[OAUTH-WG] Review of draft-ietf-oauth-native-apps-05
Samuel Erdtman <samuel@erdtman.se> Tue, 01 November 2016 16:41 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02C591294BF for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 09:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OUhJF8WqHC3W for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 09:41:38 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB8A1294DA for <oauth@ietf.org>; Tue, 1 Nov 2016 09:41:37 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id p190so216208424wmp.1 for <oauth@ietf.org>; Tue, 01 Nov 2016 09:41:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=k9Qe3We3RCkSN4EguQBwndc4qtKRmLFa2pxnG0ieEx0=; b=X2E4Jy5nnFcUSfWEqRE2BOPD8RcOMSWL4yGLQBRRejeQnhuOn54/GbwyVFw8AYThfv VuEFxZOGANOegqSAo+zMxOsH0y6S+5BFH5e28GRULUEPol0iMlk7J5km6Ae+a0p3Ivgb bYIHzdXAH117q6nGHIJ4/5BKRudS9KpOem1QacKvIULocfUbpl1ktn8TPKl+cYaXy0pM NVNL/oBKvz6MgCZPYrnRVIzIfy3quCoHWLdoc4cNUn9PMfm7jlI31tzpvxvSAENTLTmC m6N2slKFnIm7zGSaUzYuKV7TvKEYBpIpuz8N3O6JQOaGhF1vhqeZfLt9fLB5gsNu6uqu 958w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=k9Qe3We3RCkSN4EguQBwndc4qtKRmLFa2pxnG0ieEx0=; b=QoBeEnB8z42Ad5Raw8mp0z/Zc8rCTvSC+CkSuqIAPXl01g9MZEg117FptMA1PduV7g zntT46pCxWJsFTaOeslQh6AT12ZNh39DDTvKdme/wd2TNdkf8MKviEB0HE+i9pkxfxLG 5wVlogHc3DUTrB203v7Iu8YLE+lqmF87K7bzCZWejM1TuH1U9Y8qUBTvGbG9Z1biJfke D5fDHgYxEneWd9uUXgXsNcyUGL9g2lCc8AJwwdq6DI7R8BEh1gsASONOJRdwbnv/oPU+ rLaQ7QpNPZRZXd1kcRrqn+nmMZmg4oteMPbPsNIdugW09qItOMt/Lt8o58k2/C//Yu2G 0mpQ==
X-Gm-Message-State: ABUngvenFU6Woqn8Rh41Sua6RwpOOVce2u6Ut0qxA1J6VhrjccaFr6goHRDyTfe15UyDwKr2bIFMUzlk8z/jHg==
X-Received: by 10.28.141.143 with SMTP id p137mr2224575wmd.5.1478018496457; Tue, 01 Nov 2016 09:41:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Tue, 1 Nov 2016 09:41:36 -0700 (PDT)
From: Samuel Erdtman <samuel@erdtman.se>
Date: Tue, 01 Nov 2016 17:41:36 +0100
Message-ID: <CAF2hCbZRyGSkKorKV1Vre-wdKWksbhMEDfoNUP3bHgjBccb-yw@mail.gmail.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>, William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a114717b6742ec405403fff93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qTtRlzcaLRkPJRukfdh8n5QTeZk>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-native-apps-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2016 16:41:41 -0000
Hi, Thanks for the great work of putting this together. I have a few comments on the current draft. See below Best Regards Samuel Erdtman 5. Using Inter-app URI Communication for OAuth The end of this section is a bit confusing with first a MUST statement and then a RECOMMENDED statement “Native apps MUST use an external user-agent to perform OAuth” and “This best practice focuses on the browser as the RECOMMENDED external user-agent for native apps.” 7.1.1. Custom URI Scheme Namespace Considerations “For example, an app that controls the domain name "app.example.com" can use "com.example.app:/" as their custom scheme.” drop the slash in the custom schema. 7.2. App-claimed HTTPS URI Redirection “When the browser encounters a claimed URL, instead of the page being loaded in the browser, the native app is launched instead with the URL supplied as a launch parameter.” drop one “instead” changing it to: “When the browser encounters a claimed URL, instead of the page being loaded in the browser, the native app is launched with the URL supplied as a launch parameter.” 7.2. App-claimed HTTPS URI Redirection If this is the recommended way to do it when possible maybe it should be first? 8.1. Embedded User-Agents “Embedded user-agents are an alternative method for authorization native apps.” change to “Embedded user-agents are an alternative method to authorize native apps.” or “Embedded user-agents are an alternative method for authorization of native apps.” 8. Security Considerations I see normative language here (MUST, RECOMMENDED, SHOULD, etc.), and it felt a bit odd to me to have that under Security Considerations. Not sure if there are guidelines around that, but to me it would make sense to keep the normative parts out of Security Considerations. And it says “Considerations”, to me that sounds mor like things to think about then this is how it works. 8.2. Protecting the Authorization Code “A limitation of using custom URI schemes for redirect URIs is that multiple apps can typically register the same scheme, which makes it indeterminate as to which app will receive the Authorization Code. PKCE [RFC7636] details how this limitation can be used to execute a code interception attack (see Figure 1). Loopback IP based redirect URIs may be susceptible to interception by other apps listening on the same loopback interface.” I think it would be preferable to separate custom URI and Loopback IP based redirect. 8.2. Protecting the Authorization Code “Loopback IP based redirect URIs may be susceptible to interception by other apps listening on the same loopback interface.” Are you referring to an application listening to loopback traffic or an application killing the original application and start listening on the same port. The second alternative would be relatively intrusive and notable. Appendix A. Server Support Checklist 1. Support custom URI-scheme redirect URIs. I could not see that this was required in section Section 7.1. Appendix A. Server Support Checklist 5. Support PKCE. in Section 8.2 it says MUST “Authorization servers MUST support PKCE [RFC7636] for public native app clients.”
- [OAUTH-WG] Review of draft-ietf-oauth-native-apps… Samuel Erdtman
- Re: [OAUTH-WG] Review of draft-ietf-oauth-native-… William Denniss
- Re: [OAUTH-WG] Review of draft-ietf-oauth-native-… Samuel Erdtman