Re: [OAUTH-WG] CORS and public vs. confidential clients

Phil Hunt <phil.hunt@oracle.com> Thu, 27 March 2014 19:00 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02AA21A06F0 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azo-INKSMRCd for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 12:00:24 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB8E1A0303 for <oauth@ietf.org>; Thu, 27 Mar 2014 12:00:24 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s2RJ0LPO008231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 27 Mar 2014 19:00:22 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2RJ0Llf002082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Mar 2014 19:00:21 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s2RJ0Lvb002074; Thu, 27 Mar 2014 19:00:21 GMT
Received: from [192.168.1.186] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 27 Mar 2014 12:00:21 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <53344407.1050802@redhat.com>
Date: Thu, 27 Mar 2014 12:00:22 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <42ECC1E1-69A9-4D20-8613-1854D9E6D94B@oracle.com>
References: <53344407.1050802@redhat.com>
To: Bill Burke <bburke@redhat.com>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ubDeOdn3zosgu71L2GFRdXggYnQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] CORS and public vs. confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 19:00:27 -0000

Bill,

I can't comment to how effective your use of "private metadata" is to supporting effective authentication of clients. If you feel it is sufficient than you could classify them as "confidential" since you are authenticating based on the metadata.  

I also can't comment on CORS as I am not familiar with it.

I would take a look at the Threat Model (RFC 6819) in addition to 6749 and 6750 to get a better idea of the many issues - particularly with browsers that are faced.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2014-03-27, at 8:30 AM, Bill Burke <bburke@redhat.com> wrote:

> I'm still trying to wrap my head around the differences between public and confidential clients.  In our IDP impl, we check redirect uris and associate a lot of private metadata to the access code to ensure there is no client_id swapping.  My understanding was that confidential clients made sure that only an authenticated client could obtain an access token.
> 
> What if you throw CORS in the mix where your browser needs the access token (and the ability to refresh it) to make cross-domain requests? Doesn't this remove a large benefit of confidential clients?
> 
> Anybody know a good document that describes the difference and pros/cons of public vs. confidential clients beyond the actual OAUTH spec itself?
> 
> Thanks
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth