IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2 scheme

"William J. Mills" <wmills@yahoo-inc.com> Fri, 08 April 2011 06:56 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8156A3A6989 for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 23:56:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aEioof-o7dMm for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 23:56:01 -0700 (PDT)
Received: from web32303.mail.mud.yahoo.com (web32303.mail.mud.yahoo.com [68.142.207.151]) by core3.amsl.com (Postfix) with SMTP id C15233A6889 for <oauth@ietf.org>; Thu, 7 Apr 2011 23:56:00 -0700 (PDT)
Received: (qmail 47231 invoked by uid 60001); 8 Apr 2011 06:57:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1302245859; bh=FvsAo0RNbVQlPcQAJGSLrwG29hENCBQW7DHAqOY0r94=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=I88pLLXUHIrwopK9y4T8Ykmvok0N75eAon4j+VVwoerfAbShJEXmaIJWHpnJ9IwhVyAYDoAosw9msYovc+RiVNLnlnR6mMWYIlZK55bBI5uh6+mZEEd71y8xS+j2IlRRS1x677TB7PTxIcc5R0m19yxsby+gRQ/gR/L6UoV0zzU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=EzpnbDpLFXt5XIr3sSNzeeYZhdCRvkcNBbu9uWXefx8qZcainELOMmNfmuE9rWMBWue+aeCfpADk6gG+c8zZK8qMAQBNNy94gcn8OS8efc5ZhgQsV4RQ12oH1sakZmQK2yOjnHRW/C4itdeuUOsUXXpZuZt9+n9aeOiJwrIAIuw=;
Message-ID: <864433.29776.qm@web32303.mail.mud.yahoo.com>
X-YMail-OSG: kKVG2isVM1meKuiJlFmxKPFYm3Ckz.t9TbdnfGPQr4qn74T CCFZo94UBA4WeXPv3vPNpjKPvjuNYceSlFZ1nexFQzovUGkrvRInfsfzCHpE TQaKHPqtwv6kQjkgES5bPq3JlBTcx1AR9ln6whrnnQLnHX._sHpOjx_GR0tk cueusNnuQQ7uM0NHC5xqLzh3LPf.zF.fJIYpjfmJooIQQshJDazaRRMEEL4h UYZabuRYzn6q1Y_UlD_7s7OPkoGUJHz.R2bj53T4kKAGfiMSU_Y2bguopYj8 dGNyyTgWeIuYmRizATTP5hRW2tN0FLCs5YuxPm1SycETpOAHNDROLlYZozR2 0baWW_84BEHiz5cfbumOq.GiusJe1QOKn8dgnBJcffumHur1fXLA3kQ--
Received: from [209.131.62.115] by web32303.mail.mud.yahoo.com via HTTP; Thu, 07 Apr 2011 23:57:39 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.110.299900
References: <90C41DD21FB7C64BB94121FBBC2E7234465664E11D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E11281CAB8DB@WSMSG3153V.srv.dir.telstra.com> <249220.24403.qm@web32303.mail.mud.yahoo.com> <90C41DD21FB7C64BB94121FBBC2E7234465664E3B2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E11281D30832@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 07 Apr 2011 23:57:39 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11281D30832@WSMSG3153V.srv.dir.telstra.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1871004363-1302245859=:29776"
Subject: Re: [OAUTH-WG] OAuth2 scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 06:56:03 -0000

I found when I started trying to put this into WWW-Authenticate header it ended up with a lot of extensions and parsing.  Link headers make sense to me in that the client that needs to know where the authenticator for a site is can look at the linking relationships, and a registry already exists for defining them because we're extending the current model that pretty much fits.

We need to convey the same information no matter what we do.

As for error codes, I think that's orthogonal to the discovery information.  

-bill



________________________________
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>; William J. Mills <wmills@yahoo-inc.com>; OAuth WG <oauth@ietf.org>
Sent: Thursday, April 7, 2011 11:47 PM
Subject: RE: [OAUTH-WG] OAuth2 scheme


 
A WWW-Auth header is a server’s security statement about how to gain access.
A Link header is a server’s statement of a relationship to another URI.
 
I find the Links+WWW-Auth approach more complex, less intuitive, and not as good a match for HTTP semantics.
Each WWW-Auth header in my approach is a standalone statement of a path the client can take to gain access. When an OAuth2 flow is a possible path, include a “WWW-Auth: OAuth2 …” response header.
Using Links+WWW-Auth requires interpreting a combination of headers.
 
draft-mills-kitten-sasl-oauth-01#section-7.2 has an example of a error response:
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: BEARER realm="example.com"
   Link: <https://login.yahoo.com/oauth> rel="oauth2-authenticator"
   Link: <https://login.yahoo.com/oauth> rel="ouath2-token"
 
A Link header is a nice, clean, intuitive approach for delivering a static token endpoint URI.
However, that is not actually what a client needs in an HTTP error response. The client needs to know what to do next, in the context of this request and the credentials it included. That is more dynamic.
 
