Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-13.txt

George Fletcher <gffletch@aol.com> Wed, 07 November 2018 20:13 UTC

To: oauth@ietf.org
References: <153998365568.6513.8592147530039175488@ietfa.amsl.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, Mike Jones <Michael.Jones@microsoft.com>, hongchen@oath.com
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <31dd448d-a001-ab6f-bc3c-d7316296631c@aol.com>
Date: Wed, 07 Nov 2018 15:12:55 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wQU7rJCXeQfVNRKg9GB5YMLHlPk>

Have we considered replacing the device_code logic with PKCE now that 
PKCE exists? At the time we started this spec I'm not sure PKCE was 
around, but now that it exists and is required (practically speaking) 
for mobile apps, should we look at using it instead of device_code to 
protect this flow?

I'm assuming that most of these devices cannot protect secrets and 
hence are effectively "public" clients.

If this has already been considered and I missed it, I'm sorry for the 
noise :)

Thanks,
George

On 10/19/18 5:14 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
>          Authors         : William Denniss
>                            John Bradley
>                            Michael B. Jones
>                            Hannes Tschofenig
>          Filename        : draft-ietf-oauth-device-flow-13.txt
>          Pages           : 21
>          Date            : 2018-10-19
>
> Abstract:
>     This OAuth 2.0 authorization flow is designed for devices that either
>     lack a browser to perform a user-agent based OAuth flow, or are
>     input-constrained to the extent that requiring the user to input a
>     lot of text (like their credentials to authenticate with the
>     authorization server) is impractical.  It enables OAuth clients on
>     such devices (like smart TVs, media consoles, digital picture frames,
>     and printers) to obtain user authorization to access protected
>     resources without using an on-device user-agent, provided that they
>     have an Internet connection.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-13
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-13
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
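The exchange the draft's abstract describes, modelled as an added example that is not code from the draft or its authors: an in-memory authorization server issues a device_code (the high-entropy secret the device alone holds, which is what George's question is about) plus a short user_code, then answers the device's polls with the draft's named error codes until the user decides. The client_id, verification_uri and the injectable clock are constructed for the example.

```python
import secrets
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowAS:
    # In-memory model of the device authorization endpoint and the token endpoint.
    def __init__(self, clock=time.time, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.pending = {}  # device_code -> per-request state

    def device_authorization(self, client_id):
        # device_code: high-entropy secret only the device receives; user_code: short code the human types.
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "approved": None,
            "issued": self.clock(), "last_poll": None, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # constructed value
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, user_code, approve):
        # The human, on a browser-capable device, types user_code and approves or denies.
        state = next((s for s in self.pending.values() if s["user_code"] == user_code), None)
        if state is None:
            return False
        state["approved"] = approve
        return True

    def token(self, grant_type, device_code, client_id):
        state = self.pending.get(device_code)
        if grant_type != GRANT_TYPE or state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - state["issued"] > self.lifetime:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < state["interval"]:
            state["last_poll"] = now
            state["interval"] += 5  # polling too fast: back off by 5 seconds on slow_down
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["approved"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # device_code is single use whichever way the user decided
        if not state["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```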