IETF Logo Mail Archive

Re: [OAUTH-WG] Indicating sites where a token is valid

Dick Hardt <dick.hardt@gmail.com> Sun, 16 May 2010 18:38 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2A1543A6B9C for <oauth@core3.amsl.com>; Sun, 16 May 2010 11:38:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.438
X-Spam-Level:
X-Spam-Status: No, score=-0.438 tagged_above=-999 required=5 tests=[AWL=-1.640, BAYES_50=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_83=0.6, J_CHICKENPOX_84=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdXV-7rMc6Cw for <oauth@core3.amsl.com>; Sun, 16 May 2010 11:38:39 -0700 (PDT)
Received: from mail-pz0-f200.google.com (mail-pz0-f200.google.com [209.85.222.200]) by core3.amsl.com (Postfix) with ESMTP id 2D40E3A6B06 for <oauth@ietf.org>; Sun, 16 May 2010 11:38:39 -0700 (PDT)
Received: by pzk38 with SMTP id 38so75600pzk.31 for <oauth@ietf.org>; Sun, 16 May 2010 11:38:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=qcPcbKbR2gVa0aTRWENunHcoF7FLHRK/H+A9jbY7+Fw=; b=pZZwmCHdPrJ5yHYOEUJdqbYyKNIX86hEo6CYA1jEvpxv57Sqhh9FTW8XjNu6o/hnWs oE3E8ZX5mYuBGpe3AobtJRxG7xbGKZ8HekBtl3BX2XBi5Ald6FwJMvGK79OhADTYV+ZZ B6CJE80VeZ+YK3n8kDM80Rt0Dt+Dn4tOt/O1Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=XYbWp3V+ijYY7huIjXmzoWTivL1CrXb5mrILs19GJO+rEk0SFRKsAXgy1M7Y3ZqgyF u5zfXs7UvwPLNE2jZSUgeyZffP1khAewenVptZF4eLXNh8rDsjoU6lTdvh8AdY+7TAly aabKiSqAjiQDKfkzhIzT3wP46l++loHkv+KQE=
MIME-Version: 1.0
Received: by 10.142.6.35 with SMTP id 35mr2768939wff.79.1274035106918; Sun, 16 May 2010 11:38:26 -0700 (PDT)
Received: by 10.142.87.17 with HTTP; Sun, 16 May 2010 11:38:26 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3B6987D4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <AANLkTilkUA9i-WZPv8PqPsxiJf5_1SuiCb_GOTdcwtPX@mail.gmail.com> <AANLkTilNNyKvpbzCYfc__AvY1rJKqXE7KN8VL-m_CF-L@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112633D9594@WSMSG3153V.srv.dir.telstra.com> <AANLkTim0PNhUJAi1ZuDjB8feKh2Sb_OMoNz7AlDTYO6P@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112634655A4@WSMSG3153V.srv.dir.telstra.com> <AANLkTil7gTRNmqTAwsvFEdMLmlgeakpy8o1wyPTcTbLF@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB478D5@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTik0dKSLLVQDhodhFsO--bR43PvZKborWG1uK15t@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6987D4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sun, 16 May 2010 11:38:26 -0700
Message-ID: <AANLkTilsw-oR2gMi-FFZwXotl1xQaDKvszpvQLWcQO-V@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="00504502b659fab16c0486ba699f"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 May 2010 18:38:42 -0000

Not sure if you intended this, but you are mixing user present and user not
present access control.

I do NOT think we want OAuth protected images to be the same as Basic auth
protected images. I do think OpenID protected images and Basic auth are
similar. With OAuth today, the user has granted explicit permission at a
particular resource, not any resource the user may have access to.

-- Dick

On Thu, May 13, 2010 at 9:30 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

