Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-11.txt

Aaron Parecki <> Tue, 13 September 2022 18:25 UTC

Hello all,

With the help of a few kind folks, we've made some updates to this draft as
discussed during the last IETF meeting in Philadelphia.

You can find the current version, draft 11, here:

The major changes in this version are adding two new architecture patterns,
the "Token Mediating Backend" pattern based on the TMI-BFF draft, and the
"Service Worker" pattern of using a Service Worker as the OAuth client.
I've also done a fair amount of rearranging of various parts of the
document to hopefully make more sense.

Obviously there is no clear winner in terms of which architecture pattern
is best, so instead of trying to make a blanket recommendation, the goal of
this draft is to document the pros and cons of each. If you have any input
into either benefits or drawbacks that aren't mentioned yet in any of the
patterns discussed, please feel free to chime in so we can add them to the
document! You're welcome to either reply on the list, open an issue on the
linked GitHub repository, or contact me directly. Keep in mind that only
comments on the mailing list are part of the official record.


Aaron Parecki

On Tue, Sep 13, 2022 at 10:42 AM <> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>         Title           : OAuth 2.0 for Browser-Based Apps
>         Authors         : Aaron Parecki
>                           David Waite
>         Filename        : draft-ietf-oauth-browser-based-apps-11.txt
>         Pages           : 29
>         Date            : 2022-09-13
> Abstract:
>    This specification details the security considerations and best
>    practices that must be taken into account when developing browser-
>    based applications that use OAuth 2.0.
> Discussion Venues
>    This note is to be removed before publishing as an RFC.
>    Discussion of this document takes place on the Web Authorization
>    Protocol Working Group mailing list (, which is
>    archived at
>    Source for this draft and an issue tracker can be found at
> The IETF datatracker status page for this draft is:
> There is also an HTML version available at:
> A diff from the previous version is available at:
> Internet-Drafts are also available by rsync at
> :internet-drafts