Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
William Denniss <wdenniss@google.com> Wed, 30 May 2018 22:27 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C5C712D93E for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXVZhMKc1_0L for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:27:42 -0700 (PDT)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27EB512E044 for <oauth@ietf.org>; Wed, 30 May 2018 15:27:42 -0700 (PDT)
Received: by mail-vk0-x233.google.com with SMTP id g72-v6so12131140vke.2 for <oauth@ietf.org>; Wed, 30 May 2018 15:27:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=AY3ORyYNF8NHoiNbAw8WL5s8/aQE3RozcRgJa8Xw/qw=; b=Ha+AH1GSroj4sp9esiy6JCgANOBkyRW2DVgTEMltRA8mwMrGt6enkzLHTE0QcvMgU6 9H/1bJOlp5LXHoROSwZmTdASJV1GognpD25S+ehI65N3iVg+h1edWr/0Y/mX9qyQoCwE 4yDMSE7zabH1AA+KgS4kXuayHx83UKXa4tLT/xxBpGNCXwJuKaAXIhGQLUfgGfR3+nW3 1i2hb38n6fJfSa52svy3nE6l6Z7J1eD+8i/ea6COoJ1ZczzqgQrY6akWbHo4HjkobU0t Cgi7lcad6pCZO1+VOH4MWQZw4T9qoMqdT+oEN00J2EKzavY0TkPWtvAKCZeBJkSvqGDb +L+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=AY3ORyYNF8NHoiNbAw8WL5s8/aQE3RozcRgJa8Xw/qw=; b=JyV/8RudkmX52xtri/migqwiZ0gx34jSSUOwkFbKl7EVpy2E84vE8UUi3f5sHwPZER jjmjPgc5mGfhWpBB3ZCE7eKxNHzXY2FMcJzsqWdipJphEA/70LWjEZU6cnwBCyDss+MQ QuwjHb8tx33K6syy+gGZyXRrfVQd4xa5PrAN1PVv5lewu2f+d8XGgORRok0fvcPgiosg ofD4p28pvo0orbIgylX3XTiZ8Nai2DSTRdztcnyH9GFcYmQ+uDi22D9hTBEk+pUfTM/k BQVqky+xaGv2Ugd1d5SfkhMQV6vyFt89Q4hdoJayBLvfmdT4uP8qv/TA06X16VtPKNUa gphw==
X-Gm-Message-State: ALKqPweWVldqTs4MMMLy8uoZ217LtgMbmz87yNS2V8sYSP0M2usg9Dg5 bG6/ZBWDTjW4Bp4ykV33PSJ58RrxIbZptWjuCcJ5iQ==
X-Google-Smtp-Source: ADUXVKJzbpueRPQCOPP0A4J4Scl2hJJxMaQIHOpu36O79T5JhgRSKnI23BBJ5EZnE/pXBnLP4ZH7PgeDEHTUhRFJOM8=
X-Received: by 2002:a1f:d906:: with SMTP id q6-v6mr2721108vkg.197.1527719260442; Wed, 30 May 2018 15:27:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:2110:0:0:0:0:0 with HTTP; Wed, 30 May 2018 15:27:19 -0700 (PDT)
In-Reply-To: <CAEqOSkcquQ4GXhhOV30TsOEYSV5fuG_PtO7TFo_pE_zVAJd0zA@mail.gmail.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com> <CAEqOSkfwdn-+1zFBgpgk3Mr6HYy-OvKNdVRKZtdP9c6HVHC60Q@mail.gmail.com> <CAAP42hAA8FC8B8bhDdCAg=5TnDjZXr76UiMLNABEG23GRFdeyQ@mail.gmail.com> <CAEqOSkcquQ4GXhhOV30TsOEYSV5fuG_PtO7TFo_pE_zVAJd0zA@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 30 May 2018 15:27:19 -0700
Message-ID: <CAAP42hBznvLPe8JLy1HYxFQ2bWxGW5mbpa8hcAv6K8jM3EkQxw@mail.gmail.com>
To: Andrew Sciberras <andrewsciberras@pingidentity.com>
Cc: ietf@ietf.org, IETF-Announce <ietf-announce@ietf.org>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d67cce056d73db57"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pErfF3_uRqu9-Yg3k4BKBY-wDFU>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 22:27:46 -0000
Hi Andrew, On Wed, May 30, 2018 at 3:18 PM, Andrew Sciberras < andrewsciberras@pingidentity.com> wrote: > Hi William > > You are right that the document explicitly indicates which error codes may > be returned. However I think it's ambiguous as to which error within > Section 5.2 of RFC6749 would apply in the scenario of a user not granting > access. > > I think that this ambiguity is highlighted further by the Google > implementation (https://developers.google.com/identity/protocols/ > OAuth2ForDevices#step-6-handle-responses-to-polling-requests) not > adhering to the explicit statement of the document and electing to use a > (more appropriate) error code that exists outside of section 5.2. > > Oh, I see what you mean now. Yes, given this is an authorization request, not a token request, the errors from Section 4.1.2.1 <https://tools.ietf.org/html/rfc6749#section-4.1.2> are more relevant. I believe it was the authors intention to reference that set of errors, so I will plan to update the doc to reference 4.1.2.1 instead. Good catch! Thank you. > > On Thu, May 31, 2018 at 8:06 AM, William Denniss <wdenniss@google.com> > wrote: > >> Hi Andrew, >> >> On Wed, May 30, 2018 at 2:35 PM, Andrew Sciberras <andrewsciberras@pingidentity.com> wrote: >> >> Hello >>> >>> >>> Do we feel that the document should be more specific in addressing how >>> the authorization service should respond to a device access token