[OAUTH-WG] New draft: OAuth Profile for Open Public Clients

Neil Jenkins <neilj@fastmailteam.com> Fri, 17 May 2024 03:55 UTC

Return-Path: <neilj@fastmailteam.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 028CAC151525 for <oauth@ietfa.amsl.com>; Thu, 16 May 2024 20:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b="Bvi95RcW"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="QCqKqZ7c"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RXq51dw6vePH for <oauth@ietfa.amsl.com>; Thu, 16 May 2024 20:55:42 -0700 (PDT)
Received: from wfout3-smtp.messagingengine.com (wfout3-smtp.messagingengine.com [64.147.123.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4025C14CE27 for <oauth@ietf.org>; Thu, 16 May 2024 20:55:42 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailfout.west.internal (Postfix) with ESMTP id 585F21C001A3 for <oauth@ietf.org>; Thu, 16 May 2024 23:55:36 -0400 (EDT)
Received: from imap43 ([10.202.2.93]) by compute5.internal (MEProxy); Thu, 16 May 2024 23:55:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=cc:content-type:content-type:date:date:from :from:in-reply-to:message-id:mime-version:reply-to:subject :subject:to:to; s=fm1; t=1715918135; x=1716004535; bh=BrVXANn8S7 1dHdwiKv6AJzaLecRFaLKz2PveWvmzFho=; b=Bvi95RcW6LH7GzoYHmqPmFr1CB KKrc3ULBr5u5IZDj4TAvTfsyAq0WVG4T+LOP+NlsA8YpfhOlAfia/6ciEmKF8YaT tthbqZK/JkKpD7g50BZ9SBeWj9jbJDJ4uPsLAtr0Nf/+BOB0qijErM4jD73VbhI/ Q5Wuj9eVWtuX+cMUTpodPuqntKcivqnYofHXgcWHtat7vg228y9tCwU9LQebYUha bofBpiL04T2Ojrozs2PcKvBd2uL9tlaPw9W9Zs0KNZVDoQFnAWFRyeR9qzbzdp4J vSBiba8RTCLHB/5flQrWZd1PPJOMQJq8aLjtjEjVi0GGjmUKF8dkiJNgddBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1715918135; x=1716004535; bh=BrVXANn8S71dHdwiKv6AJzaLecRFaLKz2Pv eWvmzFho=; b=QCqKqZ7czZKFltjTkALpaByKg3NvcX9QM2xuz/kVRy9lhOTPduW zkZhf7nqifQazLWbUUHl5OJczerMjcA5IzTwGmimjni/NcG2y9m9XtsP+eM/qTzj 5blbVgB6KHcI+VMkWXIgDPJVM8jvF8myoagtYLhK0BIqV6zIuli0d3PNLqUHeM3Z Bu+sR8xqYMp30NSspY496LVPDjEReF6upquwd9mtzE4milOFTCps0QZdEm3HIVfu K/YBL0MMvTUDYHZJloMmb2yE486Hiwx+WLhmnxyYP1XZPpRuoZGvcNT5bIMBWQFk n/Bnc62lHYWHcONb9oROHcATDaJplivEw+g==
X-ME-Sender: <xms:N9VGZsQY9mUb9On04omU1Da0SwYTIS-t9eYYiEzPxeHhiu1K5QE62Q> <xme:N9VGZpy_rphCNay1-AzAqsps0cK-Z6UM2gQMlTtKgFz-m90FoDoGF6jLMFyzfHNfN 11NBqxgvFZZNw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdehfedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkfffhvffutgesrgdtreerreerjeenucfhrhhomhepfdfpvghilhcu lfgvnhhkihhnshdfuceonhgvihhljhesfhgrshhtmhgrihhlthgvrghmrdgtohhmqeenuc ggtffrrghtthgvrhhnpefffeeujeefiefgfeffhfeigeevheejtedvudfftdehgeeluedv heeufedugeffueenucffohhmrghinhepihgvthhfrdhorhhgpdhfrghsthhmrghilhdrtg homhdprhhftgdqvgguihhtohhrrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomhepnhgvihhljhesfhgrshhtmhgrihhlthgvrghmrdgtoh hm
X-ME-Proxy: <xmx:N9VGZp0VvuUINO0MhiBiQYxhikIuLxEPLqmmz4SK779OGLrNt_R9tQ> <xmx:N9VGZgCu-fBtOdE88wAB4zJ4VhJXaNSLMoKIs6ubeOZO85taedqhUQ> <xmx:N9VGZlja5pCK3Krx2G1f5o50f2CI-_JsmLKse7XxxYR3t6Uu7ykYtQ> <xmx:N9VGZsqjfDR-k3tq5A8DfhL0o_7nCEb1uYDjiCIc16qfsWNVD3N3hQ> <xmx:N9VGZlJp63cvqBdj4rYMSf2Oob--biPMtBMfqZ2wpoGGYabCWjyu7rvK>
Feedback-ID: ibc614277:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id AE7892D4007D; Thu, 16 May 2024 23:55:35 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-480-g515a2f54a-fm-20240515.001-g515a2f54
MIME-Version: 1.0
Message-Id: <bf5fe9a6-99ab-4c63-99d5-80a13003ed5e@dogfoodapp.fastmail.com>
Date: Fri, 17 May 2024 13:55:35 +1000
From: Neil Jenkins <neilj@fastmailteam.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="81497610f67945a9ad71565461d205e0"
Message-ID-Hash: TEGTOBOAQYZYHKTPOWZMU2333LMOX5ZA
X-Message-ID-Hash: TEGTOBOAQYZYHKTPOWZMU2333LMOX5ZA
X-MailFrom: neilj@fastmailteam.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] New draft: OAuth Profile for Open Public Clients
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jmNaB7uFkddARnszWF2QGvauvpU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hello all,

