[OAUTH-WG] FW: draft-ietf-oauth-device-flow: url with code

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 01 March 2017 00:24 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: "oauth@ietf.org" <oauth@ietf.org>, William Denniss <wdenniss@google.com>, "mbj@microsoft.com" <mbj@microsoft.com>, "ve7jtb@ve7jtb.com" <ve7jtb@ve7jtb.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>
Thread-Topic: draft-ietf-oauth-device-flow: url with code
Date: Wed, 01 Mar 2017 00:23:51 +0000
Message-ID: <SYXPR01MB16152987001DF96C3660FD6DE5290@SYXPR01MB1615.ausprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/epSU1irDiaNX5J1HrW6MEaIH_mw>
Subject: [OAUTH-WG] FW: draft-ietf-oauth-device-flow: url with code

Resending; not sure that the OAuth email list is working at the moment.

From: Manger, James
Sent: Tuesday, 28 February 2017 9:53 AM
To: oauth@ietf.org
Subject: draft-ietf-oauth-device-flow: url with code

How about combining the verification_uri and user_code?

The Device Flow provides a verification_uri and user_code, both of which have to be copied to a web browser on, say, a mobile phone. The main model in this draft is that the user copies the uri, then the resulting web page prompts for the code. The draft also mentions other possibilities such as Bluetooth to do the “copying”. Transmitting a URI via Bluetooth, or NFC, or QR code, is quite common. In such cases it would be nicer to transmit the user_code as part of the URI.

Perhaps both modes could be supported by saying the user_code can be included as a query parameter on the verification_uri when it is more convenient for a device to transmit a single URI. Authorization Servers MUST accept this. The choice is to use user_code as the complete query string (e.g. https://example.com/device?wdjb-mjht) or specify a “code” parameter name (e.g. https://example.com/device?code=wdjb-mjht).


Recommending case-insensitive, punctuation-ignoring alphabetic codes is good, but how does a user know this is the case for a particular code? Perhaps the advice needs to be to use a “fancy” input field with JavaScript to convert to uppercase as the user types and handle punctuation?


[§6.1] The example user code “WDJB-MJHT” doesn’t have “24^8 bits of entropy”, but “log2(24 ^ 8) = 36.7 bits of entropy”.

--
James Manger
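The three points raised in the message above (carrying the user_code inside the verification_uri in either query form, normalising a case-insensitive punctuation-ignoring code on the server side, and the entropy arithmetic for an 8-symbol code over a 24-symbol alphabet) as one added Python sketch; this is illustration written for this page, not code from the draft or from the poster. The 24-letter alphabet is a constructed placeholder chosen only so that the "24^8" figure and the sample code "WDJB-MJHT" both fit; the real alphabet is whatever the draft specifies.

```python
import math
import string
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed placeholder alphabet: 24 symbols so the "24^8" figure above
# applies, and it happens to contain every letter of "WDJB-MJHT".
USER_CODE_ALPHABET = string.ascii_uppercase[:24]
USER_CODE_LENGTH = 8


def normalize_user_code(raw, alphabet=USER_CODE_ALPHABET, length=USER_CODE_LENGTH):
    """Server-side form of the case-insensitive, punctuation-ignoring rule:
    uppercase, drop anything that is not a letter, then enforce the alphabet
    and length. Returns None so callers can tell 'malformed' from 'unknown'."""
    cleaned = "".join(ch for ch in raw.upper() if ch.isalpha())
    if len(cleaned) != length or any(ch not in alphabet for ch in cleaned):
        return None
    return cleaned


def build_verification_uri(base, user_code, param=None):
    """Embed the user_code in the verification_uri for single-URI transports
    (QR, NFC, Bluetooth): bare query string, or a named parameter if given."""
    query = urlencode({param: user_code}) if param else user_code
    return f"{base}?{query}"


def extract_user_code(uri, param="code"):
    """Accept both query forms. No query string means 'prompt for the code'.
    The value is normalised, so the caller only ever sees canonical codes."""
    query = urlsplit(uri).query
    if not query:
        return None
    params = parse_qs(query, keep_blank_values=True)
    if param in params:  # https://example.com/device?code=wdjb-mjht
        raw = params[param][0]
    else:                # https://example.com/device?wdjb-mjht
        raw = query
    return normalize_user_code(raw)


def user_code_entropy_bits(alphabet_size=len(USER_CODE_ALPHABET), length=USER_CODE_LENGTH):
    """Entropy of a uniformly random code: log2(alphabet_size ** length),
    which is length * log2(alphabet_size), not alphabet_size ** length."""
    return length * math.log2(alphabet_size)
```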


On Mon, Feb 27, 2017 at 9:46 AM, <internet-drafts@ietf.org> wrote:
        Title           : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
        Filename        : draft-ietf-oauth-device-flow-04.txt

Abstract:
   This OAuth 2.0 authorization flow for browserless and input
   constrained devices, often referred to as the device flow, enables
   OAuth clients to request user authorization from devices that have an
   Internet connection, but don't have an easy input method (such as a
   smart TV, media console, picture frame, or printer), or lack a
   suitable browser for a more traditional OAuth flow.  This
   authorization flow instructs the user to perform the authorization
   request on a secondary device, such as a smartphone.  There is no
   requirement for communication between the constrained device and the
   user's secondary device.

https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04