[OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
Lisa Dusseault <lisa@rtfm.com> Fri, 26 July 2024 17:10 UTC
Return-Path: <lisa.dusseault@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F47EC14F73E for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2024 10:10:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.653
X-Spam-Level:
X-Spam-Status: No, score=-1.653 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6WABwNFSEKt for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0990C14F738 for <oauth@ietf.org>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id 5614622812f47-3db22c02a42so112526b6e.3 for <oauth@ietf.org>; Fri, 26 Jul 2024 10:10:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail-com.20230601.gappssmtp.com; s=20230601; t=1722013846; x=1722618646; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8gS4sa/5YQS05PQSaMmmOr5oXdGA7jbpd9JRG/OmEVI=; b=bglAMTb+6TTLWKDmx1zFicOaNbSCKgsyopGnUX0bm8yBJGfUH5YrkcDrKLUSGZUFfw FkGnpLctC6c+IytsjajSKaxav8QmGR7ROJeadWk6n+ApS1Fd14fwjcAogoDh8XEZ6nu8 hBGjgg52Fj1z8SSy962CpUAdhb6JmeAj2ZejtssVuS9qP+QsqcNaT3CwNekeJPyralpY xNDGzpzr8Mr5cFtNDwjVxAfDOUeucQaztl1h4AI91KOVX6Tjc3zXRFG87K9w7M+hJO4O 3v42FClsXcY1APxUDiW/flCayA5xqOU1r+9th5V+HaxvMRD0Z+7Hz9pB0q/qaNdH+eL3 doBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722013846; x=1722618646; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8gS4sa/5YQS05PQSaMmmOr5oXdGA7jbpd9JRG/OmEVI=; b=jh7SCphgijP2hx19zHkXdJW0waMXFY9h11UcTjFUWb8muCZF2uisTpfxu8maL60yRd rzICH+14cibKj06tvXWcG50SNLcAlka/War+HlTSbrz57aOPPCRGhxSH4Q3iRapVmxcP Zmt3nAhqryeB4F3ScJMqtFTJX17wbDYJ3nhLl5MV/o5pjO5KR9eUAlcnyoazH+9aB26c 1mN8/7vb4rMgs9gOr3WV9MKtM8QSdwNRIJn5OY60zuPIj6XUGn2ujkgS0Nq3VSAuUlKY V1uAIrbfQ3lUC7op1UszDdlbLE2vPqotePo2uMK0StVgcN/EhBPTCQZiRoY+C++oK9s9 cIkg==
X-Forwarded-Encrypted: i=1; AJvYcCWr7vne7MKTipCnoAc8XxdtZJ6gReUETYVu6AzG97kAq/rxyO7Riu0iusajQLzRkqNuq9uilNLtlN4vzU86Zg==
X-Gm-Message-State: AOJu0YxNuaVnD7jC3aUBu0WZi0MA177OwB7FWpaIQHek17cI02Tjrs1n eqRs0JmZZAu6+9rHXVUXtYDUyrGGqj8kqYZHXtM1ZH/5Kiio4HVolE1nXWBj+OHrVGBnuXLErQU tnCuJ3dSRd22JFcoCiY2C/Dtu3WqC/wj7
X-Google-Smtp-Source: AGHT+IFdkx/zfbNjfAVsxVxBeblGI6lT3dERv9CSLEYdPSUYziqt52lwD5urqkDG86XHpGFJ40q04ekIRuut2Ng0CFA=
X-Received: by 2002:a05:6358:6f04:b0:1a2:59e:e887 with SMTP id e5c5f4694b2df-1adba41b600mr48586855d.7.1722013845763; Fri, 26 Jul 2024 10:10:45 -0700 (PDT)
MIME-Version: 1.0
References: <9fcdd58c-3d20-4c2c-a1db-1a3894b66053@dogfoodapp.fastmail.com> <0624AC87-176B-49C9-B80D-C8466094FE37@brandedcode.com>
In-Reply-To: <0624AC87-176B-49C9-B80D-C8466094FE37@brandedcode.com>
From: Lisa Dusseault <lisa@rtfm.com>
Date: Fri, 26 Jul 2024 10:10:34 -0700
Message-ID: <CAEi+uC49tW1faEO9PHvw3TCgRxqnpDTJbj6VtmL=OrFHQ2dLvQ@mail.gmail.com>
To: Emelia Smith <emelia=40brandedcode.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000093419f061e2997be"
Message-ID-Hash: D7CIZJ7Z3OR254WXL7OOLT3VR335IZPC
X-Message-ID-Hash: D7CIZJ7Z3OR254WXL7OOLT3VR335IZPC
X-MailFrom: lisa.dusseault@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Neil Jenkins <neilj=40fastmailteam.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ewlhhwx21JYvnR1AdMfe1N0vHAU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Yes, and: protocol names should be part of the scope names, but I can imagine so many use cases for finer-grained access. Many clients might want read-only access to something like calendar or email data, and the user might find it safer to grant read-only access than full access. As always, there's a tradeoff between options and complexity! The OAuth resource metadata approach does not work for feature advertisement in the non-HTTP server use cases. There are still mail servers that don't support HTTP! CalDAV, however, it would work fine for. Lisa On Thu, Jul 25, 2024 at 11:18 PM Emelia Smith <emelia= 40brandedcode.com@dmarc.ietf.org> wrote: > Hi Neil, > > I mentioned in the zulip chat that I rather like the idea of using > protocol names as scopes, but that maybe you'd want them to be finer > grained. > > On second pass, I'm wondering if it'd make sense to expose a list of > supported resources & protocols for the authorization server, not just > relying on scopes? > > Maybe through using Protected Resources Metadata? > https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-07.html > > Yours, > Emelia > > On 26. Jul 2024, at 07:48, Neil Jenkins <neilj= > 40fastmailteam.com@dmarc.ietf.org> wrote: > > > Hi George, > > Thanks for the feedback. > > Section 1.1 > * is there a reason that only email address based login identifiers are > supported? It seems like this profile could be used for other use cases as > well. > > > No, this should just be username. (It is of course likely to be an email > address, but you're right: there's no reason it has to be for the purposes > of this document.) > > Section 1.2 > * I would recommend this document be more generic and