IETF Logo Mail Archive

Re: [OAUTH-WG] oauth with command line clients

Justin Richer <jricher@mit.edu> Mon, 19 June 2017 16:03 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8B7D12ECBE for <oauth@ietfa.amsl.com>; Mon, 19 Jun 2017 09:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.211
X-Spam-Level:
X-Spam-Status: No, score=-2.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHmg_2RZd-Zy for <oauth@ietfa.amsl.com>; Mon, 19 Jun 2017 09:03:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27FF313153D for <oauth@ietf.org>; Mon, 19 Jun 2017 09:03:03 -0700 (PDT)
X-AuditID: 12074425-ef5ff70000006cb7-29-5947f5b58aa9
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 58.85.27831.5B5F7495; Mon, 19 Jun 2017 12:03:01 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v5JG30sr032571; Mon, 19 Jun 2017 12:03:01 -0400
Received: from [10.0.3.41] (h198.196.135.40.static.ip.windstream.net [40.135.196.198]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5JG2ukx017159 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 19 Jun 2017 12:02:59 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <5864CD7E-875C-4775-988F-3E0D2FB74F7B@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_398501EB-44E2-4AA4-BE02-B151391B7894"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 19 Jun 2017 11:02:57 -0500
In-Reply-To: <7f013f54-3484-b15a-8dca-71209d48cede@redhat.com>
Cc: Phil Hunt <phil.hunt@oracle.com>, Aaron Parecki <aaron@parecki.com>, "<oauth@ietf.org>" <oauth@ietf.org>
To: Bill Burke <bburke@redhat.com>
References: <a496c372-b700-c6ad-06e7-c257c10d5986@redhat.com> <CAGBSGjoarSVOEdqjPJXL6BfuACnZeks4LEyBpaMSb+TQ_WFNFw@mail.gmail.com> <83057e12-1d09-1b2c-88a4-b1918c9a0b5b@mit.edu> <A743D557-F3BB-49EB-919D-90EFCE4A98A8@oracle.com> <7f013f54-3484-b15a-8dca-71209d48cede@redhat.com>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrEKsWRmVeSWpSXmKPExsUixG6nrrv1q3ukQccec4tzq9wserfuZLQ4 +fYVm8WC+Y3sDiweS5b8ZPL4+PQWi0fDzDSP9/uusgWwRHHZpKTmZJalFunbJXBl3J66jKWg 8Qpjxc3mJtYGxs3zGLsYOTkkBEwknjxfxtbFyMUhJLCYSWLxgguMEM5GRol5n76zg1QJCVxm ktg+oRjEZhNQlZi+poWpi5GDg1fASuL5Z2aQMLNAksT6v6tYIML6Er3PweYLC5hLdOz6xQpi swB1fp6+HWwip4CdRPvq26wQraUSl16sZQKxRQSUJFb9nAB1z1wmidOr+9ggDpWVuDX7EvME Rv5ZSNbNQlgHEdaWWLbwNTOErSmxv3s5C6a4hkTnt4msCxjZVjHKpuRW6eYmZuYUpybrFicn 5uWlFula6OVmluilppRuYgQHv4vqDsY5f70OMQpwMCrx8C547R4pxJpYVlyZe4hRkoNJSZTX djtQiC8pP6UyI7E4I76oNCe1+BCjBAezkghv0yOgHG9KYmVValE+TEqag0VJnFdcozFCSCA9 sSQ1OzW1ILUIJivDwaEkwcsHjHIhwaLU9NSKtMycEoQ0EwcnyHAeoOGfQG7hLS5IzC3OTIfI n2LU5bg3e+sXJiGWvPy8VClx3ogvQEUCIEUZpXlwc0BJS6P9yLFXjOJAbwnzeoBU8QATHtyk V0BLmICWMJ9xAVlSkoiQkmpgrJvf9Zk56eKkR1Msi7StLV8EugvO2/qE092dI9O/dU3DDyUX VoMPAkvYXux7UTj51M7UgK65ki+23np2dNnevCNTnVv9ZGUCnn06pWQtYBxvOff3+rYnu8K2 NQcsnd/ZJ1S8L+UA37bDCc6Wkziep8md0Jx5d57J7Jx2W8MTx74/XDjt+ssyOyWW4oxEQy3m ouJEAOKtFF41AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kTlSxy1j1THdXqSf-qtE_Yoau5Q>
Subject: Re: [OAUTH-WG] oauth with command line clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2017 16:03:08 -0000

While it does add a vector for user error, the codes aren’t long and cryptic. Most implementations are 6 or 8 characters, and it’s recommended that they be case insensitive and not have ambiguous characters (I vs 1, O vs 0). And they should be all low ASCII, even just a subset of uppercase letters as suggested on the spec itself. These aren’t authorization codes or access tokens, which are meant to be machine-readable and high entropy. 

