Re: [OAUTH-WG] user-agent flow needs a rewrite
Luke Shepard <lshepard@facebook.com> Tue, 13 July 2010 08:16 UTC
From: Luke Shepard <lshepard@facebook.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Tue, 13 Jul 2010 08:06:19 +0000
Message-ID: <ABEF9F68-F006-4BDD-804D-DEF9CB4C1E29@facebook.com>
References: <C85F1725.36FD1%eran@hueniverse.com>
In-Reply-To: <C85F1725.36FD1%eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite
On Jul 11, 2010, at 6:37 AM, Eran Hammer-Lahav wrote:

> The server can’t trust what the client is asking unless the client is authenticated *and* the server can trust that authentication (i.e. client secret not used in a user-agent). For that, you need to establish some form of trust with the client which in today’s world means registration. If you are going to perform registration, that’s where you should ask about the nature of the client so you can optimize the user experience and the overall security.

There are examples of clients that pre-register, but operate in multiple contexts. For example, an app may have both a web and a mobile version, and require different auth flows depending. We have found it useful to be able to specify in the request what type of client is making the request. I am a big fan of pre-registration but I prefer being explicit in the request about what should be returned.

> The way I understand the Twitter use case is that the client isn’t just a user-agent trying to get both an access token and authorization code (or refresh token), but a more complex client which includes both a user-agent and web-based components, each providing a different functionality, but both using the same, single end-user authorization (i.e. the end-user is asked once).

Facebook also really wants this. And we'd like to be able to return the verification code in the fragment. I just read this bit:

> If the response type is "code_and_token", the authorization server adds the "code" and "state" parameters to the redirection URI query component and the "access_token", "scope", and "expires_in" to the redirection URI fragment using the "application/x-www-form-urlencoded" format as defined by

That strikes me as very odd - returning some params in the query, and others in the fragment is just weird. I think the request should specify whether it wants the response in the fragment or query.

There are a few ways to do this:

1/ Use a 'type' param, and define the response format along with the type (for instance, user-agent means it's returned in the fragment)

2/ If the user requests either token or code_and_token, then the response comes in the fragment. Else, in the URL.

3/ Create another parameter to specify how the response should come.

My preference is for #1, but I know you've tried to wrangle the spec and decided not to - and that seems fine. So then I would prefer #2.
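The placement rules quoted in the message above, and option #2 from the reply, as an added Python example (this is not code from the thread or from any implementation it mentions): build_redirect assembles the redirection URI under either placement, and server_visible shows which parameters the client's callback server actually receives, since a browser never sends the fragment. The redirect URI and token values are constructed for the demo.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values for the demo; not real credentials.
SAMPLE = {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": "xyz",
          "access_token": "2YotnFZFEjr1zCsicMWpAA", "scope": "email",
          "expires_in": "3600"}


def build_redirect(redirect_uri, response_type, values, all_token_responses_in_fragment=False):
    """Return the redirection URI an authorization server sends the user-agent to.

    Default placement follows the draft text quoted in the thread:
      code           -> code and state in the query component
      token          -> access_token, scope, expires_in, state in the fragment
      code_and_token -> code and state in the query, token parts in the fragment
    With all_token_responses_in_fragment=True it follows option #2 from the
    reply instead: any response that carries a token goes wholly in the fragment.
    """
    if response_type not in ("code", "token", "code_and_token"):
        raise ValueError("unsupported response_type: %r" % response_type)
    want_code = "code" in response_type
    want_token = "token" in response_type
    query, fragment = {}, {}
    # Where the authorization code (and the state that travels with it) lands.
    code_dest = fragment if (want_token and all_token_responses_in_fragment) else query
    if want_code:
        code_dest["code"] = values["code"]
    if want_token:
        for key in ("access_token", "scope", "expires_in"):
            fragment[key] = values[key]
    if "state" in values:
        (code_dest if want_code else fragment)["state"] = values["state"]
    parts = urlsplit(redirect_uri)
    q = parts.query
    if query:
        # Preserve any query string the client pre-registered on its redirect URI.
        q = (q + "&" if q else "") + urlencode(query)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, q, urlencode(fragment)))


def server_visible(uri):
    """Parameters that reach the client's web server on the redirect request.

    Browsers never transmit the fragment, so only the query component shows up
    in access logs, reverse proxies and any Referer header the callback page
    leaks; this is the check that tells you where an access token can end up.
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
```

Under the split placement the code and state are server-visible while the token is not; under option #2 nothing from a token-bearing response reaches the server at all.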