request >>> when the user has refused to grant access to the device? >>> >>> >>> The document currently indicates in section 3.5 that a success response >>> defined in section 5.1 of RFC6749, an error as defined in section 5.2 of >>> RFC6749 (this includes invalid_request, invalid_client, invalid_grant, >>> unauthorized_client, unsupported_grant_type, and invalid_scope), or a new >>> device flow error code (authorization_pending, slow_down, and >>> expired_token) may be returned in a response to a device token request. >>> >>> >>> It doesn’t seem that any of these options are appropriate to convey that >>> a user has refused to grant access to the device. >>> >>> >>> The Google implementation appears to be using the access_denied error >>> code from section 4.1.2.1 of RFC6749. While this would seem to be the most >>> suitable error code, the document does not explicitly indicate it as a >>> permitted response. >>> >> >> Actually, this is indicated explicitly I believe: >> >> If the user has approved the grant, the token endpoint responds with a >> success response defined in Section 5.1 of [RFC6749]; *otherwise it >> responds with an error, as defined in Section 5.2 of [RFC6749].* >> > In addition to the error codes defined in Section 5.2 of [RFC6749], the >> following error codes are specific for the device flow: >> >> >>> >>> I believe that clarifying the response error code in the condition where >>> a user has refused access to the client would be beneficial, remove >>> ambiguity, and promote greater consistency across implementations. >>> >>> >>> Regards >>> >>> Andrew Sciberras >>> >>> >>> On Wed, May 30, 2018 at 8:20 AM, The IESG <iesg-secretary@ietf.org> >>> wrote: >>> >>>> >>>> The IESG has received a request from the Web Authorization Protocol WG >>>> (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for >>>> Browserless and Input Constrained Devices' >>>> <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard >>>> >>>> The IESG plans to make a decision in the next few weeks, and solicits >>>> final >>>> comments on this action. Please send substantive comments to the >>>> ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may >>>> be >>>> sent to iesg@ietf.org instead. In either case, please retain the >>>> beginning of >>>> the Subject line to allow automated sorting. >>>> >>>> Abstract >>>> >>>> >>>> This OAuth 2.0 authorization flow for browserless and input >>>> constrained devices, often referred to as the device flow, enables >>>> OAuth clients to request user authorization from devices that have an >>>> Internet connection, but don't have an easy input method (such as a >>>> smart TV, media console, picture frame, or printer), or lack a >>>> suitable browser for a more traditional OAuth flow. This >>>> authorization flow instructs the user to perform the authorization >>>> request on a secondary device, such as a smartphone. There is no >>>> requirement for communication between the constrained device and the >>>> user's secondary device. >>>> >>>> >>>> >>>> >>>> The file can be obtained via >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ >>>> >>>> IESG discussion can be tracked via >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/ >>>> >>>> >>>> No IPR declarations have been submitted directly on this I-D. >>>> >>>> >>>> The document contains these normative downward references. >>>> See RFC 3967 for additional information: >>>> rfc6819: OAuth 2.0 Threat Model and Security Considerations >>>> (Informational - IETF stream) >>>> draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile >>>> (None - ) >>>> rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF >>>> stream) >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited. >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >>> >> >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* >
- [OAUTH-WG] Last Call: <draft-ietf-oauth-device-fl… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Eric Fazendin
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Naveen Agarwal
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… George Fletcher
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss