Re: [OAUTH-WG] Google's use of Implicit Grant Flow
<Sebastian.Ebling@telekom.de> Fri, 17 February 2017 16:03 UTC
Return-Path: <prvs=214125624=Sebastian.Ebling@telekom.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23C3112944D for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 08:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telekom.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4nNy1kRnf_2 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 08:03:56 -0800 (PST)
Received: from MAILOUT21.telekom.de (MAILOUT21.telekom.de [80.149.113.251]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D305127071 for <oauth@ietf.org>; Fri, 17 Feb 2017 08:03:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telekom.de; i=@telekom.de; q=dns/txt; s=dtag1; t=1487347435; x=1518883435; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=OzhPpuqs/GLG1zRLbhNeqUzthXwxEejg1dRS3pwC+Y8=; b=xEDPFIMoqAhQXa9QXOI5vUsuO7UkXk01PK1+mDiMoEj0mBBDoBjkzmcg w6cA8Dgigxzro536i1K4DTrLV2/sGpmvpQEfEwWhYn+ZIN6a17HcCgT+P rLx29WzohkEaK7M+f2/TsMIpEbLoCOcqRjNreafdBLJNTIqlm/F8rDDeA pgbt+otLmrlSkk0Ie9WVHiILhgZzY7yXVvbeYFLg2JHuEP6/rjF5Tpplc AL86CZxfyVOQi7AbXQ/glmY8/96YYNVvqkyi0NMbLzpTNKQIv2Cdu3dWT xEYriwLChVbC9P8ilO5eUWJsfMu7TWQA9pvNK9uFwsU4FLZiQnsvtfa6k w==;
Received: from q4de8psa04t.blf.telekom.de ([10.151.13.130]) by MAILOUT21.telekom.de with ESMTP/TLS/DHE-RSA-AES128-SHA; 17 Feb 2017 17:03:53 +0100
X-IronPort-AV: E=Sophos;i="5.35,172,1484002800"; d="scan'208,217";a="621113027"
Received: from he105715.emea1.cds.t-internal.com ([10.169.118.51]) by Q4DE8PSA04V.blf.telekom.de with ESMTP/TLS/AES256-SHA; 17 Feb 2017 17:03:53 +0100
Received: from HE105717.EMEA1.cds.t-internal.com (10.169.118.53) by HE105715.emea1.cds.t-internal.com (10.169.118.51) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 17 Feb 2017 17:03:53 +0100
Received: from HE105717.EMEA1.cds.t-internal.com ([fe80::5881:9115:c037:89f8]) by HE105717.emea1.cds.t-internal.com ([fe80::5881:9115:c037:89f8%26]) with mapi id 15.00.1263.000; Fri, 17 Feb 2017 17:03:52 +0100
From: Sebastian.Ebling@telekom.de
To: bburke@redhat.com, oauth@ietf.org
Thread-Topic: [OAUTH-WG] Google's use of Implicit Grant Flow
Thread-Index: AQHSiKZY8rBjj2HMMkuyqR4U8Rqi96FsMosAgAEqb+A=
Date: Fri, 17 Feb 2017 16:03:52 +0000
Message-ID: <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com>
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com>
In-Reply-To: <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.157.116.64]
Content-Type: multipart/alternative; boundary="_000_600a2fe3fbc147588baedb557e6e5938HE105717emea1cdstintern_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-lEv3Uw2bygZfAczwVHLu5A443c>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 16:03:58 -0000
Same for Deutsche Telekom. Our javascript clients also use code flow with CORS processing and of course redirect_uri validation. Best regards Sebastian Von: OAuth [mailto:oauth-bounces@ietf.org] Im Auftrag von Bill Burke Gesendet: Freitag, 17. Februar 2017 00:14 An: oauth@ietf.org Betreff: Re: [OAUTH-WG] Google's use of Implicit Grant Flow For our IDP [1], our javascript library uses the auth code flow, but requires a public client, redirect_uri validation, and also does CORS checks and processing. We did not like Implicit Flow because 1) access tokens would be in the browser history 2) short lived access tokens (seconds or minutes) would require a browser redirect I'd be really curious to hear other's thoughts though. [1] http://keycloak.org On 2/16/17 5:44 PM, Jim Manico wrote: Hello Folks, I noticed that Google supports the OAuth 2 Implicit flow for third-party JavaScript applications. https://developers.google.com/identity/protocols/OAuth2UserAgent Isn't this generally discouraged from a security POV? Is there a better OAuth 2 flow for third party SPA applications? Aloha, -- Jim Manico Manicode Security https://www.manicode.com _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Bill Burke
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Josh Mandel
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Sebastian.Ebling
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Adam Lewis
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Aaron Parecki
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier