Re: [OAUTH-WG] Sharing a client_id: is it good or bad ?

Jim Manico <jim@manicode.com> Wed, 04 November 2015 16:05 UTC

From: Jim Manico <jim@manicode.com>
In-Reply-To: <563A2BCC.6030801@gmail.com>
Date: Wed, 04 Nov 2015 08:04:44 -0800
Message-Id: <2C769211-60B3-43A4-AFAA-849D46515DA5@manicode.com>
References: <CAH_M0wuMq-TANrCBPRJ7LmtRfCmQdBpnitY=0ws6h4O82GrCuA@mail.gmail.com> <6A84AF37-C6FC-41DD-99D6-32A8DDD7A18A@mit.edu> <CAAP42hCV8ibpERocOBRPXccWO3K05=E8frtcxqhHi3EXM5SH+w@mail.gmail.com> <5637feb5.611a450a.bf33d.4307@mx.google.com> <CAAP42hBdMmtjReqwj=KDQ0XuTssqA1wiHgxgjD+0FHL+_mv_CA@mail.gmail.com> <563A2BCC.6030801@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/vupnRHZThv3x9NP5h6nuNgED6Zs>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Sharing a client_id: is it good or bad ?

> And what about multiple confidential clients being set up with the same id/secret. 

Bad idea. For security, when you see one confidential client doing bad things, you will need to revoke it individually. If multiple confidential clients have the same client secrets, that's no longer possible.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

> On Nov 4, 2015, at 8:01 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
> 
> Hi All
> 
> I'm having a discussion with my colleagues on the pros and cons of sharing a client_id.
> 
> For example, say we have N number of public mobile applications (the same application package, an application instance on an individual phone), and one approach is for each of these applications to have the same client_id.
> 
> I've been trying to analyze why it can be bad and the only thing I can come up with is that there will be no (easy) way to track which application instance actually accessed a given RS.
> 
> Can someone please explain what the pros and cons are of having the same client_id shared between public client applications.
> 
> And what about multiple confidential clients being set up with the same id/secret. I suspect it is a bad idea, but what is the main line why it is a bad idea? Let's say it is all done in the protected network, no chance of the bad clients interfering...
> 
> Thanks, Sergey
> 
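As an added illustration of Jim's revocation point (example code, not from the thread or from any OAuth implementation): a minimal model of an authorization server's client registry, with constructed client names, showing that revocation is keyed on client_id, so confidential clients that share one id/secret can only be cut off together, while per-instance credentials let the misbehaving instance be revoked alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientRegistry:
    """Assumed minimal AS client store: client_id -> hashed secret, plus revoked ids."""
    _secrets: dict = field(default_factory=dict)
    _revoked: set = field(default_factory=set)

    def register(self, client_id: str, client_secret: str) -> None:
        self._secrets[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()

    def revoke(self, client_id: str) -> None:
        # Revocation is keyed on client_id: every holder of that id is cut off.
        self._revoked.add(client_id)

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        # What the token endpoint checks before issuing a token to a confidential client.
        stored = self._secrets.get(client_id)
        if stored is None or client_id in self._revoked:
            return False
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        return hmac.compare_digest(stored, presented)


INSTANCES = ("billing-1", "billing-2", "billing-3")  # constructed service instance names


def shared_credentials_after_revocation() -> dict:
    """All instances share one client_id/secret; billing-2 misbehaves and is revoked."""
    reg = ClientRegistry()
    shared_secret = "constructed-shared-secret"
    reg.register("billing-svc", shared_secret)
    reg.revoke("billing-svc")  # the only handle the AS has for billing-2
    return {name: reg.authenticate("billing-svc", shared_secret) for name in INSTANCES}


def per_instance_credentials_after_revocation() -> dict:
    """Each instance has its own client_id/secret; only billing-2 is revoked."""
    reg = ClientRegistry()
    creds = {name: (f"billing-svc-{name}", secrets.token_urlsafe(32)) for name in INSTANCES}
    for client_id, client_secret in creds.values():
        reg.register(client_id, client_secret)
    reg.revoke(creds["billing-2"][0])
    return {name: reg.authenticate(cid, sec) for name, (cid, sec) in creds.items()}
```

With shared credentials every instance is locked out once the bad one is revoked; with per-instance credentials the other instances keep authenticating, and the client_id in token-endpoint logs also identifies which instance acted.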