Re: [OAUTH-WG] WGLC draft-ietf-oauth-device-flow-06

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 28 June 2017 18:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sEZPyeXIy_UO74OH7CUpHWmRKnE>

On Wed, Jun 28, 2017 at 11:33 AM, Justin Richer <jricher@mit.edu> wrote:

> This is functionally equivalent to polling, as far as the spec is
> concerned. Instead of it being a timeout-based poll, it’s an
> interaction-based poll. Either way, the device makes a new HTTP request to
> the AS to see if the device code is good or not, and either option is
> possible at that point as far as the device knows— the user could go mash
> buttons as fast as possible without ever entering the user code.
>
>
You are correct that this does not change the communication model, but if
there is a large number of devices being configured at the same time, then
the polling as it is defined in the document unnecessarily overloads the AS
whether the user is doing anything or not.



> In practice, this isn’t very likely to happen, as it requires additional
> steps for the user and
>

It requires one more step (not steps), which is the user pushing the button
one more time after the user is done with authenticating and authorizing
the device; do you see any other steps needed here?



> makes for a more clunky experience.
>

I guess this is subjective, but why do you think it is clunky?

Regards,
 Rifaat




> If anything, we might see it as an optimization in some environments for
> some clients. In any event, it’s not any different from the spec’s
> perspective.
>
>  — Justin
>
> On Jun 28, 2017, at 8:27 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
> Hi (as individual),
>
> I have reviewed the Device Flow document, and I have a question about the
> polling part.
> The current draft is calling for the Device Client to poll the AS for a
> token (steps E & F of Figure 1).
>
> Presumably, the process started with the user pushing some button on the
> Device Client to initiate the process.
> One way to avoid the need for polling is for the Device Access Token
> Request to be sent to the AS only after the user for example pushed that
> same button again.
> This would allow the user to perform steps C and D to authorize the
> device, and then push the button again to get the token.
>
> Thoughts?
>
> Regards,
>  Rifaat
>
>
> On Thu, Jun 1, 2017 at 8:32 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>> All,
>>
>> We are starting a WGLC on the Device Flow document:
>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06
>>
>> Please, review the document and provide feedback on any issues you see
>> with the document.
>>
>> The WGLC will end in two weeks, on June 16, 2017.
>>
>> Regards,
>>  Rifaat and Hannes
>>
>
>
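
The trade-off debated in this thread, as an added example that is not part of the original messages or of the draft: a toy AS counts Device Access Token Requests under timer-based polling and under the button-triggered variant, and shows that an early button press gets the same pending response as an early poll. All class and function names, timings and device counts are constructed; `authorization_pending` is the error code defined in RFC 8628, the published form of this draft.

```python
class MockAS:
    """Toy authorization server that counts token requests (constructed)."""

    def __init__(self):
        self.approved_at = {}    # device_code -> time the user finishes steps C and D
        self.token_requests = 0  # load seen by the token endpoint

    def issue(self, device_code, approved_at):
        self.approved_at[device_code] = approved_at

    def token(self, device_code, now):
        """Device Access Token Request (step E) and its response (step F)."""
        self.token_requests += 1
        if now < self.approved_at[device_code]:
            return {"error": "authorization_pending"}
        return {"access_token": "constructed-token-" + device_code}


def timer_poll(server, code, interval, expires_in):
    """Polling as drafted: retry every `interval` seconds until approved or expired."""
    for now in range(interval, expires_in + 1, interval):
        if "access_token" in server.token(code, now):
            return now
    return None


def button_poll(server, code, press_times):
    """Proposed variant: one token request per button press, same response handling."""
    for now in press_times:
        if "access_token" in server.token(code, now):
            return now
    return None


def compare(n_devices=100, interval=5, expires_in=1800, approve_after=60):
    """Return (timer_requests, button_requests) for n_devices set up at once."""
    timer_as, button_as = MockAS(), MockAS()
    for i in range(n_devices):
        code = f"dev-{i}"
        timer_as.issue(code, approve_after)
        button_as.issue(code, approve_after)
        timer_poll(timer_as, code, interval, expires_in)
        # Assumed user behaviour: one press too early (t=10), one after approving.
        button_poll(button_as, code, [10, approve_after + 5])
    return timer_as.token_requests, button_as.token_requests


if __name__ == "__main__":
    print(compare())
```
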