[OAUTH-WG] First-party apps - my comments
"yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com> Thu, 04 April 2024 15:54 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1601BC1654E9 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 08:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.994
X-Spam-Level:
X-Spam-Status: No, score=-1.994 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8Bigxunq5-g for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 08:54:40 -0700 (PDT)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29B3AC1519AB for <oauth@ietf.org>; Thu, 4 Apr 2024 08:54:40 -0700 (PDT)
Received: by mail-qk1-x72f.google.com with SMTP id af79cd13be357-78a5580333bso65555485a.2 for <oauth@ietf.org>; Thu, 04 Apr 2024 08:54:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712246078; x=1712850878; darn=ietf.org; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=u4Iu4FomAmwE3yn+ie0MQNmoLTE3qsqKUdWeiCoudyw=; b=S6DH2F1upv5whiYfhChI4ruEBM+AoGUO+mkNsHD3YLP0xqKJWcLOLV7i8HVmVRDjiM qrDQ8TZyFyz5xov2foy8nvrbFpG0kNjL7SE4fzIl4uYV6ir45I99TYKbvlRQzJb+/Go+ 0h5xC9CfiawPcK36CrCV8MeEjjgL2U5bXgbjcobRRY4nL+F7Co1LFH2HhmI0NmX+uE45 CvAuEnedEatbydXzTxo3ZwcotJ8WMd6vShoYJRMLzhncQVY8R7/i6sp521xRmkYA8Twm V94FAWt3w54Hc5pdrYzvX9j3FPvVkYikqXrzfeWYwa1iBm9vHETdwc0W+IbzhVV4gA8k +0aQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712246078; x=1712850878; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=u4Iu4FomAmwE3yn+ie0MQNmoLTE3qsqKUdWeiCoudyw=; b=krebgKMf3/+X0qoiXe6CMN6Pp4XckUbpZhvNaDG732f+Qz1srSrcaAoL2CTLV+1CjU K7hiM0CKNoS6j9R1n/GfafjVSsVSYadl8IorUXbCD6n+Swk+V3/YJ+s2i6npMOzmZ2TO QZtc4adjWvvyaYFMx6DnhpfXN97zX2CdH27dIf392eNvzssAY/rZkM7DT1CZyoYjVBwV jv9xRBiYjuY9u1IM2xIMQXuC8sbMsHJzHq2QjKcdDKvZ3FVXOFJOofswGDDiku4fxLmv 0qSXlx50x541qG6jH1DeUMnLg/VFNSJinivyJOHCopJmEzzB91KMkpupfAZgrTgWI8bg f3mA==
X-Gm-Message-State: AOJu0YxrTzFdx7DzOzY9xo9dzM15bG1WrCcQJtNZAJVEdfeBAeQCd+80 ewSMbi+Ktva2mLOUApOupg6cUjpRihFURMAhMk98omkVi4Wl4+LigayRStNt
X-Google-Smtp-Source: AGHT+IFBo79pFHPclba51XqKtDlobSty6WYqx3C7nJv+tIdlvleQ/IYUq0beBl0/Y4a56f1RVLa+bg==
X-Received: by 2002:a05:6214:27e5:b0:699:16a7:7b2e with SMTP id jt5-20020a05621427e500b0069916a77b2emr3437735qvb.19.1712246078388; Thu, 04 Apr 2024 08:54:38 -0700 (PDT)
Received: from macos-F7LQR2FV6V ([77.125.223.114]) by smtp.gmail.com with ESMTPSA id ob12-20020a0562142f8c00b0069046d929a3sm7506322qvb.145.2024.04.04.08.54.37 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Apr 2024 08:54:38 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 04 Apr 2024 18:54:33 +0300
From: "yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com>
Thread-Topic: First-party apps - my comments
Message-ID: <BEED0378-AB1E-7749-A7D4-EC6932C729D5@hxcore.ol>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pSEjT38t10uATy7QmDSQzL_CDFE>
Subject: [OAUTH-WG] First-party apps - my comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 15:54:44 -0000
Below are my comments to draft-parecki-oauth-first-party-apps-01.
I tried but didn’t manage to use the ietf-comment tool to automatically open issues, sorry about that. You may have better luck there.
Thanks,
Yaron
# Yaron Sheffer's comments on draft-parecki-oauth-first-party-apps-01
## Comments
### Endpoint name
Sec. 1: Why does the new endpoint's name include the word "endpoint"? After reading further I understand that this is not the endpooint but the metadata that refers to it, so I suggest to remove the name from the Introduction.
### Motivation
Sec. 1: before diving into the technical solution, please motivate the need for it. The 4th paragraph alludes to "usability concerns" but more background would be helpful.
### Interaction with "native SSO"
Sec. 1.1: the paragraph that talks about Native SSO is about what you shouldn't do. It would be nice to also say what you can do, i.e. whether there's some possible integration between the two approaches.
Related to that, the text about multiple applications and an SDK does not directly contradict Sec. 9.7.3 but the two could be improved, e.g. by clarifying the cases when Native SSO is not applicable.
### Limitations of this spec
I think Sec. 1.2 needs to be polished, because right now it sounds like it is bailing out on a detailed specification. E.g. we could say that while interoperability is less important, there are security concerns we aim to address in a uniform way through this spec.
### Returning a token from the endpoint
Sec. 3.1: why doesn't the new endpoint return an access token when successful? Yes this is possibly premature optimization, but it sounds harmless enough. Even if we don't specify it, people are still likely to do it - so shouldn't we have an opinion on whether it is allowed?
Maybe this could go into the Design Goals appendix.
### Protocol overview - forward references
It would make the draft more cohesive if the Overview (in particular Sec. 3.2 and 3.3) had links to the sections that define the respective features.
### RS Behavior
Sec. 3.3 and 7 are confusing: are we adding new behavior to Step Up Auth? If we aren't, why exactly do we mention it? If we are, then this document needs to Update the relevant RFC.
### Which extensions exactly?
Sec. 4.1, 5th paragraph, lists several specific extensions that must be supported by the endpoint. It doesn't use normative language. It also leaves it to implementers to go through possible extensions and through each parameter they define, and decide which is applicable. This is ripe for interop and security issues. I suggest to include a closed list of extensions instead, and allow new extensions to mention that they apply to this endpoint.
### acr_values reference
Sec. 5.1, please include a reference that defines this claim. Is it OIDC?.
### ASCII?
Sec. 5.2.2, if `error_description` is human readable, it should be UTF-8 to enable various human languages (according to Wikipedia, at least 4999 other than English). We haven't been doing ASCII for many years now. And purists might also ask for an `error_lang` element containing a standard language tag.
### invalid_grant error code
Sec. 5.2.2, "The provided authorization grant" - does the protocol really allow the client to provide a grant type in this endpoint? Similarly, the wording for the `unauthorized_client` error code mentions a grant.
### redirect_to_web error code
Add a reference to the section that discusses this code.
### Redirect to Web
Is the expectation that the URI that the browser will use is hardcoded in the native app? Otherwise, shouldn't it be returned with the error response? Or do we always assume PAR is used?
### Binding to device
Sec. 5.3.1, "the 'auth_session' MUST be bound to the device" - how do we expect the Client/AS to do that? Device fingerprinting is a famously hard problem.
### auth_session in a successful token response
Sec. 6.1 (in particular the example), what is the meaning of a response with an access token, a refresh token as well as an auth_session, what is the client expected to do? How should it use the auth_session?
### RFC 6750
... is mentioned once but witout a proper reference.
### Relationship with "Native Apps" RFC
While RFC 8252 is mentioned in passing, shouldn't there be a section somewhere saying how this differs from 8252, applicability etc.? After all first party apps are also "native apps."
### Should we "update" RFC6749
Sec. 4.2: if we're adding an error code (=behavior) to the Token endpoint, I guess the document should Update RFC6749. We're also removing a REQUIRED parameter, `redirect_uri`.
### Definition of First Party Apps
Sec. 9.1, I think defining "first party applications" through the user's perception is not useful, for two reasons. First, branding of applications is very fluid, and the user is never aware when a vendor is using "white labeled" applications. And second, the user is totally unaware of the exact sequence of API calls happening behind the scenes so why do we care whether they see it as a first party app or not.
The same section discusses trust between the Client and the AS, and I think that same trust can be used for a more suitable definition of "first partyness."
### Phishing: two ways?
Maybe I misunderstand this section, but it sounds like only one way to do phishing is described, though the section starts by saying "there are two ways."
### Credential stuffing
Sec. 9.3: this section is worded a bit strange, in particular the phrase "if additional measures are not taken to ensure the authenticity of the application." Since we're discussing authentication attempts, the mitigating controls are those used as a standard, such as throttling and monitoring. I'm not sure the measures that ensure the application itself is authentic significantly affect the risk.
### Consent screen
Sec. 9.4, the language around consent is hard to parse. Why not say directly that, despite the MUST in RFC 6749, the AS MAY drop the consent screen. (And this is another reason this draft should be updating RFC 6749).
### DPoP binding of auth_session
Since RFC 9449 does not specify how "additional" parameters can be bound, please say explicitly that (presumably) this is a claim within the DPoP proof JWT named "auth_session".
### IANA Claims list is missing
Sec. 10.3 is cut short.
### E-mail confirmation code
Sec. A.4, The more typical use case is for the user to follow a link received in the email message. Please add a bullet that describes this alternative. Should the `auth_session` be part of the URL?
### Extra reference
You might want to reference the upcoming OSW24 talk by *Janak Amarasena*, https://oauth.secworkshop.events/osw2024/agenda-wednesday-osw-2024" rel="nofollow">https://oauth.secworkshop.events/osw2024/agenda-wednesday-osw-2024.
## Nits
### Typos
- Sec. 3.1: receing
- Sec. 4.1: that is has no meaning
- Sec. 5.3: The format of these requests are not
- Sec. 9.1: it's trust
- Sec. A.7: prtoected
- [OAUTH-WG] First-party apps - my comments yaronf.ietf@gmail.com