From nobody Tue Sep 13 11:25:26 2022
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 5606AC15949B
 for <oauth@ietfa.amsl.com>; Tue, 13 Sep 2022 11:25:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level: 
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
 RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001,
 URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 07nwtLMie3LV for <oauth@ietfa.amsl.com>;
 Tue, 13 Sep 2022 11:25:20 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com
 [IPv6:2607:f8b0:4864:20::d2a])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id AB899C15949A
 for <oauth@ietf.org>; Tue, 13 Sep 2022 11:25:20 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id b23so10204648iof.2
 for <oauth@ietf.org>; Tue, 13 Sep 2022 11:25:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; 
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :from:to:cc:subject:date;
 bh=VcghmpgwdeTA2dS26mwTPBg3Ly+mB3VwJXObLDbjbSk=;
 b=O9dvSnxpdi98BEExSQtOswaDslsROKYjgrl94n+7a3DgMyUwc5pgTq0KPOHIdaYT0X
 xtrrvH0+j/FpPmHyFNmkmXaoHrfJLIbyInKWgTvEy1wUL4fjiI0jYUbhlXCl4kWuSSWo
 8qxYNYOhHmvNdbliAPuZRao/WxveVZVsE98n/c1dbVfz9Tk2tqW64vVcO7JM6XOB72K3
 QbJYr/VldXo1ICJdE0dtLG8vThL9/tnyWcDeeVJIaIXo07IIFeAYtmlBCUf4CtYJvyK1
 3tf/R7nH9iAaSnx8iuLNWgAkKshUs3qde60gMxu3X8rxPOoAJNR4F4kTbZ6wxL5nllOr
 1vhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=to:subject:message-id:date:from:in-reply-to:references:mime-version
 :x-gm-message-state:from:to:cc:subject:date;
 bh=VcghmpgwdeTA2dS26mwTPBg3Ly+mB3VwJXObLDbjbSk=;
 b=J8wJj3wzum1qVgznUdzNs48fKUu1Qt/b+HOjrkUuXBX8/1bCEfhbZuNai7X/rl8Ha2
 1b5VW6BcgSbvSTI5N83zZx7La2AWq7KpKaX1MkZPiQPDJCHvL+D5IbcE0Uc/ABA2lSI0
 M07EPRfRDyzK16lCXfgPJhfepQQjcW3tJhOgQnR690oePoCDagxIRISArZxIcISQYjAl
 puvFcf/xulo2oJpKysIO7pCBhR8f8eG1baSu+SdFPnRbNCCVr0CDhrqaE6NbkXAf+xYP
 RpEQTq4XLgxEZZ25kAOV68xXxhwK0LTnuvZRJoYHZsR93D/dUti4cIilWAziAxELIphF
 GT4Q==
X-Gm-Message-State: ACgBeo0hxXrFb7Dlb2dcfMhDBvEQznS5oy7B/nvSWFxzBlNtUnH9wpBb
 M4ZGPgy1E5kB2A2Bw7MtqppTKwghJcfkwg==
X-Google-Smtp-Source: AA6agR4YaTutfYXSPbftQx/lWB54/6gIblfkoeqQyRxQlz2fKWJCICpg2Vo6IGH7bIXFSRQIGceE0w==
X-Received: by 2002:a05:6602:134a:b0:689:2648:9c90 with SMTP id
 i10-20020a056602134a00b0068926489c90mr15379439iov.211.1663093519103; 
 Tue, 13 Sep 2022 11:25:19 -0700 (PDT)
Received: from mail-io1-f54.google.com (mail-io1-f54.google.com.
 [209.85.166.54]) by smtp.gmail.com with ESMTPSA id
 e18-20020a0566380cd200b00346e7ca2463sm5770486jak.135.2022.09.13.11.25.18
 for <oauth@ietf.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 13 Sep 2022 11:25:18 -0700 (PDT)
Received: by mail-io1-f54.google.com with SMTP id z191so10337098iof.10
 for <oauth@ietf.org>; Tue, 13 Sep 2022 11:25:18 -0700 (PDT)
X-Received: by 2002:a02:2711:0:b0:35a:4fb3:efcf with SMTP id
 g17-20020a022711000000b0035a4fb3efcfmr3704098jaa.14.1663093518176; Tue, 13
 Sep 2022 11:25:18 -0700 (PDT)
MIME-Version: 1.0
References: <166309088540.3684.1323489253171590895@ietfa.amsl.com>
In-Reply-To: <166309088540.3684.1323489253171590895@ietfa.amsl.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 13 Sep 2022 11:25:07 -0700
X-Gmail-Original-Message-ID: <CAGBSGjruc9xqY3Bct3w8BwK+b-=yAPt0GP+HpucY7nKAvB_Rkw@mail.gmail.com>
Message-ID: <CAGBSGjruc9xqY3Bct3w8BwK+b-=yAPt0GP+HpucY7nKAvB_Rkw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000611d1c05e893225f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-tMD2ahhs8CmlgMp-Uh2E8k76gg>
Subject: Re: [OAUTH-WG] I-D Action:
 draft-ietf-oauth-browser-based-apps-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2022 18:25:24 -0000

--000000000000611d1c05e893225f
Content-Type: text/plain; charset="UTF-8"

Hello all,

With the help of a few kind folks, we've made some updates to this draft as
discussed during the last IETF meeting in Philadelphia.

You can find the current version, draft 11, here:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html

The major changes in this version are adding two new architecture patterns,
the "Token Mediating Backend" pattern based on the TMI-BFF draft, and the
"Service Worker" pattern of using a Service Worker as the OAuth client.
I've also done a fair amount of rearranging of various parts of the
document to hopefully make more sense.

