OAuth 2.0 Device Authorization Grant
draft-ietf-oauth-device-flow-15
Document history
Date | Rev. | By | Action |
---|---|---|---|
2019-08-15 | 15 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2019-08-05 | 15 | Roman Danyliw | Shepherding AD changed to Roman Danyliw |
2019-07-01 | 15 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2019-06-19 | 15 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2019-06-19 | 15 | (System) | RFC Editor state changed to RFC-EDITOR from IANA |
2019-06-19 | 15 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2019-06-19 | 15 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2019-06-07 | 15 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2019-06-03 | 15 | (System) | IANA Action state changed to In Progress from On Hold |
2019-04-30 | 15 | (System) | RFC Editor state changed to IANA from RFC-EDITOR |
2019-04-30 | 15 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2019-03-28 | 15 | (System) | IANA Action state changed to On Hold from In Progress |
2019-03-27 | 15 | (System) | RFC Editor state changed to EDIT |
2019-03-27 | 15 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2019-03-27 | 15 | (System) | Announcement was received by RFC Editor |
2019-03-27 | 15 | (System) | IANA Action state changed to In Progress |
2019-03-27 | 15 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2019-03-27 | 15 | Cindy Morgan | IESG has approved the document |
2019-03-27 | 15 | Cindy Morgan | Closed "Approve" ballot |
2019-03-27 | 15 | Cindy Morgan | Ballot approval text was generated |
2019-03-26 | 15 | Eric Rescorla | IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup |
2019-03-11 | 15 | William Denniss | New version available: draft-ietf-oauth-device-flow-15.txt |
2019-03-11 | 15 | (System) | New version approved |
2019-03-11 | 15 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones, William Denniss, Hannes Tschofenig, John Bradley |
2019-03-11 | 15 | William Denniss | Uploaded new revision |
2019-01-17 | 14 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2019-01-17 | 14 | William Denniss | New version available: draft-ietf-oauth-device-flow-14.txt |
2019-01-17 | 14 | (System) | New version approved |
2019-01-17 | 14 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones, William Denniss, Hannes Tschofenig, John Bradley |
2019-01-17 | 14 | William Denniss | Uploaded new revision |
2018-12-24 | 13 | Eric Rescorla | Awaiting resolution (or rejection) of comments. |
2018-11-04 | 13 | Eric Rescorla | IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation::AD Followup |
2018-10-27 | 13 | Benjamin Kaduk | [Ballot comment] Thank you for addressing my Discuss points. I would still prefer to see a normative requirement for explicit user approval (as opposed to just the descriptive statement that the chance to approve/deny should be offered), but I can understand the sentiment that such a requirement on the UI is not a matter for interoperability and could not be reliably enforced anyway. Original COMMENT section preserved below. Please use the RFC 8174 boilerplate instead of the RFC 2119 one. Section 3.2 The example expires in 30 minutes? That seems longer than needed; wouldn't 5 minutes do? Section 3.3 I agree with directorate reviewer that the MUST NOT requirement for displaying the device_code should justify that requirement by discussing the consequences of exposure. Section 3.5 authorization_pending The authorization request is still pending as the end-user hasn't yet completed the user interaction steps (Section 3.3). The client should repeat the Access Token Request to the token endpoint. I feel like we want to mention the 'interval' here or some other discussion of an inter-request delay. Also, please clarify "reasonable default polling interval", per multiple directorate reviews. Section 5.2 Please clarify the entities involved in "the backchannel flow" that can be MITM'd. Section 5.6 The "short-range" part of a "short-range wireless signal" partially depends on how big the receiver's antenna is. So perhaps we should be careful about indicating that this has more security value than it does. Section 6.1 I'm not sure I understand the usage of "case-insensitive", here -- how would the user have an expectation of case-insensitivity? Perhaps it is better to just say "majuscule" or "upper case" or whatever. |
2018-10-27 | 13 | Benjamin Kaduk | [Ballot Position Update] Position for Benjamin Kaduk has been changed to No Objection from Discuss |
2018-10-19 | 13 | Adam Roach | [Ballot comment] Thanks to the authors for addressing my comments and my DISCUSS. |
2018-10-19 | 13 | Adam Roach | [Ballot Position Update] Position for Adam Roach has been changed to No Objection from Discuss |
2018-10-19 | 13 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-10-19 | 13 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2018-10-19 | 13 | William Denniss | New version available: draft-ietf-oauth-device-flow-13.txt |
2018-10-19 | 13 | (System) | New version approved |
2018-10-19 | 13 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones, William Denniss, Hannes Tschofenig, John Bradley |
2018-10-19 | 13 | William Denniss | Uploaded new revision |
2018-10-18 | 12 | Mirja Kühlewind | [Ballot comment] Thanks for addressing my discuss comments (quickly - sorry for the delay!) |
2018-10-18 | 12 | Mirja Kühlewind | [Ballot Position Update] Position for Mirja Kühlewind has been changed to No Objection from Discuss |
2018-10-03 | 12 | Benjamin Kaduk | [Ballot discuss] [Updating to remove Discuss point addressed in the -12; no change to the ballot position text otherwise, even when non-Discuss comments are addressed] Let me preface this by noting that I'm not sure that all of these points are actionable; I would, however, like to discuss them. I'm really unhappy to not see any hard numbers on the entropy needed in a user code to provide a reasonable security margin with given parameters, and how it compares to the guessability bounds considered best practices in general (across protocols). For example, we think 128-bit symmetric keys are okay because an attacker has to put in 2**96 work to have a 2**-32 chance of guessing correctly via brute force; the rate limiting and finite lifetime on the user code places an artificial limit on the amount of work an attacker can "do", so if one uses an 8-character base-20 user code (with roughly 34.5 bits of entropy), the rate-limiting interval and validity period would need to only allow 5 attempts in order to get the same 2**-32 probability of success by random guessing. Section 5.1 would be a great place for such text, near the preexisting: The user code SHOULD have enough entropy that when combined with rate limiting and other mitigations makes a brute-force attack infeasible. We talk about "the authorization server", but any given *user* may have a relationship with multiple such ASes. Can the Introduction make it more clear that the AS is associated with the device/client, and as such it may not be the user's most-trusted AS? It also seems like a large latent risk with this flow is when the verification_uri_complete response is used along with an AS that assumes an authenticated user making such a verification request has approved the authorization (i.e., without an explicit user interaction to confirm), when that AS uses cookies or other persistent state to keep the user authenticated across multiple requests. I could not find any MUST-level requirement for user interaction to confirm the device being authorized (even in Section 3.3, which covers the regular verification_uri workflow!); please let me know if I missed something. I would like to see some explicit text that (matching the flow described in Section 3.1 that requires the user to input the code) explicit user approval of the authorization is required. (I do note that Section 5.3 has text about "SHOULD display information about the device".) |
2018-10-03 | 12 | Benjamin Kaduk | Ballot discuss text updated for Benjamin Kaduk |
2018-08-02 | 12 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for Writeup |
2018-08-02 | 12 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2018-08-02 | 12 | Ignas Bagdonas | [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas |
2018-08-01 | 12 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2018-08-01 | 12 | Adam Roach | [Ballot discuss] Thanks to the authors for addressing my comments and half of my DISCUSS. This final issue appears to remain unaddressed: §3.1: > The client constructs the request with the following parameters, > encoded with the "application/x-www-form-urlencoded" content type: This document needs a normative citation for this media type. My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as this appears to be the most recent stable description of how to encode this media type. I'd love to hear rationale behind other citations being more appropriate, since I'm not entirely happy with the one I suggest above (given that it's been superseded by HTML 5.2); but every other plausible citation I can find is even less palatable (with HTML 5.2 itself having the drawback of not actually defining how to encode the media type, instead pointing to an unstable, unversioned document). |
2018-08-01 | 12 | Adam Roach | Ballot discuss text updated for Adam Roach |
2018-08-01 | 12 | Adam Roach | [Ballot discuss] Thanks to the authors for addressing my comments and half of my DISCUSS. This final issue appears to remain unaddressed: §3.1: > The client initiates the flow by requesting a set of verification > codes from the authorization server by making an HTTP "POST" request > to the device authorization endpoint. The client constructs the > request with the following parameters, encoded with the "application/ > x-www-form-urlencoded" content type: This document needs a normative citation for this media type. My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as this appears to be the most recent stable description of how to encode this media type. I'd love to hear rationale behind other citations being more appropriate, since I'm not entirely happy with the one I suggest above (given that it's been superseded by HTML 5.2); but every other plausible citation I can find is even less palatable (with HTML 5.2 itself having the drawback of not actually defining how to encode the media type, instead pointing to an unstable, unversioned document). |
2018-08-01 | 12 | Adam Roach | Ballot comment and discuss text updated for Adam Roach |
2018-08-01 | 12 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2018-08-01 | 12 | William Denniss | New version available: draft-ietf-oauth-device-flow-12.txt |
2018-08-01 | 12 | (System) | New version approved |
2018-08-01 | 12 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones, William Denniss, Hannes Tschofenig, John Bradley |
2018-08-01 | 12 | William Denniss | Uploaded new revision |
2018-08-01 | 11 | Sabrina Tanamal | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2018-08-01 | 11 | Ben Campbell | [Ballot comment] Major Comment: I support Mirja's DISCUSS. (Otherwise, this would be a DISCUSS), but I have a slightly different spin on it. The device polls the server while waiting on the user to take action. Users are notoriously slow about that sort of thing. They might plug in a device then walk away for hours, days, or forever. Now, consider that we are talking about IoT devices, so there may be millions of them. If they are fate shared in some way (imagine shipping day for a new popular product, or a software update that forces reauthorization, or a server coming back online after getting whacked the last time around), there could be millions of them trying this at roughly the same time. Given all that, I think the draft really needs to give more detailed guidance on what sort of refresh rates, maximum attempts, expirations, back off patterns, etc might be reasonable from both network congestion and server overload perspectives. Other Substantive Comments: §3.1: What sort of events are expected to trigger the flow? In particular, I wonder if there should be guidance to make it unlikely to start the process by accident. For example, if the authorization process is kicked off by a device simply being plugged into power, a user might plug it in then walk away before realizing they had more to do. (See my major comment). §3.3: What sort of bad thing could happen if the device_code is communicated to a user? Do implementers need to worry about people guessing device-codes? §3.3, last paragraph: The "NOT RECOMMENDED" seems overly strong, given that the next section describes a perfectly good way to do exactly that. Maybe something like "NOT RECOMMENDED unless the device uses a non-textual mechanism for conveying the URL and code, such as that described in ..." would make sense? §5.4: Are devices expected to know the operating environment in advance of deployment? Editorial Comments: §1, 3rd paragraph: The first sentence is hard to parse due to the list of long, complex phrases. Please consider breaking into simpler sentences. §2: There are lower case instances of normative keywords. Please consider using the updated boilerplate from RFC8174. |
