Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Brian Campbell <bcampbell@pingidentity.com> Fri, 30 November 2018 22:43 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0F0131083 for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2018 14:43:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5SQjiu91EYSx for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2018 14:43:38 -0800 (PST)
Received: from mail-it1-x131.google.com (mail-it1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BD4E130EC8 for <oauth@ietf.org>; Fri, 30 Nov 2018 14:43:38 -0800 (PST)
Received: by mail-it1-x131.google.com with SMTP id a6so812053itl.4 for <oauth@ietf.org>; Fri, 30 Nov 2018 14:43:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=itqU6li7yMqzibCGwXTG0lCUTZ1NyiNQieINqXqGsjI=; b=jk+tfR3W8iAldwdRmxY7W0JhurOaF57zPgO1Oi2iLsL7+w+PgQ9+j6mrSIm7x2ScYE GosS9+TJVjBLnHnVDtM2DL0HiQrc7fzHikVrM3sf9MPTgEfGQNft0IrT/aawVJJeQt3N SGV22tzySdKRWWeeSMozqchTdce3X5urNhSKM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=itqU6li7yMqzibCGwXTG0lCUTZ1NyiNQieINqXqGsjI=; b=ih+20ZclXY9CpEOU6gQqIR7Ipy3JpZZiqEzMhuzjnqAwvehiy0/XWqmu9DecFFZt2A KF/x1Z8McsJsPLlwOPz7oRF/3i7h5oQrC7tpDwTW/KzQakU7R3IwiA96PSfG0pd0Qfk3 lAlvxzG+jwwcEWeKJx8/fjvwLhdsqNjsrgfDZwaFJs/hV6e8ig/GR8a3w4OxuDnWr8TI qC6UGM9CLZJPr7grvl252BnTvp2EgGDJ5FFAZJ+xDzLOjnwaSOScBArtpvOynt9T7Lg9 UgZge+0iB15vt+R55zUuuElajXtHBEM2IocFw93lbm8furRFn9cTjgB/GgRKkUBC5T/f fvyA==
X-Gm-Message-State: AA+aEWYAwpf4vEBKFaJfHvNWk9kWs1g1jCGWbU7fXn+6fFz+CTvmhSXm zB2XCd5tPkH+at6mtS+3Y8KA8tDnroTG/wT6sIX0993HidAlCLyojbqkag0YTOKvxaICM5+zrJQ UB//zhQgwR5E06A==
X-Google-Smtp-Source: AFSGD/XUTlD4WnTUOe0DbnbAsrv+l0e/EllOCKqqNNSI7Z0/7RNd7bOxQk3lZYgueH49IN0lquzU7wZnvK7ulEwGi9s=
X-Received: by 2002:a24:85d4:: with SMTP id r203-v6mr601160itd.124.1543617817694; Fri, 30 Nov 2018 14:43:37 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com> <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net>
In-Reply-To: <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 30 Nov 2018 15:43:11 -0700
Message-ID: <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brock Allen <brockallen@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b17322057be98769"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0QyoHp5ka-ObsOFLvShWnJEsHyc>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 22:43:40 -0000

On Sat, Nov 17, 2018 at 4:07 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> > Am 15.11.2018 um 23:01 schrieb Brock Allen <brockallen@gmail.com>:
> >
> > So you mean at the resource server ensuring the token was really issued
> to the client? Isn't that an inherent limitation of all bearer tokens
> (modulo HTTP token binding, which is still some time off)?
>
> Sure. That’s why the Security BCP recommends use of TLS-based methods for
> sender constraining access tokens (
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2..2).
> Token Binding for OAuth (
> https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08) as well as
> Mutual TLS for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-mtls-12)
> are the options available.
>

Unfortunately even when using the token endpoint, for SPA / in-browser
client applications, the potential mechanisms for sender/key-constraining
access tokens don't work very well or maybe don't work at all. So I don't
know that the recommendation is very realistic.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._