Justin Richer
2017-07-06 18:48:51 UTC
Finally had a chance to review the device flow draft in earnest. Overall it’s really great, and we’ve implemented it in a few places (see my recent post on one interesting use case). Just a few notes:
- use of “flow” has largely been replaced by “authorization grant” in other documents and we should be consistent here
- use of “end-user” has been replaced by “resource owner” in other documents and we should be consistent here
- “input constrained” should be “input-constrained” as used in the title, abstract, and introduction.
- §1¶3 could be rewritten to a bulleted list of requirements instead for readability
- §1¶4 could add something to address recent discussion on the list: “While this polling is usually automatic and repeated on a regularly timed basis, the client could poll based on user action with the device such as a button press.”
- §1 diagram (D) should state that the user is prompted to enter the user code given in (C) and that the user does so — leaving it out is an optimization (see below) and the likely exception
- §2 should probably be §1.1, or move the protocol flow to §1.1 and make §2 into §1.2
- §2 should import all terms used from 6749/6750 explicitly
- §2 should we define “secondary device” once at the top instead of the parenthetical definition used throughout?
- §3.1¶1 Wording is awkward with double “by” phrases, suggest: “The client initiates the authorization grant request by making an HTTP POST request to the device authorization endpoint.”
- §3.2 add xref to JSON (7159), response is a JSON object with the following members (not parameters)
- §3.2 is there any requirement for the verification_uri to be over HTTPS? I can’t see any discussion of this anywhere and it should probably at least be in the security considerations, if not an outright requirement. We say that authentication is done in a tls-protected session in §3.3 but we don’t say anything about the actual URL or the page in which the user enters the code.
- §3.3¶3 as mentioned above, the polling could be continuous (timer-based) or in reaction to a user action at the device. There are no protocol differences and the AS shouldn’t do try and inform the user, but we can at least mention that in our description of polling.
- §3.3.1 I still think this optimized all-in-one URI should be a separate parameter from the AS so as not to conflate it with the “plain” verification URI.
- §3.4¶3 instead of “based on the error code in the response” perhaps “until the authorization server indicates the device code has expired or was cancelled.” — I’m less sure about the wording here but as written it feels awkward.
- §3.5 I agree with the point made on the list about the error code, “access_denied” would fit this bill but right now it’s only specified on authorization endpoint response, so let’s add its use to the token response here
- §3.5¶4 says to return “invalid_grant” if the codes are expired, but in the same section it says to use “expired_code”.
- §3.5¶5 the interval between polls SHOULD be at least the “interval” value. Also, it MUST be greater than zero … William …
- §5.2 “user’s session and device”, use of “device” here is confusing since this is the “device” flow. Maybe explicitly call out this as the “secondary device”
- §5.5 extra “or” in list in final sentence
— Justin
- use of “flow” has largely been replaced by “authorization grant” in other documents and we should be consistent here
- use of “end-user” has been replaced by “resource owner” in other documents and we should be consistent here
- “input constrained” should be “input-constrained” as used in the title, abstract, and introduction.
- §1¶3 could be rewritten to a bulleted list of requirements instead for readability
- §1¶4 could add something to address recent discussion on the list: “While this polling is usually automatic and repeated on a regularly timed basis, the client could poll based on user action with the device such as a button press.”
- §1 diagram (D) should state that the user is prompted to enter the user code given in (C) and that the user does so — leaving it out is an optimization (see below) and the likely exception
- §2 should probably be §1.1, or move the protocol flow to §1.1 and make §2 into §1.2
- §2 should import all terms used from 6749/6750 explicitly
- §2 should we define “secondary device” once at the top instead of the parenthetical definition used throughout?
- §3.1¶1 Wording is awkward with double “by” phrases, suggest: “The client initiates the authorization grant request by making an HTTP POST request to the device authorization endpoint.”
- §3.2 add xref to JSON (7159), response is a JSON object with the following members (not parameters)
- §3.2 is there any requirement for the verification_uri to be over HTTPS? I can’t see any discussion of this anywhere and it should probably at least be in the security considerations, if not an outright requirement. We say that authentication is done in a tls-protected session in §3.3 but we don’t say anything about the actual URL or the page in which the user enters the code.
- §3.3¶3 as mentioned above, the polling could be continuous (timer-based) or in reaction to a user action at the device. There are no protocol differences and the AS shouldn’t do try and inform the user, but we can at least mention that in our description of polling.
- §3.3.1 I still think this optimized all-in-one URI should be a separate parameter from the AS so as not to conflate it with the “plain” verification URI.
- §3.4¶3 instead of “based on the error code in the response” perhaps “until the authorization server indicates the device code has expired or was cancelled.” — I’m less sure about the wording here but as written it feels awkward.
- §3.5 I agree with the point made on the list about the error code, “access_denied” would fit this bill but right now it’s only specified on authorization endpoint response, so let’s add its use to the token response here
- §3.5¶4 says to return “invalid_grant” if the codes are expired, but in the same section it says to use “expired_code”.
- §3.5¶5 the interval between polls SHOULD be at least the “interval” value. Also, it MUST be greater than zero … William …
- §5.2 “user’s session and device”, use of “device” here is confusing since this is the “device” flow. Maybe explicitly call out this as the “secondary device”
- §5.5 extra “or” in list in final sentence
— Justin