Discussion:
[OAUTH-WG] WGLC draft-ietf-oauth-device-flow-06
Rifaat Shekh-Yusef
2017-06-01 12:32:43 UTC
Permalink
All,

We are starting a WGLC on the Device Flow document:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06

Please, review the document and provide feedback on any issues you see with
the document.

The WGCL will end in two weeks, on June 16, 2017.

Regards,
Rifaat and Hannes
Rifaat Shekh-Yusef
2017-06-28 12:27:01 UTC
Permalink
Hi (as individual),

I have reviewed the Device Flow document, and I have a question about the
polling part.
The current draft is calling for the Device Client to poll the AS for a
token (steps E & F of Figure 1).

Presumably, the process started with the user pushing some button on the
Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token
Request to be sent to the AS only after the user for example pushed that
same button again.
This would allow the user to perform steps C and D to authorize the device,
and then push the button again to get the token.

Thoughts?

Regards,
Rifaat
Post by Rifaat Shekh-Yusef
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06
Please, review the document and provide feedback on any issues you see
with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
Justin Richer
2017-06-28 15:33:28 UTC
Permalink
This is functionally equivalent to polling, as far as the spec is concerned. Instead of it being a timeout-based poll, it’s an interaction-based poll. Either way, the device makes a new HTTP request to the AS to see if the device code is good or not, and either option is possible at that point as far as the device knows— the user could go mash buttons as fast as possible without ever entering the user code.

In practice, this isn’t very likely to happen, as it requires additional steps for the user and makes for a more clunky experience. If anything, we might see it as an optimization in some environments for some clients. In any event, it’s not any different from the spec’s perspective.

— Justin
Post by Rifaat Shekh-Yusef
Hi (as individual),
I have reviewed the Device Flow document, and I have a question about the polling part.
The current draft is calling for the Device Client to poll the AS for a token (steps E & F of Figure 1).
Presumably, the process started with the user pushing some button on the Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token Request to be sent to the AS only after the user for example pushed that same button again.
This would allow the user to perform steps C and D to authorize the device, and then push the button again to get the token.
Thoughts?
Regards,
Rifaat
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06>
Please, review the document and provide feedback on any issues you see with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Rifaat Shekh-Yusef
2017-06-28 18:35:33 UTC
Permalink
Post by Justin Richer
This is functionally equivalent to polling, as far as the spec is
concerned. Instead of it being a timeout-based poll, it’s an
interaction-based poll. Either way, the device makes a new HTTP request to
the AS to see if the device code is good or not, and either option is
possible at that point as far as the device knows— the user could go mash
buttons as fast as possible without ever entering the user code.
You are correct that this does not change the communication model, but if
there is a large number of devices being configured at the same time, then
the polling as it is defined in the document unnecessarily overloads the AS
whether the user is doing anything or not.
Post by Justin Richer
In practice, this isn’t very likely to happen, as it requires additional
steps for the user and
It requires one more step (not steps), which is the user pushing the button
one more time after the user is done with authenticating and authorizing
the device; do you see any other steps needed here?
Post by Justin Richer
makes for a more clunky experience.
I guess this is subjective, but why do you think it is clunky?

Regards,.
Rifaat
Post by Justin Richer
If anything, we might see it as an optimization in some environments for
some clients. In any event, it’s not any different from the spec’s
perspective.
— Justin
Hi (as individual),
I have reviewed the Device Flow document, and I have a question about the polling part.
The current draft is calling for the Device Client to poll the AS for a
token (steps E & F of Figure 1).
Presumably, the process started with the user pushing some button on the
Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token
Request to be sent to the AS only after the user for example pushed that
same button again.
This would allow the user to perform steps C and D to authorize the
device, and then push the button again to get the token.
Thoughts?
Regards,
Rifaat
Post by Rifaat Shekh-Yusef
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06
Please, review the document and provide feedback on any issues you see with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2017-06-28 20:45:40 UTC
Permalink
Post by Justin Richer
This is functionally equivalent to polling, as far as the spec is concerned. Instead of it being a timeout-based poll, it’s an interaction-based poll. Either way, the device makes a new HTTP request to the AS to see if the device code is good or not, and either option is possible at that point as far as the device knows— the user could go mash buttons as fast as possible without ever entering the user code.
You are correct that this does not change the communication model, but if there is a large number of devices being configured at the same time, then the polling as it is defined in the document unnecessarily overloads the AS whether the user is doing anything or not.
The polling mechanism already has slow-down and other mechanisms to prevent the AS from being unnecessarily overloaded by well-behaved clients.
Post by Justin Richer
In practice, this isn’t very likely to happen, as it requires additional steps for the user and
It requires one more step (not steps), which is the user pushing the button one more time after the user is done with authenticating and authorizing the device; do you see any other steps needed here?
What you describe as “clicking the button” really isn’t that simple in the real world:

1) Being told I need to go click a button by the AS, or maybe I need to go click a button, because now we have something that’s device specific and would be tied to the device registration. After all, some things will be “automatic” per the user’s experience (because of polling) and some will require further actions.
2) Finding the device because I wasn’t at the device I was at my computer and maybe the device needs me to do something else or maybe not (see step 1)
3) Finding the button on the device, or is that one the power button? Or does this one require me to wave my hand in front of a sensor instead of a button? Maybe there are some instructions on the device, or it will talk to me and tell me what to do when I push the button.
4) Clicking the button. Or waving my hand. Or shaking it really hard. Or licking it.
5) Checking to see if it worked, maybe clicking the button again just in case...
Post by Justin Richer
makes for a more clunky experience.
I guess this is subjective, but why do you think it is clunky?
See the process above. It’s going to be incredibly device specific and not something we can, or should address at the protocol level, especially since the protocol as-is already allows for action-based polling completely transparently to the rest of the system.

