Last Call Review of draft-ietf-oauth-native-apps-11
review-ietf-oauth-native-apps-11-opsdir-lc-wang-2017-05-22-00

Request Review of draft-ietf-oauth-native-apps
Requested revision No specific revision (document currently at 12)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2017-05-16
Requested 2017-05-02
Authors William Denniss , John Bradley
I-D last updated 2017-05-22
Completed reviews Secdir Last Call review of -11 by Donald E. Eastlake 3rd (diff)
Opsdir Last Call review of -11 by Zitao Wang (diff)
Genart Last Call review of -10 by Elwyn B. Davies (diff)
Genart Telechat review of -11 by Elwyn B. Davies (diff)
Assignment Reviewer Zitao Wang
State Completed
Request Last Call review on draft-ietf-oauth-native-apps by Ops Directorate Assigned
Reviewed revision 11 (document currently at 12)
Result Has nits
Completed 2017-05-22
review-ietf-oauth-native-apps-11-opsdir-lc-wang-2017-05-22-00
Reviewer: Zitao Wang (Michael)

Review result: Has Nits

I have reviewed this document as part of the Operational directorate’s ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments.

Document reviewed:  draft-ietf-oauth-native-apps-10

Summary:

OAuth 2.0 authorization requests from native apps should only be made
through external user-agents, primarily the user’s browser. This
specification details the security and usability reasons why this is
the case, and how native apps and authorization servers can implement
this best practice.

I think the document is written very clear, except some small nits:

Page 3:     The last sentence of introduction-- “This practice is also known as
the AppAuth pattern”.

I suggest adding a reference to explain the AppAuth pattern.

Page 3:     Terminology -- "OAuth".

I suggest modifying to: "OAuth"   The Web Authorization (OAuth) protocol.  In
this document, OAuth refers to OAuth 2.0 [RFC6749].

Page 4:     Terminology -- "web-view"  A web browser UI component.

Does it mean "User Information"?  Suggest expanding this abbreviation.

Page 5:     Figure 1.   Does the browser and authorization endpoint are some
kinds of "external user-agent"? Suggest describing it more clearly.

Page   9:   PKCE [RFC7636] details how this limitation can be used to execute a
code interception attack (see Figure 1). Does the Figure 1 means “Figure 1 of
RFC7636”?

Page10:     However, as the Implicit Flow cannot be protected by PKCE
Seems here, the reference be omitted.

A run of idnits revealed no errors, flaws. There were 1 warning and 1 comments
though

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (April 26, 2017) is 14 days in the past.  Is this
     intentional?

  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).