Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

William Denniss <> Tue, 21 February 2017 20:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A3FD51297FE for <>; Tue, 21 Feb 2017 12:18:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Sn3ciNJeEFWS for <>; Tue, 21 Feb 2017 12:18:10 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CD8DC1296EE for <>; Tue, 21 Feb 2017 12:18:09 -0800 (PST)
Received: by with SMTP id b16so71943715qte.0 for <>; Tue, 21 Feb 2017 12:18:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=naigTecoKxeN5MtdqbThI6/KpaoayC5lX7YOSEnX0iA=; b=dvFZvyU6JVPfPYlKmTbVpJugPBaZATNRSL/GF0xQr5NESFg8QKnhp4RNtGKaG7EiHQ 5L/hhn9aWrKED/XN2iLicjzYSd9azN5TymZs3ZyksVUK+BVIif2BIEcxVw+GLYhyqJHJ IMGMT9Ix9YLso0vsBcV0ywkPuZeK+R7FzEWgDoABS+5lmNHvQIR660kyUAjptHWvF/uY fFTcVM4x4J+siiJs5txvpK1nNnpMYCSA7BVvgy0r5Rswm275ebLzfNqu3+0wYKd8u/av Agd97cCh3M92CoVT0K6hLakAHpZNsEqC/NvmQz00pnm+pcqH0HrLSuBeOZENz82TFY48 vbnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=naigTecoKxeN5MtdqbThI6/KpaoayC5lX7YOSEnX0iA=; b=ShiRnmsvW3dsZ/855z8V4C5m81VUPIFJ89YbFA/GDka1esA4NOWHGq8BT2MwCj92C9 IkjS33h6waCVjnoMa47DOJmyChljioqcy0qmcqD9KVGglHIkMmx7gE+JCqGmfHT2j5gc RlOTPa3gNcLeTIo20VF7RLK64shEAitOfrzxsu2oHVQH5vFFHEg+NQj/w2MK11sYNVUJ lXSPlyuzovxiY7CJ6o6wN/rSx6u99ncuv8GeGIkDUnvO3EW5tX9Ths7WD7EaaT2lwfOi 5+i40QWqZ4WfqK3TT/q4Qtw+2oSZDj3J8AOHvAmgge4heXNRjdUCtCmdMIdvhs9YQWV4 oJJA==
X-Gm-Message-State: AMke39mweO3C/fKXy1YF+EKn83Lxqg7HO7yyPrgosHw42JCv5OvtLM7EyFKALxyt8LWHRmlYdTxP43nd7j5RV3sR
X-Received: by with SMTP id 35mr25729479qtq.216.1487708288392; Tue, 21 Feb 2017 12:18:08 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Tue, 21 Feb 2017 12:17:47 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
From: William Denniss <>
Date: Tue, 21 Feb 2017 12:17:47 -0800
Message-ID: <>
To: Denis <>
Content-Type: multipart/alternative; boundary="001a114136da0fb30f0549101479"
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Feb 2017 20:18:12 -0000

The only real requirement in that section I guess is the use of PKCE
(8.2).  That requirement could be moved to the body of the doc, while
keeping the longer discussing around code interception in the security
considerations.  To me the remaining text are indeed security best
practices / clarifications.

Other OAuth WG RFCs have requirement level capitalization in the Security
Section like RFC7591. I always assumed these were best-practice security
requirements. But if the style is really not to do this, the requirement
level capitalization could be dropped from that section in the native apps

On Tue, Feb 21, 2017 at 12:50 AM, Denis <> wrote:

> I *don't thin**k* it's normal to have normative text in the Security
> Considerations, hence I support Samuel's position.
> Let us look at the first MUST from RFC 6749 in the Security Considerations
> section:
>    The authorization server *MUST *authenticate the client *whenever possible*.
> This sentence is incorrect. The right sentence should be :
>    The authorization server *should *authenticate the client whenever possible.
> RFC 6749 is not an example to follow.
> Denis
> I do think it's normal to have normative text in the Security
> Considerations.  RFC6749 has a lengthy Security Considerations section
> <> with a lot of normative
> text.
> Think of it this way: Sections 4 to 7 describe how to use native app URI
> schemes to perform OAuth flows from the app to browser and back. If you
> only read those sections, you could have a functioning (but potentially
> insecure) OAuth flow in a native app. The security section adds some
> security requirements and clarifications for implementing Sections 4-7,
> like using PKCE, and more.
> Reviewing sub-section by sub-section:
> 8.1 Definitely belongs here, as the the whole BCP is about native-app URI
> schemes, whereas doing OAuth in a WebView doesn't need those (as the client
> can just pluck out the code from any redirect URI)
> 8.2 Requires that servers who want to follow the native apps BCP support
> PKCE, and recommends that they reject requests from clients who don't.
> This *could* be in the main doc, but since PKCE is an existing thing, and
> is purely additive from a security perspective, I think this reference
> works fine. Originally I talked about PKCE more in the doc body, but some
> reviewers thought it was then a little duplicative of the PKCE doc itself.
> 8.3 This reads like classic security considerations to me, clarifying some
> details of 7.3
> 8.4 Part of this reads a little new-ish, regarding distinguishing native
> clients from web ones. But on review, I think could just be re-worded to
> reference RFC6749 Section 2.1.
> 8.5 This one belongs where it is since the body of the BCP is talking
> about the code flow.
> 8.6 Totally belongs.
> 8.7 to 8.11 belong IMO, they are security clarifications of long-standing
> topics.
> My methodology when reviewing this was: is the text introducing a new
> topic directly related to native apps or sections 4-7, or does it discuss
> an old security topic in the context of native apps, or add security
> related discussions of the content in 4-7. Of all those, I really only see
> a bit of new topic related to native apps in 8.4, and in actual fact it
> that sub-section should probably be reworded since RFC6749 already
> establishes the public client type, which native apps are and a reference
> would be more appropriate (which would reduce it to just clarifying an old
> topic).
> What do you think of this analysis? Do you have any specific sections or
> text you feel are better suited in the document body?  I will take an
> action item to revise section 8.4.
> On Mon, Feb 20, 2017 at 9:57 PM, Samuel Erdtman <> wrote:
>> Hi,
>> I just had a question on best practice. In this document a large part of
>> the normative text is located under Security Considerations.
>> I had previously seen Security Considerations as things to think about
>> when implementing not so much as MUSTs and MUST NOTs.
>> I think it is okay to have it this way but it surprised me a bit and
>> wanted to ask if there is any best practice for the Security Considerations
>> section saying what type of information it should include.
>> Best Regards
>> Samuel Erdtman
> _______________________________________________
> OAuth mailing listOAuth@ietf.org
> _______________________________________________
> OAuth mailing list