2018-08-01 | 11 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2018-08-01 | 11 | Adam Roach | [Ballot discuss] Thanks to everyone who worked on this document. I have a couple of related issues that need to be cleared up before publication, but I expect that these should be easy to resolve. §3.1: > The client initiates the flow by requesting a set of verification > codes from the authorization server by making an HTTP "POST" request > to the device authorization endpoint. The client constructs the > request with the following parameters, encoded with the "application/ > x-www-form-urlencoded" content type: This document needs a normative citation for this media type. My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as this appears to be the most recent stable description of how to encode this media type. I'd love to hear rationale behind other citations being more appropriate, since I'm not entirely happy with the one I suggest above (given that it's been superseded by HTML 5.2); but every other plausible citation I can find is even less palatable (with HTML 5.2 itself having the drawback of not actually defining how to encode the media type, instead pointing to an unstable, unversioned document). (Non-discuss comment: this passage could be made clearer by saying something like "...parameters, sent as the body of the request, encoded with the...") --------------------------------------------------------------------------- §3.2: > In response, the authorization server generates a device verification > code and an end-user code that are valid for a limited time and > includes them in the HTTP response body using the "application/json" > format with a 200 (OK) status code. This needs to normatively cite RFC 8259. |
2018-08-01 | 11 | Adam Roach | Ballot discuss text updated for Adam Roach |
2018-07-31 | 11 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2018-07-31 | 11 | Robert Sparks | Request for Telechat review by GENART Completed: Ready with Nits. Reviewer: Robert Sparks. Sent review to list. |
2018-07-31 | 11 | Alissa Cooper | [Ballot comment] I support Mirja's DISCUSS point #3 which was also raised by the Gen-ART reviewer. The Gen-ART review also included a number of other useful comments. Please address them. Perhaps this is implicit, but I found it a little odd that there is no mention of whether the device codes and user codes are expected to be unique to individual devices. Section 3.3: "It is NOT RECOMMENDED for authorization servers to include the user code in the verification URI ("verification_uri"), as this increases the length and complexity of the URI that the user must type." I don't fully understand the justification for the normative requirement here. The user ultimately ends up typing in both strings, right? Is it so much more complex to type them both into a browser bar contiguously than to type the uri into the browser bar and the code into some form field on the page such that the normative requirement is warranted? Section 3.3.1: Wouldn't there be textual instructions about how to use the QR code also included here? If the point is to illustrate the UI it seems like those should be included too. |
2018-07-31 | 11 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2018-07-30 | 11 | Adam Roach | [Ballot discuss] Thanks to everyone who worked on this document. I have a couple of related issues that need to be cleared up before publication, but I expect that these should be easy to resolve. §3.1: > The client initiates the flow by requesting a set of verification > codes from the authorization server by making an HTTP "POST" request > to the device authorization endpoint. The client constructs the > request with the following parameters, encoded with the "application/ > x-www-form-urlencoded" content type: This document needs a normative citation for this media type. My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as this appears to be the most recent stable description of how to encode this media type. I'd love to hear rationale behind other citations being more appropriate, since I'm not entirely happy with the one I suggest above (given that it's been superseded by HTML 5.2); but every other plausible citation I can find is even less palatable (with HTML 5.2 itself having the drawback of not actually defining how to encode the media type, instead pointing to an unstable, unversioned document). (Non-discuss comment: this passage could be made clearer by saying something like "...parameters, sent as the body of the request, encoded with the...") --------------------------------------------------------------------------- §3.2: > In response, the authorization server generates a device verification > code and an end-user code that are valid for a limited time and > includes them in the HTTP response body using the "application/json" > format with a 200 (OK) status code. This needs to normatively cite RFC 7159. |
2018-07-30 | 11 | Adam Roach | [Ballot comment] §3.5: > slow_down > The client is polling too quickly and should back off at a > reasonable rate. I'm surprised the document doesn't define what is meant by "reasonable rate" here. I would expect to see something concrete like "the client should double the interval between polling requests" or some similarly concrete advice. > If no interval was provided, the client > MUST use a reasonable default polling interval. Similarly, I'm really sad that this does not give concrete guidance for what "reasonable" might be. Implementations may well decide 100ms is "reasonable" for the purpose of application responsiveness -- but I suspect average OAuth servers wouldn't be happy with that. This would be a DISCUSS, but I see that Mirja has already registered a DISCUSS on this topic. I support her DISCUSS. --------------------------------------------------------------------------- §6.1: This section discusses code input by the user. I'm surprised that it doesn't also discuss confusability considerations (e.g., I, l, and 1; 0 and O) =========================================================================== All of my remaining comments are minor editorial nits. --------------------------------------------------------------------------- Abstract: > This OAuth 2.0 authorization flow for browserless and input > constrained devices Nit: "...input-constrained..." > This OAuth 2.0 authorization flow for browserless and input > constrained devices, often referred to as the device flow, enables > OAuth clients to request user authorization from devices that have an > Internet connection, but don't have an easy input method (such as a > smart TV, media console, picture frame, or printer), or lack a > suitable browser for a more traditional OAuth flow. This is a very long and winding sentence. Consider breaking up into multiple sentences. --------------------------------------------------------------------------- §1: > This OAuth 2.0 protocol flow for browserless and input constrained Nit: "...input-constrained..." Please cite RFC 6749 here. --------------------------------------------------------------------------- §1: > The only requirements to use this flow are that the device is > connected to the Internet, and able to make outbound HTTPS requests, > be able to display or otherwise communicate a URI and code sequence > to the user, and that the user has a secondary