[OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00

Lisa Dusseault <lisa@rtfm.com> Fri, 26 July 2024 17:10 UTC

Return-Path: <lisa.dusseault@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F47EC14F73E for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2024 10:10:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.653
X-Spam-Level:
X-Spam-Status: No, score=-1.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6WABwNFSEKt for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0990C14F738 for <oauth@ietf.org>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id 5614622812f47-3db22c02a42so112526b6e.3 for <oauth@ietf.org>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail-com.20230601.gappssmtp.com; s=20230601; t=1722013846; x=1722618646; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8gS4sa/5YQS05PQSaMmmOr5oXdGA7jbpd9JRG/OmEVI=; b=bglAMTb+6TTLWKDmx1zFicOaNbSCKgsyopGnUX0bm8yBJGfUH5YrkcDrKLUSGZUFfw FkGnpLctC6c+IytsjajSKaxav8QmGR7ROJeadWk6n+ApS1Fd14fwjcAogoDh8XEZ6nu8 hBGjgg52Fj1z8SSy962CpUAdhb6JmeAj2ZejtssVuS9qP+QsqcNaT3CwNekeJPyralpY xNDGzpzr8Mr5cFtNDwjVxAfDOUeucQaztl1h4AI91KOVX6Tjc3zXRFG87K9w7M+hJO4O 3v42FClsXcY1APxUDiW/flCayA5xqOU1r+9th5V+HaxvMRD0Z+7Hz9pB0q/qaNdH+eL3 doBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722013846; x=1722618646; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8gS4sa/5YQS05PQSaMmmOr5oXdGA7jbpd9JRG/OmEVI=; b=jh7SCphgijP2hx19zHkXdJW0waMXFY9h11UcTjFUWb8muCZF2uisTpfxu8maL60yRd rzICH+14cibKj06tvXWcG50SNLcAlka/War+HlTSbrz57aOPPCRGhxSH4Q3iRapVmxcP Zmt3nAhqryeB4F3ScJMqtFTJX17wbDYJ3nhLl5MV/o5pjO5KR9eUAlcnyoazH+9aB26c 1mN8/7vb4rMgs9gOr3WV9MKtM8QSdwNRIJn5OY60zuPIj6XUGn2ujkgS0Nq3VSAuUlKY V1uAIrbfQ3lUC7op1UszDdlbLE2vPqotePo2uMK0StVgcN/EhBPTCQZiRoY+C++oK9s9 cIkg==
X-Forwarded-Encrypted: i=1; AJvYcCWr7vne7MKTipCnoAc8XxdtZJ6gReUETYVu6AzG97kAq/rxyO7Riu0iusajQLzRkqNuq9uilNLtlN4vzU86Zg==
X-Gm-Message-State: AOJu0YxNuaVnD7jC3aUBu0WZi0MA177OwB7FWpaIQHek17cI02Tjrs1n eqRs0JmZZAu6+9rHXVUXtYDUyrGGqj8kqYZHXtM1ZH/5Kiio4HVolE1nXWBj+OHrVGBnuXLErQU tnCuJ3dSRd22JFcoCiY2C/Dtu3WqC/wj7
X-Google-Smtp-Source: AGHT+IFdkx/zfbNjfAVsxVxBeblGI6lT3dERv9CSLEYdPSUYziqt52lwD5urqkDG86XHpGFJ40q04ekIRuut2Ng0CFA=
X-Received: by 2002:a05:6358:6f04:b0:1a2:59e:e887 with SMTP id e5c5f4694b2df-1adba41b600mr48586855d.7.1722013845763; Fri, 26 Jul 2024 10:10:45 -0700 (PDT)
MIME-Version: 1.0
References: <9fcdd58c-3d20-4c2c-a1db-1a3894b66053@dogfoodapp.fastmail.com> <0624AC87-176B-49C9-B80D-C8466094FE37@brandedcode.com>
In-Reply-To: <0624AC87-176B-49C9-B80D-C8466094FE37@brandedcode.com>
From: Lisa Dusseault <lisa@rtfm.com>
Date: Fri, 26 Jul 2024 10:10:34 -0700
Message-ID: <CAEi+uC49tW1faEO9PHvw3TCgRxqnpDTJbj6VtmL=OrFHQ2dLvQ@mail.gmail.com>
To: Emelia Smith <emelia=40brandedcode.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000093419f061e2997be"
Message-ID-Hash: D7CIZJ7Z3OR254WXL7OOLT3VR335IZPC
X-Message-ID-Hash: D7CIZJ7Z3OR254WXL7OOLT3VR335IZPC
X-MailFrom: lisa.dusseault@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Neil Jenkins <neilj=40fastmailteam.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ewlhhwx21JYvnR1AdMfe1N0vHAU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Yes, and:  protocol names should be part of the scope names, but I can
imagine so many use cases for finer-grained access.  Many clients might
want read-only access to something like calendar or email data, and the
user might find it safer to grant read-only access than full access. As
always, there's a tradeoff between options and complexity!

