Re: [OAUTH-WG] AD Review of -22 (part II)

Eran Hammer <eran@hueniverse.com> Thu, 26 January 2012 17:50 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0D2421F86C5 for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2012 09:50:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.488
X-Spam-Level:
X-Spam-Status: No, score=-2.488 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqO3AouHWwYk for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2012 09:50:05 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id DFE3B21F86C3 for <oauth@ietf.org>; Thu, 26 Jan 2012 09:50:04 -0800 (PST)
Received: (qmail 14586 invoked from network); 26 Jan 2012 17:49:56 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.46) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 26 Jan 2012 17:49:55 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT004.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Thu, 26 Jan 2012 10:49:54 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Justin Richer <jricher@mitre.org>
Date: Thu, 26 Jan 2012 10:49:44 -0700
Thread-Topic: [OAUTH-WG] AD Review of -22 (part II)
Thread-Index: AczcM+Pw8LQB8XjcRf2yEXiu/gaxegAF4yzA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AAB969E8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723453AAB96544@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4F215DEE.6020608@mitre.org>
In-Reply-To: <4F215DEE.6020608@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD Review of -22 (part II)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2012 17:50:05 -0000

> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Thursday, January 26, 2012 6:07 AM
> To: Eran Hammer
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] AD Review of -22 (part II)
> 
> I realize that -23 is already published with the below text, but since this is a
> whole new section and nobody else seemed to bring it up, I wanted to make
> sure it wasn't missed by the WG.

> I think it's a good idea to call it out, and I don't want to "sugarcoat" it either,
> but the phrase "this specification is likely to produce a wide range of non-
> interoperable implementations" is a bit overdramatic in its tone. Instead, I
> think we should point to other documents that are being developed explicitly
> along side of this, such as at the beginning of RFC2904
> (http://tools.ietf.org/html/rfc2904). I suggest text like the following instead:
>
> OAuth 2.0 provides a rich authorization framework with well-defined security
> properties. However, as a rich and highly extensible framework with many
> optional components, this specification does not seek to define all
> components needed for a fully interoperable deployment within this
> document. Instead, this specification is intended to work with complimentary
> documents that define token types [MAC] [Bearer], token formats [JWT]
> [SAML], client registration [Dynamic Reg?], endpoint discovery [XRD] [SWD],
> and other considerations.
> This protocol was designed with the clear expectation that future work will
> define prescriptive profiles and extensions necessary to achieve full web-
> scale interoperability.

This does sugarcoat the fact that 2.0 does not provide *any* guaranteed interoperability. The implementations I've seen so far have simply adopted a *profile* of this document along with bearer tokens. We've already seen feedback on this list where client developers were surprised and frustrated with such implementations when trying to reuse code across providers and this is only going to get more noticeable. And then of course we have the insane complexity of the over-architected solutions, adding layer after layer to solve problems that are as simple as making a parameter required and well specified.

We've also seen questions about providers looking to claim OAuth 2.0 support while maintaining all their existing architecture and security properties, seeking to push the boundaries of what is permitted by the specification. We've gone to a place where *anything* can be made to look like OAuth. We've seen implementations doing nothing but exchanging SAML assertions for JSON-formatted assertions (or other SAML assertions), without any actual resource owner participation, calling itself OAuth. And sadly, it can.

I'm against adding such a laundry list of references. I am also opposed to implying that using these extensions will achieve interoperability because they will not in their current state. The only way to achieve interoperability at this point is by getting rid of most of the optional components (removed or made required), and tightening the definition of others. Or alternatively, come out with a full blown discovery and negotiation protocol - something that would be extremely premature at this point. How can you design a good discovery/negotiation protocol before you have even a partial picture of what it is you want to discovery/negotiate.

Instead, I proposing a small tweak (marked with [[ ]]) to the language:

---
1.7.  Interoperability

   OAuth 2.0 provides a rich authorization framework with well-defined
   security properties.  However, as a rich and highly extensible
   framework with many optional components, [[ on its own, ]] this specification is likely
   to produce a wide range of non-interoperable implementations.  In
   addition, this specification leaves a few required components
   partially or fully undefined (e.g. client registration, authorization
   server capabilities, endpoint discovery).

   This protocol was designed with the clear expectation that future work
   will define prescriptive profiles and extensions necessary to achieve
   full web-scale interoperability.
---

I can appreciate feeling a little sting from such a disclaimer but we all deserve it for failing to do our job. We took on a successful, simple, narrow, and useful protocol and turned it into mush because after more than 2 years we have failed to find common ground on almost anything that is required to achieve interoperability. Instead we now rely on popular providers such as Facebook and Twitter to set the tone for the rest of the industry, filling in the gaps.

My personal frustration is from the fact that a significant number of working group members put the interest of their corporate overlord above what is good for the web. They have aggressively promoted an agenda based on product lines already in advance stages of development and refused to compromise if that meant making changes to their products. We have produced the closest heir to WS-* I've seen in many years, and that's nothing to be proud of.

The result is pretty obvious: claiming OAuth 2.0 support or even compliance is meaningless. It's the difference between dancing the tango and dancing to rock music. One gives you a beautifully synced performance while the other put personal expression on a pedestal. Which one do you think is better for a web protocol?

It's time to own the results of our work and to clearly state that this is the best we were able to produce, and let the industry take over and solve through running code the problems we were too fragmented to solve here.

EHL