[OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
Emelia Smith <emelia@brandedcode.com> Fri, 26 July 2024 06:17 UTC
Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDC3CC16942A for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2024 23:17:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.213
X-Spam-Level:
X-Spam-Status: No, score=-1.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brandedcode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WhxNOb79G7RN for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2024 23:17:01 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6341BC1519A5 for <oauth@ietf.org>; Thu, 25 Jul 2024 23:17:01 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id 5b1f17b1804b1-4277a5ed48bso13015915e9.2 for <oauth@ietf.org>; Thu, 25 Jul 2024 23:17:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com; s=google; t=1721974619; x=1722579419; darn=ietf.org; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:from:to:cc:subject:date :message-id:reply-to; bh=K3KmQLFakcCPfjI4SZ9XggnLllStc8hZdkXAhkRVlX8=; b=QrrJ31StOk3j8L0t5i6WNTHa2g1YhGdgwe2hoejsRJMHjBpCeqVta0Ws6jmoWH5gZT 8AK7LA5HZswBfbQ8jvCkQ6hQX1bOf239vDoxWReMQiXD5tJVs6rZGUKyG0pqGzb+J8EL pCt4+YJbCcVAT2vesDyLzJIfoQIwTpNaNqriM9QfasV4+WwDcRcEqAewvjEkyIgtLvQ+ 8JzRADjS0z0gC3NuwXF3N+ystTYYOIGZK0CbIiCGD+8j5o9lUYA+W0E8vqREP4VZhhe9 10p48n3c5iMZruoMLu/EbioHJygvyVIS7bRt0ECvbZp0+vi5owiHXJVzyMYsvRlWRdg0 t0HA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721974619; x=1722579419; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=K3KmQLFakcCPfjI4SZ9XggnLllStc8hZdkXAhkRVlX8=; b=lX+SYgRHQgJNEnjunpMXl6OHpO2Vx9ChR+kDYge30FMX6wZKmtLHGxXvxSTSjGlwvm QqwTIPEF3TJ7IbtqPQGFgNe0OvVPRUPWUZ7OTvLE5siPgV0v3oWg/EqvQ/cWF/H89/08 QHAHLkQemBOKcT8XULZYbbcBTs1EK3g0b762FpZ2fn7SeicmuYSVwSR5aDnO7uJapNaB Yxbh4awd54XKLVJTL6k4RrQyMPI/aYrGqjzQkmyFDtNuXaY426woej/xdk07ITIrluiG 5dPqo95QO3fw8n0dTFdFiA9JmCPIsKP/5wpZaEMe4z91wrcXtIavnlY2D9v2z4yJKS4t ZAfw==
X-Gm-Message-State: AOJu0YxpkpH5vYorkGGPOlayJwwS/EMsu4w23AQjaCrdRq+y1X//EMNJ ih6gdLO5v3aOZT+Cks1NryOnfPt6Yj4QNulV6Cty2oSTCeAynmV68I1/JNtJJ4cCh2BEQqU0Dd/ c
X-Google-Smtp-Source: AGHT+IG6UdDqKy697OGluQBPiPkBPgzaec86nmCnJAcNHKYhMpiNWcwGQSVSPo4f+Y9LoUylUM1DTQ==
X-Received: by 2002:a05:600c:4fc1:b0:426:6138:34b3 with SMTP id 5b1f17b1804b1-428055088ffmr32502295e9.5.1721974619095; Thu, 25 Jul 2024 23:16:59 -0700 (PDT)
Received: from smtpclient.apple (p200300ef2f3a05e80ccd96372b150458.dip0.t-ipconnect.de. [2003:ef:2f3a:5e8:ccd:9637:2b15:458]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-428057a6368sm63203355e9.38.2024.07.25.23.16.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 25 Jul 2024 23:16:58 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-C75AE17C-06CF-412F-B48C-FBEDE0F5FA82"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Emelia Smith <emelia@brandedcode.com>
In-Reply-To: <9fcdd58c-3d20-4c2c-a1db-1a3894b66053@dogfoodapp.fastmail.com>
Date: Fri, 26 Jul 2024 08:16:47 +0200
Message-Id: <0624AC87-176B-49C9-B80D-C8466094FE37@brandedcode.com>
References: <9fcdd58c-3d20-4c2c-a1db-1a3894b66053@dogfoodapp.fastmail.com>
To: Neil Jenkins <neilj=40fastmailteam.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: BCENZMCB2FGHWHNUCVDYA3Q7LS2GR77C
X-Message-ID-Hash: BCENZMCB2FGHWHNUCVDYA3Q7LS2GR77C
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-public-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/myxdN9r_N6zDXVDjdnBTeWt_4aU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
On 26. Jul 2024, at 07:48, Neil Jenkins <neilj=40fastmailteam.com@dmarc.ietf.org> wrote:
Hi George,Thanks for the feedback.Section 1.1
* is there a reason that only email address based login identifiers are supported? It seems like this profile could be used for other use cases as well.No, this should just be username. (It is of course likely to be an email address, but you're right: there's no reason it has to be for the purposes of this document.)Section 1.2* I would recommend this document be more generic and then a specific profile for say IMAP can be defined that then also defines the scopes required for use with an IMAP server.