I don’t see any need for changes to the document to accommodate this. I would not be against a very small note that polling could happen on a reactive basis from the device instead of a timer, perhaps adding something like this sentence to §3.3¶3:

Common mechanisms for determining when to poll include use of an internal timer and reliance on an interaction with the user, such as a button click or other physical activation. The details of such reactive polling behavior are expected to be device specific and are therefore outside the scope of this specification.

Thanks,

— Justin
Post by Justin Richer
Regards,.
Rifaat
If anything, we might see it as an optimization in some environments for some clients. In any event, it’s not any different from the spec’s perspective.
— Justin
Post by Rifaat Shekh-Yusef
Hi (as individual),
I have reviewed the Device Flow document, and I have a question about the polling part.
The current draft is calling for the Device Client to poll the AS for a token (steps E & F of Figure 1).
Presumably, the process started with the user pushing some button on the Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token Request to be sent to the AS only after the user for example pushed that same button again.
This would allow the user to perform steps C and D to authorize the device, and then push the button again to get the token.
Thoughts?
Regards,
Rifaat
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06>
Please, review the document and provide feedback on any issues you see with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Rifaat Shekh-Yusef
2017-06-30 22:18:36 UTC
Permalink
Post by Rifaat Shekh-Yusef
Post by Justin Richer
This is functionally equivalent to polling, as far as the spec is
concerned. Instead of it being a timeout-based poll, it’s an
interaction-based poll. Either way, the device makes a new HTTP request to
the AS to see if the device code is good or not, and either option is
possible at that point as far as the device knows— the user could go mash
buttons as fast as possible without ever entering the user code.
You are correct that this does not change the communication model, but if
there is a large number of devices being configured at the same time, then
the polling as it is defined in the document unnecessarily overloads the AS
whether the user is doing anything or not.
The polling mechanism already has slow-down and other mechanisms to
prevent the AS from being unnecessarily overloaded by well-behaved clients.
Sure, but *if* there is a way to avoid the polling altogether, then we
might not need these slow-down mechanisms in the first place.
Post by Rifaat Shekh-Yusef
Post by Justin Richer
In practice, this isn’t very likely to happen, as it requires additional
steps for the user and
It requires one more step (not steps), which is the user pushing the
button one more time after the user is done with authenticating and
authorizing the device; do you see any other steps needed here?
What you describe as “clicking the button” really isn’t that simple in the
1) Being told I need to go click a button by the AS, or maybe I need to go
click a button, because now we have something that’s device specific and
would be tied to the device registration. After all, some things will be
“automatic” per the user’s experience (because of polling) and some will
require further actions.
2) Finding the device because I wasn’t at the device I was at my computer
and maybe the device needs me to do something else or maybe not (see step 1)
3) Finding the button on the device, or is that one the power button? Or
does this one require me to wave my hand in front of a sensor instead of a
button? Maybe there are some instructions on the device, or it will talk to
me and tell me what to do when I push the button.
4) Clicking the button. Or waving my hand. Or shaking it really hard. Or licking it.
5) Checking to see if it worked, maybe clicking the button again just in case...
We are talking about a use case where a person is getting ready to install
a device, and you would expect the user to be able to find the device he
wants to install and interact with that device.
Are you expecting the user to be able to install a device without any
interaction with that device?


