IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC draft-ietf-oauth-device-flow-06

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Fri, 30 June 2017 22:18 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F6D4128CFF for <oauth@ietfa.amsl.com>; Fri, 30 Jun 2017 15:18:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rxiGjZUxiVA for <oauth@ietfa.amsl.com>; Fri, 30 Jun 2017 15:18:38 -0700 (PDT)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFDC2127977 for <oauth@ietf.org>; Fri, 30 Jun 2017 15:18:37 -0700 (PDT)
Received: by mail-ua0-x235.google.com with SMTP id g40so83467791uaa.3 for <oauth@ietf.org>; Fri, 30 Jun 2017 15:18:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+LdMV6DRUZWcZWjZjBFbltC6yeOB+ImbK73cdkN0qyo=; b=Asv+ON23tnKZjoLMSbZsY1hKZo1rEUCvBd9t0vfK+PRIsvf1Qat9HpTibduu0iP14+ Wv9k8JZyVRmKyKBkTuc1eA65hE5+T9LZ3lh/CQhZKmjmFrhg+ejauHb6X3KMvBHgGGih 8eZeUF3gj5IzRxr0osxYp7oIFvgBxEA5UopA9lnfW/+VV+cULxy69ZaX+gLT3iqlRFMT u8o6oLr6cz46SoQgqvshsbRIH9mKWS+Vp7gdpduvXzRrpV0x9n89JfKa1TavNfkBEG/X PO9r6ukmpLKZUCzQ+lei2zGmMzd7cH1rROBqSsaiLVacgKI7PPYaeRXnl+IZ5/EnLRyI C8SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+LdMV6DRUZWcZWjZjBFbltC6yeOB+ImbK73cdkN0qyo=; b=HtIqz94/Br7LQp3TXrxo2Vis3n3BVIbbLrIGPjckl1EbLM799d6fpZlg6v1ML+w7Pm SrOGBh3fcH5bnXpkHCebHxCV/xPjAjfK2AgaAzbb8y+5q0G3vxIro3DRevyzjyQAOZRS vFlrW4Wm7o1ohgUXDhfKOgzv7t0Ki9P1CZcXyfsVCVmohRhqO6Eyt5uIuHP06+73JYac Qu9YdZL/wK0RrlyX28XGGBA4MK5AVth9VeBGzhMsNOvMdY0UlY0v1qBk7vkK2e2RDEv4 p9u6hiAJr0Kb7Sy9FWSEfDmAYsHzHaKz8MwtlN0dkZV95z8maEKTbJ20u1zxWx8mECQr dftw==
X-Gm-Message-State: AKS2vOwNNi6M0pmDLH03GI650h9KToOZdMzLXm5Q67zBRFvlGxevMIMx gYU55fmvWqFZmLtPsbTcdlB8g/Wm+g==
X-Received: by 10.176.9.222 with SMTP id e30mr14742292uah.52.1498861117092; Fri, 30 Jun 2017 15:18:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.76.29 with HTTP; Fri, 30 Jun 2017 15:18:36 -0700 (PDT)
In-Reply-To: <8C46E20E-EFF4-481A-99E7-ADD1A9DF133F@mit.edu>
References: <CAGL6epKEzeYp163zn_6+o3beDaHGmm_TnjHGk4zV+riNxa-Dvw@mail.gmail.com> <CAGL6epJV_ymy5cNE5FJhyOXRYprCFs3hpL6-dg2WWZmY-cUUBA@mail.gmail.com> <2F9EAD6E-DDBD-4763-AF7D-51A7018216E1@mit.edu> <CAGL6epLPXRA=31WhV=jU3FAXQKhY99=RsXPG2HMkfeZQWE+hGQ@mail.gmail.com> <8C46E20E-EFF4-481A-99E7-ADD1A9DF133F@mit.edu>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Fri, 30 Jun 2017 18:18:36 -0400
Message-ID: <CAGL6epKquiF0Wskf-4oOnrnSNaN_u6jSjJrtUnugufst4cc+Hg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="f403043eea4873bade055334ccaf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uOMVyL2PmCzT1rL1uXe61AWjQxc>
Subject: Re: [OAUTH-WG] WGLC draft-ietf-oauth-device-flow-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jun 2017 22:18:41 -0000

On Wed, Jun 28, 2017 at 4:45 PM, Justin Richer <jricher@mit.edu> wrote:

