Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Ash Narayanan <ashvinnarayanan@gmail.com> Sat, 16 October 2021 01:45 UTC
Return-Path: <ashvinnarayanan@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AADCE3A14FF for <oauth@ietfa.amsl.com>; Fri, 15 Oct 2021 18:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6hHhfhjYtil for <oauth@ietfa.amsl.com>; Fri, 15 Oct 2021 18:45:25 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65B603A14FC for <oauth@ietf.org>; Fri, 15 Oct 2021 18:45:25 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id l16-20020a9d6a90000000b0054e7ab56f27so420834otq.12 for <oauth@ietf.org>; Fri, 15 Oct 2021 18:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tFVkLsASUAKZSFEM/A3m5CddiCku+Oi0BEg1eTZAp1c=; b=ooe82ToQgA8WGqzzNetAMFTu6tWCd864TLh7xwZHr95//gtaJMKrYSl12jxIzC1Vkh rW/0W9XXnmdCHxfojAjj2QgijePjLLPMP1P3tSuYjHGc6x8KuX1vkieMQORGP8eTj6u9 LK3y1arwA8ZLYLH/pgRhF8k20Sco/NL8YX2jszyKEveiuhU+9qO7Sx74OL3sEZno73b4 7Ecv9AkwUnCt6tZxsW10lgpFizG3hKQonPD9kC9gGXvKMTGswQ2f+SonLCchH2gZU516 FmDT963f6xQVQuns/QO8YNY/3nP9YD+u3Go4M3Gw5bmtxgS2vEfxdwYonVASfc5HgWs4 /L7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tFVkLsASUAKZSFEM/A3m5CddiCku+Oi0BEg1eTZAp1c=; b=1yA4y/yhfdmPWffcEq00JLBVinppUnIj0zjzZv3Q8A6b4C0DkehBWWsffvRXvGfHY+ gR9gyOzzXZzl8tP7qd8ZDPGoF9wDiRNu6hlqVHrttPU0f9lNvjN9Pnh9oFQVaZs3e0Rx eflQAW8SO84vbGeOCcvPupeLTP/GByH/fiTvncFZa7/j72KnNdx3AQ2ThR8hMsEys9Ts qN6X4dGd6DHyOO8/VNTIayc+t8JfZIbrXfjmQSVPSE8z0zBPubtvvRrtdAUNcVDJ1T6l kdlOkqstMPYO3HXwhtgDYDLvTceV4AL3FFjpfYEWJxTUAXEjktvWhGQmj20uZmCrD1G5 PMMA==
X-Gm-Message-State: AOAM532X9euznlG9/UnMqpLWPsyzUbb8jE5/ACCAe9C9A0yrsoPHgW7Q 76Xa9E2VVLB4K79ij9Q1Twkf8QFHE7OLUHRHXC8f1hG9wKbpYw==
X-Google-Smtp-Source: ABdhPJwKwzb4mJYqTLoWc366wLK4fG0eQH/d0KQ3HLsyp0wUEujCjHw4V1Fs6cs4BX/X6nMSNwRKSPZi6v6YRH1ZJQs=
X-Received: by 2002:a9d:289:: with SMTP id 9mr11272175otl.172.1634348724468; Fri, 15 Oct 2021 18:45:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uWw0TZ9cZPzWLNJn5-J025xOO7AiKcxdmezVVhEx13oQ@mail.gmail.com> <7BC470C3-EB07-4C8F-BF9F-7A0C9F5B1DF2@alkaline-solutions.com> <CA+k3eCQtO-Qa7+yigjnsdhXHSqst-QZFHQPY-zYxewmmgWwXmg@mail.gmail.com> <CAFtv1m7hy2eMq821VKwdi9kzqwybKYypfmQvScJYe3gmTwOiDg@mail.gmail.com>
In-Reply-To: <CAFtv1m7hy2eMq821VKwdi9kzqwybKYypfmQvScJYe3gmTwOiDg@mail.gmail.com>
From: Ash Narayanan <ashvinnarayanan@gmail.com>
Date: Sat, 16 Oct 2021 12:45:13 +1100
Message-ID: <CAFvbn=YuZdTZ0_CiTxZhCg-Uu_Dq2d2mjpDqWgPztpt05poLRg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, domingos.creado@authlete.com
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002946f405ce6e77f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mDM4qOAOO0K1OGvyCmbAI8GzobE>
Subject: Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Oct 2021 01:45:31 -0000
This works for me: > As such, I'd suggest removing the credentialed concept entirely and using > sec 2.4, as appropriate or needed, to discuss the subtleties of the various > ways clients establish themselves with an AS and the implications to the > amount of trust that can be placed therein. I know the WG likely spent a bit of time coming up with the term 'credentialed', and it is a good concept, but the term appears to be creating confusion. Both confidential/credentialed are required to have credentials; the only distinction the way I see it is the manner in which these clients obtain their credentials. With confidential, it's static (with credential rotation if needed), and with credentialed, it's dynamic. This distinction can be part of the *subtleties* that can be talked about under 2.4, as Brian mentions. Now that just leaves the issue of what goes under sec 2.1. It could just contain the examples of different client types as it currently has (web-based, browser-based, native,...). Domingos wrote: > I guess it is fair to say that when we are talking about credentialed > clients, we are targeting native apps > I don't see why it doesn't also apply to browser-based apps such as SPAs. This goes back to my original point of why the following comment currently only exists for native apps under 2.1: > On the other hand, dynamically issued credentials such as access tokens > or refresh, tokens can receive an acceptable level of protection. On Sat, Oct 16, 2021 at 8:01 AM Domingos Creado < domingos.creado@authlete.com> wrote: > I guess it is fair to say that when we are talking about credentialed > clients, we are targeting native apps that after getting installed use a > ceremony (probably using Dynamic client registration) to establish a > credential for that specific instance on AS. Do you foresee other use cases? > Back to David's point, the trust on that client depends upon the ceremony > for establishing the credential or actions the resource owner might take > after that. For instance: here in Brazil, some banks require you to go to > an ATM to "approve" the client, and after that, access restrictions are > lifted. > In my point of view, the credentialed concept does not bring enough > semantics to be used on the document, as there are too many moving parts > that build or not the trust on the client. > I think it makes more sense to shed some light on scope granting > considering the trust on the confidential client and/or the assurance of > the authentication. > > On Fri, Oct 15, 2021 at 3:34 PM Brian Campbell <bcampbell= > 40pingidentity.com@dmarc.ietf.org> wrote: > >> Looking/searching through >> https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html and all >> the occurrences of "credentialed" outside of sec 2.4 and the text I was >> complaining about previously are treating confidential and credentialed the >> same. I.e. "If the client is confidential or credentialed", "Confidential >> or credentialed clients MUST", "authentication for confidential and >> credentialed clients", etc. So the distinction/definition isn't serving a >> meaningful function in the rest of the document. As such, I'd suggest >> removing the credentialed concept entirely and using sec 2.4, as >> appropriate or needed, to discuss the subtleties of the various ways >> clients establish themselves with an AS and the implications to the amount >> of trust that can be placed therein. >> >> On Mon, Oct 11, 2021 at 4:53 PM David Waite <david= >> 40alkaline-solutions.com@dmarc.ietf.org> wrote: >> >>> >>> > On Oct 11, 2021, at 11:52 AM, Dick Hardt <dick.hardt@gmail.com> wrote: >>> > >>> > >>> > Thanks for the feedback Brian. We have struggled in how to concisely >>> describe credentialed clients. >>> > >>> > "identifying a client" can be interpreted a number of ways. >>> > >>> > The intent is that the AS knows a credentialed client is the same >>> client it previously interacted with, but that the AS can not assume any >>> other attributes of the client, for example that it is a client from a >>> given developer, or has a specific name. >>> >>> It sounds like the goal is to distinguish authenticating the client from >>> trust of the client pedigree, e.g. the only authenticity of a public client >>> might be that it can catch the redirect_uri, and the only authenticity of a >>> dynamically registered client is what you required and verified up to that >>> point. >>> >>> Some of that trust may be on confidentiality of data, prior reputation, >>> safeguards to prevent token exfiltration or unauthorized token use locally, >>> etc. >>> >>> A credentialed client is not more trusted than a confidential client - >>> it is just more uniquely identifiable. A public client does not have a >>> mechanism (within OAuth today) to prove its trustworthiness on request >>> because it is not authenticated as the party with that trust. You instead >>> would need to e.g. do client registration with a software statement. >>> >>> It may help to know what actions are MUST NOT or SHOULD NOT for >>> credentialed clients vs confidential clients. Without that, the distinction >>> seems it should be self contained in 2.1 like the client profiles, and >>> maybe the term confidential client be explained to be a misnomer and more >>> broadly explained that confidential vs public client is _not_ to meant to >>> be a described as a trust distinction. >>> >>> -DW >>> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.*_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-04.t… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-… Aaron Parecki
- [OAUTH-WG] OAuth2.1 credentialed client Ash Narayanan
- [OAUTH-WG] convert to credentialed client... ( wa… Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Dick Hardt
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … David Waite
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Warren Parad
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan
- Re: [OAUTH-WG] convert to credentialed client... … Brian Campbell
- Re: [OAUTH-WG] convert to credentialed client... … Domingos Creado
- Re: [OAUTH-WG] convert to credentialed client... … Ash Narayanan