Re: [OAUTH-WG] Flowchart for legs of OAuth

Marius Scurtescu <mscurtescu@google.com> Tue, 05 April 2011 00:07 UTC

From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 04 Apr 2011 17:08:54 -0700
Message-ID: <BANLkTim6MWQ5SQQGAUA6RX4f5fZ0=FraJQ@mail.gmail.com>
To: Skylar Woodward <skylar@kiva.org>
Cc: Kris Selden <kris.selden@gmail.com>, "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>

On Mon, Apr 4, 2011 at 4:14 PM, Skylar Woodward <skylar@kiva.org> wrote:
> In our implementation (not yet public) we accept the empty string ("") as the value for clients not issued secrets. While this was done to simplify the interface and implementation, it would make it compliant in my view.  In this case, the authorization server is validating the credentials, which are the client ID and the empty string, which is equivalent security-wise to any other length of "secret" issued to a native client.

I am splitting hairs now, but according to the spec an empty parameter
value should be treated the same as if the parameter was not sent at
all. So, an empty secret violates the requirement for the parameter to
be present.

Marius
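An added example, not code from either poster, of a token-endpoint client check that applies the rule Marius cites: a parameter sent with an empty value is handled exactly as if it were absent. A confidential client that sends `client_secret=` therefore fails with "missing secret", while a public client that was never issued a secret is accepted without one. The client registry and the secret value are constructed for the example.

```python
import hmac
from urllib.parse import parse_qsl

# Constructed client registry (not from the thread): one confidential
# client with an issued secret, one native/public client with none.
CLIENTS = {
    "web-app-1": {"confidential": True, "secret": "s3cret-value"},
    "native-app-1": {"confidential": False, "secret": None},
}


def parse_token_request(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded token request body.

    Empty-valued parameters are dropped, so callers see exactly the same
    dict whether the client omitted the parameter or sent it empty.
    Repeated parameters are rejected as malformed.
    """
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        if value == "":
            continue  # empty value == parameter not present
        params[key] = value
    return params


def authenticate_client(params: dict) -> tuple:
    """Return (ok, reason) for the client identified in the request."""
    client_id = params.get("client_id")
    if client_id is None:
        return False, "invalid_request: client_id missing"
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client: unknown client_id"
    secret = params.get("client_secret")
    if client["confidential"]:
        # The parameter must be present; an empty value never reaches here.
        if secret is None:
            return False, "invalid_client: client_secret missing"
        if not hmac.compare_digest(secret, client["secret"]):
            return False, "invalid_client: client_secret mismatch"
        return True, "confidential client authenticated"
    # Public client: no secret was issued, so none is required.
    return True, "public client, no client authentication"
```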