* This document can just say that scopes required are out of scope (pun intended)As mentioned at the IETF meeting this week, it's definitely an open question whether scopes should be part of this document or a separate one. I can certainly see an advantage to leaving it out of this profile and then having another document that pulls it all together (referencing an autodiscovery RFC, OAuth profile RFC, and listing the scopes).Section 2.1* Recommend changing the last sentence to... The rest of this document describes in detail each of the above steps.Sure, that reads better.Section 2.2* I recognize that Security Considerations will be filled out in a future version. A topic that needs to be present is the potential implications of proceeding with the flow when not all the required metadata fields are present. I suspect most authorization servers do not have a 'registration_endpoint' URL in their metadata configuration :)If the server's metadata doesn't conform to this profile, then clients supporting the profile are likely to abort. The point of this profile is to say "if you implement this as a client you will be able to authenticate with any server that implements this" and vice versa. If you don't implement it, you're not following the profile, and there is no interoperability guaranteed.* Can you clarify why the 'token_endpoint_auth_methods_supported' MUST include "none"? If the client is dynamically registering, then it can receive it's own instance specific client_id and client_secret which allows it to authenticate to the token endpoint. Not requiring client authentication seems dangerous.* Similar comment for 'revocation_endpoint_auth_methods_supported'We made this none, because the https://www.rfc-editor.org/rfc/rfc7591" rel="nofollow">RFC7591 refers to the client secret as only "used by confidential clients", which open native clients running on the user's machine are not. I guess my main question is what does this gain us? I would rather reduce options wherever possible to increase interoperability and security while keeping complexity to a minimum. If we presume there is no security difference in how the client stores the refresh token and any client secret, what does the client secret add in this case?Section 2.3* I do not think the developer should be able to do the registration. Instead, this should be required to be completed by the client. This will be the expectation of the Authorization Server if it supports Dynamic Client Registration.Agreed.* There are security implication with using a custom scheme. Best practice for mobile apps is to use claimed URIs rather than custom schemes. If custom schemes are the only option in certain cases the risk need to be clearly called out in the Security Considerations section.This profile is intended for native apps only, which is enforced by only allowing localhost or private-use schemes for theredirect_uri
. Being able to dynamically register like this to do the OAuth flow would make it too easy for a phishing site to get the user to grant them access to their mail/contacts/calendars etc. — with a native app, it could already fake a browser window and phish the user undetectably, so we're not making the security situation worse. If the user's downloaded something malicious, they've already lost.* I'm strongly against allowing the 'token_endpoint_auth_method' to be "none". There is no reason that the default of 'client_secret_basic' can't be used (as far as I understand the profile). I recommend that the registration response from the Authorization Server also include a 'client_secret'. The client can then store the secret appropriately on the device. This secret is instance specific and hence the device must be compromised to extract that secret and impersonate the user.Section 2.5* I believe the client should authenticate itself via some mechanism and not just present the client_idAs above, I'm happy to change this if there's a security advantage. I'm just trying to understand why the client would be able to store the client secret securely but not the refresh token (which is also needed to impersonate the user). And if it can store both the same, how the client secret adds any extra security?_______________________________________________Cheers,Neil.
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
- [OAUTH-WG] Feedback on draft-jenkins-oauth-public… George Fletcher
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Neil Jenkins
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Emelia Smith
- [OAUTH-WG] Re: Feedback on draft-jenkins-oauth-pu… Lisa Dusseault