device (e.g., personal > computer or smartphone) from which to process the request. This is hard to read, and difficult to pack into one sentence (due to the requirements being on both the device and its user). Consider reworking into a bulleted list; e.g.: The only requirements to use this flow are: * The device is connected to the Internet * The device is able to make outbound HTTPS requests * The device is able to display or otherwise communicate a URI and code sequence to the user * The user has a secondary device (e.g., personal computer or smartphone) from which they can process the request --------------------------------------------------------------------------- §1: > Instead of interacting with the end-user's user-agent, the client Nit: "...end user's user agent..." > instructs the end-user to use another computer or device and connect Nit: "...end user..." --------------------------------------------------------------------------- §1: > (C) The client instructs the end-user to use its user-agent Nit: "...end user..." Nit: "...user agent..." > client provides the end-user with the end-user code to enter in Nit: "...provides the end user with the end-user code..." --------------------------------------------------------------------------- §1: > (D) The authorization server authenticates the end-user (via the "...the end user..." > user-agent) and prompts the end-user to grant the client's access "...user agent... end user..." > request. If the end-user agrees to the client's access request, "...the end user..." > the end-user enters the end-user code provided by the client. The "...the end user enters the end-user code..." > authorization server validates the end-user code provided by the > end-user. "...by the end user." --------------------------------------------------------------------------- §1: > (E) While the end-user authorizes (or denies) the client's request "...the end user..." > (step D), the client repeatedly polls the authorization server to > find out if the end-user completed the end-user authorization "...the end user completed the end-user authorization..." --------------------------------------------------------------------------- §1: > (F) Assuming the end-user granted access, the authorization server "...the end user..." --------------------------------------------------------------------------- §2: > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > "OPTIONAL" in this document are to be interpreted as described in > [RFC2119]. Consider updating to use the boilerplate specified in RFC 8174. --------------------------------------------------------------------------- §2: > End-User Verification Code: > A short-lived token which the device displays to the end user, is > entered by the end-user on the authorization server, and is thus "...end user..." > used to bind the device to the end-user. "...end user..." --------------------------------------------------------------------------- §3.3: > session. The authorization server prompts the end-user to identify "...end user..." --------------------------------------------------------------------------- §5.1: > In some applications this > attack may not make much economic sense, for example for a video app, > the owner of the device may then be able to purchase movies with the > attacker's account, however there are still privacy considerations in > that case as well as other uses of the device flow whereby the > granting account may be able to perform sensitive actions such as > controlling the victim's device. This is a run-on sentence. Restructure by replacing the commas after "sense" and "account" with either semicolons or periods. --------------------------------------------------------------------------- §5.2: > malicious, then it could man-in-the middle the backchannel flow to "...man-in-the-middle..." > middle is not completely hidden from sight, as the end-user would end "...end user..." |
2018-07-30 | 11 | Adam Roach | [Ballot Position Update] New position, Discuss, has been recorded for Adam Roach |
2018-07-30 | 11 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2018-07-29 | 11 | Alexey Melnikov | [Ballot comment] This is generally a fine document and it was easy to follow. I am agreeing with Benjamin's DISCUSS about amount of entropy in codes. In addition, the last para in Section 6.1 reads: The server should ignore any characters like punctuation that are not in the user-code character set. Provided that the character set doesn't include characters of different case, the comparison should be case insensitive. This makes me uncomfortable, because you are talking of case-insensitivity, without fully specifying what it is. I assume that your advice only applies to user-code character sets which only use subset of ASCII? Because if you mean to extend your advice to full Unicode, you need more text and references here. Can you please clarify. |
2018-07-29 | 11 | Alexey Melnikov | Ballot comment text updated for Alexey Melnikov |
2018-07-28 | 11 | Alexey Melnikov | [Ballot comment] I am agreeing with Benjamin's DISCUSS. -Also the last para of section 6.1 (case insensitive comparison) is dodgy- |
2018-07-28 | 11 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
2018-07-28 | 11 | Warren Kumari | [Ballot comment] Props on the ASCII art QR code :-) I believe the acknowledgement section should be in the body of the document, not as an appendix. Also, please see the OpsDir review at: https://mailarchive.ietf.org/arch/msg/ops-dir/W8nzC89juHe32K3VXLQyVcPC_og |
2018-07-28 | 11 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2018-07-26 | 11 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2018-07-24 | 11 | (System) | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2018-07-24 | 11 | Mirja Kühlewind | [Ballot discuss] Please specify more clearly the (default) polling behavior to ensure that the polling does neither overload the network, nor the server, or is never terminated. Ideally provide default values and an upper bound for the polling frequency, as well as a timer to terminate polling if no reply is received (and no expiration time is given). See further details below. 1) Sec 3.3: "until the user completes the interaction, the code expires, or another error occurs." What if no expiration time is given (as this is optional) and no reply is ever received? 2) Sec 3.5: "the client should stop polling and react accordingly, for example, by displaying an error to the user." Maybe: "the client MUST stop polling and SHOULD react accordingly, for example, by displaying an error to the user." 3) sec 3.5 "If no interval was provided, the client MUST use a reasonable default polling interval." Can you please provide a default number for a "reasonable" polling interval! And in best case an upper bound! 4) sec 3.5: "...increasing the time between polls if a "slow_down" error is received. " Maybe use a separate normative sentence instead: "The client SHOULD increase the time between polls if a "slow_down" error is received." Or MUST? If so how much? Can you give further (default) guidance. 5) sec 3.5: "Clients MAY then choose to start a new device authorization session." Maybe make it clear that polling is stopped "Clients MUST stop polling but MAY then choose to start a new device authorization session." 6) sec 3.5: "then the device MAY wait until notified on that channel that the user has completed the action before initiating the token request." Why not SHOULD (or MUST) here? |
