Re: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices

William Denniss <wdenniss@google.com> Tue, 02 January 2018 22:13 UTC

From: William Denniss <wdenniss@google.com>
Date: Tue, 2 Jan 2018 14:13:31 -0800
Message-ID: <CAAP42hCSD_iMG3QSmwRo_KXt0wRyMib1=8LDb2NmakSR2PDcKQ@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k0J-6rR-ZkxbwruJ_8kSnWlr0Rw>

Rifaat,

Thank you!


On Tue, Jan 2, 2018 at 1:30 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> William,
>
> I will start working on the write-up soon.
>
> Regards,
>  Rifaat
>
>
>
> On Tue, Jan 2, 2018 at 4:07 PM, William Denniss <wdenniss@google.com>
> wrote:
>
>>
>> On Fri, Dec 15, 2017 at 11:12 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>
>>> On 15/12/17 00:43, William Denniss wrote:
>>> > On Fri, Dec 8, 2017 at 11:42 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>> >> Hi,
>>> >>
>>> >> I just got a question on Twitter about the slow_down error:
>>> >>
>>> >> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5
>>> >>
>>> >> The question was why slow_down is communicated via HTTP status code 400 and not 429 (Too Many Requests).
>>> >>
>>> > We could; it seems to match the intent of that error code. The main reason it's not like that so far is that 400 is the default for OAuth; I fear people may not be checking for a 429. We don't strictly *need* the 429, since we're returning data in machine-readable format one way or another (i.e. it's easy for the client to extract the "slow_down" response either way), which differs from HTML over HTTP, which is intended for end-user consumption, making the specific status code more important.
>>> Yes, on a 400 clients will need to check the error JSON object anyway, so the "slow_down" cannot be missed. Whereas with 429 that becomes more likely.
>>>
>>> +1 to return "slow_down" with status 400 as it is with the other OAuth error codes.
>>>
>>>
>>
>> Thanks for considering this, Vladimir. To conclude this topic, it seems
>> there are no compelling reasons to change to the 429, and there is a reasonable
>> explanation of why it's a 400, so I think we should keep things as-is.
>>
>> Rifaat: The deadline has passed on the WGLC, and I believe all comments
>> raised have been addressed. Can we now advance the draft?
>>
>
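The point the thread settles on is that a device-flow client has to read the JSON error object on every non-success response rather than key off the HTTP status code, so "slow_down" is caught whether a server sends 400 or 429. The following is an added example illustrating that, not code from the thread, from the draft authors, or from any project: a polling loop that classifies each token-endpoint response by its `error` member, backs off on `slow_down`, and stops on terminal errors. The 5-second back-off is taken from the final RFC 8628 text (draft-07, the revision under discussion, only says to back off at a reasonable rate); the response sequence, the `sleep` injection and the `max_polls` guard are constructed for the example.

```python
"""Device-flow polling client that classifies token-endpoint responses by the
JSON "error" member rather than by HTTP status code alone (added example)."""
import json
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# RFC 8628 section 3.5 requires the polling interval to grow by 5 seconds
# on slow_down. Draft-07 only said "back off", so treat the value as an
# assumption if you are targeting the draft.
SLOW_DOWN_BACKOFF_SECONDS = 5


@dataclass
class PollOutcome:
    state: str                       # "continue", "done" or "fail"
    interval: int                    # interval to use before the next request
    access_token: Optional[str] = None
    error: Optional[str] = None


def classify_token_response(status: int, body: str, interval: int) -> PollOutcome:
    """Decide what the client should do next from one token-endpoint response.

    Any non-200 response is parsed as an OAuth error object. Because we never
    branch on 400 vs 429, a server that chooses 429 for slow_down is handled
    exactly like one that chooses 400.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return PollOutcome("fail", interval, error="invalid_response")

    if status == 200:
        token = data.get("access_token")
        if not token:
            return PollOutcome("fail", interval, error="invalid_response")
        return PollOutcome("done", interval, access_token=token)

    err = data.get("error")
    if err == "authorization_pending":
        # User has not yet approved; keep the current interval.
        return PollOutcome("continue", interval, error=err)
    if err == "slow_down":
        # Client polled too fast; grow the interval for all later requests.
        return PollOutcome("continue", interval + SLOW_DOWN_BACKOFF_SECONDS, error=err)
    # access_denied, expired_token and anything unrecognised end the flow.
    return PollOutcome("fail", interval, error=err or "unknown_error")


def poll_device_token(
    responses: Iterator[Tuple[int, str]],
    interval: int,
    sleep: Callable[[int], None] = lambda _s: None,
    max_polls: int = 50,
) -> Tuple[PollOutcome, List[int]]:
    """Drive the polling loop over a sequence of (status, body) responses.

    `responses` stands in for the network; `sleep` is injected so the loop can
    run without waiting. Returns the final outcome and the list of intervals
    slept, which shows the back-off schedule the client actually followed.
    """
    schedule: List[int] = []
    for _ in range(max_polls):
        try:
            status, body = next(responses)
        except StopIteration:
            return PollOutcome("fail", interval, error="no_response"), schedule
        outcome = classify_token_response(status, body, interval)
        interval = outcome.interval
        if outcome.state != "continue":
            return outcome, schedule
        schedule.append(interval)
        sleep(interval)
    return PollOutcome("fail", interval, error="poll_limit_exceeded"), schedule


# Constructed sample: one server mixes 429 and 400 for slow_down.
SAMPLE_RESPONSES = [
    (400, '{"error": "authorization_pending"}'),
    (429, '{"error": "slow_down"}'),
    (400, '{"error": "slow_down"}'),
    (400, '{"error": "authorization_pending"}'),
    (200, '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'),
]


def run_sample() -> Tuple[PollOutcome, List[int]]:
    """Run the loop over the constructed responses starting at a 5 s interval."""
    return poll_device_token(iter(SAMPLE_RESPONSES), interval=5)


if __name__ == "__main__":
    result, slept = run_sample()
    print(result.state, result.access_token, "back-off schedule:", slept)
```

Note the order of checks: the body is parsed first and the status only decides between success and error handling, so a client built this way behaves the same against a server that followed Vladimir's suggestion of 429 as against one that kept the OAuth default of 400.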