IETF Logo Mail Archive

Re: [OAUTH-WG] Client authentication in the Device Authorization Request

Brian Campbell <bcampbell@pingidentity.com> Mon, 11 March 2019 20:57 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ECC6131181 for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level:
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CiZ963G2qKY for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2019 13:57:44 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 858B91311C3 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:57:44 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id y6so92819ioq.10 for <oauth@ietf.org>; Mon, 11 Mar 2019 13:57:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LwyfQNo//2ujo4n12yzXLvsv8sWe5P7p/LVN64rREQk=; b=Rt/ge1BFiTAqTF+wMq2MdK7naFEOaHUa61E5z+YoBT6/mIXafEDVzj3GWKBigGQRSa DdSm4rM0OL5qjiLt4nqk5GNBJ3K/O1hOqcbR31cpot9lmGnwfbtyVRAKSxTk8xjfTA2w Kwmi7cTdzrIa5n9a8JlxEej9w20zpCaU6KI28=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LwyfQNo//2ujo4n12yzXLvsv8sWe5P7p/LVN64rREQk=; b=tKi+nph8Ob3ZCLIvbGCmN9Q/NETMLmhWU4U8/K0VEwwzD/t+8cm6KQysmN8KPIimZJ t4ThW8AabK8YOvvC8oBqRfYklD1p62XGVejcRHsQMVjZLHmKdWJCjK8smwocNxqvFncv X+sF9ST5QWbIYeOUomQPYpABTEavdCDCRYU93jB6WM2GSE+3ZzbN97OHPobCvRSnlXxX k5Rj6n2BFkFskAZhY4+Z21p5LE8hphWvyGz09fThUw22jS3yIMcfbw87yATvlQH+bjur sVCEjGERwGKG8v7drL66TsVqWkBwkTX1TRv+5hKbQYSePqarFIQfRzrfZOxDiMLAHfWF 36gg==
X-Gm-Message-State: APjAAAUTaTZMb6iApMgTb+YbdeWf7KyYE2eA5xo6hBFwhbWsUog/V1pF hwoq+wNfI56EN1QraTl5J7oD4iA23nsakKWyHBbTrpZaHIZawg/QXhOcrxIAdHVThk257+W5ltI 5G+qFiRNFoX2VbA==
X-Google-Smtp-Source: APXvYqy8+2nUT8T41Aa1VEAPso4wHyjPCEE8RzpZLOb4XCHl6FzTkLQM4VKYGNGz3gODidi4jWbNM3rTTauhAaRFkro=
X-Received: by 2002:a6b:5c0a:: with SMTP id z10mr5942073ioh.138.1552337863706; Mon, 11 Mar 2019 13:57:43 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCS8ZvCAGy_0Vi+XxyY6O11ZANAEE8vMcACfUP3=UmRu-g@mail.gmail.com> <CA+k3eCR=j9d6Rim3fEv_S_WbmcnKWqKGNXSdUuLfdGUL_CKiXw@mail.gmail.com> <CALAqi__RUaSOCVHYrByWP2EJVrL-wXoiLtgEi_Jr1fdxNud47Q@mail.gmail.com> <CALAqi_8Orve3YTRKWZGWLkAzegoG5w_wzntxGAtJh0H6B3QNaA@mail.gmail.com> <CA+k3eCRfYsYhr08eWw+0Zg=pLS1-D5WOZCzz+UpdXU05go1AuQ@mail.gmail.com> <7c605f52-ff7f-49cd-0a4e-af3aa15663be@aol.com> <710ACBA5-C43D-4396-A3AE-9D7156204E3E@oracle.com> <CAAP42hBjHsXer7c_wTRn07TndO_XbGdV-o3MbjSA0=8XphWetw@mail.gmail.com> <CA+k3eCTJzy=AuxfH2xedDREzUEYoVZE1F0qz=udM1STNBnopfQ@mail.gmail.com> <CAAP42hCPCQG0AZSmQDE3UL2bk7LDqsg5T9ktR4wB3sKbFpd2pw@mail.gmail.com>
In-Reply-To: <CAAP42hCPCQG0AZSmQDE3UL2bk7LDqsg5T9ktR4wB3sKbFpd2pw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 11 Mar 2019 14:57:16 -0600
Message-ID: <CA+k3eCSDnedS3wzS-_Da6F2xzOOTk5MXiLUDd69H5HFgZHo_Xg@mail.gmail.com>
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
Cc: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f025fb0583d7d2a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bkRaM4MtuNB6gdtDFtV2S6yRuo8>
Subject: Re: [OAUTH-WG] Client authentication in the Device Authorization Request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 20:57:53 -0000

All sounds good to me. Thanks again for picking this one up quickly.