2018-07-24
|
11 | Mirja Kühlewind | [Ballot Position Update] New position, Discuss, has been recorded for Mirja Kühlewind |
2018-07-24
|
11 | Benjamin Kaduk | [Ballot discuss] Let me preface this by noting that I'm not sure that all of these points are actionable; I would, however, like to discuss … [Ballot discuss] Let me preface this by noting that I'm not sure that all of these points are actionable; I would, however, like to discuss them. I'm really unhappy to not see any hard numbers on the entropy needed in a user code to provide a reasonable security margin with given parameters, and how it compares to the guessability bounds considered best practices in general (across protocols). For example, we think 128-bit symmetric keys are okay because an attacker has to put in 2**96 work to have a 2**-32 chance of guessing correctly via brute force; the rate limiting and finite lifetime on the user code places an artificial limit on the amount of work an attacker can "do", so if one uses a 8-character base-20 user code (with roughly 34.5 bits of entropy), the rate-limiting interval and validity period would need to only allow 5 attempts in order to get the same 2**-32 probability of success by random guessing. Section 5.1 would be a great place for such text, near the preexisting: The user code SHOULD have enough entropy that when combined with rate limiting and other mitigations makes a brute-force attack infeasible. We talk about "the authorization server", but any given *user* may have a relationship with multiple such ASes. Can the Introduction make it more clear that the AS is associated with the device/client, and as such the it may not be the user's most-trusted AS? It also seems like a large latent risk with this flow is when the verification_uri_complete response is used along with an AS that assumes an authenticated user making such a verification request has approved the authorization (i.e., without an explicit user interaction to confirm), when that AS uses cookies or other persistent state to keep the user authenticated across multiple requests. 
I could not find any MUST-level requirement for user interaction to confirm the device being authorized (even in Section 3.3, which covers the regular verification_uri workflow!); please let me know if I missed something. I would like to see some explicit text that (matching the flow described in Section 3.1 that requires the user to input the code) explicit user approval of the authorization is required. (I do note that Section 5.3 has text about "SHOULD display information about the device".) I'm also unhappy about the text in Section 1 that merely requires of the device the ability to "make outbound HTTPS requests", which leaves room for an awful lot of sins in certificate validation (and, potentially, ciphersuite selection). Can we get a MUST-level requirement for authenticating the server and a cite to RFC 7525? |
2018-07-24
|
11 | Benjamin Kaduk | [Ballot comment] Please use the RFC 8174 boilerplate instead of the RFC 2119 one. Section 3.2 The example expires in 30 minutes? That seems longer than needed; wouldn't 5 minutes do? Section 3.3 I agree with the directorate reviewer that the MUST NOT requirement for displaying the device_code should justify that requirement by discussing the consequences of exposure. Section 3.5 authorization_pending The authorization request is still pending as the end-user hasn't yet completed the user interaction steps (Section 3.3). The client should repeat the Access Token Request to the token endpoint. I feel like we want to mention the 'interval' here or some other discussion of an inter-request delay. Also, please clarify "reasonable default polling interval", per multiple directorate reviews. Section 5.2 Please clarify the entities involved in "the backchannel flow" that can be MITM'd. Section 5.6 The "short-range" part of a "short-range wireless signal" partially depends on how big the receiver's antenna is. So perhaps we should be careful about indicating that this has more security value than it does. Section 6.1 I'm not sure I understand the usage of "case-insensitive", here -- how would the user have an expectation of case-insensitivity? Perhaps it is better to just say "majuscule" or "upper case" or whatever. |
2018-07-24
|
11 | Benjamin Kaduk | [Ballot Position Update] New position, Discuss, has been recorded for Benjamin Kaduk |
2018-07-19
|
11 | Jean Mahoney | Request for Telechat review by GENART is assigned to Robert Sparks |
2018-07-19
|
11 | Jean Mahoney | Request for Telechat review by GENART is assigned to Robert Sparks |
2018-07-17
|
11 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2018-07-17
|
11 | William Denniss | New version available: draft-ietf-oauth-device-flow-11.txt |
2018-07-17
|
11 | (System) | New version approved |
2018-07-17
|
11 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones , William Denniss , Hannes Tschofenig , John Bradley |
2018-07-17
|
11 | William Denniss | Uploaded new revision |
2018-07-17
|
10 | Cindy Morgan | Placed on agenda for telechat - 2018-08-02 |
2018-07-17
|
10 | Eric Rescorla | Ballot has been issued |
2018-07-17
|
10 | Eric Rescorla | Ballot writeup was changed |
2018-07-17
|
10 | Eric Rescorla | Ballot has been issued |
2018-07-17
|
10 | Eric Rescorla | [Ballot Position Update] New position, Yes, has been recorded for Eric Rescorla |
2018-07-17
|
10 | Eric Rescorla | Created "Approve" ballot |
2018-07-17
|
10 | Eric Rescorla | Ballot writeup was changed |
2018-06-15
|
10 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Christopher Wood. |
2018-06-12
|
10 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2018-06-12
|
10 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-oauth-device-flow-09. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of this document, there are three actions which we must complete. First, in the OAuth URI registry on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new registration will be made as follows: URN: urn:ietf:params:oauth:grant-type:device_code Common Name: Device flow grant type for OAuth 2.0 Change controller: IESG Reference: Section 3.1 of [ RFC-to-be ] As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC. 
Second, in the OAuth Extensions Error Registry also on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ four new registrations will be made as follows: Name: authorization_pending Usage Location: Token endpoint response Protocol Extension: [ RFC-to-be ] Change controller: IETF Reference: Section 3.5 of [ RFC-to-be ] Name: access_denied Usage Location: Token endpoint response Protocol Extension: [ RFC-to-be ] Change controller: IETF Reference: Section 3.5 of [ RFC-to-be ] Name: slow_down Usage Location: Token endpoint response Protocol Extension: [ RFC-to-be ] Change controller: IETF Reference: Section 3.5 of [ RFC-to-be ] Name: expired_token Usage Location: Token endpoint response Protocol Extension: [ RFC-to-be ] Change controller: IETF Reference: Section 3.5 of [ RFC-to-be ] As this document also requests further registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC. Third, in the OAuth Authorization Server Metadata registry also on the OAuth Parameters registry page located at: https://www.iana.org/assignments/oauth-parameters/ a single, new registration will be made as follows: Metadata Name: device_authorization_endpoint Metadata Description: The Device Authorization Endpoint Change Controller: IESG Reference: Section 4 of [ RFC-to-be ] As this document requests further registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC. The IANA Services Operator understands that these are the only actions required to be completed upon approval of this document. 
Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Sabrina Tanamal Senior IANA Services Specialist |
2018-06-12
|
10 | Qin Wu | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Qin Wu. Sent review to list. |
2018-06-12
|
10 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2018-06-11
|
10 | Robert Sparks | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Robert Sparks. Sent review to list. |
2018-06-05
|
10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2018-06-05
|
10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2018-06-01
|
10 | William Denniss | New version available: draft-ietf-oauth-device-flow-10.txt |
2018-06-01
|
10 | (System) | New version approved |
2018-06-01
|
10 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones , William Denniss , Hannes Tschofenig , John Bradley |
2018-06-01
|
10 | William Denniss | Uploaded new revision |
2018-05-31
|
09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2018-05-31
|
09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2018-05-31
|
09 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Christopher Wood |
2018-05-31
|
09 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Christopher Wood |
2018-05-29
|
09 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2018-05-29
|
09 | Amy Vezza | The following Last Call announcement was sent out (ends 2018-06-12): From: The IESG To: IETF-Announce CC: ekr@rtfm.com, Rifaat Shekh-Yusef , rifaat.ietf@gmail.com, draft-ietf-oauth-device-flow@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org Reply-To: ietf@ietf.org Sender: Subject: Last Call: (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 Device Flow for Browserless and Input Constrained Devices' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2018-06-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow. This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone. There is no requirement for communication between the constrained device and the user's secondary device. 
The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/ballot/ No IPR declarations have been submitted directly on this I-D. The document contains these normative downward references. See RFC 3967 for additional information: rfc6819: OAuth 2.0 Threat Model and Security Considerations (Informational - IETF stream) draft-recordon-oauth-v2-device: OAuth 2.0 Device Profile (None - ) rfc6755: An IETF URN Sub-Namespace for OAuth (Informational - IETF stream) |
2018-05-29
|
09 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2018-05-29
|
09 | Eric Rescorla | Last call was requested |
2018-05-29
|
09 | Eric Rescorla | Last call announcement was generated |
2018-05-29
|
09 | Eric Rescorla | Ballot approval text was generated |
2018-05-29
|
09 | Eric Rescorla | Ballot writeup was generated |
2018-05-29
|
09 | Eric Rescorla | IESG state changed to Last Call Requested from AD Evaluation::Point Raised - writeup needed |
2018-04-20
|
09 | William Denniss | New version available: draft-ietf-oauth-device-flow-09.txt |
2018-04-20
|
09 | (System) | New version approved |
2018-04-20
|
09 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones , William Denniss , Hannes Tschofenig , John Bradley |
2018-04-20
|
09 | William Denniss | Uploaded new revision |
2018-04-13
|
08 | Eric Rescorla | IESG state changed to AD Evaluation::Point Raised - writeup needed from AD Evaluation::AD Followup |
2018-03-19
|
08 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-03-19
|
08 | William Denniss | New version available: draft-ietf-oauth-device-flow-08.txt |
2018-03-19
|
08 | (System) | New version approved |
2018-03-19
|
08 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones , William Denniss , Hannes Tschofenig , John Bradley |
2018-03-19
|
08 | William Denniss | Uploaded new revision |
2018-02-24
|
07 | Eric Rescorla | IESG state changed to AD Evaluation::Revised I-D Needed from AD Evaluation |
2018-02-24
|
07 | Eric Rescorla | IESG state changed to AD Evaluation from Publication Requested |
2018-01-08
|
07 | Rifaat Shekh-Yusef | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The draft-ietf-oauth-device-flow-07 is a Standards Track document that defines a mechanism to allow users to request authorization for devices with Internet access but with limited UI capabilities (e.g. smart TV, media console, etc). Standards Track is needed because the new mechanism defines a new flow that is not defined in the existing OAuth 2.0 specifications. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow. This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone. There is no requirement for communication between the constrained device and the user's secondary device. 
