So where are we on this?  Any progress?


________________________________
From: "Manger, James H" <james.h.man...@team.telstra.com>
To: William J. Mills <wmi...@yahoo-inc.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Tuesday, August 30, 2011 11:39 PM
Subject: RE: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments


William J. Mills said:
>Did item #2 below get resolved?  I haven't seen any more traffic about it and 
>it seems pretty significant.
 
 
No, I haven’t seen any resolution for #2 (or any of these comments).
The latest HTTPbis draft 
(http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16) has updated ABNF for 
<challenge> and <credentials> that supports the base64-blobs used by BASIC and 
NTLM. It does not allow what BEARER tries to do.
 
--
James Manger
 
 

________________________________

From:"Manger, James H" <james.h.man...@team.telstra.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Sent: Thursday, July 28, 2011 8:51 PM
Subject: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

My working group last call comments on draft-ietf-oauth-v2-bearer-08.txt:


1. Mentioning that this is an HTTP authentication mechanism in the title and/or 
abstract would be useful to the wider IETF (& beyond) audience.
Title:
  "The BEARER HTTP authentication mechanism for use with OAuth 2"
Abstract:
  "This specification describes how to use bearer tokens in
  HTTP requests to access OAuth 2 protected resources."

[Personally, I wouldn't bother mentioning OAuth at all here, but others seem to 
want this context restriction.]


2. The ABNF for <credentials> does not comply with RFC 2617 "HTTP 
Authentication". And even though RFC 2617 is broken is this aspect, the BEARER 
spec doesn't comply with the errata (still broken) or the more likely fixes 
proposed for HTTPbis [draft-ietf-httpbis-p7-auth].
I expect HTTPbis to allow a base64-like-blob consistently in Authorization and 
WWW-Authenticate headers (to accommodate BASIC and NTLM). Multiple 
WWW-Authenticate headers can have their values combined, separated by commas. 
They can also have quoted-string parameters. To be able to parse this, requires 
disallowing commas and double-quotes from the base64-like-blob (and hence from 
<access-token>) at a minimum; only allowing equals at the end also helps.
The current approach in the bearer spec disallows all but 94 chars/bytes. I 
suggest reducing this to 69. Something in between (eg 91 chars, dropping comma, 
quote, and slash) might work. None of these options are materially easier than 
the others for a token issuer; and less symbols just means less risk of 
escaping problems elsewhere (eg allowing "<" in an access token will wreck 
someone's XML somewhere, for no benefit).

Suggestion: 
  access-token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

  <access-token> includes the 66 unreserved URI characters plus a few others.
  It can hold a base64, base64url (URL and filename safe alphabet),
  base32, or base16 (hex) encoding, with or without padding, but
  excluding whitespace [RFC4648].

2b. If 2 is not accepted (and assuming HTTPbis will allow any content after the 
scheme name in a Authorization header) can we please not misuse the 
<quoted-char> label when no quoting is going on. The following is a better 
equivalent:

  access-token = 1*(%x21-7E) ; ASCII, except controls, space, or delete


3. Drop '\' from the allowed chars in a scope value, to avoid clashing with the 
HTTP quoted-string escaping mechanism (and don't use the <quoted-char> label 
when no quoting is going on).
  scope-v = 1*(%x21 / %x23-5B / %x5D-7E); excludes space and " and \


4. Section 3.3 "Summary of Recommendations" sensibly says clients "MUST ensure 
that bearer tokens are not leaked to *unintended parties*" and correctly notes 
that this is "the primary security consideration" that underlies all the 
others. So it is a glaring hole that OAuth2 fails to tell the client who the 
intended parties are when issuing a bearer token.


--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to