CIBA: slow_down

Issue #114 resolved
Takahiko Kawasaki created an issue

The description of slow_down in the page 23 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:

the interval MUST be increased by 5 seconds for this and all subsequent requests

I'm not sure "5 seconds" is always appropriate to every possible use case. Is it necessary for the specification to say "MUST be increased" with a concrete time value? In addition, the fixed value (5 seconds in this case) "for this and all subsequent requests" will eliminate adoption of "exponential backoff" algorithm.

Comments (11)

  1. Dave Tonge

    I'm not 100% sure why its so restrictive in the device flow draft... but we don't want different behaviour for device flow and CIBA

  2. Brian Campbell

    Discussed during the Nov 13 MODRNA WG call and there was general consensus that following the device flow was probably good enough and likely the 'right' thing to do given the error code is actually defined there. There was agreement to add an "at least" to the sentence quoted in the ticket so as to more explicitly allow the client a bit more flexibility in how it slows down.

  3. Takahiko Kawasaki reporter

    429 Too Many Requests HTTP status code with Retry-After header is better.

    Syntax of Retry-After:

    Retry-After: <http-date>
    Retry-After: <delay-seconds>

    "Wait for at least 5 seconds" can be expressed as follows.

    HTTP/1.1 429 Too Many Requests
    Retry-After: 5

    "Read/Write Data API Specification" of UK Open Banking utilizes the standard HTTP status code and the standard HTTP header.

  4. Brian Campbell

    Using a 429 was discussed in the context of the device flow and the decision was that "there are no compelling reasons to change to the 429"

    But a 429 does convey what is needed in this case. Although it seems like an OAuth layer error code is probably needed too.

    Honestly, I don't know that the reasons for the 5 second value in device flow are all that compelling either. That value was put in in response to an IESG review that just wanted something specific

    So... I don't know. Maybe we can do something a little different in CIBA that's still in the spirit of general OAuth and uses the device flow error but also a 429.

  5. Brian Campbell

    Actually, a 429 and the Retry-After header say how long to wait before making the next request. While the slow_down is meant to tell the client to increase the poling interval for the next and all subsequent requests (for the given grant). So they aren't really equivalent.

  6. Brian Campbell

    pull request #45 adds an "at least" to the 5 second interval increase for slow_down as discussed and agreed on during the Nov 13 MODRNA WG call

  7. Takahiko Kawasaki reporter

    The point I imagine developers who read this specification in the future will feel strange is "5 seconds". What is the reason for this number? However, because probably this requirement won't cause any critical compatibility problems even if clients don't follow the requirement strictly, and because consensus has already been reached, I don't think I should stick to this any further.

  8. Log in to comment