CIBA: slow_down
The description of slow_down
in the page 23 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:
the interval MUST be increased by 5 seconds for this and all subsequent requests
I'm not sure "5 seconds" is always appropriate to every possible use case. Is it necessary for the specification to say "MUST be increased" with a concrete time value? In addition, the fixed value (5 seconds in this case) "for this and all subsequent requests" will eliminate adoption of "exponential backoff" algorithm.
Comments (11)
-
-
I'm not 100% sure why its so restrictive in the device flow draft... but we don't want different behaviour for device flow and CIBA
-
-
assigned issue to
-
assigned issue to
-
Discussed during the Nov 13 MODRNA WG call and there was general consensus that following the device flow was probably good enough and likely the 'right' thing to do given the error code is actually defined there. There was agreement to add an "at least" to the sentence quoted in the ticket so as to more explicitly allow the client a bit more flexibility in how it slows down.
-
reporter 429 Too Many Requests
HTTP status code withRetry-After
header is better.Syntax of
Retry-After
:Retry-After: <http-date> Retry-After: <delay-seconds>
"Wait for at least 5 seconds" can be expressed as follows.
HTTP/1.1 429 Too Many Requests Retry-After: 5
"Read/Write Data API Specification" of UK Open Banking utilizes the standard HTTP status code and the standard HTTP header.
-
Using a 429 was discussed in the context of the device flow https://mailarchive.ietf.org/arch/msg/oauth/zs5Jdu5AZ9E6Jwp_mYXpeIqaOTo and the decision was that "there are no compelling reasons to change to the 429"
But a 429 does convey what is needed in this case. Although it seems like an OAuth layer error code is probably needed too.
Honestly, I don't know that the reasons for the 5 second value in device flow are all that compelling either. That value was put in in response to an IESG review that just wanted something specific https://mailarchive.ietf.org/arch/msg/oauth/I62mzW3exLVZ9XT-8tovpgh12cQ
So... I don't know. Maybe we can do something a little different in CIBA that's still in the spirit of general OAuth and uses the device flow error but also a 429.
-
Actually, a 429 and the Retry-After header say how long to wait before making the next request. While the slow_down is meant to tell the client to increase the poling interval for the next and all subsequent requests (for the given grant). So they aren't really equivalent.
-
pull request
#45adds an "at least" to the 5 second interval increase forslow_down
as discussed and agreed on during the Nov 13 MODRNA WG call -
reporter The point I imagine developers who read this specification in the future will feel strange is "5 seconds". What is the reason for this number? However, because probably this requirement won't cause any critical compatibility problems even if clients don't follow the requirement strictly, and because consensus has already been reached, I don't think I should stick to this any further.
-
Thanks @authlete-taka, I think the change from Brian is the best we can do at the moment.
-
- changed status to resolved
Pull request merged
- Log in to comment
This is taken from the OAuth device flow draft: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13