Re: [OAUTH-WG] CORS and public vs. confidential clients

Prateek Mishra <prateek.mishra@oracle.com> Fri, 28 March 2014 00:00 UTC

Message-ID: <5334BB7B.2060602@oracle.com>
Date: Thu, 27 Mar 2014 16:59:55 -0700
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
To: Bill Burke <bburke@redhat.com>
References: <53344407.1050802@redhat.com>
In-Reply-To: <53344407.1050802@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tZpeM0l-cziQGDNnpVZMFKAAA6w
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] CORS and public vs. confidential clients

Bill - as you are referencing CORS in your message, I assume you are 
discussing a JavaScript-only (browser) client. I believe the implicit flow
was designed for this case and this flow never involves a confidential 
client.

Confidential clients may be used with the other flows (code, 
resource, ...) that are capable of making a TLS call to a Token Endpoint.

- prateek

> I'm still trying to wrap my head around the differences between public 
> and confidential clients.  In our IDP impl, we check redirect uris and 
> associate a lot of private metadata to the access code to ensure there 
> is no client_id swapping.  My understanding was that confidential 
> clients made sure that only an authenticated client could obtain an 
> access token.
>
> What if you throw CORS in the mix where your browser needs the access 
> token (and the ability to refresh it) to make cross-domain requests? 
> Doesn't this remove a large benefit of confidential clients?
>
> Anybody know a good document that describes the difference and 
> pros/cons of public vs. confidential clients beyond the actual OAUTH 
> spec itself?
>
> Thanks
>
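As an added illustration of the two points raised in this exchange (confidential clients authenticate at the token endpoint, and the authorization code is bound to the client_id and redirect_uri it was issued for so that it cannot be swapped to another client), here is an example token-endpoint check; it is not code from the thread or from any particular IdP, and the names CLIENTS, ISSUED_CODES and exchange_code are hypothetical. The implicit flow has no token-endpoint step at all, which is why a browser-only client gets no client authentication, whereas a public client using the code flow still benefits from the code binding shown here even though it cannot present a secret.

```python
# Added example (not from the thread): an authorization server's token endpoint
# check for the authorization-code grant, showing how public and confidential
# clients are treated. CLIENTS, ISSUED_CODES and exchange_code are hypothetical.
import hmac
import secrets

# Constructed sample client registry: the confidential client holds a secret,
# the browser-only (public) client does not.
CLIENTS = {
    "web-backend": {"confidential": True, "secret": "s3cret",
                    "redirect_uris": {"https://app.example/cb"}},
    "spa": {"confidential": False, "secret": None,
            "redirect_uris": {"https://spa.example/cb"}},
}

# Constructed: codes as issued by the authorization endpoint, each bound to
# the client_id and redirect_uri used in the authorization request.
ISSUED_CODES = {
    "code-A": {"client_id": "web-backend", "redirect_uri": "https://app.example/cb", "used": False},
    "code-B": {"client_id": "spa", "redirect_uri": "https://spa.example/cb", "used": False},
}


def exchange_code(code, client_id, redirect_uri, client_secret=None):
    """Return ("ok", access_token) or ("error", rfc6749_error_code)."""
    client = CLIENTS.get(client_id)
    if client is None:
        return ("error", "invalid_client")
    # Confidential clients must authenticate; a public client has no secret to
    # present, so only the code binding below protects it.
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return ("error", "invalid_client")
    record = ISSUED_CODES.get(code)
    if record is None or record["used"]:
        return ("error", "invalid_grant")
    # The code is bound to the client it was issued to: this is what blocks
    # client_id swapping between the authorization and token requests.
    if record["client_id"] != client_id:
        return ("error", "invalid_grant")
    # It is also bound to the redirect_uri of the authorization request, which
    # must be identical here and registered for this client (RFC 6749, 4.1.3).
    if record["redirect_uri"] != redirect_uri or redirect_uri not in client["redirect_uris"]:
        return ("error", "invalid_grant")
    record["used"] = True  # single use: a replayed code is rejected
    return ("ok", secrets.token_urlsafe(32))
```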