Internet-Draft | mAuth | November 2024 |
Bucksch | Expires 8 May 2025 | [Page] |
This document creates a specific OAuth2 profile that is suitable for mail, chat, calendar and similar clients.¶
It defines specific parameters of OAuth2, to allow email clients to reliably authenticate using OAuth2 on any mail provider.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://benbucksch.github.io/mauth-spec/draft-mauth.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mauth/.¶
Discussion of this document takes place on the extra Working Group mailing list (mailto:extra@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/extra/. Subscribe at https://www.ietf.org/mailman/listinfo/extra/.¶
Source for this draft and an issue tracker can be found at https://github.com/benbucksch/mauth-spec.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 May 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Mail clients today use mostly username and password to log in to IMAP. OAuth2 can only be used at the biggest providers, but causes major problems for mail clients in its current application.¶
This document creates a specific OAuth2 profile that is suitable for mail, chat, calendar and similar clients.¶
It defines specific parameters of OAuth2, with the purpose of making OAuth2 as reliable for client and for end users as password login is today.¶
It also avoids provider-specific configuration and adjustments. This in turn would allow email clients to authenticate using OAuth2 on any mail provider, without having to specifically register with or test each and every mail provider in the world.¶
To avoid that the client needs to know the provider-specific version of scope names, the server MUST accept the following literal scope names (RFC 6749 3.3), for the following purposes:¶
Scope | Resource protocol or standard |
---|---|
IMAP | RFC 9051 |
SMTP | RFC 5321 |
POP3 | RFC 1939 |
CalDAV | RFC 4791 |
CardDAV | RFC 6352 |
WebDAV | RFC 4918 |
XMPP | RFC 6120 |
matrix.org/Matrix | Matrix chat client/server API |
microsoft.com/EWS | Microsoft Exchange Web Services |
microsoft.com/ActiveSync | Microsoft ActiveSync |
For all RFC references, previous versions and updates of these standards are also included.¶
If a client requests one or multiple of these scopes, the token issued by the server MUST be valid for this user on the resource servers of the provider which implement the corresponding protocols.¶
If the provider does not have an resource server which
implements this protocol, the server MUST ignore the unsupported scope and issue the token for the supported scopes. The authorization server response MUST include only the supported scopes. It MAY reject the token request with error invalid_scope
, if all requested scopes are unsupported.
(See RFC 6749 3.3 Paragraph 3)¶
OAuth2 was created with server-to-server relations in mind, where a contractual relationship between both parties exist. [OAuth2.1] Section 2 states: "Client Registration ... typically involve the client developer manually ... creating an account and agreeing to the service's Terms of Service".¶
This concept is not compatible with the concept of mail clients. A mail client cannot realistically register with all mail providers in the world.¶
Last but not least, the client ID currently allows a mail provider to force a contract on a mail client. This is directly contrary to a free Internet and IETF values.¶
Furthermore, given that mail providers typically also offer mail clients and mail clients are therefore almost always competitors to the mail provider, a mail provider blocking clients or allowing the clients only under conditions, is inherently anti-competitive.¶
The server MUST accept the following Client ID
(RFC 6749 2.2):
open
¶
The client SHALL use this Client ID.¶
The server MUST NOT require other authentication or authorization for the client software.¶
The client MUST use the following mechanisms to identify itself, as appropriate for the protocol used:¶
Protocol | Identification method | Standard |
---|---|---|
OAuth2 |
User-Agent HTTP header |
RFC 2616 14.43 |
HTTPS |
User-Agent HTTP header |
RFC 2616 14.43 |
IMAP |
ID command |
RFC 2971 |
All all cases, the client MUST use as primary name component a string reflecting the commonly known name of the end user application, and at least the major version. The client MAY include as secondary name component the software library that implements the protocol.¶
In the case of HTTP user agent strings, the order is reversed, so a typical user agent string should be, for mail app "ACME Mail" using "Best Effort IMAP" library:¶
User-Agent: Best-Effort-IMAP/2.3 ACME-Mail/4.5
¶
The OAuth2 authorization server MUST NOT reject or disadvantage clients that send non-browser User-Agent strings. The client SHALL NOT send generic browser user agent strings, unless the authorization server is known to disadvantage a client without such user agent string.¶
In most cases, the client would like to authenticate to a specific account or email address which is known before the authentication is started. However, RFC 6749 does not specify how the client informs the authorization server which username is intended to log in. Various proprietary provider-specific mechanisms exist, e.g. login_hint
at Office365, but there is no interoperable standard.¶
In the Authorization Request, an additional URL query parameter username
MAY be passed by the client, with the email address or account ID of the account that the client expects to log in. If given, the server MUST skip the interactive username input, SHALL show the username on the login page, and SHALL NOT allow the user to log in with another account.¶
In the Authorization Response Error Response (RFC 6749 4.1.2.1.), the following more specific error
codes MUST be used, if their case applies:¶
error code | Problem |
---|---|
auth_failed | The user made a login attempt, but the password or username or second factor was wrong. |
blocked | The login credentials were valid, but the user account was blocked. The error_description MUST give a detailed cause for the block, and SHALL explain a way for the user to remedy the problem and unblock the account. |
unknown_user | The user doesn't exist, as far as this server is aware. |
user_not_here | The user account is known to exist, but must use another OAuth2 server. |
no_oauth | The user account exists, but is not allowed to use OAuth2. |
The authorization server access token response MUST contain a working refresh token together with the access token (RFC 6749 5.1. and 6.).¶
When the client requests a new access token using a valid refresh token, the authorization server MUST return a new refresh token with a renewed expiry time.¶
The expiry time of the refresh token MUST be long enough for typical uses of an email client that checks email in the background, i.e. at least 24 hours, but preferably 1 year.¶
The expires_in
field MUST be returned in the response (in RFC 6749 5.1., it is RECOMMENDED).¶
The tokens MAY be revoked or invalidated by the authorization server at any time, if there is a concrete reason to believe that this specific account has been compromised.¶
This avoids that users get logged out of their email silenty and do not get new mail notifications anymore.¶
It also avoids that users have to re-log in constantly, which is known to be detrimental to security, due to passwords being written down or re-using the same password on multiple services to remember them.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The client MUST act directly on behalf of the user who is authenticating using OAuth2.¶
The client MUST keep the data obtained via the obtained access token from the protected resources on the user's computers and MUST not route the data through servers not under control of the resource server owner (including avoiding servers of the application vendor), unless specifically and explicitly requested by the user. (TODO rephrase with better English)¶
This document has no IANA actions.¶