrict it to the client getting the tokens itself, with the inserted code, or indirectly, after the user does it. We already support the former for public clients, I guess in the latter case a token will also be linked to a client because a user will enter a client id when requesting a token.
>>
>> Just not sure yet if a 3rd party client will be 'prepared' as you say to interact directly with AS, I guess it will be given that it is expected it should be able to refresh…
>
>>
>>
>>> We had a similar approach with a limited client back in the OAuth 1.0 days, where we had an HTML page that would print the oauth_verify code on the screen that the user would type into the application. These days, on most platforms, it’s much easier to register a custom URL handler or use another system service to get the code directly that this hack has all but disappeared, at least in my view.
>>
>> Can you give me a favor and clarify a bit what you mean when referring to a registered URL handler ? A user signs in, requests a code or a token for a specific client, AS returns it to the user directly. I guess it can redirect the user to some other web application which is where the user will interact and get the code or token. What a registered URL handler can change in this process, make it more automated ? (I understand working with the code is better in general…)
>
> I mean not doing anything special with the OAuth grants: use the redirects that are already there, just do something special with the page you’re redirected to that will display the code/token to the user and instruct them to paste it into the client appropriately. It can even be a pretty static page, with a bit of javascript to pull off the return values.
>
> So you could build it like this: the user starts off at some webpage that says “Authorize AppX” and clicks that. This redirects them to the authorization endpoint, just like normal. Note that this redirect will include the client ID and scopes and all that, just like normal. Then the user logs in, authorizes, and is redirected back to AppX’s redirect_uri, just like normal. This redirect URI will be on the same service that hosts the “start off” page, if you want, so you can even check the “state” value against a stored cookie or session for extra protection. That page pops off the code or token parameter and displays it to the user, telling them how to get it into the client. Once the code or token is in the client, it goes on its way.
>
> This all works without changing OAuth at all, and the auth server and resource server can be completely off-the-shelf. You’re effectively splitting the client in half: there’s a web-based half that deals with the authorization redirect, and a native half that deals with the code/token swap and the protected API calls. You use a person to glue them together.
>
> I’ve built this kind of thing before, and it works well until people fall apart moving the displayed code between the web page and the rest of the application. That’s why a lot of apps, where possible, have just gone to popping up a browser. Dick’s recommendation to look at settop boxes and other apps that *can’t* pop up a browser is a good recommendation.
>
>   — Justin
>
>
>>
>> Thanks, Sergey
>>
>>>
>>>   — Justin
>>>
>>>> On Mar 6, 2015, at 12:22 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> We might have a requirement to support a case where AS returns an access token directly to a human user, with the user subsequently configuring a confidential client with this token. The actual client is not capable of supporting a (more dynamic) code flow at this stage.
>>>>
>>>> So it is nearly like an implicit code flow except that the user is asked upfront which clients can get the tokens allocated and the token is returned in the HTML response without redirecting and placing the token in a fragment.
>>>>
>>>> Apparently a number of big providers do just that, let users allocate tokens for some clients with the users expected to copy the tokens into the confidential clients afterwards.
>>>>
>>>> I'd like to ask, it is a reasonable approach, to have tokens transferred manually into the confidential client ?
>>>>
>>>> Would it be more appropriate for a user to request a code and then copy it to the confidential client and expect it to get the tokens itself. I guess the problem here may be a code is short lived, but so is a typical access token - but the latter can be supported by a refresh one.
>>>>
>>>> Another question: does it even qualify as an OAuth2 grant for token exchange, the process of a user pre-authorizing a client and getting not a code but tokens back ? I guess it does, so how a grant like this one would typically be called ? We'd have no problems with assigning some custom name to such a grant but curious how others approach it...
>>>>
>>>> Thanks, Sergey
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>