On Mon, Mar 11, 2019 at 2:43 PM William Denniss <wdenniss=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Mon, Mar 11, 2019 at 1:21 PM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> And thank you, William, for being responsive about it.
>>
>>
>> On Mon, Mar 11, 2019 at 1:18 PM William Denniss <wdenniss=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>> Thank you Brian for raising this.
>>>
>>> Yes, the expectation I believe is to follow the same approach as the
>>> token endpoint. As the spec is primarily for public clients, that's what we
>>> documented explicitly but it's worth calling out.
>>>
>>> Would the following text suffice in order to "inherit" the client
>>> authentication requirements of the token endpoint do you think?
>>>
>>>     "The client authentication requirements of Section 3.2.1 of RFC6749
>>> apply to requests on this endpoint."
>>>
>>
>> I think so, yes.
>>
>> Although given the primary focus being for public clients, it might be
>> helpful to have a little qualifying text here catering to that most common
>> case. I guess I'm just looking to try and avoid folks mistakenly
>> interpreting that to mean that client authentication is always required and
>> so somehow public clients can't do this flow. Something like the following
>> (wording could maybe be improved but hopefully conveys the idea):
>>
>> 'The client authentication requirements of Section 3.2.1 of RFC6749 apply
>> to requests on this endpoint, which means that confidential clients (those
>> that have established client credentials) authenticate in the same manner
>> as when making requests to the token endpoint and public clients provide
>> the "client_id" parameter to identify themselves.'
>>
>>
>
> The context helps, thanks for the suggested text, I used it and it's
> staged locally now.
>
>
>>
>>
>>> Then there's the matter of the REQUIRED "client_id" parameter. Perhaps
>>> we could say "REQUIRED, unless the client authenticates per Section 2.3 of
>>> RFC6749"
>>>
>>
>> I kinda prefer the text you have already in section 3.4:
>>
>>   " client_id
>>       REQUIRED, if the client is not authenticating with the
>>       authorization server as described in Section 3.2.1. of [RFC6749]."
>>
>>
> hah yeah I prefer that construction too, forgot I'd already given it that
> treatment elsewhere.
>
> Also staged locally.
>
> Thanks again for reporting this!
>
>
>>
>>
>>>
>>> On Mon, Mar 11, 2019 at 10:30 AM Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> +1 to using same authentication requirements as for token endpoint.
>>>>
>>>> Phil
>>>>
>>>> On Mar 11, 2019, at 10:27 AM, George Fletcher <
>>>> gffletch=40aol.com@dmarc.ietf.org> wrote:
>>>>
>>>> +1
>>>>
>>>> to using the same client authn method as for the /token endpoint
>>>>
>>>> On 3/11/19 12:31 PM, Brian Campbell wrote:
>>>>
>>>>
>>>>
>>>> On Mon, Mar 11, 2019 at 10:22 AM Filip Skokan <panva.ip@gmail.com>
>>>> wrote:
>>>>
>>>>> Strike that, it should maybe just use the registered auth method for
>>>>> the token endpoint?
>>>>>
>>>>
>>>> Yeah, that's what I'd think would be the way to go.
>>>>
>>>>
>>>>>
>>>>> If there's auth we should also make it clear that client_id should not
>>>>> be omitted from the request body and it must be the same as the one
>>>>> provided with client authentication.
>>>>>
>>>>>
>>>> Fair point.
>>>>
>>>>
>>>>
>>>>
>>>>> S pozdravem,
>>>>> *Filip Skokan*
>>>>>
>>>>>
>>>>> On Mon, 11 Mar 2019 at 17:14, Filip Skokan <panva.ip@gmail.com> wrote:
>>>>>
>>>>>> If we're about to add client authentication for the
>>>>>> device_authorization_endpoint, i'd say we should also register for
>>>>>> device_authorization_endpoint_auth_method,
>>>>>> device_authorization_endpoint_auth_signing_alg client metadata. Maybe
>>>>>> define the default value to be "none" / not provided to be in line with the
>>>>>> late draft implementations. Wdyt?
>>>>>>
>>>>>> S pozdravem,
>>>>>> *Filip Skokan*
>>>>>>
>>>>>>
>>>>>> On Mon, 11 Mar 2019 at 17:08, Brian Campbell <bcampbell=
>>>>>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>>>>>
>>>>>>> I do realize it's very late in the process for this document but
>>>>>>> believe these omissions can be addressed in the document with only minor
>>>>>>> changes/additions and that it'd be better late than not at all..
>>>>>>>
>>>>>>> On Mon, Mar 11, 2019 at 10:03 AM Brian Campbell <
>>>>>>> bcampbell@pingidentity.com> wrote:
>>>>>>>
>>>>>>>> Another omission[1] (maybe, I believe it is anyway) to the Device
>>>>>>>> Flow is that client authentication isn't defined for the device
>>>>>>>> authorization request to device authorization endpoint.
>>>>>>>>
>>>>>>>> I suspect that it's largely an oversight because public clients are
>>>>>>>> really the conical use-case for the device flow and no authentication is
>>>>>>>> needed or possible in that case. There are, however, likely to be cases
>>>>>>>> where a client with credentials will do the device flow and it would be
>>>>>>>> good for the AS to be able to properly authenticate such clients before
>>>>>>>> setting up and saving the state for the transaction. Having normal client
>>>>>>>> authentication at device authorization endpoint also brings better
>>>>>>>> consistency to client identification/authentication for requests made
>>>>>>>> directly from client to AS.
>>>>>>>>
>>>>>>>>
>>>>>>>> [1] error responses from the device authorization endpoint should
>>>>>>>> probably also be defined
>>>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/DMTUR1msdNQPiLh0xVXe39933k4
>>>>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_oauth_DMTUR1msdNQPiLh0xVXe39933k4&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=0mpCioWFgFIBMvwRTGb0v6ZawCSwMK9a2YH4G_yoRoo&e=>
>>>>>>>>
>>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly
>>>>>>> prohibited...  If you have received this communication in error, please
>>>>>>> notify the sender immediately by e-mail and delete the message and any file
>>>>>>> attachments from your computer. Thank you.*
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>>>>>
>>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited..
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>>
>>>> _______________________________________________
>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=>
>>>>
>>>>
>>>> --
>>>> Identity Standards Architect
>>>> Verizon Media                     Work: george.fletcher@oath.com
>>>> Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_gffletch&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=fm9UvoaRS-A1-2CXwQEgOZ7fWb-PGvleny8Ccwq-SRs&e=>
>>>> Office: +1-703-265-2544           Photos: http://georgefletcher.photography <https://urldefense.proofpoint..com/v2/url?u=http-3A__georgefletcher.photography&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=pHcwrS-xhaUz37RAgViALdKPBAFeoFc7nLxxs2NywdQ&e=>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>>
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=T9FBaSmKjH9DP1tZy7yS2PWNPsktsU0izt30MhOcMpw&s=A-TWytTVW596UG0zc6oz1rozU_auZJ0bIPSGqtXnTGA&e=
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited...  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any file
>> attachments from your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email