Re: [OAUTH-WG] OAuth 2.0 Device Flow: IETF98 Follow-up

Mike Jones <Michael.Jones@microsoft.com> Fri, 28 April 2017 22:03 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48C3D129473 for <oauth@ietfa.amsl.com>; Fri, 28 Apr 2017 15:03:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rCXdQz8GedM2 for <oauth@ietfa.amsl.com>; Fri, 28 Apr 2017 15:03:31 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0120.outbound.protection.outlook.com [104.47.40.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3CE6129BE6 for <oauth@ietf.org>; Fri, 28 Apr 2017 15:00:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Itp6bN+mEig/n9UPcLExByY387Kg5Gu8n9KChFVaLi4=; b=mWpeXbHNbxZSEVEXoOGnmaZ0gE7nc8HE8YlvWc9V310s0vsWAwk7qnBoK+XuHLbRQ+gZZwYX8/ZYYNae1RnZ9xCl9HrEipo55WaRamm6ladQ9AjW3sQ6fVdy9aNLwMasP+cnQXoMr8lY42odQDt8zYnmUYaAxNP0V6HHnPG7HrE=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1075.0; Fri, 28 Apr 2017 22:00:41 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1075.005; Fri, 28 Apr 2017 22:00:41 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, "oauth@ietf.org" <oauth@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: OAuth 2.0 Device Flow: IETF98 Follow-up
Thread-Index: AQHSwF+RTVKjJdH3N0ez9GThgKKoNqHbVOGQ
Date: Fri, 28 Apr 2017 22:00:41 +0000
Message-ID: <CY4PR21MB0504A4BA6BFB6351A64169A8F5130@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CAAP42hDugtAz-7MaeVcNsS+Oza1GVKRyGm4vfR6Vj1DFF1-nag@mail.gmail.com>
In-Reply-To: <CAAP42hDugtAz-7MaeVcNsS+Oza1GVKRyGm4vfR6Vj1DFF1-nag@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-04-28T15:00:39.0253890-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:2::7cb]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:sDP70NPObdRLl77D6pQsvwlptV+0e8QzobD7+9ifAs0pCbq7sRNQt5pjL+jdDM6TaEv+3vSIrpGNuEEEa2iqAzePp+MqtryFaNS8zAGUcEaM1Zcqpp87XrHoMd7p5PU3GGCmwEiZg/MxwBqJj/e75+Crim1XaCCQoL4ite+qtN7fy4juecw1wvmPn52kepthFqyK/Kh8QVSpwBqrUHdFyPD1ohADDfkk5ivmsLnSVhR7yMFrEb+ipkrpyGd79y8awMKWmf6/kXQFUY0lxBhw1OdsZ1BPhX+DmqHVhW89DdfdLT41hMCD65yaP4mUIPD8NxfW44W2HVNmhfcbaLWn3DgK3JUxneOE/lSRLQPnDt8=
x-ms-office365-filtering-correlation-id: 68f24911-c7e0-4633-f360-08d48e82031f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081); SRVR:CY4PR21MB0502;
x-microsoft-antispam-prvs: <CY4PR21MB050294B6DA47A416BB658047F5130@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(211936372134217)(100405760836317)(21748063052155)(248736688235697);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123562025)(20161123555025)(20161123564025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502;
x-forefront-prvs: 029174C036
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39410400002)(39450400003)(39850400002)(39860400002)(39400400002)(377454003)(6246003)(7906003)(53936002)(33656002)(76176999)(10090500001)(9686003)(6306002)(236005)(54896002)(81166006)(8676002)(99286003)(2906002)(606005)(54356999)(38730400002)(7736002)(122556002)(8936002)(6436002)(55016002)(50986999)(2900100001)(3280700002)(6506006)(77096006)(5660300001)(25786009)(53546009)(229853002)(7696004)(19609705001)(5005710100001)(2950100002)(189998001)(86612001)(74316002)(10290500003)(790700001)(102836003)(6116002)(2501003)(3660700001)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504A4BA6BFB6351A64169A8F5130CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Apr 2017 22:00:41.2868 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pzt0JN4F7vuf66cJI6vcbkPD5po>
Subject: Re: [OAUTH-WG] OAuth 2.0 Device Flow: IETF98 Follow-up
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2017 22:03:34 -0000

I think the spec is better with the (optional) user_code in it.

                                                          -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Friday, April 28, 2017 1:39 PM
To: oauth@ietf.org; John Bradley <ve7jtb@ve7jtb.com>;; Hannes Tschofenig <hannes.tschofenig@gmx.net>;; Mike Jones <Michael.Jones@microsoft.com>;
Subject: OAuth 2.0 Device Flow: IETF98 Follow-up

Thanks all who joined us in Chicago in person and remotely last month for the discussion on the device flow. [recording here<https://play.conf.meetecho.com/Playout/?session=IETF98-OAUTH-20170327-1710>;, presentation starts at about 7min in].

The most contentious topic was addition of the user_code URI param extension (introduced in version 05, documented in Section 3.3<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-05#section-3.3>;).

I'd like to close out that discussion with a decision soon so we can advance to a WG last call on the draft.

To summarise my thoughts on the param:

  1.  It can be can be used to improve usability – QR codes and NFC can be used with this feature to create a more delightful user authorization experience.
  2.  It may increase the potential phishing risk (which we can document), as the user has less typing. This risk assessment is likely not one-size-fits-all, it may vary widely due to different the different potential applications of this standard.
  3.  The way it's worded makes it completely optional, leaving it up to the discretion of the authorization server on whether to offer the optimisation, allowing them to secure it as best they see it.
  4.  I do believe it is possible to design a secure user experiance that includes this optimization.
I think on the balance, it's worthwhile feature to include, and one that benefits interop. The authorization server has complete control over whether to enable this feature – as Justin pointed out in the meeting, it degrades really nicely – and should they enable it, they have control over the user experiance and can add whatever phishing mitigations their use-case warrants.  Rarely is there a one-size-fits-all risk profile, use-cases of this flow range widely from mass-market TV apps to internal-only device bootstrapping by employees, so I don't think we should be overly prescriptive.

Mitigating phishing is already something that is in the domain of the authorization server with OAuth generally, and I know that this is an extremely important consideration when designing user authorization flows. This spec will be no exception to that, with or without this optimization.

That's my opinion. I'm keen to continue the discussion from Chicago and reach rough consensus so we can progress forward.
Best,
William