Re: [OAUTH-WG] OAuth 2.1 - recalling ROPC

Aaron Parecki <aaron@parecki.com> Tue, 12 May 2020 18:19 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 12 May 2020 11:19:10 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrhRpKaG9UdLy+OphSYwPAK7d=kVJNRkkdDV=HHjKMynQ@mail.gmail.com>
Message-ID: <CAGBSGjrhRpKaG9UdLy+OphSYwPAK7d=kVJNRkkdDV=HHjKMynQ@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
Cc: Jim Manico <jim@manicode.com>, OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zmJPZ1OGm2CkSdXFmz1lLZIY9Pk>
Subject: Re: [OAUTH-WG] OAuth 2.1 - recalling ROPC

> We are not talking about ROPC mandating OAuth2, but about OAuth-2.1
> forbidding the use of ROPC.

Keep in mind that while the Security BCP explicitly forbids the use of the
Password grant in OAuth 2.0, technically OAuth 2.1 just never includes it
in the first place. Subtle difference.

Aaron Parecki


On Tue, May 12, 2020 at 10:23 AM Francis Pouatcha <fpo=
40adorsys.de@dmarc.ietf.org> wrote:

>
>
> On Tue, May 12, 2020 at 9:50 AM Jim Manico <jim@manicode.com> wrote:
>
>> Forgive me if this question is late or poor context, but wouldn't OIDC be
>> a better replacement for ROPC since it's essentially an authentication flow?
>>
>> What use case for ROPC mandates OAuth2 over OIDC?
>>
> We are not talking about ROPC mandating OAuth2, but about OAuth-2.1
> forbidding the use of ROPC.
>
>
>> --
>> Jim Manico
>> @Manicode
>>
>> On May 11, 2020, at 11:00 PM, Francis Pouatcha <fpo=
>> 40adorsys.de@dmarc.ietf.org> wrote:
>>
>> I am against OAuth 2.1 discarding the use of ROPC (Resource Owner
>> Password Credentials) with the following reasoning:
>>
>> Auth Code Grant:
>> There are many use cases on the market where redirection based flows do
>> not work. As we see in the "OAuth 2.1 - require PKCE?" thread, the
>> complexity of user agents on non-controllable client devices still makes
>> user agent redirection a challenge.
>>
>> Client Credentials Grant:
>> Requires the registration of an OAuth client.
>> - Citing the IoT device use cases (Beena) which do not have a comfortable
>> way to have IoT devices register with the AS.
>> - This is a registration flow for the OAuth client role and for the RO
>> (Resource Owner). Remember resource owner credentials might be sourced from
>> a system external to the AS, like a company's LDAP. OAuth Client Credentials
>> are generally managed by the AS.
>> For these reasons, we shall not use the Client Credentials Grant to manage RO
>> authorization.
>>
>> ROPC:
>> Having an OAuth Client proxy the auth request of the RO to the AS only
>> presents a security risk if the OAuth Client is a third party application.
>> Therefore, the decision on whether to accept ROPC for a specified client
>> shall be left to the AS. Discarding this use case will take a lot of
>> business from OAuth servers back to the old market.
>>
>> Beside this, I mentioned in my previous post that there are use cases in
>> the market where permanent passwords are replaced with one time passwords.
>>
>> A lot of work is also being done in the direction of having the RO send
>> signed proof of ownership to the AS through the ROPC  flow using the
>> password field.
>>
>> Therefore, I am ok with raising the attention of implementers the same
>> way we are doing with PKCE, mentioning that ROPC must only be used if the AS
>> / OAuth Client can guarantee the security of the RO credentials exposed to the
>> OAuth Client.
>>
>> /Francis
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead at adorsys
>> https://adorsys-platform.de/solutions/
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorsys
> https://adorsys-platform.de/solutions/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
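Added example, not code from this thread or from any OAuth 2.1 draft: a sketch of the authorization-server-side policy Francis describes, where the AS decides per registered client whether the password grant (ROPC) is accepted, refusing it for third-party clients and routing everything else to the grants the client was registered for. The client registry, the `verify_password` callback, the client ids and the credentials are all constructed assumptions.

```python
# Added illustration, not code from the thread: an AS token-endpoint policy that
# decides per registered client whether the ROPC grant (grant_type=password) is
# accepted. Client records, verify_password and all values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class ClientRecord:
    client_id: str
    first_party: bool   # operated by the same party as the AS
    confidential: bool  # can keep a client secret
    allowed_grants: set = field(default_factory=set)

@dataclass
class TokenDecision:
    ok: bool
    error: Optional[str] = None  # RFC 6749 error code when rejected
    grant: Optional[str] = None

def ropc_permitted(client: ClientRecord) -> bool:
    # Only a first-party confidential client explicitly registered for the
    # password grant may proxy the RO's credentials to the AS.
    return (client.first_party and client.confidential
            and "password" in client.allowed_grants)

def handle_token_request(params: Dict[str, str], clients: Dict[str, ClientRecord],
                         verify_password: Callable[[str, str], bool]) -> TokenDecision:
    client = clients.get(params.get("client_id", ""))
    if client is None:
        return TokenDecision(False, "invalid_client")
    grant = params.get("grant_type")
    if grant == "password":
        if not ropc_permitted(client):
            return TokenDecision(False, "unauthorized_client", grant)
        if not verify_password(params.get("username", ""), params.get("password", "")):
            return TokenDecision(False, "invalid_grant", grant)
        return TokenDecision(True, None, grant)
    if grant in client.allowed_grants:
        return TokenDecision(True, None, grant)  # other grants handled elsewhere
    return TokenDecision(False, "unauthorized_client", grant)

# Constructed registry: a first-party client and a third-party client.
CLIENTS = {
    "firstparty-app": ClientRecord("firstparty-app", True, True, {"password", "authorization_code"}),
    "thirdparty-app": ClientRecord("thirdparty-app", False, True, {"authorization_code"}),
}

def demo_verify(username: str, password: str) -> bool:
    # Stand-in for a lookup against an external store such as the LDAP mentioned above.
    return (username, password) == ("alice", "correct horse")
```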