IETF Logo Mail Archive

Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)

Alissa Cooper <alissa@cooperw.in> Fri, 03 August 2018 13:22 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9C6130E06; Fri, 3 Aug 2018 06:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=EzRjp8ZR; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=dtxn+QcD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptUr54rZ59vu; Fri, 3 Aug 2018 06:22:17 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A3D8130E16; Fri, 3 Aug 2018 06:22:14 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 4E9C022D; Fri, 3 Aug 2018 09:22:13 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Fri, 03 Aug 2018 09:22:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; bh=v3/OKgWxLLM2YdKgt65v7DSr8yuSQ6zb/jSk0ZCCFmg=; b=EzRjp8ZR vA+qgMsJB5VKZvdvFpIY05Cogh9fj9FqDatJRNBxa1Do+Z1PqVBH+MmPuj2yKjxM ZgW2GlUCGbK2r5Upwal3lKiZkpjFNOKY1h5QNPH39hoWzTq+UMXHlCNisAgGjiH2 RHbyxfaSP/JFu8kbaWyZtqrXqECrKaLmXbtny7vftldvX7+LM+dt8I7i9tqbXw+f eYEr3Sa9OqnOmOAMga2e3xrl9GwsFHbFBDhK5GyGu9yBCPkE9jLRs+mgJK3/NS3X SNbrtKIrFhT7RVr0hMe3hjNlKVMNck/DcS9/zMqfqmSs0/w1YLN/pmA/xcXIegBf uFxr0JXkYmhQkg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; bh=v3/OKgWxLLM2YdKgt65v7DSr8yuSQ 6zb/jSk0ZCCFmg=; b=dtxn+QcD/O5/XxYJ6cEIHy44/sP7AhJKSykztMom29ZOk sZ6Kciphg44z5LPKg6HaCHC6dvYMp28FONVQCPxFXk767mKAbe9uxH/9Xt+LsJUl RW1lucYgEDSFJ4JgG5eUsu9/J0HGGkkptZ0k2H93sjTQC0D2XMea7gBiE4PjmZ4R FcOJUWyT8peFEN4XqlLxTOxpDdXn1XxLrRPlzUSOy5VKpXDH8PPKrh9P7UjTusnS 1kxyLMQgQWiNqaBhv840/eOEiDVAfjISKHVEpfIsmQ1ppeRunvPu/wl3KYdNLNwI c/i4qfLOmA0BeLx8yc0grg5X1j/Eg2kNw6XU3qA5g==
X-ME-Proxy: <xmx:BFdkW9qjOZ_kv_Ffi5jM7aZFJilwL6Oc6Rcl9n9e_bvEX2OFZIFc7A> <xmx:BFdkW_2VAeIVDD1XJfBBWdmXz9uvWAwUMGZH--aXULqkIDyAjppYnQ> <xmx:BFdkW8BzhHpFppmcreTES8QCiynVhFHGBQ8CZRDHSkuZXe4Pz2l_Hg> <xmx:BFdkW3dGKkkNi2f5ab4ri4x21u0tOKCbUtLqhLc4YlqlQSoycj03PA> <xmx:BFdkWxjWmudiZ6APYSi6XZOqhWctEDX2lOIdR3szI4SZNAvMbhZf4w> <xmx:BFdkW9xrDiL9zbkXJiOxL_Pvrnxk_XCWrCOtl4XLYAPtj2APd4NrGg>
X-ME-Sender: <xms:BFdkW6UouTMqI91kqnc_DxmAyScAw4WCRcJDR5DX0u0okDrbz2k5dw>
Received: from rtp-alcoop-nitro2.cisco.com (unknown [173.38.117.79]) by mail.messagingengine.com (Postfix) with ESMTPA id 52C3110273; Fri, 3 Aug 2018 09:22:12 -0400 (EDT)
From: Alissa Cooper <alissa@cooperw.in>
Message-Id: <6EDF694B-553E-45FF-99A4-3034FA393372@cooperw.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B2AE964B-490D-4743-9E44-240BA1F399D3"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 03 Aug 2018 09:22:09 -0400
In-Reply-To: <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com>
Cc: IESG <iesg@ietf.org>, draft-ietf-oauth-device-flow@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, oauth <oauth@ietf.org>
To: William Denniss <wdenniss@google.com>
References: <153305269020.3071.5881779499900104302.idtracker@ietfa.amsl.com> <CAAP42hCVBG6vnaazuo1A7sxj5zYj_MJfY8fHujWP0M9Mjdh3TQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t9drdhBoXLSlJ8dwzeogRsT0mNM>
Subject: Re: [OAUTH-WG] Alissa Cooper's No Objection on draft-ietf-oauth-device-flow-11: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 13:22:22 -0000

Hi William,

> On Aug 2, 2018, at 2:41 PM, William Denniss <wdenniss@google.com> wrote:
> 
> Alissa,
> 
> Thank you for your review. Replies inline:
> 
> On Tue, Jul 31, 2018 at 8:58 AM, Alissa Cooper <alissa@cooperw.in <mailto:alissa@cooperw.in>> wrote:
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I support Mirja's DISCUSS point #3 which was also raised by the Gen-ART
> reviewer. The Gen-ART review also included a number of other useful comments.
> Please address them.
> 
> We're working through the comments, some were addressed in -12, and the work continues.
>  
> 
> Perhaps this is implicit, but I found it a little odd that there is no mention
> of whether the device codes and user codes are expected to be unique to
> individual devices.
> 
> The are definitely expected to be unique.
> 
> Section 3.2 currently states "the authorization server generates a device verification code and an end-user code that are valid for a limited time"
> 
> The assumption was that the "generated" codes would be unique. I will add the word unique in future version (13), so it will read "generates a unique device verification code…”

Great.

> 
>  
> Section 3.3:
> 
> "It is NOT RECOMMENDED for authorization servers to include the user
>    code in the verification URI ("verification_uri"), as this increases
>    the length and complexity of the URI that the user must type."
> 
> I don't fully understand the justification for the normative requirement here.
> The user ultimately ends up typing in both strings, right? Is it so much more
> complex to type them both into a browser bar contiguously than to type the uri
> into the browser bar and the code into some form field on the page such that
> the normative requirement is warranted?
> 
> Yes, the user will need to type both strings regardless.
> 
> The main reason for the recommended separation is that the URI can't be validated/corrected – either they type it correctly and they get to the page, or they don't. But for the user-code, the page can display an error if the user types it wrong. The belief is that it's a better user experience that they get to the page, and then continue the input from there rather than get browser errors if they typed the user-code part of the URI wrong.

Got it. I think it would help to add this explanation to the document.

Thanks,
Alissa

> 
> This is also how every implementation I've seen has actually implemented it.
> 
> As written, if the authorization server were to include the code in the URI, this would then raise the question of what should be in the user_code (e.g. would it be the empty string?) and how the device client should render the instructions in that case. I think the spec is simpler if we recommend one preferred approach based on the usability best-practices derived from the implementation experience of earlier drafts.
> 
> Section 3.3.1:
> 
> Wouldn't there be textual instructions about how to use the QR code also
> included here? If the point is to illustrate the UI it seems like those should
> be included too.
> 
> Good point! Figure 3 was updated to include QR scanning instructions.
> 
> Best,
> William
>

v2.23.0 | Report a Bug | By Email