Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
William Denniss <wdenniss@google.com> Wed, 30 May 2018 22:06 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB25A12EAD6 for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:06:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.21
X-Spam-Level:
X-Spam-Status: No, score=-18.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WkdQfVnNUIfo for <oauth@ietfa.amsl.com>; Wed, 30 May 2018 15:06:43 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B327412EAE1 for <oauth@ietf.org>; Wed, 30 May 2018 15:06:40 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id q135-v6so9614313vkh.1 for <oauth@ietf.org>; Wed, 30 May 2018 15:06:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Z7CNzLkmjHhx4Q4nVrsP6UfVDHfXSuxz9fZoYXw19q0=; b=ZTcHnZ9xg4g/bQsog4Jj9Zf97/NXO3UjfErqgWomsJaJIdE1XXNDKtlgOWDJsKbdR9 BYkqvw9BZNYNzvC3k/cjjB3LsqoyzNFkyr+GuJUiX8epoBBv5VsJGoVCEO/BZkDa5hIJ bkScrEfDNGF8N/g3CFWJzR5Ph9r5A4CoVLSupl2pzw2zZR+vAONIqp8zFb24suVdEmsZ KFLikH2ztrGenHropQ48s2aTuWOgaTi/9hw8t9FUVBp9MbhB0rOOXjeZQSMmRByVRu8i LYGR62Qjp+L65I6uAdMZ8c+rPbbs+nAvV9KTB9zgn2zjHbYX8V89PXWIJpy/OWncFMLY v/sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Z7CNzLkmjHhx4Q4nVrsP6UfVDHfXSuxz9fZoYXw19q0=; b=NPP5ZYBEDu4RzHNk9Xgvng5e2SpF/c4iqnvUS1FitMigzsJ6BOXOaWklW5uaRfc245 vj6/2/ACmRejy7Ad0wz2EA0RCQJCq8av7vcHXyWl8eQ5M/n2j+QDcGAxHL4j760TjpCS TPwwAp4R5fEN6YrAsu0Fyy/XKPFVwOn3XF/msUpMM30Dtl6do/vy9QFsD99XFJ1eXh/r TutyOWDND4PHoh+vlHCei1IWuNUzEsv8/icmxqoM21j5y7D9jhvPpsmqeQpWzm/Z1qTG 5JlOdtkWtSf6wUCZNT7UyF1w29bX+vpWNXLVvVtp88nrDD/udAzOCIpD1S0Wkl2sg5Zo BnQg==
X-Gm-Message-State: ALKqPwdkVlkzmP/sXJNuPriJ5tFUIdTePF1EjczRLgscChuafnOpAKrL f9sOqIMTPqmBxb0qgBwRwZ7LaCegQVB063m+ynqTqQ==
X-Google-Smtp-Source: ADUXVKK0vEKvFypcEtn1eqxQZDy9N08ryYNgdKJz1AEKnfWMzqcMN9UfMxHc+rqUkSzSnjCOuUCW5l3CbVyxhwOqalY=
X-Received: by 2002:a1f:990a:: with SMTP id b10-v6mr2697001vke.56.1527717999166; Wed, 30 May 2018 15:06:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:2110:0:0:0:0:0 with HTTP; Wed, 30 May 2018 15:06:18 -0700 (PDT)
In-Reply-To: <CAEqOSkfwdn-+1zFBgpgk3Mr6HYy-OvKNdVRKZtdP9c6HVHC60Q@mail.gmail.com>
References: <152763243091.27698.7723369435827878398.idtracker@ietfa.amsl.com> <CAEqOSkfwdn-+1zFBgpgk3Mr6HYy-OvKNdVRKZtdP9c6HVHC60Q@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 30 May 2018 15:06:18 -0700
Message-ID: <CAAP42hAA8FC8B8bhDdCAg=5TnDjZXr76UiMLNABEG23GRFdeyQ@mail.gmail.com>
To: Andrew Sciberras <andrewsciberras@pingidentity.com>
Cc: ietf@ietf.org, IETF-Announce <ietf-announce@ietf.org>, oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-device-flow@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a90752056d7390c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xs0ygtLw1KngJpYqDaYh4RfMMFI>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 22:06:46 -0000
Hi Andrew, On Wed, May 30, 2018 at 2:35 PM, Andrew Sciberras <andrewsciberras@pingidentity.com> wrote: Hello > > > Do we feel that the document should be more specific in addressing how the > authorization service should respond to a device access token request when > the user has refused to grant access to the device? > > > The document currently indicates in section 3.5 that a success response > defined in section 5.1 of RFC6749, an error as defined in section 5.2 of > RFC6749 (this includes invalid_request, invalid_client, invalid_grant, > unauthorized_client, unsupported_grant_type, and invalid_scope), or a new > device flow error code (authorization_pending, slow_down, and > expired_token) may be returned in a response to a device token request. > > > It doesn’t seem that any of these options are appropriate to convey that a > user has refused to grant access to the device. > > > The Google implementation appears to be using the access_denied error code > from section 4.1.2.1 of RFC6749. While this would seem to be the most > suitable error code, the document does not explicitly indicate it as a > permitted response. > Actually, this is indicated explicitly I believe: If the user has approved the grant, the token endpoint responds with a success response defined in Section 5.1 of [RFC6749]; *otherwise it responds with an error, as defined in Section 5.2 of [RFC6749].* In addition to the error codes defined in Section 5.2 of [RFC6749], the following error codes are specific for the device flow: > > I believe that clarifying the response error code in the condition where a > user has refused access to the client would be beneficial, remove > ambiguity, and promote greater consistency across implementations. > > > Regards > > Andrew Sciberras > > > On Wed, May 30, 2018 at 8:20 AM, The IESG <iesg-secretary@ietf.org> wrote: > >> >> The IESG has received a request from the Web Authorization Protocol WG >> (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for >> Browserless and Input Constrained Devices' >> <draft-ietf-oauth-device-flow-09.txt> as Proposed Standard >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final >> comments on this action. Please send substantive comments to the >> ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may be >> sent to iesg@ietf.org instead. In either case, please retain the >> beginning of >> the Subject line to allow automated sorting. >> >> Abstract >> >> >> This OAuth 2.0 authorization flow for browserless and input >> constrained devices, often referred to as the device flow, enables >> OAuth clients to request user authorization from devices that have an >> Internet connection, but don't have an easy input method (such as a >> smart TV, media console, picture frame, or printer), or lack a >> suitable browser for a more traditional OAuth flow. This >> authorization flow instructs the user to perform the authorization >> request on a secondary device, such as a smartphone. There is no >> requirement for communication between the constrained device and the >> user's secondary device. >> >> >> >> >> The file can be obtained via >> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ >> >> IESG discussion can be tracked via >> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/ >> >> >> No IPR declarations have been submitted directly on this I-D. >> >> >> The document contains these normative downward references. >> See RFC 3967 for additional information: >> rfc6819: OAuth 2.0 Threat Model and Security Considerations >> (Informational - IETF stream) >> draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile >> (None - ) >> rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF >> stream) >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* >
- [OAUTH-WG] Last Call: <draft-ietf-oauth-device-fl… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Eric Fazendin
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Andrew Sciberras
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Naveen Agarwal
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Brian Campbell
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… George Fletcher
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-devic… William Denniss