> Today when I cut/paste a URI of an image using Basic auth, the browser
> knows exactly what to do. I want to do the same with an OAuth-protected
> image. Saying that there aren’t standards API out there to benefit from this
> is incorrect. There are plenty.
>
>
>
> This is complete discovery for the authentication layer. The rest doesn’t
> belong here, the same way this doesn’t belong as part of the API
> specification.
>
>
>
> EHL
>
>
>
> *From:* Evan Gilbert [mailto:uidude@google.com]
> *Sent:* Thursday, May 13, 2010 9:16 AM
> *To:* Eran Hammer-Lahav
> *Cc:* Manger, James H; OAuth WG
>
> *Subject:* Re: [OAUTH-WG] Indicating sites where a token is valid
>
>
>
>
>
> On Thu, May 13, 2010 at 9:08 AM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>
> You are trying to match a mechanism designed for automatic discovery with a
> system designed to require paperwork. It sounds like for your use cases, you
> will not be using this optional parameter and just document how to use your
> API (i.e. hardcode your security setup and API format).
>
>
>
> I'm saying it should be a fully automatic discovery or use paperwork.
> Having an API return valid URL prefixes to send the token to without having
> an API to determine the actual URLs you send tokens to seems odd.
>
>
>
> The whole point of this is that the developer isn’t involved. The library
> takes care of everything. All the developer does is ask to get a protected
> resource. The library will check if it already has a valid token for that
> resource (based on the security restrictions provided by the sites
> parameter, and the scope requirements – two very separate things).
>
>
>
> This is an incomplete mechanism for automatic discovery. How does the
> developer find out where to ask for the protected resource in the first
> place?
>
>
>
> So yes – if your developers have plenty of stuff to hardcode already, this
> adds little value.
>
>
>
> EHL
>
>
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Evan Gilbert
> *Sent:* Thursday, May 13, 2010 9:00 AM
>
>
> *To:* Manger, James H
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Indicating sites where a token is valid
>
>
>
>
>
> On Wed, May 12, 2010 at 11:52 PM, Manger, James H <
> James.H.Manger@team.telstra.com> wrote:
>
> Evan,
>
>
> > The key point is that this discovery covers a lot of the same grounds as
> the sites parameter, and it's hard  to define semantics around a sites
> parameter without understanding the semantics of scopes and API endpoints.
>
> I strongly disagree. The semantics are crystal clear:
>  "Here is a token. It is INSECURE to send it anywhere not in this list."
> These semantics are useful regardless of what the API does, how the client
> is using it, or how much (or how little) the client knows about the API.
>
>
>
> To expand - it's hard to define *useful* semantics around a sites parameter
> without understanding the semantics of scopes and API endpoints. Yes, you
> can define crystal clear semantics, but these are not useful unless they
> work well with the way developers figure out the endpoints to call APIs.
>
>
>
>
>
> > Clients need to [know] more about these links (at least the response
> format).
>
> That knowledge comes from other standards (HTML, Atom, wiki of rel
> values...) and is totally independent of whether a token should or should
> not be sent.
>
>
>
> In our use cases, clients almost always need to know more about the API:
>
> - How to call directly - we have no API endpoints that are only arrived at
> by links
>
> - Response format of the data
>
>
>
>
>
> > The mechanism they use to find out about these links - documentation,
> discovery, data returned with token request - could also provide the
> information about whether a token should be sent to a particular API.
>
> Could, but shouldn't and doesn't in practise.
> It is much much better to have the information about how to use a token
> securely delivered at the same time & place as receiving that token, and
> with minimal assumptions about how much the client apps knows about the
> service.
>
>
>
> So why wouldn't we return a list of specific API endpoints instead of a
> "sites" parameter?
>
>
>
> Developers are going to call the APIs endpoints that they know about. If
> there is a conflict between this and the sites parameter, what should they
> do? For example, if facebook returns a sites parameter "
> https://unknown.facebook.com/", do we think the developer is going to not
> try to use the access token on https://graph.facebook.com/<https://graph.facebook.com/*>
>  ?
>
>
>
> Separating the concept of sites from API endpoints feels like a bad idea.
> Discovery / docs will give you a list of URLs where you should send tokens.
> The "sites" parameter will give you a list of URLs where you can send
> tokens. This is redundant, and will lead to developers / libraries not
> respecting the sites parameter. If developers / libraries don't respect it,
> then the service can't rely on it for enforcing security.
>
>
>
> Another note: Where do we anticipate clients storing the sites parameter in
> the User-Agent flow? Right now the access token can be set as an HTTP cookie
> by the client. Do we expect them to set a separate "sites" cookie and
> respect this on their server when making requests? This seems complicated.
>
>
>
>
>
> > I should be more concrete about the use cases I see. Let's assume there's
> an API where there are two endpoints, each with an associated permission
> > - contacts.list permission ->
> http://contacts.serviceprovider.com/contacts/list
> > - calendar.get permission ->
> http://calendar.serviceprovider.com/calendar/get
> >
> > If the response to an authorization request includes the authorized
> scopes (contacts.list, calendar.get), then the "sites" parameter is
> redundant.
>
> I'll admit that "sites" is redundant if a client has *perfect* knowledge
> about a service, but so is pretty much any standard at that point.
>
> Consider a generic search spider tool that you point at
> http://calendar.serviceprovider.com/calendar/get. It can do its job with
> no knowledge about what "calendar.get" means -- but it still needs to know
> (as it spiders along) when it is safe to expose the token.
>
>
>
> How does the generic search spider know to call to
> http://calendar.serviceprovider.com/calendar/get in the first place?
>
>
>
>
>
> --
> James Manger
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email