[OAUTH-WG] not using oauth for this architecture in oauth for browser based apps.
Leo Tohill <leotohill@gmail.com> Mon, 22 July 2019 02:22 UTC
From: Leo Tohill <leotohill@gmail.com>
Date: Sun, 21 Jul 2019 22:22:16 -0400
Message-ID: <CABw+Fcuv2banmDtqC_6A4j6Vw7OgTLEDFOf0mn4YSeMaNkUsrA@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-VQ1ktgNLVphS2BrOnUPm0e2NeI>
Subject: [OAUTH-WG] not using oauth for this architecture in oauth for browser based apps.
The advice for the architectural pattern "JavaScript served from a common domain as the resource server" reads:

"For simple system architectures, such as when the JavaScript application is served from a domain that can share cookies with the domain of the API (resource server), it may be a better decision to avoid using OAuth entirely, and instead use session authentication to communicate directly with the API."

I can agree that session authentication could be best here, but how was the user authenticated in order to create the trusted session? Wouldn't that/shouldn't that still use an OAuth flow to collect credentials?

We need to be clear on the distinction between browser-based apps that hold the token(s) in the browser space vs. those that don't. I agree that with this "common domain" architecture the tokens should not be held in the browser, but it doesn't follow that OAuth should not be used at all.

Leo
- [OAUTH-WG] not using oauth for this architecture … Leo Tohill
- Re: [OAUTH-WG] not using oauth for this architect… Brock Allen
- Re: [OAUTH-WG] not using oauth for this architect… Hans Zandbelt
- Re: [OAUTH-WG] not using oauth for this architect… Leo Tohill
- Re: [OAUTH-WG] not using oauth for this architect… Justin Richer
- Re: [OAUTH-WG] not using oauth for this architect… Aaron Parecki