I have published a draft document I'd like to introduce to the working group to consider: OAuth Profile for Open Public Clients <https://www.ietf.org/archive/id/draft-jenkins-oauth-public-00.html>.

*Background*

I work for Fastmail <https://www.fastmail.com/>, and we organised a conference at the end of last year with a bunch of the other major mailbox providers to work on interoperability and improving the open ecosystem. The topic most on everyone's minds was authentication.

Unlike all the walled garden messaging systems, email remains to a large extent open. There are standard protocols (IMAP [RFC9051] <https://www.rfc-editor.org/rfc/rfc9051.html>, SMTP [RFC5321] <https://datatracker.ietf.org/doc/html/rfc5321>, and more recently JMAP [RFC8620] <https://datatracker.ietf.org/doc/html/rfc8620>[RFC8621] <https://datatracker.ietf.org/doc/html/rfc8621>) so you can have clients and servers built by different vendors, with no pre-existing relationship. Indeed, there are probably thousands of clients, and hundreds of thousands of servers out there. The situation is similar with contacts and calendars.

Most server providers (and indeed many client authors) would like to move to a more secure authentication system, but at the moment basic auth is the only interoperable mechanism. Many clients have hardcoded Gmail/Microsoft OAuth flows (as those companies are big enough to force them to do so!), but this does not scale. At the conference we worked on building an OAuth profile that we believe can significantly increase security compared to the current status quo, to allow native Email/Contacts/Calendar clients to authenticate with an arbitrary server.

I have talked to a few of you individually at the last couple of IETF meetings, and have finally had time to write up our proposal.

*Next steps*

First of all, hopefully the working group can agree that this is a problem space that is significant, and worth addressing. If so, I hope it chooses to adopt this document as  a good starting point. I am not sure whether this should be a BCP rather than Standards Track — it deliberately does not introduce anything new, just combines a lot of existing standards in a specific way suitable for this use case.

I will not be in Vancouver in person, but will join remotely. I do plan to be in Dublin. My current understanding is there are vendors such as Apple looking to start implementing something in this space in the nearish future, and obviously we would all like an agreed profile to ensure interoperability! They may be able to send someone to Vancouver.

I would be very happy to bring on a co-author (or indeed largely pass it over to them, as I am very busy with other work at the moment, hence the delay in getting this draft together). I will certainly remain involved in any discussions around this area of course.

I look forward to your feedback.

Cheers,
Neil.