Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Fri, 03 August 2018 23:37 UTC

Date: Fri, 03 Aug 2018 18:37:11 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
Cc: Alissa Cooper <alissa@cooperw.in>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org
Message-ID: <20180803233710.GZ68224@kduck.kaduk.org>
References: <153305269020.3071.5881779499900104302.idtracker@ietfa.amsl.com> <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com>
In-Reply-To: <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lLvkD7ohtf-wTvLKoWLMQi7NHJM>

On Thu, Aug 02, 2018 at 11:41:05AM -0700, William Denniss wrote:
> Alissa,
> 
> Thank you for your review. Replies inline:
> 
> On Tue, Jul 31, 2018 at 8:58 AM, Alissa Cooper <alissa@cooperw.in> wrote:
> 
> >
> > Section 3.3:
> >
> > "It is NOT RECOMMENDED for authorization servers to include the user
> >    code in the verification URI ("verification_uri"), as this increases
> >    the length and complexity of the URI that the user must type."
> >
> > I don't fully understand the justification for the normative requirement
> > here. The user ultimately ends up typing in both strings, right? Is it so
> > much more complex to type them both into a browser bar contiguously than to
> > type the uri into the browser bar and the code into some form field on the
> > page such that the normative requirement is warranted?
> >
> 
> Yes, the user will need to type both strings regardless.
> 
> The main reason for the recommended separation is that the URI can't be
> validated/corrected – either they type it correctly and they get to the
> page, or they don't. But for the user-code, the page can display an error
> if the user types it wrong. The belief is that it's a better user
> experience that they get to the page, and then continue the input from
> there rather than get browser errors if they typed the user-code part of
> the URI wrong.

I am hardly a URI expert, so salt as appropriate, but if the user code was
in the query string, would the server still be able to generate a useful
error page if the user code was typed incorrectly?

-Benjamin
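As an added illustration (not part of this thread or of the draft), the Python sketch below models a device-flow verification endpoint to make the trade-off discussed above concrete: a mistyped host or path never reaches the server, so nothing can be corrected, whereas a user code that does arrive, whether from a form field or from a `user_code` query parameter, can be checked and re-prompted. The verification URI, the pending codes and the failed-attempt threshold are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values, not from the draft or any real deployment.
VERIFICATION_URI = "https://example.com/device"
PENDING_CODES = {"WDJBMJHT": "dev-code-1"}   # normalized user_code -> device_code
MAX_FAILED_ATTEMPTS = 5                     # brute-force guard for short user codes
failed_attempts = {"count": 0}              # a real server keys this per client/session

def normalize_user_code(code: str) -> str:
    """Fold case and drop separators so 'wdjb-mjht' matches 'WDJB-MJHT'."""
    return code.upper().replace("-", "").replace(" ", "")

def handle(typed_uri: str) -> dict:
    """Simulate what the user sees for the URI they typed into the browser bar.

    A code submitted through the entry form would take the same validation
    path as the query-string case below.
    """
    want = urlsplit(VERIFICATION_URI)
    got = urlsplit(typed_uri)
    # A typo in the host or path never reaches this endpoint, so the server
    # cannot help: the user gets a generic DNS or 404 error with no guidance.
    if (got.netloc.lower(), got.path) != (want.netloc, want.path):
        return {"status": 404, "page": "not-found"}
    if failed_attempts["count"] >= MAX_FAILED_ATTEMPTS:
        return {"status": 429, "page": "too-many-attempts"}
    params = parse_qs(got.query)
    if "user_code" not in params:
        # Path typed correctly but no code yet: show the entry form.
        return {"status": 200, "page": "prompt"}
    code = normalize_user_code(params["user_code"][0])
    if code not in PENDING_CODES:
        # Wrong code, but the endpoint was reached, so it can explain the
        # problem and re-prompt instead of failing with a bare browser error.
        failed_attempts["count"] += 1
        return {"status": 200, "page": "invalid-code", "retry": True}
    failed_attempts["count"] = 0
    return {"status": 200, "page": "approve", "device_code": PENDING_CODES[code]}
```

The published RFC 8628 later added an optional `verification_uri_complete` response parameter that carries the user code in the URI alongside the plain `verification_uri`.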