Obviously there is no clear winner in terms of which architecture pattern
is best, so instead of trying to make a blanket recommendation, the goal of
this draft is to document the pros and cons of each. If you have any input
into either benefits or drawbacks that aren't mentioned yet in any of the
patterns discussed, please feel free to chime in so we can add them to the
document! You're welcome to either reply on the list, open an issue on the
linked GitHub repository, or contact me directly. Keep in mind that only
comments on the mailing list are part of the official record.

Thanks,

Aaron Parecki


On Tue, Sep 13, 2022 at 10:42 AM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 for Browser-Based Apps
>         Authors         : Aaron Parecki
>                           David Waite
>   Filename        : draft-ietf-oauth-browser-based-apps-11.txt
>   Pages           : 29
>   Date            : 2022-09-13
>
> Abstract:
>    This specification details the security considerations and best
>    practices that must be taken into account when developing browser-
>    based applications that use OAuth 2.0.
>
> Discussion Venues
>
>    This note is to be removed before publishing as an RFC.
>
>    Discussion of this document takes place on the Web Authorization
>    Protocol Working Group mailing list (oauth@ietf.org), which is
>    archived at https://mailarchive.ietf.org/arch/browse/oauth/.
>
>    Source for this draft and an issue tracker can be found at
>    https://github.com/oauth-wg/oauth-browser-based-apps.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-11
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org:
> :internet-drafts
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--000000000000611d1c05e893225f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hello all,<div><br></div><div>With the help of a few kind =
folks, we&#39;ve made some updates to this draft as discussed during the la=
st IETF meeting in Philadelphia.</div><div><br></div><div>You can find the =
current version, draft 11, here:=C2=A0</div><div><a href=3D"https://www.iet=
f.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html">https://www.i=
etf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html</a></div><di=
v><br></div><div>The major changes in this version are adding two new archi=
tecture patterns, the &quot;Token Mediating Backend&quot; pattern based on =
the TMI-BFF draft, and the &quot;Service Worker&quot; pattern of using a Se=
rvice Worker as the OAuth client. I&#39;ve also done a fair amount of rearr=
anging of various parts of the document to hopefully make more sense.</div>=
<div><br></div><div>Obviously there is no clear winner in terms of which ar=
chitecture pattern is best, so instead of trying to make a blanket recommen=
dation, the goal of this draft is to document the pros and cons of each. If=
 you have any input into either benefits or drawbacks that aren&#39;t menti=
oned yet in any of the patterns discussed, please feel free to chime in so =
we can add them to the document! You&#39;re welcome to either reply on the =
list, open an issue on the linked GitHub repository, or contact me directly=
. Keep in mind that only comments on the mailing list are part of the offic=
ial record.</div><div><br></div><div>Thanks,</div><div><br></div><div>Aaron=
 Parecki</div><div><br></div></div><br><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Tue, Sep 13, 2022 at 10:42 AM &lt;<a href=
=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a>&gt; wrote=
:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.=
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
A New Internet-Draft is available from the on-line Internet-Drafts director=
ies.<br>
This draft is a work item of the Web Authorization Protocol WG of the IETF.=
<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Title=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:=
 OAuth 2.0 for Browser-Based Apps<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Authors=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: Aaro=
n Parecki<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 David Waite<br>
=C2=A0 Filename=C2=A0 =C2=A0 =C2=A0 =C2=A0 : draft-ietf-oauth-browser-based=
-apps-11.txt<br>
=C2=A0 Pages=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: 29<br>
=C2=A0 Date=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 : 2022-09-13<br>
<br>
Abstract:<br>
=C2=A0 =C2=A0This specification details the security considerations and bes=
t<br>
=C2=A0 =C2=A0practices that must be taken into account when developing brow=
ser-<br>
=C2=A0 =C2=A0based applications that use OAuth 2.0.<br>
<br>
Discussion Venues<br>
<br>
=C2=A0 =C2=A0This note is to be removed before publishing as an RFC.<br>
<br>
=C2=A0 =C2=A0Discussion of this document takes place on the Web Authorizati=
on<br>
=C2=A0 =C2=A0Protocol Working Group mailing list (<a href=3D"mailto:oauth@i=
etf.org" target=3D"_blank">oauth@ietf.org</a>), which is<br>
=C2=A0 =C2=A0archived at <a href=3D"https://mailarchive.ietf.org/arch/brows=
e/oauth/" rel=3D"noreferrer" target=3D"_blank">https://mailarchive.ietf.org=
/arch/browse/oauth/</a>.<br>
<br>
=C2=A0 =C2=A0Source for this draft and an issue tracker can be found at<br>
=C2=A0 =C2=A0<a href=3D"https://github.com/oauth-wg/oauth-browser-based-app=
s" rel=3D"noreferrer" target=3D"_blank">https://github.com/oauth-wg/oauth-b=
rowser-based-apps</a>.<br>
<br>
<br>
The IETF datatracker status page for this draft is:<br>
<a href=3D"https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-=
apps/" rel=3D"noreferrer" target=3D"_blank">https://datatracker.ietf.org/do=
c/draft-ietf-oauth-browser-based-apps/</a><br>
<br>
There is also an HTML version available at:<br>
<a href=3D"https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-a=
pps-11.html" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/arch=
ive/id/draft-ietf-oauth-browser-based-apps-11.html</a><br>
<br>
A diff from the previous version is available at:<br>
<a href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-oauth-browser-bas=
ed-apps-11" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/rfcdi=
ff?url2=3Ddraft-ietf-oauth-browser-based-apps-11</a><br>
<br>
<br>
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-dra=
fts<br>
<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" rel=3D"noreferrer" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
</blockquote></div>

--000000000000611d1c05e893225f--