>
> On Jun 28, 2017, at 2:35 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>
> On Wed, Jun 28, 2017 at 11:33 AM, Justin Richer <jricher@mit.edu> wrote:
>
>> This is functionally equivalent to polling, as far as the spec is
>> concerned. Instead of it being a timeout-based poll, it’s an
>> interaction-based poll. Either way, the device makes a new HTTP request to
>> the AS to see if the device code is good or not, and either option is
>> possible at that point as far as the device knows— the user could go mash
>> buttons as fast as possible without ever entering the user code.
>>
>>
> You are correct that this does not change the communication model, but if
> there is a large number of devices being configured at the same time, then
> the polling as it is defined in the document unnecessarily overloads the AS
> whether the user is doing anything or not.
>
>
> The polling mechanism already has slow-down and other mechanisms to
> prevent the AS from being unnecessarily overloaded by well-behaved clients.
>
>
Sure, but *if* there is a way to avoid the polling altogether, then we
might not need these slow-down mechanisms in the first place.


>
>> In practice, this isn’t very likely to happen, as it requires additional
>> steps for the user and
>>
>
> It requires one more step (not steps), which is the user pushing the
> button one more time after the user is done with authenticating and
> authorizing the device; do you see any other steps needed here?
>
>
> What you describe as “clicking the button” really isn’t that simple in the
> real world:
>
> 1) Being told I need to go click a button by the AS, or maybe I need to go
> click a button, because now we have something that’s device specific and
> would be tied to the device registration. After all, some things will be
> “automatic” per the user’s experience (because of polling) and some will
> require further actions.
> 2) Finding the device because I wasn’t at the device I was at my computer
> and maybe the device needs me to do something else or maybe not (see step 1)
> 3) Finding the button on the device, or is that one the power button? Or
> does this one require me to wave my hand in front of a sensor instead of a
> button? Maybe there are some instructions on the device, or it will talk to
> me and tell me what to do when I push the button.
> 4) Clicking the button. Or waving my hand. Or shaking it really hard. Or
> licking it.
> 5) Checking to see if it worked, maybe clicking the button again just in
> case...
>
>
We are talking about a use case where a person is getting ready to install
a device, and you would expect the user to be able to find the device he
wants to install and interact with that device.
Are you expecting the user to be able to install a device without any
interaction with that device?


Regards,
 Rifaat


>
>
>
>> makes for a more clunky experience.
>>
>
> I guess this is subjective, but why do you think it is clunky?
>
>
> See the process above. It’s going to be incredibly device specific and not
> something we can, or should address at the protocol level, especially since
> the protocol as-is already allows for action-based polling completely
> transparently to the rest of the system.
>
> I don’t see any need for changes to the document to accommodate this. I
> would not be against a very small note that polling could happen on a
> reactive basis from the device instead of a timer, perhaps adding something
> like this sentence to §3.3¶3:
>
> Common mechanisms for determining when to poll include use of an internal
> timer and reliance on an interaction with the user, such as a button click
> or other physical activation. The details of such reactive polling behavior
> are expected to be device specific and are therefore outside the scope of
> this specification.
>
>
> Thanks,
>
>  — Justin
>
>
>
> Regards,.
>  Rifaat
>
>
>
>
>> If anything, we might see it as an optimization in some environments for
>> some clients. In any event, it’s not any different from the spec’s
>> perspective.
>>
>>  — Justin
>>
>> On Jun 28, 2017, at 8:27 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> wrote:
>>
>> Hi (as individual),
>>
>> I have reviewed the Device Flow document, and I have a question about the
>> polling part.
>> The current draft is calling for the Device Client to poll the AS for a
>> token (steps E & F of Figure 1).
>>
>> Presumably, the process started with the user pushing some button on the
>> Device Client to initiate the process.
>> One way to avoid the need for polling is for the Device Access Token
>> Request to be sent to the AS only after the user for example pushed that
>> same button again.
>> This would allow the user to perform steps C and D to authorize the
>> device, and then push the button again to get the token.
>>
>> Thoughts?
>>
>> Regards,
>>  Rifaat
>>
>>
>> On Thu, Jun 1, 2017 at 8:32 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com
>> > wrote:
>>
>>> All,
>>>
>>> We are starting a WGLC on the Device Flow document:
>>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06
>>>
>>> Please, review the document and provide feedback on any issues you see
>>> with the document.
>>>
>>> The WGCL will end in two weeks, on June 16, 2017.
>>>
>>> Regards,
>>>  Rifaat and Hannes
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>

v2.23.0 | Report a Bug | By Email