Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
Evan Gilbert <uidude@google.com> Wed, 21 April 2010 00:45 UTC
Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8DAB3A67E3 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 17:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.989
X-Spam-Level:
X-Spam-Status: No, score=-104.989 tagged_above=-999 required=5 tests=[AWL=-0.502, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxJTWtFDHIhQ for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 17:45:47 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 77DB73A67D4 for <oauth@ietf.org>; Tue, 20 Apr 2010 17:45:47 -0700 (PDT)
Received: from wpaz24.hot.corp.google.com (wpaz24.hot.corp.google.com [172.24.198.88]) by smtp-out.google.com with ESMTP id o3L0jXwV010883 for <oauth@ietf.org>; Tue, 20 Apr 2010 17:45:33 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1271810733; bh=L4jsO8CzuYLRxTFyUD0Eez+ja+g=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=DXU7gq0mr4j331wMz073R+XgQSs6mOb+KrPBBVQidChvBIgrV+xSvwksVi9l/s068 YeIhLdBM6CWJZrILDtalQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=EY8KZ2oBGZ0rdfLOjmRfg3cyFzS+GAjWqvVTIJCnh9c4IXCEcCICHtl96B2qLOuAt NRCLKsY7no+8yyIk/gnig==
Received: from yxe41 (yxe41.prod.google.com [10.190.2.41]) by wpaz24.hot.corp.google.com with ESMTP id o3L0iwtG002455 for <oauth@ietf.org>; Tue, 20 Apr 2010 17:45:32 -0700
Received: by yxe41 with SMTP id 41so4414882yxe.14 for <oauth@ietf.org>; Tue, 20 Apr 2010 17:45:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.150.179.14 with HTTP; Tue, 20 Apr 2010 17:45:10 -0700 (PDT)
In-Reply-To: <4BCE071E.5030008@lodderstedt.net>
References: <4BCE071E.5030008@lodderstedt.net>
From: Evan Gilbert <uidude@google.com>
Date: Tue, 20 Apr 2010 17:45:10 -0700
Received: by 10.151.20.11 with SMTP id x11mr7685194ybi.216.1271810730468; Tue, 20 Apr 2010 17:45:30 -0700 (PDT)
Message-ID: <q2oc8689b661004201745wbf45d637w6c224d09513e7be2@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="000e0cd4b11acff1c90484b4820d"
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2010 00:45:49 -0000
On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Hi all, > > I would like to propose an additional variant of the Web Server Flow w/o > the need for direct communication between client and authorization server in > order to obtain authorized access/refresh tokens. Instead access and refresh > tokens should directly be send back with the redirect to the client as it is > the case in the User-Agent Flow. > Question (and sorry if I'm being dense) - what is the delta between Web Server flow + verification_code=false and User-Agent flow? > > As a major advantage the authorization server can be stateless with respect > to authorization transaction data because there is no need to hold such data > until the client obtains the tokens from the authorization server (callback, > client, verification code, identity and so on). This simplifies the > cluster/loadbalancing/fail-over architecture of the authorization server. > Moreover, the load on the authz server should be reduced and the client > saves the roundtrip time of the second call. This is even more important if > clients extensively use the new "immediate" parameter to implement a SSO > alike behavior and use this flow very often. > > The pattern proposed can be found in SAML and is very similar to the OpenId > authentication process. > > Proposal: Add an optional parameter "verification_code" to the request > (section 3.5.2.1.). > > verification_code > OPTIONAL. The parameter value must be set to "true" or "false" > (case sensitive). If set to "true" and the end user grants access, > the redirection URI includes a code the client uses to obtain > refresh and access token via a direct POST request. If set to > "false" and the end user grants access, the redirection URI includes > access and refresh token as well as the expires_in value in > query parameters. > Defaults to "true" if omitted. > > Security Considerations > > Threats: > A malicious client may pretend to be a legitimate client well-known to the > authorization server. It may attain an access token approved by the end user > and misuse it. > > Countermeasures: > I see two potential countermeasures: > a) The response is encrypted with the client_secret and thus can only be > decrypted by the legitmate client (similar to the way Kerberos handles such > things). > - The authorization process is not refused early > - requires an encrypted container as parameter > + identity theft is prevented > b) The request is signed (and thus authenticated) with an HMAC-256 based on > the client_secret. > + The inbound request can already be refused if a signature is missing or > invalid. > - token data are sent over the use agent in plaint text (which might be > acceptable since this are user data) > > Is there support for this proposal? > > regards, > Torsten. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Marius Scurtescu
- [OAUTH-WG] Variant of Web Server Flow w/o direct … Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt