[OAUTH-WG] can public clients be as safe in Auth Code Grants?
Bill Burke <bburke@redhat.com> Tue, 04 March 2014 16:56 UTC
Message-ID: <531604CC.5020409@redhat.com>
Date: Tue, 04 Mar 2014 11:52:28 -0500
From: Bill Burke <bburke@redhat.com>
To: oauth <oauth@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/csZyrtmXspClyHhMdrFtVVnwUA4
Section 3.2.1 talks about the need for and benefits of confidential clients. For Auth Code Grants, can't public clients be as safe as confidential clients if:

* HTTPS is being used for all communication
* Valid redirect_uri patterns are registered at the Auth Server for the public clients
* Auth server validates the client's redirect_uri when processing an Authorization Request. The browser would ensure you are redirecting to a valid domain.
* "state" parameter is validated by the client from the Authorization Response.
* Client sends its "client_id" and "redirect_uri" when making an Access Token Request
* Auth server revalidates "client_id", "redirect_uri" to data used to create the Auth Code.

Nobody could fake being the public client because an auth code could only be sent to the registered redirect URLs of the public client.

As for the statement that it might be easier to change client credentials than to revoke refresh tokens, couldn't this also be mitigated if the Auth Server supported setting a revocation policy for the client?

Thanks in advance.

Bill

p.s. FYI, maybe I did something wrong, but I couldn't seem to get anything posted on the Google Group for OAuth. Hope it's ok to post these kinds of questions here.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
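The checks listed in the message above, worked through as a minimal in-memory model of an authorization server and a public client. This is an added illustration, not code from the post or from any Red Hat or Keycloak project; the client registry, the exact-match redirect_uri policy and the single-use code store are assumptions made for the example. It shows the server refusing to issue a code to an unregistered redirect_uri, the client rejecting a callback whose "state" does not match the one it sent, and the server refusing a token request whose client_id or redirect_uri differ from those recorded when the code was created.

```python
import secrets
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed registry of public clients and their registered redirect URIs
# (assumption: exact string match against an https URI, no wildcards).
REGISTERED_CLIENTS = {
    "public-app": {"redirect_uris": ["https://app.example.com/callback"]},
}


class AuthServer:
    def __init__(self, clients):
        self.clients = clients
        # code -> data the code was bound to at issue time; consulted again on redemption
        self.codes = {}

    def redirect_uri_allowed(self, client_id, redirect_uri):
        client = self.clients.get(client_id)
        if client is None:
            return False
        if urlparse(redirect_uri).scheme != "https":
            return False  # HTTPS everywhere, as the message requires
        return redirect_uri in client["redirect_uris"]

    def authorize(self, client_id, redirect_uri, state):
        """Authorization Request: validate redirect_uri before issuing a code."""
        if not self.redirect_uri_allowed(client_id, redirect_uri):
            # Never redirect to an unregistered URI; the code must only reach the client's own URI
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "used": False}
        # The browser is sent here; "state" is echoed back unchanged
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, redirect_uri, code):
        """Access Token Request: revalidate client_id and redirect_uri against the stored code."""
        record = self.codes.get(code)
        if record is None or record["used"]:
            return None  # unknown or replayed code
        record["used"] = True  # single use, even if the checks below fail
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None  # presented under a different client or redirect_uri than it was issued for
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class PublicClient:
    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending_state = None

    def start(self, server):
        """Begin the flow with a fresh, unguessable state value."""
        self.pending_state = secrets.token_urlsafe(16)
        return server.authorize(self.client_id, self.redirect_uri, self.pending_state)

    def handle_callback(self, server, url):
        """Authorization Response: check state, then redeem the code with client_id and redirect_uri."""
        query = parse_qs(urlparse(url).query)
        state = query.get("state", [""])[0]
        if not self.pending_state or not hmac.compare_digest(state, self.pending_state):
            return None  # response not tied to a request this client made
        self.pending_state = None  # state is one-shot
        code = query.get("code", [""])[0]
        return server.token(self.client_id, self.redirect_uri, code)


if __name__ == "__main__":
    server = AuthServer(REGISTERED_CLIENTS)
    client = PublicClient("public-app", "https://app.example.com/callback")
    callback_url = client.start(server)
    print(client.handle_callback(server, callback_url))
```

The two server-side checks are what keep a public client honest here: a code can only be delivered to a registered redirect_uri, and redeeming it requires the same client_id and redirect_uri it was issued to, so possession of the code alone is not enough. The client-side state check is what rejects a code that was not obtained through this client's own request.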