IETF Logo Mail Archive

Re: [OAUTH-WG] Client credentials for native applications: seeking clarification

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 21 October 2011 08:41 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C767621F8B19 for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2011 01:41:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, SARE_SUB_ENC_UTF8x2=0.246]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EsVS6YSM4hLI for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2011 01:41:31 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.27]) by ietfa.amsl.com (Postfix) with ESMTP id 659DE21F8B12 for <oauth@ietf.org>; Fri, 21 Oct 2011 01:41:30 -0700 (PDT)
Received: from [80.187.111.55] (helo=nothing) by smtprelay04.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1RHAfC-0001qa-4V; Fri, 21 Oct 2011 10:41:29 +0200
References: <CAFRu7dkSjEbMdb1Je5fnMiULZSP03frW5D8xh2zhS38=1O0s1g@mail.gmail.com>
User-Agent: K-9 Mail for Android
In-Reply-To: <CAFRu7dkSjEbMdb1Je5fnMiULZSP03frW5D8xh2zhS38=1O0s1g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----5TRU9CL84I9VMTTB1PTMLBELQF48SP"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Fri, 21 Oct 2011 10:38:40 +0200
To: Forest <tadaforest@gmail.com>, oauth@ietf.org
Message-ID: <fc863271-8a02-45de-958e-c3dba6757c39@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Subject: Re: [OAUTH-WG] Client credentials for native applications: seeking clarification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2011 08:41:32 -0000

Hi,

there is no contradiction. The subtle difference lays in the word "instance". Using secrets for a software package (and all of its installations) is useless and therefore not allowed. If you are able to issue a distinct id/secret pair to every installation of your app, this is fine. 

For a the complete rationale pls. take a look into http://tools.ietf.org/html/draft-lodderstedt-oauth-security/.

The question is whether you really want to authenticate the client or the user. For users, resource owner password is an option. I agree with you that the user experience is bad. You may consider to use another device (pc, smartphone) to perform the authorization flow. You may take a look onto the device flow proposal. Alternatively, you could utilize the code flow on the secondary device and ask the user to enter the code on the TV Set.

regards,
Torsten.




Forest <tadaforest@gmail.com> schrieb:

Hi there.

I've been considering OAuth 2 and its "client credentials" grant type
for use with applications that run on televisions and other consumer
devices. It is appealing mainly because it requires no built-in web
browser and no cumbersome data entry for the user. (Similar to the
Netflix device registration procedure.) However, I think I've run
into a snag.

Section 4.4 of draft-ietf-oauth-v2-22 says:
"The client credentials grant type MUST only be used by confidential clients."

Since Section 2.1 defines confidential clients as distinct from
"clients executing on the resource owner's device", I have the
impression that this forbids pretty much any device in the user's
possession from using client credentials. (Except perhaps the rare
gadget that embeds encrypted storage and physical safeguards against
key discovery.) I suppose this would mean OAuth 2 is unsuitable for
the task at hand.

However, Section 10.1 says:
"The authorization server MAY issue a client password or other
credentials for a specific installation of a native application client
on a specific device."

This seems to contradict Section 4.4, although if I understand it
correctly, it would allow me to use client credentials as I had hoped
without violating the spec. That's encouraging. Maybe I can use
OAuth 2 after all, so long as each installed instance of my
application gets its own credentials.

So, I could use some clarification on a few points:

1. Is that quote in Section 10.1 meant to be an exception to the one
in Section 4.4? If so, I would suggest rephrasing 4.4 to allow for
the exception and to make it easier for OAuth 2 implementors to
discover.

2. If it is not intended as an exception, meaning that apps running on
consumer devices are not to be issued client credentials, what is the
recommended alternative? Section 1.3.3 suggests resource owner
password credentials when "other authorization grant types are not
available", and using a "long-lived access token or refresh token". I
suppose this approach would enable OAuth on devices that have no web
browser, though it would create a usability problem by requiring users
to enter their credentials using awkward, frustrating input devices
(like 5-button remote controls). Perhaps more importantly, it begs
the question of how storing a long-lived token is any more secure than
storing client credentials. After all, both could grant access, both
could be revoked, and both could be exposed just as easily. Which
brings me to my third question:

3. From whom is a "confidential" client expected to keep its
credentials secret? From the resource owner? (I suppose this would
make sense for a server-side application trusted by many users, but it
makes little sense for a consumer device, since a user is unlikely to
give out his own device's credentials and could more easily give out
his own password.) From other applications running on the same
device? (This makes sense, but devices with sandboxed per-application
storage would seem to warrant an exception from the "clients executing
on the resource owner's device" generalization in Section 2.1.) From
the world at large? (If this is the only level of confidentiality
then I would think "clients executing on the resource owner's device"
would easily qualify as confidential.)

Thanks, all. I look forward to a better understanding of what is intended here.
_____________________________________________

OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email