[OAUTH-WG] Authorization server antipattern: not recording client type

M Hickford <mirth.hickford@gmail.com> Mon, 10 April 2023 10:09 UTC

From: M Hickford <mirth.hickford@gmail.com>
Date: Mon, 10 Apr 2023 11:08:37 +0100
Message-ID: <CAGJzqskos+=gcSqaD7FK4RyJXSgXM3pujJLF1LwtU9cp5uWWAA@mail.gmail.com>
To: oauth@ietf.org, draft-ietf-oauth-security-topics@ietf.org, draft-ietf-oauth-v2-1@ietf.org, draft-ietf-oauth-v2@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iJ6WAbJzHWiGmaFO-qAzg30B_28>

OAuth defines two client types, confidential and public.
https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

> The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials.  The authorization server SHOULD NOT make assumptions about the client type.

Yet I've come across multiple authorization servers that don't record
the client type during registration [1][2]. This is an antipattern.
Such servers typically assume all clients to be confidential,
neglecting security measures appropriate for public clients.

Is this authorization server antipattern worth discussing in
OAuth 2.0 Security Best Current Practice
(https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)?

The instruction is implicit but easy to miss in RFC 6749 because the
text puts the onus on the client developer rather than the
authorization server
https://datatracker.ietf.org/doc/html/rfc6749#section-2

> When registering a client, the client developer SHALL: specify the client type

Thankfully draft OAuth 2.1 is strong and unambiguous
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-registration-of-native-app-

> Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly

[1] screenshots of client registration with various authorization
servers https://imgur.com/a/GADt0MO
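The registration and token-endpoint logic below is an added example, not code from this message or from any of the authorization servers it refers to. It shows a client registry that records the RFC 6749 client type ("confidential" or "public") at registration, as the draft OAuth 2.1 text quoted above requires, and a token endpoint that derives its policy from that record: confidential clients must authenticate with their secret, public clients are issued no secret and must instead present a PKCE verifier (RFC 7636, which the Security BCP requires for public clients), and refresh-token handling differs by type. Beside it sits a hypothetical `LegacyRegistry` with no client-type field, the antipattern the message describes: every client is issued a secret and treated as confidential, so a native or browser app is handed a secret it cannot protect and PKCE is never required of it. The `s256` helper, the registry classes, the request dictionaries and the error strings are all this example's own assumptions; the `code_challenge` is assumed to have been stored alongside the authorization code when it was issued.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CONFIDENTIAL = "confidential"
PUBLIC = "public"


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str                     # recorded at registration, never guessed later
    client_secret: Optional[str] = None  # issued only to confidential clients


class ClientRegistry:
    """Registration that records the RFC 6749 client type, as draft OAuth 2.1 requires."""

    def __init__(self) -> None:
        self._clients: Dict[str, Client] = {}

    def register(self, client_id: str, client_type: str) -> Client:
        if client_type not in (CONFIDENTIAL, PUBLIC):
            raise ValueError("client_type must be 'confidential' or 'public'")
        # A public client cannot keep a secret (RFC 6749 section 2.1), so none is issued.
        secret = secrets.token_urlsafe(32) if client_type == CONFIDENTIAL else None
        client = Client(client_id, client_type, secret)
        self._clients[client_id] = client
        return client

    def get(self, client_id: str) -> Optional[Client]:
        return self._clients.get(client_id)


def s256(verifier: str) -> str:
    """PKCE S256 challenge (RFC 7636): BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_token_request(registry: ClientRegistry, req: Dict[str, str],
                        stored_challenge: Optional[str]) -> str:
    """Token-endpoint policy for an authorization_code grant, derived from the recorded type.

    `req` is the parsed POST body (constructed input); `stored_challenge` is the code_challenge
    the server saved with the authorization code (None if the client sent none).
    Returns "ok" or an OAuth error code.
    """
    client = registry.get(req.get("client_id", ""))
    if client is None:
        return "invalid_client"
    if client.client_type == CONFIDENTIAL:
        # Confidential clients must authenticate; compare the secret in constant time.
        if not hmac.compare_digest(client.client_secret or "", req.get("client_secret", "")):
            return "invalid_client"
    elif stored_challenge is None or "code_verifier" not in req:
        # Public clients cannot authenticate, so the code-injection defence, PKCE, is
        # mandatory for them: a code that was issued without a challenge is refused.
        return "invalid_grant"
    # Whatever the type, a challenge bound to the code must be matched by the verifier.
    if stored_challenge is not None and s256(req.get("code_verifier", "")) != stored_challenge:
        return "invalid_grant"
    return "ok"


def refresh_token_policy(client: Client) -> str:
    """Security BCP: refresh tokens issued to public clients are rotated (or sender-constrained)."""
    return "rotate" if client.client_type == PUBLIC else "reuse"


# --- The antipattern from the message: no client-type field at all ---------------------------

class LegacyRegistry:
    """Hypothetical registry with no client-type column: every client is issued a secret."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def register(self, client_id: str) -> str:
        self._secrets[client_id] = secrets.token_urlsafe(32)
        return self._secrets[client_id]

    def secret_for(self, client_id: str) -> Optional[str]:
        return self._secrets.get(client_id)


def check_token_request_legacy(registry: LegacyRegistry, req: Dict[str, str],
                               stored_challenge: Optional[str]) -> str:
    """Treats every client as confidential: the secret check is the only gate and PKCE is
    optional. A native or browser app registered here holds a secret it cannot protect, and
    nothing compensates for that, which is the gap the message describes."""
    expected = registry.secret_for(req.get("client_id", ""))
    if expected is None or not hmac.compare_digest(expected, req.get("client_secret", "")):
        return "invalid_client"
    if stored_challenge is not None and s256(req.get("code_verifier", "")) != stored_challenge:
        return "invalid_grant"
    return "ok"
```

The point of the side-by-side is that the typed registry refuses a public client's code exchange when no PKCE challenge was bound to the code, while the legacy registry accepts the same exchange as long as the (embedded, extractable) secret matches. Recording the type is what makes the first behaviour possible; a server that never asks cannot apply public-client measures even if it implements them.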