Working Group Summary: The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support: https://mailarchive.ietf.org/arch/msg/oauth/pQafddqfV3W3U_skHuR7E6ZQ44I https://mailarchive.ietf.org/arch/msg/oauth/U7FsPASLxhNz4eB2FNypw4n952c The WG document received many reviews and feedback from multiple WG members on the mailing list and during the WG meetings. Document Quality: The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, Curity Identity Server, and MITREid Connect. https://developers.google.com/youtube/v3/guides/auth/devices https://developers.facebook.com/docs/facebook-login/for-devices https://github.com/Azure-Samples/active-directory-dotnet-deviceprofile https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#rest-api-oauth2-device-flow https://releasenotes.docs.salesforce.com/en-us/spring17/release-notes/rn_security_auth_device_flow.htm https://www.curity.io/product/ https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server Also, it seems that ETSI has a specification based on this document: https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html https://mailarchive.ietf.org/arch/msg/oauth/23ARrozt4RUUHA_NRiet7c38oIA http://www.etsi.org/deliver/etsi_ts/103400_103499/103407/01.01.01_60/ts_103407v010101p.pdf https://tech.ebu.ch/groups/CPA There is also a different use for this mechanism as stated here: https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q Personnel: The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Eric Rescorla. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd has reviewed several versions of this document, including the last one, and feels the document is ready. 
(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document shepherd has no concerns with the level of reviews, as the document was discussed and reviewed by many participants. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Security review is always needed and appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no such concerns. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Yes. John: https://www.ietf.org/mail-archive/web/oauth/current/msg17698.html Mike: https://www.ietf.org/mail-archive/web/oauth/current/msg17704.html William: https://www.ietf.org/mail-archive/web/oauth/current/msg17705.html Hannes: https://www.ietf.org/mail-archive/web/oauth/current/msg17706.html (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No such IPR disclosures. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is a solid support for this document from the WG. 
(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No such threat or discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. Section 7.1.1, last bullet, should point to section 3.2 instead of 3.1 The following is the IETF tools nits reports: idnits 2.15.00 /tmp/draft-ietf-oauth-device-flow-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 14 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 30, 2017) is 66 days in the past. Is this intentional? 
Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-08) exists of draft-ietf-oauth-discovery-05 ** Downref: Normative reference to an Informational RFC: RFC 6755 ** Downref: Normative reference to an Informational RFC: RFC 6819 Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No such reviews are necessary. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? The document references the OAuth 2.0 Authorization Server Metadata document, which is under IESG Evaluation at this stage. https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/ (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. From the nits: ** Downref: Normative reference to an Informational RFC: RFC 6755 ** Downref: Normative reference to an Informational RFC: RFC 6819 (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. 
If this information is not in the document, explain why the WG considers it unnecessary. No status change of any existing RFCs. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The IANA section is complete and correct. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. No new IANA registries. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. The document contains JSON-based examples, and these were validated using JSONLint. |
2018-01-05
|
07 | Rifaat Shekh-Yusef | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The draft-ietf-oauth-device-flow-07 is a Standards Track document that defines a mechanism to allow users to request authorization for devices with Internet access but with limited UI capabilities (e.g. smart TV, media console, etc). Standards Track is needed because the new mechanism defines a new flow that is not defined in the existing OAuth 2.0 specifications. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This OAuth 2.0 authorization flow for browserless and input constrained devices, often referred to as the device flow, enables OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method (such as a smart TV, media console, picture frame, or printer), or lack a suitable browser for a more traditional OAuth flow. This authorization flow instructs the user to perform the authorization request on a secondary device, such as a smartphone. There is no requirement for communication between the constrained device and the user's secondary device. 
Working Group Summary: The device flow used to be part of the OAuth 2.0 specification, but it was later moved to its own separate document based on the WG feedback and support: https://mailarchive.ietf.org/arch/msg/oauth/pQafddqfV3W3U_skHuR7E6ZQ44I https://mailarchive.ietf.org/arch/msg/oauth/U7FsPASLxhNz4eB2FNypw4n952c The WG document received many reviews and feedback from multiple WG members on the mailing list and during the WG meetings. Document Quality: The document has been implemented by Google, Facebook, Microsoft, ForgeRock, Salesforce, and Curity Identity Server. https://developers.google.com/youtube/v3/guides/auth/devices https://developers.facebook.com/docs/facebook-login/for-devices https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#rest-api-oauth2-device-flow https://releasenotes.docs.salesforce.com/en-us/spring17/release-notes/rn_security_auth_device_flow.htm https://www.curity.io/product/ Also, it seems that ETSI has a specification based on this document: https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html https://mailarchive.ietf.org/arch/msg/oauth/23ARrozt4RUUHA_NRiet7c38oIA http://www.etsi.org/deliver/etsi_ts/103400_103499/103407/01.01.01_60/ts_103407v010101p.pdf There is also a different use for this mechanism as stated here: https://mailarchive.ietf.org/arch/msg/oauth/VzEo9rqC3kmqCuLFR-JcYQvIM3Q Personnel: The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Eric Rescorla. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd has reviewed several versions of this document, including the last one, and feels the document is ready. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? 
