Re: [OAUTH-WG] Device Authorization Grant Interval

William Denniss <wdenniss@google.com> Mon, 03 June 2019 17:05 UTC

References: <CAM7dPt0nS=+6oACUTc=sXnw3dpEqMB3ETq03iYnM1HsLv2_OQg@mail.gmail.com> <CE182107-09A2-49EB-9CBD-7354F051D2FA@authlete.com> <CAM7dPt2C=xnpXySpJnPW4vBGX-B4Nmnsthbxtvx+yPqMQXviKQ@mail.gmail.com>
In-Reply-To: <CAM7dPt2C=xnpXySpJnPW4vBGX-B4Nmnsthbxtvx+yPqMQXviKQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 03 Jun 2019 10:05:16 -0700
Message-ID: <CAAP42hA_RT3aT_a_ZkvUvs-wtYteebYhQVfhCUQc=r9b07jGQw@mail.gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
Cc: Joseph Heenan <joseph@authlete.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lxAQkOjwA7L5Tkh3Ov52E2cB6B8>
Subject: Re: [OAUTH-WG] Device Authorization Grant Interval

The "slow_down" error response is defined for well-meaning clients. In my
own client implementations, this has the effect of increasing the interval
used:
<https://github.com/google/GTMAppAuth/blob/0a606bef46c3299609e9a6f478dd79df3c3f7dc0/Source/GTMTVAuthorizationService.m#L231-L234>

For a misbehaving client (one that doesn't honor "slow_down" and continues
to poll too rapidly), a hard error as previously suggested seems
appropriate.



On Mon, Jun 3, 2019 at 9:55 AM Janak Amarasena <janakama360@gmail.com>
wrote:

> Hi Joseph,
>
> Thank you for the information, this is what I was also thinking. It would be
> nice if this can be defined in the specification itself, maybe as a
> recommendation as there can be wrongly written client applications or even
> if some party is trying to do a brute force attack.
>
> Best Regards,
> Janak
>
> On Sun, Jun 2, 2019 at 1:40 PM Joseph Heenan <joseph@authlete.com> wrote:
>
>> Hi Janak,
>>
>> Interestingly this came up when discussing the CIBA specification (which
>> builds upon device authorization grant to some extent) recently:
>> https://bitbucket.org/openid/mobile/issues/135/token-endpoint-response-when-client-polls
>>
>> The thought that group came up with is that returning ‘invalid_request’
>> would be appropriate - ideally appropriate error_description to make it
>> easy to understand what’s going on.
>>
>> Cheers,
>>
>> Joseph
>>
>>
>> > On 21 May 2019, at 06:21, Janak Amarasena <janakama360@gmail.com>
>> wrote:
>> >
>> > Hi all,
>> >
>> > In the OAuth2 Device Authorization Grant, what would be an appropriate
>> response if the client does not respect the set polling interval and keeps
>> on polling with a lower interval?
>> >
>> > Thank you,
>> > Best Regards,
>> >
>> > Janak Amarasena
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
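The two behaviours discussed in this thread, a client that backs off when it receives "slow_down" and a token endpoint that returns a hard error to a client that keeps polling too fast, as an added example in Python. This is not code from the linked GTMAppAuth client or from any project named in the thread. Assumed, and not mandated by RFC 8628: the server policy of answering a too-fast poll with "slow_down" and, after MAX_VIOLATIONS consecutive too-fast polls, retiring the device_code with "invalid_request" plus an error_description (the option Joseph mentioned); the tolerance knob; and the simulated endpoint, virtual clock and constructed device codes used so it runs offline.

```python
"""Device Authorization Grant (RFC 8628) polling: a client loop that honors
"slow_down" and a token endpoint that enforces its polling interval.

Added example for this thread, not code from the original message or from
any project named in it. Assumed, not mandated by RFC 8628: the server policy
of answering a too-fast poll with "slow_down" and, after MAX_VIOLATIONS
consecutive too-fast polls, failing hard with "invalid_request" and retiring
the device_code.
"""
import time

SLOW_DOWN_INCREMENT = 5   # RFC 8628 s3.5: on "slow_down" the client adds 5 seconds
MAX_VIOLATIONS = 3        # assumed server policy knob (consecutive too-fast polls)


class DeviceTokenEndpoint:
    """Simulated token endpoint for the device_code grant (one device_code table)."""

    def __init__(self, interval=5, tolerance=0.0, clock=time.monotonic):
        self.interval = interval      # the "interval" value handed to the client
        self.tolerance = tolerance    # slack for network jitter (assumed knob)
        self.clock = clock
        self.codes = {}

    def issue(self, device_code, expires_in=300):
        now = self.clock()
        self.codes[device_code] = {"expires": now + expires_in, "last_poll": None,
                                   "violations": 0, "approved": False, "revoked": False}
        return {"device_code": device_code, "interval": self.interval, "expires_in": expires_in}

    def approve(self, device_code):
        """The user finished the user_code step at the verification URI."""
        self.codes[device_code]["approved"] = True

    def poll(self, device_code):
        st = self.codes.get(device_code)
        if st is None or st["revoked"]:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= st["expires"]:
            return {"error": "expired_token"}
        last, st["last_poll"] = st["last_poll"], now
        if last is not None and now - last < self.interval - self.tolerance:
            st["violations"] += 1
            if st["violations"] >= MAX_VIOLATIONS:
                st["revoked"] = True   # hard error: client must start a new device authorization
                return {"error": "invalid_request",
                        "error_description": "polling interval ignored; device_code retired"}
            return {"error": "slow_down"}   # a well-meaning client backs off by 5 s
        st["violations"] = 0   # a compliant poll clears the strike count
        if not st["approved"]:
            return {"error": "authorization_pending"}
        st["revoked"] = True   # device_code is single use
        return {"access_token": "constructed-token-for-" + device_code, "token_type": "Bearer"}


def poll_until_token(endpoint, device_code, interval, sleep, honor_slow_down=True):
    """Client loop. Returns (final response, list of intervals actually slept)."""
    slept = []
    while True:
        sleep(interval)
        slept.append(interval)
        resp = endpoint.poll(device_code)
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            if honor_slow_down:
                interval += SLOW_DOWN_INCREMENT
            continue
        return resp, slept   # token, or a terminal error (invalid_request, expired_token, ...)


class FakeClock:
    """Virtual time so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(poll_every, honor_slow_down=True, approve_at=12.0):
    """Run one device flow against the simulated endpoint with a constructed device_code."""
    clock = FakeClock()
    ep = DeviceTokenEndpoint(interval=5, clock=clock)
    ep.issue("dc-constructed-1")

    def sleep(seconds):            # advances virtual time; the user approves at approve_at
        clock.t += seconds
        if clock.t >= approve_at:
            ep.approve("dc-constructed-1")

    return poll_until_token(ep, "dc-constructed-1", poll_every, sleep, honor_slow_down)


if __name__ == "__main__":
    print(simulate(5))                          # compliant client
    print(simulate(2))                          # too fast at first, but honors slow_down
    print(simulate(2, honor_slow_down=False))   # ignores slow_down: hard error, code retired
```

Counting only consecutive violations, and resetting on a compliant poll, is what lets the second case recover: the client that started at 2 s is told "slow_down" once, moves to 7 s, and then gets its token. A real deployment would set a non-zero tolerance so that ordinary network jitter does not trip the check, and retiring the device_code on the hard error also bounds the brute-force concern raised earlier in the thread, since the misbehaving client gains nothing by continuing to hit the endpoint with that code.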