[OAUTH-WG] Review of draft-ietf-oauth-native-apps-05

Samuel Erdtman <samuel@erdtman.se> Tue, 01 November 2016 16:41 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02C591294BF for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 09:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OUhJF8WqHC3W for <oauth@ietfa.amsl.com>; Tue, 1 Nov 2016 09:41:38 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB8A1294DA for <oauth@ietf.org>; Tue, 1 Nov 2016 09:41:37 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id p190so216208424wmp.1 for <oauth@ietf.org>; Tue, 01 Nov 2016 09:41:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=k9Qe3We3RCkSN4EguQBwndc4qtKRmLFa2pxnG0ieEx0=; b=X2E4Jy5nnFcUSfWEqRE2BOPD8RcOMSWL4yGLQBRRejeQnhuOn54/GbwyVFw8AYThfv VuEFxZOGANOegqSAo+zMxOsH0y6S+5BFH5e28GRULUEPol0iMlk7J5km6Ae+a0p3Ivgb bYIHzdXAH117q6nGHIJ4/5BKRudS9KpOem1QacKvIULocfUbpl1ktn8TPKl+cYaXy0pM NVNL/oBKvz6MgCZPYrnRVIzIfy3quCoHWLdoc4cNUn9PMfm7jlI31tzpvxvSAENTLTmC m6N2slKFnIm7zGSaUzYuKV7TvKEYBpIpuz8N3O6JQOaGhF1vhqeZfLt9fLB5gsNu6uqu 958w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=k9Qe3We3RCkSN4EguQBwndc4qtKRmLFa2pxnG0ieEx0=; b=QoBeEnB8z42Ad5Raw8mp0z/Zc8rCTvSC+CkSuqIAPXl01g9MZEg117FptMA1PduV7g zntT46pCxWJsFTaOeslQh6AT12ZNh39DDTvKdme/wd2TNdkf8MKviEB0HE+i9pkxfxLG 5wVlogHc3DUTrB203v7Iu8YLE+lqmF87K7bzCZWejM1TuH1U9Y8qUBTvGbG9Z1biJfke D5fDHgYxEneWd9uUXgXsNcyUGL9g2lCc8AJwwdq6DI7R8BEh1gsASONOJRdwbnv/oPU+ rLaQ7QpNPZRZXd1kcRrqn+nmMZmg4oteMPbPsNIdugW09qItOMt/Lt8o58k2/C//Yu2G 0mpQ==
X-Gm-Message-State: ABUngvenFU6Woqn8Rh41Sua6RwpOOVce2u6Ut0qxA1J6VhrjccaFr6goHRDyTfe15UyDwKr2bIFMUzlk8z/jHg==
X-Received: by 10.28.141.143 with SMTP id p137mr2224575wmd.5.1478018496457; Tue, 01 Nov 2016 09:41:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Tue, 1 Nov 2016 09:41:36 -0700 (PDT)
From: Samuel Erdtman <samuel@erdtman.se>
Date: Tue, 01 Nov 2016 17:41:36 +0100
Message-ID: <CAF2hCbZRyGSkKorKV1Vre-wdKWksbhMEDfoNUP3bHgjBccb-yw@mail.gmail.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>, William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a114717b6742ec405403fff93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qTtRlzcaLRkPJRukfdh8n5QTeZk>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-native-apps-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2016 16:41:41 -0000

Hi,

Thanks for the great work of putting this together. I have a few comments
on the current draft. See below

Best Regards
Samuel Erdtman



5.  Using Inter-app URI Communication for OAuth
The end of this section is a bit confusing with first a MUST statement and
then a RECOMMENDED statement
“Native apps MUST use an external user-agent to perform OAuth”
and
“This best practice focuses on the browser as the RECOMMENDED external
   user-agent for native apps.”


7.1.1.  Custom URI Scheme Namespace Considerations
“For example, an app that controls the domain name "app.example.com"
   can use "com.example.app:/" as their custom scheme.”
drop the slash in the custom schema.


7.2.  App-claimed HTTPS URI Redirection
“When the browser encounters a claimed URL, instead of the
   page being loaded in the browser, the native app is launched instead
   with the URL supplied as a launch parameter.”
drop one “instead” changing it to:
“When the browser encounters a claimed URL, instead of the
   page being loaded in the browser, the native app is launched
   with the URL supplied as a launch parameter.”


7.2.  App-claimed HTTPS URI Redirection
If this is the recommended way to do it when possible maybe it should be
first?


8.1.  Embedded User-Agents
“Embedded user-agents are an alternative method for authorization
   native apps.”
change to
“Embedded user-agents are an alternative method to authorize
   native apps.”
or
“Embedded user-agents are an alternative method for authorization
   of native apps.”


8.  Security Considerations
I see normative language here (MUST, RECOMMENDED, SHOULD, etc.), and it
felt a bit odd to me to have that under Security Considerations. Not sure
if there are guidelines around that, but to me it would make sense to keep
the normative parts out of Security Considerations. And it says
“Considerations”, to me that sounds mor like things to think about then
this is how it works.


8.2.  Protecting the Authorization Code

“A limitation of using custom URI schemes for redirect URIs is that
   multiple apps can typically register the same scheme, which makes it
   indeterminate as to which app will receive the Authorization Code.
   PKCE [RFC7636] details how this limitation can be used to execute a
   code interception attack (see Figure 1).  Loopback IP based redirect
   URIs may be susceptible to interception by other apps listening on
   the same loopback interface.”

I think it would be preferable to separate custom URI and Loopback IP based
redirect.


8.2.  Protecting the Authorization Code
“Loopback IP based redirect
   URIs may be susceptible to interception by other apps listening on
   the same loopback interface.”
Are you referring to an application listening to loopback traffic or an
application killing the original application and start listening on the
same port. The second alternative would be relatively intrusive and notable.


Appendix A.  Server Support Checklist
1.  Support custom URI-scheme redirect URIs.
I could not see that this was required in section Section 7.1.


Appendix A.  Server Support Checklist
5.  Support PKCE.
in Section 8.2 it says MUST
“Authorization servers MUST support PKCE [RFC7636]
   for public native app clients.”