IETF Logo Mail Archive

Re: [OAUTH-WG] Username and Password Flow and oauth_client_secret

David Recordon <recordond@gmail.com> Thu, 29 April 2010 03:29 UTC

Return-Path: <recordond@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 906333A6AA8 for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 20:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Level:
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id la--1KiQxjMT for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 20:29:01 -0700 (PDT)
Received: from mail-iw0-f191.google.com (mail-iw0-f191.google.com [209.85.223.191]) by core3.amsl.com (Postfix) with ESMTP id 4E6333A6A5C for <oauth@ietf.org>; Wed, 28 Apr 2010 20:29:01 -0700 (PDT)
Received: by iwn29 with SMTP id 29so11117805iwn.17 for <oauth@ietf.org>; Wed, 28 Apr 2010 20:28:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=1WSjVcvJDV7mo6uetM3AmflgHyID2CSRhVT/ApwhazQ=; b=MrpOu4ESjtd0+NzYdOYq+wj8qvetGywV22daQmqWfMmyqSV6+pABvKLBSVEUl3AzSq ezs+RJVGzTRo4U8Vs0SAdktHw2nxYzQ2QXommPh8TrR7K6Oqnhrvwjmnswl4QTm6s/bZ m+PjtEnGwGdd1SQYaMYOQ/VPhoyxlhtRV0tYI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=upupd6yb1s0H9aJbjk4GJdmmwtOW1jQTXIxQmqnyDMnfS0lL/MmPDjDw8Hfy/wqgbB VZeNWRzov5OdbRMuUDUDYrZ/kZp5c2yZNcnIvbIgfFOjEpbD7Wb3o//zOBQiJv2fMKuP YcVBXAckLhkdAbTMBe1ZtukZmB0eMRQCVWmCA=
MIME-Version: 1.0
Received: by 10.231.170.143 with SMTP id d15mr3540489ibz.13.1272511725428; Wed, 28 Apr 2010 20:28:45 -0700 (PDT)
Received: by 10.231.182.146 with HTTP; Wed, 28 Apr 2010 20:28:45 -0700 (PDT)
In-Reply-To: <p2mf3fdf5a71004281801me439ae60q156c0518eb7543dc@mail.gmail.com>
References: <h2if3fdf5a71004281326l9492c83ibd957178b3716646@mail.gmail.com> <u2zfd6741651004281419l67dc635en84c4491cbfc23ce2@mail.gmail.com> <p2mf3fdf5a71004281801me439ae60q156c0518eb7543dc@mail.gmail.com>
Date: Wed, 28 Apr 2010 23:28:45 -0400
Message-ID: <m2gfd6741651004282028x180a469bl942f556e46d4a443@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Tosh Meston <tosh.meston@gmail.com>
Content-Type: multipart/alternative; boundary="005045029be95ddff7048557b99e"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Username and Password Flow and oauth_client_secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2010 03:29:02 -0000

I realize that this doesn't work generically, but at Facebook we only plan
to offer the username/password flow to a small number of partners. We figure
that we'll work out device/app authentication on a case by case basis
depending on what is possible. We've also thought about issuing clients a
separate secret which only works on this flow and couldn't be repurposed for
other flows if it were to be stolen.

I believe Google is going to solve this problem by not supporting the
username/password flow in the first place.

--David


On Wed, Apr 28, 2010 at 9:01 PM, Tosh Meston <tosh.meston@gmail.com> wrote:

> Hey David,
> Thanks for the response and clarification.  Agreed.  The mobile device
> shouldn't keep the client secret so passing in the body in an SSL request is
> out, and signing the /access_token request is out for the same reason.  So,
> it doesn't seem like there is a way to ensure that value in the
> oauth_client_identifier really represents that client, if I understand
> correctly.  Is that an issue?
>
> Evil client X could get an access_token and token_secret for another app,
> but would only be able to make successful calls to protected resources if
> the platform failed to check if the app represented by the
> oauth_client_identifier is the same app represented by the
> oauth_consumer_key, and also used the oauth_client_identifier as the
> application id.
>
> Just thinking aloud and trying to get my brain around this...
>
> Thanks!
> Tosh
>
>
>
> On Wed, Apr 28, 2010 at 2:19 PM, David Recordon <recordond@gmail.com>wrote:
>
>> Hey Tosh,
>> I think this example just needs updating. In most cases the username and
>> password flow will be used on applications or devices which can't keep
>> secrets. Thus specing that the oauth client secret is used is a poor idea
>> from a security perspective. I imagine that different devices will be able
>> to keep secrets in different manners and that this will be used in a more
>> case by case basis.
>>
>> --David
>>
>>
>> On Wed, Apr 28, 2010 at 4:26 PM, Tosh Meston <tosh.meston@gmail.com>wrote:
>>
>>> Hi everyone,
>>> I see that in draft specification, under the username and password flow,
>>> the oauth_client_secret is not listed in the required or optional request
>>> parameters, but is included in the example request.  Is it correct to assume
>>> it should be listed it in the required parameters?
>>>
>>> POST /access_token HTTP/1.1 Host: server.example.comoauth_client_identifier=s6BhdRkqt3&oauth_client_secret=8eSEIpnqmM&oauth_username=daveman692&oauth_password=1password
>>>
>>>
>>> http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#anchor9
>>>
>>> Thanks,
>>> Tosh
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email