> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Freeman, Tim
> Sent: Tuesday, March 15, 2011 2:56 PM
<snip>
I think authorization, user-agent, endpoint are well understood terms among
those working with HTTP which OAuth clearly requires a certain level of
familiarity, but I'll sprinkle some references to make it clearer.
> Section 2.1.1, "Redirection URI". "If a redirection URI was registered, the
> authorization server MUST compare any redirection URI received at the
> authorization endpoint with the registered URI." Section 2.1 says the
> authorization endpoint is where the user (presumably also the resource
> owner, using the user-agent) interacts with the authorization server.
> Therefore, I conclude that the communication path between the client and
> the authorization server in figure 3 does not happen by the authorization
> endpoint, since the client is not the user.
The authorization endpoint response to the user-agent, redirects it back to the
client's callback URI.
> I suspect it's the token endpoint,
> since there's a token in Figure 3 step E. (If that's wrong, section 2.1
> needs to
> be changed to say that the client uses the authorization endpoint too.)
Yes.
> Section 2.1.1 says "If a redirection URI was registered, the authorization
> server MUST compare any redirection URI received at the authorization
> endpoint with the registered URI." Thus I conclude that that phrase requires
> the authorization server to check the redirection URI at step A of figure 3,
> but
> not step D, since that communication comes from the client instead of the
> user and therefore is not going to the authorization endpoint. If there is no
> requirement to check the redirection URI in step D, it's unclear why it's
> there.
The client sets the redirection URI used by the resource owner to communicate
with the authorization endpoint. Once complete, the client uses the same
redirection URI value to obtain a token. In the second step, it is used for
verification and protection against an attack, not to redirect anything.
Explaining the purpose of the redirection URI in step E belongs in the security
considerations section.
> Section 3 "Client Authentication". I think the intent is that client
> identifiers
> are public, since they are disclosed to the user-agent in section 4.1,
> "Authorization Code". You might want to say so, otherwise one might reason
> that clients are required to publish their client identifiers (in section
> 4.1), and
> client identifiers are part of the client credentials (section 3), no clients
> can
> keep their credentials confidential, so no authorization servers should issue
> client credentials to any clients.
> Perhaps client identifiers are not part of the client credentials?
New text:
Client credentials are used to identify and authenticate the client.
The client
credentials include a client identifier - a unique string issued to the
client to
identify itself to the authorization server. The client identifier is
not a secret, it is
exposed to the resource owner, and MUST NOT be used alone for client
authentication. Client
authentication is accomplished via additional means such as a matching
client password.
> Figure 3 in section 4.1. "User authenticates" is a two-way communication
> because the authorization server will typically prompt the user to
> authenticate, but the arrow only points from user-agent to authorization
> server, so there is no opportunity to prompt. I think you want arrows
> pointing in both directions on the "User authenticates" path.
The arrow passes through the user-agent to the resource-owner... the
limitations of ascii art.
> We should get clear on whether the redirect URI is public or not. If it's
> public,
> and the client, all possible entities wishing to impersonate the client, and
> the
> authorization server all know it, then there's no value in communicating it
> from the client to the authorization server. If it's private, that should be
> specified when the redirection URI is introduced at step A, and the
> alternative of omitting it because it's common knowledge to the client and
> the authentication server (in section 2.1.1, first paragraph) goes away since
> it's disclosed to (possibly adversarial) user agents in Figure 3, step A.
It's a session fixation attack protection which I can't recall anymore. It's
explained somewhere in the list archives.
> Figure 3 step B: You'll need to make clear that if the resource owner is a
> human, there will be a need to uniquely identify the client and the requested
> resource in a human-readable way. For example, if the actual client is
> "Microsoft, Inc.", and I am able to register a client "M1crosoft, Inc.", and
> humans in practice cannot distinguish "Microsoft" from "M1crosoft", people
> might give my client authorizations that they intended to give to Microsoft.
>
> I can imagine using social engineering to leave the user in the middle of one
> OAuth exchange while they start another in another window, and if popup
> windows are used for interacting with the user while authenticating, they
> might authenticate the wrong client. In other words, the rhythm of the
> interaction is not a reliable cue to tell a human which client he's
> authenticating to, so the human-readable name of the client must be
> unambiguously stated on the screen when the user is accepting or denying
> the authorization.
>
> The human-readable name corresponding to a client id has to come from a
> database on the authorization server, since the client cannot be trusted to
> provide it.
>
> A similar scenario can be created where imperfect human reading
> comprehension can cause authentication to the wrong resource, if the
> operators of the authorization server allow arbitrary names for resources.
All good feedback for the security considerations section.
> Section 10.2.2: It says the "state" parameter can be present in the
> authorization request and authorization response. I suppose the
> authorization response is the response to the authorization request, but in
> the figures up to this point the phrases "authorization grant" (Figure 1) or
> "authorization code"
> (Figure 3) are used, not authorization response. I see that there is a
> section
> 4.1.2 "Authorization Response". It would be good to identify which arrows in
> Figures 1 and 3 are Authorization Responses (I suspect B and C, respectively).
> It looks like that text would not fit into the space available in the figure,
> but it
> would fit well in the steps listed below each of the figures.
Just (C).
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
