[OAUTH-WG] OAuth 2.1 - recalling ROPC

Francis Pouatcha <fpo@adorsys.de> Tue, 12 May 2020 03:00 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 240C43A08C4 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 20:00:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id komPTEZgOZGb for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 20:00:47 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAC803A08C3 for <oauth@ietf.org>; Mon, 11 May 2020 20:00:46 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id s8so13462028wrt.9 for <oauth@ietf.org>; Mon, 11 May 2020 20:00:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:from:date:message-id:subject:to; bh=ofmtoG1tywggCdnYyshUX++DsNcvpM1cO8y11EinJg0=; b=c5WQj8lMwblqW8BFjOpWUkWLHyQ0lZAzHBtUAns5N1z6lfCA8emx562MOqhYZzwLp7 Cf3x4MzXzVogMcqKXZXM35ZoQ1yVHToXjlu9YV8EuWRJopgfUj5TUXnpgv+W1Iml+IvR Y1z1Nh+z9SScwdgiuDKb7Lg9mKtZrYoVUL400=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ofmtoG1tywggCdnYyshUX++DsNcvpM1cO8y11EinJg0=; b=djbAMPNBmD/TdV3JZdLpwsDyqPkB1mAKpYL58kSEtDlokJuePPc7M+5Z3IoqcDzJrD zhxNdmk2UkfhAia9lZ3Ubk19LKNDdmNIV2cpw7LLt4jN0KDnjyStjmKtHtiQAqoaXLkE 5gENO6oOP+RRr5Ups26SAAa2POrjPs3I0ettco71JYTWpuOo9AP78HUtHFReVDypE/EM J9R5jab/U1q6AhPRwdBfB8MjG8GcTrPmgbbqwYA4JBqHvL5q2jsnjDvTMQEiYTKTHEY8 FY90ZIdYFX4qk7zATjZ8YtqiD/UZr9EBDhptnXCuIy6XqtsHtjapwNCkFhAOszjx+ms8 WqRw==
X-Gm-Message-State: AGi0PuYcycpsSJ9ZLrHoT50la0wG3uL5T7tR8ThyuJqOl6fo/zDNKKMw 6cj/3mIV1Elf3IvPzuMeQ7hSHw85KUC/I0BXFzL1uNFVG/X/3A==
X-Google-Smtp-Source: APiQypIHBHBKJoEDzWih1OorgIL8esRAYf2+djdGpyOSxo/qsuhlu+08VO9mIZnRwxxyvjlZ8FG/QWI/akYDy3a9H80=
X-Received: by 2002:adf:f34e:: with SMTP id e14mr18026178wrp.371.1589252444722; Mon, 11 May 2020 20:00:44 -0700 (PDT)
MIME-Version: 1.0
From: Francis Pouatcha <fpo@adorsys.de>
Date: Mon, 11 May 2020 23:00:34 -0400
Message-ID: <CAOW4vyNY768vqFtxxHXNd2u+VXFoiW=+BG+AJNW0Ee9H13V3zQ@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d29ad05a56aabce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jAHbqg8T6EvmtjqarzBQJ3KHZao>
Subject: [OAUTH-WG] OAuth 2.1 - recalling ROPC
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 03:00:49 -0000

I am against OAuth 2.1 discarding the use of ROPC (Resource Owner Password
Credentials) with the following reasoning:

Auth Code Grant:
There are  many use cases on the market where redirection based flows do
not work. As  we see in the "OAuth 2.1 - require PKCE?" thread, the
complexity of user agents on non controllable client devices still make
user agent redirection a challenge.

Client Credentials Grant:
Requires the registration of an oAuth client.
- Citing the iot device use cases Beena which do not have a comfortable way
to have iot devices register with AS.
- This is a registration flow for the oAuth client role  and for the RO
(Resource Owner). Remember resource owner credentials might be sourced from
system external to the AS  like company's LDAP. oAuth Client Credentials
are generally managed by the AS.
For these reasons, we shall not use Client Credential Grant to manage RO

Having an oAuth Client proxy the auth request of the RO to the AS only
presents a security risk if the oAuth Client is a third party application.
Therefore, the decision on whether to accept ROPC for a specified client
shall be left to the AS. Discarding this use case will take a lot of
business from oAuth servers back to the old market.

Beside this, I mentioned in my previous post that there are use cases in
the market where permanent passwords are replaced with one time passwords.

A lot of work is also being done in the direction of having the RO send
signed proof of ownership to the AS through the ROPC  flow using the
password field.

Therefore, I am ok with raising the attention of  implementers the same way
we are doing with PKCE,  mentioning that ROPC  must only be used if  AS /
oAuth Client can guarantee security of the RO credentials exposed to the
oAuth Client.

Francis Pouatcha
Co-Founder and Technical Lead at adorys