then a specific > profile for say IMAP can be defined that then also defines the scopes > required for use with an IMAP server. > * This document can just say that scopes required are out of scope (pun > intended) > > > As mentioned at the IETF meeting this week, it's definitely an open > question whether scopes should be part of this document or a separate one. > I can certainly see an advantage to leaving it out of this profile and then > having another document that pulls it all together (referencing an > autodiscovery RFC, OAuth profile RFC, and listing the scopes). > > Section 2.1 > * Recommend changing the last sentence to... The rest of this document > describes in detail each of the above steps. > > > Sure, that reads better. > > Section 2.2 > * I recognize that Security Considerations will be filled out in a future > version. A topic that needs to be present is the potential implications of > proceeding with the flow when not all the required metadata fields are > present. I suspect most authorization servers do not have a > 'registration_endpoint' URL in their metadata configuration :) > > > If the server's metadata doesn't conform to this profile, then clients > supporting the profile are likely to abort. The point of this profile is to > say "if you implement this as a client you will be able to authenticate > with any server that implements this" and vice versa. If you don't > implement it, you're not following the profile, and there is no > interoperability guaranteed. > > * Can you clarify why the 'token_endpoint_auth_methods_supported' MUST > include "none"? If the client is dynamically registering, then it can > receive it's own instance specific client_id and client_secret which allows > it to authenticate to the token endpoint. Not requiring client > authentication seems dangerous. > * Similar comment for 'revocation_endpoint_auth_methods_supported' > > > We made this none, because the RFC7591 > <https://www.rfc-editor.org/rfc/rfc7591> refers to the client secret as > only "used by confidential clients", which open native clients running on > the user's machine are not. I guess my main question is what does this gain > us? I would rather reduce options wherever possible to increase > interoperability and security while keeping complexity to a minimum. If we > presume there is no security difference in how the client stores the > refresh token and any client secret, what does the client secret add in > this case? > > Section 2.3 > * I do not think the developer should be able to do the registration. > Instead, this should be required to be completed by the client. This will > be the expectation of the Authorization Server if it supports Dynamic > Client Registration. > > > Agreed. > > * There are security implication with using a custom scheme. Best practice > for mobile apps is to use claimed URIs rather than custom schemes. If > custom schemes are the only option in certain cases the risk need to be > clearly called out in the Security Considerations section. > > > This profile is intended for native apps only, which is enforced by only > allowing localhost or private-use schemes for the redirect_uri. Being > able to dynamically register like this to do the OAuth flow would make it > too easy for a phishing site to get the user to grant them access to their > mail/contacts/calendars etc. — with a native app, it could already fake a > browser window and phish the user undetectably, so we're not making the > security situation worse. If the user's downloaded something malicious, > they've already lost. > > * I'm strongly against allowing the 'token_endpoint_auth_method' to be > "none". There is no reason that the default of 'client_secret_basic' can't > be used (as far as I understand the profile). I recommend that the > registration response from the Authorization Server also include a > 'client_secret'. The client can then store the secret appropriately on the > device. This secret is instance specific and hence the device must be > compromised to extract that secret and impersonate the user. > > Section 2.5 > * I believe the client should authenticate itself via some mechanism and > not just present the client_id > > > As above, I'm happy to change this if there's a security advantage. I'm > just trying to understand why the client would be able to store the client > secret securely but not the refresh token (which is also needed to > impersonate the user). And if it can store both the same, how the client > secret adds any extra security? > > Cheers, > Neil. > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] Feedback on draft-jenkins-oauth-public… George Fletcher
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Neil Jenkins
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Emelia Smith
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Lisa Dusseault