Consider the error codes that Mike Jones & others want to standardise/register across authentication schemes. They are needed to know which OAuth2 flow to perform (eg try a refresh if the token has expired; redo user delegation if more scope is needed).
 
Should the error code go in an OAuth2 Link header? That feels a bit strange. It requires extra parameters to be defined for specific Link relations (possible, but not as intuitive). No one has suggested this, though I think it is the correct design if Links+WWW-Auth is used.
The other option is to put the error code in the WWW-Auth header for a specific scheme. Which scheme? Every scheme for which OAuth2 could deliver a token now needs to be modified so its error response can include OAuth2-specific details. That is feasible for the Bearer scheme, but not generally. There is no WWW-Auth header to put the error code in if, say, the TLS layer is used for client authentication (eg TLS-PSK or TLS-SRP or …).
This might be a trivial issue if OAuth2 is only ever used with the Bearer HTTP schemes – but it does illustrate a design flaw: one more unnecessary strong coupling between the authentication mechanism and the OAuth2 delegation/authorization flows.
 
 
--
James Manger
 
 
From:Eran Hammer-Lahav [mailto:eran@hueniverse.com] 
Sent: Friday, 8 April 2011 12:04 PM
To: William J. Mills; Manger, James H; OAuth WG
Subject: RE: [OAUTH-WG] OAuth2 scheme
 
I agree that Link headers are much better fit for relaying discovery information than a half HTTP authentication scheme. Overall, I find James’ proposal to be too complex and not intuitive to people familiar with existing HTTP authentication schemes (it is novel and well thought, and it does work, just not as most people expect discovery to).
 
EHL
 
From:oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William J. Mills
Sent: Thursday, April 07, 2011 7:01 PM
To: Manger, James H; OAuth WG
Subject: Re: [OAUTH-WG] OAuth2 scheme
 
In the SASL mechanism draft spec where we went with that is to use LINK headers.  See
http://tools.ietf.org/html/draft-mills-kitten-sasl-oauth-01 if you want to take a look.  WWW-Authenticate headers return the supported authentication schemes and LINK headers tell you there are OAuth endpoints you can interact with.
 
It's a swag at discovery in band, might work here too.
 

________________________________
 
From:"Manger, James H" <James.H.Manger@team.telstra.com>
To: OAuth WG <oauth@ietf.org>
Sent: Thursday, April 7, 2011 6:48 PM
Subject: Re: [OAUTH-WG] OAuth2 scheme


We should define a “WWW-Authenticate: OAuth2 …” response header – not to encompass the MAC, Bearer, and any other generic HTTP authentication scheme, but as a way for a server to tell the client that it can perform an OAuth2 get-a-token flow to gain access. When the sort of OAuth2 flow depends on the error with a current token (eg expired vs invalid) then the “WWW-Authenticate: OAuth2 …” response header needs to reflect this. It could do so be including an error code. A better, more direct, approach is to explicitly identify “refresh flow” and/or “user-delegation flow” and/or “assertion flow” etc.
 
Bearer or OAuth2 WWW-Authenticate response header?
The rule should be:
#1. If the client can fix an error by sending an “Authorization: Bearer …” request header (or the query or POST alternative) then the server should return “WWW-Authenticate: Bearer …”.
 
#2. If the client can fix an error by performing an OAuth2 flow at an authorization server then the resource server should return “WWW-Authenticate: OAuth2 …”.
 
The server can return both response headers if both options are possible.
 
There is no point in re-presenting a rejected Bearer token so #1 isn’t that useful. It could be appropriate if no token was presented as the client might have a token, but didn’t know this resource needed it. It might be appropriate if a client presented a token with insufficient scope as the client might have another token with the right scope so “WWW-Authenticate: Bearer scope=…” could help. #1 is not really necessary when a presented token is invalid or expired as the client needs to get a new one (eg using an OAuth2 flow that is outside the scope of the Bearer scheme).
 
I don’t think an error code in a “WWW-Authenticate: Bearer …” response helps a client retry the request with a “Authorization: Bearer …” header that will work.
An error code might help a client choose the right OAuth2 flow (eg refresh vs new user-delegation) so it might have a place in #2, a “WWW-Authenticate: OAuth2 …” response header.
 
Eran said to Mike:
> Alternatively, if you have use cases or requirements for introducing just the WWW-Authenticate side of an OAuth2 authorization scheme (your open issue), which includes an ‘error’ attribute for use with the proposed registry, please present those and explain how it will work alongside the Bearer and MAC schemes (as currently drafted).
 
The “discovery” use-case in this email warrants the WWW-Authenticate side of an OAuth2 scheme.
An error attribute (plus a registry) might help, but we need the rest of the details of the response header first.
It works well alongside Bearer and MAC schemes: a “WWW-Auth.: OAuth2” response points to OAuth2 flows the client can try; a “WWW-Auth.: MAC/Bearer” response points to retrying a request with “Authz: MAC/Bearer”. Even when a client is given multiple options it will know which to choose based on its context (eg if it doesn’t have another Bearer token it will ignore the “WWW-Auth: Bearer” response and follow the “WWW-Auth: OAuth2” response).
 
 
--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email