 — Justin

> On Jun 17, 2017, at 9:24 AM, Bill Burke <bburke@redhat.com> wrote:
> 
> I guess the auth code flow could be used with the command line tool using the OpenID Connect "display" parameter with a value of "command-line" or "text" or something when it makes its auth request.  I could go the route of defining what "command-line" display value would mean in OIDC land.  Awkward from an implementation point of view, but a viable path.
> Quite honestly, I just dont' see how any app developer would want to require device flow.  It is a bad user experience.  I would even go as far to say that the device flow is an unacceptable user experience.  Especially if cut and paste is not possible and the human has to enter in some kind of long cryptic code by hand.
> 
> 
> 
> On 6/12/17 2:34 PM, Phil Hunt wrote:
>> +1 
>> 
>> The point of OAuth is to break away from using UID/Password (basic auth).   
>> 
>> The device flow is the best way to allow stronger authentication of the authorizing user while still allowing a limited input device (e.g. command line) to work.
>>   
>> Phil
>> 
>> Oracle Corporation, Identity Cloud Services Architect & Standards
>> @independentid
>> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>> On Jun 12, 2017, at 11:22 AM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>> 
>>> I second the recommendation to use the device flow for this kind of system. The commandline client would print out a text string for the user to enter into their browser elsewhere. 
>>> If you can pop up a system browser then it's even easier and you can just use the auth code flow, but it's a lot to assume that a commandline app can have that kind of capability available to it. Printing out a string? That's easy and universal. That's why I say go with the device flow.
>>> 
>>> The thing is, at the end of the day, you need the user to authenticate to the AS if you're going to get delegated access from them. That's really the whole point of the OAuth protocol, after all. So you can either do that in a local browser of some kind (like popping a system browser), on another device (with the device flow), or you can be evil and use the username/password grant and just steal the user's credentials yourself. If it's not clear, I don't recommend that, basically ever. 
>>>  -- Justin
>>> 
>>> On 6/11/2017 11:58 PM, Aaron Parecki wrote:
>>>> I've seen this done a few ways:
>>>> 
>>>> * The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Doauth-2Ddevice-2Dflow&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=gWeHcqrhQt-ijJ5-UXHxML5rMtR05GjKVyxqZBEeQAM&e=> which is what you see on browserless devices like the Apple TV logging in to a cable provider from your phone. A short code is generated and displayed on the screen, you launch a browser on your phone and enter the code. This would work just as well from the command line on the same device.
>>>> * I've also seen apps use the authorization flow, by displaying the authorization URL on the command line prompt and instructing the user to open it in a browser. The redirect URI is a hosted web page that displays the authorization code and instructs the user to                       paste it back at the terminal.
>>>> * The command line app can launch an HTTP server on localhost and use that as the redirect URL for the authorization code flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user.
>>>> 
>>>> ----
>>>> Aaron Parecki
>>>> aaronparecki.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__aaronparecki.com&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=Zn85klv9a00I3Uo74zgqAelgrFUFQc72PdFwg4gkECQ&e=>
>>>> @aaronpk <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_aaronpk&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=g5RjhR9W1VYt00S4dV0t9ijZ4gC4HE93waQ_t7mUzUs&e=>
>>>> 
>>>> 
>>>> On Sun, Jun 11, 2017 at 8:52 PM, Bill Burke <bburke@redhat.com <mailto:bburke@redhat.com>> wrote:
>>>> Has anybody done any spec work around doing oauth from command line interfaces?  We're looking for something where the auth server can generate text-based challenges that are rendered in the console window that query for simple text input over possibly multiple requests.  I'm not talking about Resource Owner or Client Credentials grant.  The command line client may not know the credential types required for a successful token request. It would be easy to write a simple protocol, but I'd rather just do something around any existing internet draft or rfc that somebody has put some thought into.  Hope I'm making sense here.
>>>> 
>>>> Thanks,
>>>> 
>>>> Bill Burke
>>>> 
>>>> Red Hat
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e=>
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e=>
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=j2jP9OSVjttUWWQMazHXMhLBvLqfXsFJB6GEOh_Mv9k&s=eodAcEm9pUWInxQkdRWT7sN0sZWWlo8oCtmgdjHY6oI&e=> 
>> 
>

v2.23.0 | Report a Bug | By Email