Re: [OAUTH-WG] Review of Device Flow Draft

Justin Richer <> Thu, 20 July 2017 19:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D9937129B61 for <>; Thu, 20 Jul 2017 12:23:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sPwsnBiQRxXY for <>; Thu, 20 Jul 2017 12:23:25 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4539112009C for <>; Thu, 20 Jul 2017 12:23:25 -0700 (PDT)
X-AuditID: 1209190f-ec3ff700000053a9-35-5971032a6db8
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id F2.97.21417.A2301795; Thu, 20 Jul 2017 15:23:24 -0400 (EDT)
Received: from (OUTGOING-AUTH-1.MIT.EDU []) by (8.13.8/8.9.2) with ESMTP id v6KJNLnG021345; Thu, 20 Jul 2017 15:23:22 -0400
Received: from artemisia.richer.local ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id v6KJNJiJ013629 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 20 Jul 2017 15:23:20 -0400
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CBFE5C87-06EC-4B29-8ABF-D596525A4BEC"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 20 Jul 2017 15:23:19 -0400
In-Reply-To: <>
Cc: "<>" <>
To: William Denniss <>
References: <> <>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCKsWRmVeSWpSXmKPExsUixCmqrKvDXBhp8GUfo8XJt6/YLDbNaWZ3 YPJYsKnUY8mSn0wBTFFcNimpOZllqUX6dglcGUt+TWIteNnJWLFl8WfWBsYlJV2MHBwSAiYS /fcduhi5OIQEFjNJPNz2jQnC2cgocXz/Z0YI5yGTRNOkw2xdjJwcbAKqEtPXtDCB2LwCVhKn l/5kBLGZBZIkts54yQgylVdAX6L3OZgpLGAs8X5mGkgFC1Bn38zbYNWcAoESPVOnsIKUMAuo S7SfdAEJiwhoSrw8e4AFxBYSaGSU2PBSGsSWEJCVuDX7EvMERv5ZSHbNQtgFEdaWWLbwNTOE rSmxv3s5C6a4hkTnt4msCxjZVjHKpuRW6eYmZuYUpybrFicn5uWlFuma6OVmluilppRuYgQH tCT/DsY5Dd6HGAU4GJV4eBnWFUQKsSaWFVfmHmKU5GBSEuVlCQQK8SXlp1RmJBZnxBeV5qQW H2KU4GBWEuE9/RUox5uSWFmVWpQPk5LmYFES5xXXaIwQEkhPLEnNTk0tSC2CycpwcChJ8JYx FUYKCRalpqdWpGXmlCCkmTg4QYbzAA3/AFLDW1yQmFucmQ6RP8XoyrGgZ8MXJo5NM35+Y+J4 NeE/kDz0+8R3Jo5jIFKIJS8/L1VKnLebEahZAKQ5ozQPbj4ocSW8PWz6ilEc6F1h3mcgVTzA pAe34RXQciag5Y/cQD4rLklESEk1MJrcjb4gOu2x/D2zz9M7G90y3TyZTLjOCCrW/+KfwHnH UH9u/ZyGAKGtzdWu6z7zFyX6FTgyaVmW9t/8/JyV3cNyzZTvl47McZq94JJinK15Z/oT7y99 OYvNfh3ZKNY6+/STB8xFZRq1Xx/s/yDL9vbHmh3bVDUvNE5zssrd8iL8TfryzizNH0osxRmJ hlrMRcWJADKAyyM3AwAA
Archived-At: <>
Subject: Re: [OAUTH-WG] Review of Device Flow Draft
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Jul 2017 19:23:28 -0000


> On Jul 20, 2017, at 1:54 PM, William Denniss <> wrote:
> Thank you for the review Justin.
> - §3.3¶3 as mentioned above, the polling could be continuous (timer-based) or in reaction to a user action at the device. There are no protocol differences and the AS shouldn’t do try and inform the user, but we can at least mention that in our description of polling.
> +1 and I will highlight this in the IETF99 review.

Sounds good!

> - §3.3.1 I still think this optimized all-in-one URI should be a separate parameter from the AS so as not to conflate it with the “plain” verification URI.
> This would allow for all-in-one URLs that differ significantly from the current composite ones, is that why you're suggesting this?  (if so: to solve what use-case?)
> What benefits do you see in this alternative approach?
> I think generally it's seen as bad form to repeat information, so keen to here why you think this is the case.

The benefit is that each item of data is good for exactly one thing. One is something the user needs to go and interact with and type the code, one is where the user doesn’t need to type the code. Right now there’s no way to tell them apart. Imagine if you’ve got a simple device that displays the URI and code to the user, like the set-top-box case. It tells the user: “Go to <> and type in CODE-HERE”. So the user types in the longer URL and isn’t prompted to enter the code that they were told they’d have to enter. Did it work like it was supposed to even though the instructions didn’t line up with how the AS (correctly) processed things? I just see it leading to confusion where you’ve got one client that assumes it’s baked in and one server that assumes it’s not, or vice versa, leading to interop issues that could be easily avoided.

> Are you dialing in to the WG meeting tomorrow?

Yes, I’ll be dialing in. 3:30am my time so I can’t guarantee how chatty I’ll be, but I’ll be on. :)

> Other than those two topics, the rest seem pretty uncontentious, I will review and action as appropriate before the next draft. Please call out any other items in this list that you feel warrant group discussion at IETF99.

Sounds good — overall it’s a very solid draft. 

 — Justin

> On Thu, Jul 6, 2017 at 7:48 PM, Justin Richer < <>> wrote:
> Finally had a chance to review the device flow draft in earnest. Overall it’s really great, and we’ve implemented it in a few places (see my recent post on one interesting use case). Just a few notes:
> - use of “flow” has largely been replaced by “authorization grant” in other documents and we should be consistent here
> - use of “end-user” has been replaced by “resource owner” in other documents and we should be consistent here
> - “input constrained” should be “input-constrained” as used in the title, abstract, and introduction.
> - §1¶3 could be rewritten to a bulleted list of requirements instead for readability
> - §1¶4 could add something to address recent discussion on the list: “While this polling is usually automatic and repeated on a regularly timed basis, the client could poll based on user action with the device such as a button press.”
> - §1 diagram (D) should state that the user is prompted to enter the user code given in (C) and that the user does so — leaving it out is an optimization (see below) and the likely exception
> - §2 should probably be §1.1, or move the protocol flow to §1.1 and make §2 into §1.2
> - §2 should import all terms used from 6749/6750 explicitly
> - §2 should we define “secondary device” once at the top instead of the parenthetical definition used throughout?
> - §3.1¶1 Wording is awkward with double “by” phrases, suggest: “The client initiates the authorization grant request by making an HTTP POST request to the device authorization endpoint.”
> - §3.2 add xref to JSON (7159), response is a JSON object with the following members (not parameters)
> - §3.2 is there any requirement for the verification_uri to be over HTTPS? I can’t see any discussion of this anywhere and it should probably at least be in the security considerations, if not an outright requirement. We say that authentication is done in a tls-protected session in §3.3 but we don’t say anything about the actual URL or the page in which the user enters the code.
> - §3.3¶3 as mentioned above, the polling could be continuous (timer-based) or in reaction to a user action at the device. There are no protocol differences and the AS shouldn’t do try and inform the user, but we can at least mention that in our description of polling.
> - §3.3.1 I still think this optimized all-in-one URI should be a separate parameter from the AS so as not to conflate it with the “plain” verification URI.
> - §3.4¶3 instead of “based on the error code in the response” perhaps “until the authorization server indicates the device code has expired or was cancelled.” — I’m less sure about the wording here but as written it feels awkward.
> - §3.5 I agree with the point made on the list about the error code, “access_denied” would fit this bill but right now it’s only specified on authorization endpoint response, so let’s add its use to the token response here
> - §3.5¶4 says to return “invalid_grant” if the codes are expired, but in the same section it says to use “expired_code”.
> - §3.5¶5 the interval between polls SHOULD be at least the “interval” value. Also, it MUST be greater than zero … William …
> - §5.2 “user’s session and device”, use of “device” here is confusing since this is the “device” flow. Maybe explicitly call out this as the “secondary device”
> - §5.5 extra “or” in list in final sentence
>  — Justin
> _______________________________________________
> OAuth mailing list
> <>
> <>