The OAuth resource metadata approach does not work for feature
advertisement in the non-HTTP server use cases.  There are still mail
servers that don't support HTTP!  CalDAV, however, it would work fine for.

Lisa

On Thu, Jul 25, 2024 at 11:18 PM Emelia Smith <emelia=
40brandedcode.com@dmarc.ietf.org> wrote:

> Hi Neil,
>
> I mentioned in the zulip chat that I rather like the idea of using
> protocol names as scopes, but that maybe you'd want them to be finer
> grained.
>
> On second pass, I'm wondering if it'd make sense to expose a list of
> supported resources & protocols for the authorization server, not just
> relying on scopes?
>
> Maybe through using Protected Resources Metadata?
> https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-07.html
>
> Yours,
> Emelia
>
> On 26. Jul 2024, at 07:48, Neil Jenkins <neilj=
> 40fastmailteam.com@dmarc.ietf.org> wrote:
>
> 
> Hi George,
>
> Thanks for the feedback.
>
> Section 1.1
> * is there a reason that only email address based login identifiers are
> supported? It seems like this profile could be used for other use cases as
> well.
>
>
> No, this should just be username. (It is of course likely to be an email
> address, but you're right: there's no reason it has to be for the purposes
> of this document.)
>
> Section 1.2
> * I would recommend this document be more generic and then a specific
> profile for say IMAP can be defined that then also defines the scopes
> required for use with an IMAP server.
> * This document can just say that scopes required are out of scope (pun
> intended)
>
>
> As mentioned at the IETF meeting this week, it's definitely an open
> question whether scopes should be part of this document or a separate one.
> I can certainly see an advantage to leaving it out of this profile and then
> having another document that pulls it all together (referencing an
> autodiscovery RFC, OAuth profile RFC, and listing the scopes).
>
> Section 2.1
> * Recommend changing the last sentence to... The rest of this document
> describes in detail each of the above steps.
>
>
> Sure, that reads better.
>
> Section 2.2
> * I recognize that Security Considerations will be filled out in a future
> version. A topic that needs to be present is the potential implications of
> proceeding with the flow when not all the required metadata fields are
> present. I suspect most authorization servers do not have a
> 'registration_endpoint' URL in their metadata configuration :)
>
>
> If the server's metadata doesn't conform to this profile, then clients
> supporting the profile are likely to abort. The point of this profile is to
> say "if you implement this as a client you will be able to authenticate
> with any server that implements this" and vice versa. If you don't
> implement it, you're not following the profile, and there is no
> interoperability guaranteed.
>
> * Can you clarify why the 'token_endpoint_auth_methods_supported' MUST
> include "none"? If the client is dynamically registering, then it can
> receive it's own instance specific client_id and client_secret which allows
> it to authenticate to the token endpoint. Not requiring client
> authentication seems dangerous.
> * Similar comment for 'revocation_endpoint_auth_methods_supported'
>
>
> We made this none, because the RFC7591
> <https://www.rfc-editor.org/rfc/rfc7591> refers to the client secret as
> only "used by confidential clients", which open native clients running on
> the user's machine are not. I guess my main question is what does this gain
> us? I would rather reduce options wherever possible to increase
> interoperability and security while keeping complexity to a minimum. If we
> presume there is no security difference in how the client stores the
> refresh token and any client secret, what does the client secret add in
> this case?
>
> Section 2.3
> * I do not think the developer should be able to do the registration.
> Instead, this should be required to be completed by the client. This will
> be the expectation of the Authorization Server if it supports Dynamic
> Client Registration.
>
>
> Agreed.
>
> * There are security implication with using a custom scheme. Best practice
> for mobile apps is to use claimed URIs rather than custom schemes. If
> custom schemes are the only option in certain cases the risk need to be
> clearly called out in the Security Considerations section.
>
>
> This profile is intended for native apps only, which is enforced by only
> allowing localhost or private-use schemes for the redirect_uri. Being
> able to dynamically register like this to do the OAuth flow would make it
> too easy for a phishing site to get the user to grant them access to their
> mail/contacts/calendars etc. — with a native app, it could already fake a
> browser window and phish the user undetectably, so we're not making the
> security situation worse. If the user's downloaded something malicious,
> they've already lost.
>
> * I'm strongly against allowing the 'token_endpoint_auth_method' to be
> "none". There is no reason that the default of 'client_secret_basic' can't
> be used (as far as I understand the profile). I recommend that the
> registration response from the Authorization Server also include a
> 'client_secret'. The client can then store the secret appropriately on the
> device. This secret is instance specific and hence the device must be
> compromised to extract that secret and impersonate the user.
>
> Section 2.5
> * I believe the client should authenticate itself via some mechanism and
> not just present the client_id
>
>
> As above, I'm happy to change this if there's a security advantage. I'm
> just trying to understand why the client would be able to store the client
> secret securely but not the refresh token (which is also needed to
> impersonate the user). And if it can store both the same, how the client
> secret adds any extra security?
>
> Cheers,
> Neil.
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>