[OAUTH-WG] The verification URL and CAPTCHA responses for username/password profile?

David Recordon <davidrecordon@facebook.com> Tue, 09 March 2010 04:53 UTC

From: David Recordon <davidrecordon@facebook.com>
To: OAuth WG <oauth@ietf.org>
Date: Mon, 08 Mar 2010 20:53:39 -0800
Message-ID: <0C7833DF-75CA-4C4D-94A8-C5A20A2F41AB@facebook.com>
Subject: [OAUTH-WG] The verification URL and CAPTCHA responses for username/password profile?
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

I'm spending some time with the spec this evening and am having a hard time understanding the need for the verification URL and CAPTCHA responses which are part of the username and password profile.

My criteria for using this profile are that 1) the authorization server generally trusts the client to temporarily collect the end-user's username and password and 2) it is impossible to use one of the other authorization profiles.  This means that the client cannot interact with or embed a web browser.  Given that...

The client would not be able to send the user to the verification URL in the response anyway (otherwise they would have picked the rich app profile). If the client were to encourage the user to use a nearby computer, then it could use the upcoming device API which should be based on the Netflix flow.

The CAPTCHA response verifies that there is a human, not that it is the human to whom the username and password belong. Wouldn't bot attacks be mitigated via aggressive rate limiting techniques which reject authorization requests?  This response seems to be more complex than the benefit and hasn't been successfully implemented at scale AFAIK.

--David
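The rate limiting David proposes as an alternative to the CAPTCHA round trip, sketched as an added example (this is editorial code, not part of the thread or of any OAuth draft). It shows a token endpoint for a username/password profile that counts only failed credential checks, keyed per account, per source address and per client, and refuses requests for a locked key before touching the password store. The request field names (username, password, client_id, remote_addr), the "rate_limited" error and HTTP 429 are this example's assumptions; "invalid_grant" is the later RFC 6749 name for a bad resource-owner credential, not a parameter of the 2010 draft.

```python
# Added example: failure-based rate limiting for a token endpoint that accepts a
# username and password directly.  Field names, error strings and thresholds
# are assumptions for illustration, not identifiers from the OAuth draft.
import math
import secrets
import time
from collections import defaultdict, deque


class FailureRateLimiter:
    """Sliding-window counter of *failed* credential checks per key.

    Only failures count, so a legitimate user who knows the password is not
    throttled by their own traffic, while a guessing bot, which fails almost
    every time, is.  A key that accumulates `max_failures` failures inside
    `window` seconds is locked for `lockout` seconds.
    """

    def __init__(self, max_failures, window, lockout, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> clock time the lockout ends

    def retry_after(self, key):
        """Seconds until `key` may try again, or 0 if it is not locked out."""
        now = self.clock()
        until = self._locked_until.get(key, 0)
        if until > now:
            return until - now
        self._locked_until.pop(key, None)
        return 0

    def record_failure(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures[key].clear()
        self._locked_until.pop(key, None)


def build_limiters(clock=time.monotonic):
    # Per-account limit is tight but short-lived (it is also a lockout lever for an
    # attacker); per-IP and per-client limits are looser but lock for longer.
    return {
        "user":   FailureRateLimiter(max_failures=5,   window=300, lockout=60,  clock=clock),
        "ip":     FailureRateLimiter(max_failures=50,  window=300, lockout=900, clock=clock),
        "client": FailureRateLimiter(max_failures=500, window=60,  lockout=300, clock=clock),
    }


def handle_password_grant(request, limiters, verify_credentials):
    """Process one token request.  Returns (http_status, response_body).

    `request` is a dict with the assumed fields username, password, client_id and
    remote_addr; `verify_credentials(username, password)` returns True or False.
    """
    keys = {"user": request["username"],
            "ip": request["remote_addr"],
            "client": request["client_id"]}
    # Reject locked keys before verifying anything: no password-store load, and no
    # timing difference between a wrong guess and a right one during lockout.
    for scope, key in keys.items():
        wait = limiters[scope].retry_after(key)
        if wait > 0:
            return 429, {"error": "rate_limited", "retry_after": math.ceil(wait)}
    if verify_credentials(request["username"], request["password"]):
        # Only the account counter resets: a bot that knows one valid credential
        # must not be able to wipe the per-IP or per-client history.
        limiters["user"].record_success(request["username"])
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    for scope, key in keys.items():
        limiters[scope].record_failure(key)
    return 400, {"error": "invalid_grant"}


class FakeClock:
    """Deterministic clock so the scenario below runs offline and repeatably."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def simulate_guessing_bot(attempts=20):
    """Constructed scenario: one source guesses passwords for 'alice', then the
    real user tries the right password from another address, during and after
    the lockout.  Returns (bot_statuses, real_user_during, real_user_after)."""
    clock = FakeClock()
    limiters = build_limiters(clock)
    verify = lambda u, p: (u, p) == ("alice", "correct horse battery staple")
    bot = lambda i: {"username": "alice", "password": f"guess{i}",
                     "client_id": "app-1", "remote_addr": "203.0.113.7"}
    statuses = [handle_password_grant(bot(i), limiters, verify)[0] for i in range(attempts)]
    real = {"username": "alice", "password": "correct horse battery staple",
            "client_id": "app-1", "remote_addr": "198.51.100.5"}
    during = handle_password_grant(real, limiters, verify)[0]
    clock.advance(61)
    after = handle_password_grant(real, limiters, verify)[0]
    return statuses, during, after


if __name__ == "__main__":
    print(simulate_guessing_bot())
```

In the constructed run the bot gets five invalid_grant responses and then only 429s, and the real user is also refused while the per-account lockout is in force. That second result is the cost of a per-username counter: anyone who can send five bad passwords can lock the account for the lockout period, which is why the account lockout is kept short here and the per-IP and per-client counters carry the longer lockouts.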