Regards,
Rifaat
Post by Rifaat Shekh-Yusef
Post by Justin Richer
makes for a more clunky experience.
I guess this is subjective, but why do you think it is clunky?
See the process above. It’s going to be incredibly device specific and not
something we can, or should address at the protocol level, especially since
the protocol as-is already allows for action-based polling completely
transparently to the rest of the system.
I don’t see any need for changes to the document to accommodate this. I
would not be against a very small note that polling could happen on a
reactive basis from the device instead of a timer, perhaps adding something
Common mechanisms for determining when to poll include use of an internal
timer and reliance on an interaction with the user, such as a button click
or other physical activation. The details of such reactive polling behavior
are expected to be device specific and are therefore outside the scope of
this specification.
Thanks,
— Justin
Regards,.
Rifaat
Post by Justin Richer
If anything, we might see it as an optimization in some environments for
some clients. In any event, it’s not any different from the spec’s
perspective.
— Justin
Hi (as individual),
I have reviewed the Device Flow document, and I have a question about the polling part.
The current draft is calling for the Device Client to poll the AS for a
token (steps E & F of Figure 1).
Presumably, the process started with the user pushing some button on the
Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token
Request to be sent to the AS only after the user for example pushed that
same button again.
This would allow the user to perform steps C and D to authorize the
device, and then push the button again to get the token.
Thoughts?
Regards,
Rifaat
Post by Rifaat Shekh-Yusef
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06
Please, review the document and provide feedback on any issues you see
with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2017-07-01 00:37:28 UTC
Permalink
Inline.
Post by Justin Richer
Post by Justin Richer
This is functionally equivalent to polling, as far as the spec is concerned. Instead of it being a timeout-based poll, it’s an interaction-based poll. Either way, the device makes a new HTTP request to the AS to see if the device code is good or not, and either option is possible at that point as far as the device knows— the user could go mash buttons as fast as possible without ever entering the user code.
You are correct that this does not change the communication model, but if there is a large number of devices being configured at the same time, then the polling as it is defined in the document unnecessarily overloads the AS whether the user is doing anything or not.
The polling mechanism already has slow-down and other mechanisms to prevent the AS from being unnecessarily overloaded by well-behaved clients.
Sure, but if there is a way to avoid the polling altogether, then we might not need these slow-down mechanisms in the first place.
There’s not a way to avoid it altogether, and again I remind you that the current spec will already fully allow the use case that you’re describing, without requiring any changes to the text whatsoever. You could literally build a client today that does exactly what you’re talking about. All you need to do is:

1. Call the device code endpoint to get your device code and user code
2. Not call the token endpoint automatically
3. Wait until a button press to call the token endpoint
4. If you get a token back, great; if you get one of the errors back, wait until another button press

Note that if the user hammers the button too fast you should still wait for the timeout before calling again. This is only slightly different from most code deployed today:

1. Call the device code endpoint to get your device code and user code
2. Wait until a a timeout to call the token endpoint
3. If you get a token back, great; if you get one of the errors back, wait until another timeout

In fact, I wouldn’t at all be surprised that somebody’s built the first one along with the number of implementations of the second one that have been built to date. So I’m still not seeing what changes you’d want in the specification to address this.
Post by Justin Richer
Post by Justin Richer
In practice, this isn’t very likely to happen, as it requires additional steps for the user and
It requires one more step (not steps), which is the user pushing the button one more time after the user is done with authenticating and authorizing the device; do you see any other steps needed here?
1) Being told I need to go click a button by the AS, or maybe I need to go click a button, because now we have something that’s device specific and would be tied to the device registration. After all, some things will be “automatic” per the user’s experience (because of polling) and some will require further actions.
2) Finding the device because I wasn’t at the device I was at my computer and maybe the device needs me to do something else or maybe not (see step 1)
3) Finding the button on the device, or is that one the power button? Or does this one require me to wave my hand in front of a sensor instead of a button? Maybe there are some instructions on the device, or it will talk to me and tell me what to do when I push the button.
4) Clicking the button. Or waving my hand. Or shaking it really hard. Or licking it.
5) Checking to see if it worked, maybe clicking the button again just in case...
We are talking about a use case where a person is getting ready to install a device, and you would expect the user to be able to find the device he wants to install and interact with that device.
That’s making a lot of assumptions about the nature of the device and the availability of the non-constrained login platform.
Post by Justin Richer
Are you expecting the user to be able to install a device without any interaction with that device?
If you’re provisioning thousands of devices simultaneously like you said in your original email, I should hope I don’t need to go around pushing a bunch of buttons to make it happen. So, yes.


Perhaps if you can describe in detail what changes you’d like to see to the specification, or in what way the current text does not allow for your use case, then I’d be able to understand what you’re asking for.


— Justin
Post by Justin Richer
Regards,
Rifaat
Post by Justin Richer
makes for a more clunky experience.
I guess this is subjective, but why do you think it is clunky?
See the process above. It’s going to be incredibly device specific and not something we can, or should address at the protocol level, especially since the protocol as-is already allows for action-based polling completely transparently to the rest of the system.
Common mechanisms for determining when to poll include use of an internal timer and reliance on an interaction with the user, such as a button click or other physical activation. The details of such reactive polling behavior are expected to be device specific and are therefore outside the scope of this specification.
Thanks,
— Justin
Post by Justin Richer
Regards,.
Rifaat
If anything, we might see it as an optimization in some environments for some clients. In any event, it’s not any different from the spec’s perspective.
— Justin
Post by Rifaat Shekh-Yusef
Hi (as individual),
I have reviewed the Device Flow document, and I have a question about the polling part.
The current draft is calling for the Device Client to poll the AS for a token (steps E & F of Figure 1).
Presumably, the process started with the user pushing some button on the Device Client to initiate the process.
One way to avoid the need for polling is for the Device Access Token Request to be sent to the AS only after the user for example pushed that same button again.
This would allow the user to perform steps C and D to authorize the device, and then push the button again to get the token.
Thoughts?
Regards,
Rifaat
All,
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06 <https://tools.ietf.org/html/draft-ietf-oauth-device-flow-06>
Please, review the document and provide feedback on any issues you see with the document.
The WGCL will end in two weeks, on June 16, 2017.
Regards,
Rifaat and Hannes
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Loading...