The document shepherd has no concerns with the level of reviews, as the document was discussed and reviewed by many participants. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Security review is always needed and appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no such concerns. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Yes. John: https://www.ietf.org/mail-archive/web/oauth/current/msg17698.html Mike: https://www.ietf.org/mail-archive/web/oauth/current/msg17704.html William: https://www.ietf.org/mail-archive/web/oauth/current/msg17705.html Hannes: https://www.ietf.org/mail-archive/web/oauth/current/msg17706.html (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No such IPR disclosures. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is a solid support for this document from the WG. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? 
If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No such threat or discontent.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

Section 7.1.1, last bullet, should point to section 3.2 instead of 3.1

The following is the IETF tools nits reports:

idnits 2.15.00

/tmp/draft-ietf-oauth-device-flow-07.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There is 1 instance of too long lines in the document, the longest one being 14 characters in excess of 72.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
-- The document date (October 30, 2017) is 66 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Outdated reference: A later version (-08) exists of draft-ietf-oauth-discovery-05
** Downref: Normative reference to an Informational RFC: RFC 6755
** Downref: Normative reference to an Informational RFC: RFC 6819

Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the items above.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

The document references the OAuth 2.0 Authorization Server Metadata document, which is under IESG Evaluation at this stage.
https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/

(15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

From the nits:
** Downref: Normative reference to an Informational RFC: RFC 6755
** Downref: Normative reference to an Informational RFC: RFC 6819

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

No status change of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

The IANA section is complete and correct.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

No new IANA registries.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

The document contains JSON-based examples, and these were validated using JSONLint. |
2018-01-05
|
07 | Rifaat Shekh-Yusef | Responsible AD changed to Eric Rescorla |
2018-01-05
|
07 | Rifaat Shekh-Yusef | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2018-01-05
|
07 | Rifaat Shekh-Yusef | IESG state changed to Publication Requested |
2018-01-05
|
07 | Rifaat Shekh-Yusef | IESG process started in state Publication Requested |
2018-01-05
|
07 | Rifaat Shekh-Yusef | Changed consensus to Yes from Unknown |
2018-01-05
|
07 | Rifaat Shekh-Yusef | Intended Status changed to Proposed Standard from None |
2018-01-05
|
07 | Rifaat Shekh-Yusef | Changed document writeup |
2018-01-05
|
07 | Rifaat Shekh-Yusef | Changed document writeup |
2018-01-02
|
07 | Rifaat Shekh-Yusef | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2017-10-30
|
07 | William Denniss | New version available: draft-ietf-oauth-device-flow-07.txt |
2017-10-30
|
07 | (System) | New version approved |
2017-10-30
|
07 | (System) | Request for posting confirmation emailed to previous authors: Michael Jones, William Denniss, Hannes Tschofenig, John Bradley |
2017-10-30
|
07 | William Denniss | Uploaded new revision |
2017-06-05
|
06 | Rifaat Shekh-Yusef | IETF WG state changed to In WG Last Call from WG Document |
2017-05-31
|
06 | William Denniss | New version available: draft-ietf-oauth-device-flow-06.txt |
2017-05-31
|
06 | (System) | New version approved |
2017-05-31
|
06 | (System) | Request for posting confirmation emailed to previous authors: John Bradley, William Denniss, Michael Jones, Hannes Tschofenig, oauth-chairs@ietf.org |
2017-05-31
|
06 | William Denniss | Uploaded new revision |
2017-04-10
|
05 | Hannes Tschofenig | Notification list changed to Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> |
2017-04-10
|
05 | Hannes Tschofenig | Document shepherd changed to Rifaat Shekh-Yusef |
2017-03-13
|
05 | William Denniss | New version available: draft-ietf-oauth-device-flow-05.txt |
2017-03-13
|
05 | (System) | New version approved |
2017-03-13
|
05 | (System) | Request for posting confirmation emailed to previous authors: John Bradley, William Denniss, Michael Jones, Hannes Tschofenig, oauth-chairs@ietf.org |
2017-03-13
|
05 | William Denniss | Uploaded new revision |
2017-02-27
|
04 | William Denniss | New version available: draft-ietf-oauth-device-flow-04.txt |
2017-02-27
|
04 | (System) | New version approved |
2017-02-27
|
04 | (System) | Request for posting confirmation emailed to previous authors: Stein Myrseth, Michael Jones, John Bradley, William Denniss, Hannes Tschofenig, oauth-chairs@ietf.org |
2017-02-27
|
04 | William Denniss | Uploaded new revision |
2017-01-19
|
03 | (System) | Document has expired |
2016-11-22
|
03 | Hannes Tschofenig | Added to session: IETF-97: oauth Mon-0930 |
2016-07-18
|
03 | William Denniss | New version available: draft-ietf-oauth-device-flow-03.txt |
2016-07-08
|
02 | William Denniss | New version available: draft-ietf-oauth-device-flow-02.txt |
2016-03-03
|
01 | Michael Jones | New version available: draft-ietf-oauth-device-flow-01.txt |
2016-02-17
|
00 | Hannes Tschofenig | This document now replaces draft-denniss-oauth-device-flow instead of None |
2016-02-17
|
00 | William Denniss | New version available: draft-ietf-oauth-device-flow-00.txt |