[OAUTH-WG] More product group review comments on the OAuth 2.0 for Browser-Based Apps spec

Mike Jones <Michael.Jones@microsoft.com> Sat, 22 February 2020 01:02 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A39A1200F4 for <oauth@ietfa.amsl.com>; Fri, 21 Feb 2020 17:02:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CrFbTDw8Fa-n for <oauth@ietfa.amsl.com>; Fri, 21 Feb 2020 17:02:24 -0800 (PST)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640135.outbound.protection.outlook.com [40.107.64.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FCCB1200F3 for <oauth@ietf.org>; Fri, 21 Feb 2020 17:02:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BabeXAmZucufBrLziGBpSNR9Ct/8qI7mTV4qgX479KO2t1yXAAwvRTkVCav8XIZiUVO1Qd06+ZUudf4jVQPWqvfwGOAK/67dGp32+W1Z08iFVN+b2LFVeDD9w5b70azjVCtF7NAWJTM07v+cEKy3jUCw48z7q1jjxKhuZX5ENIl05mB6imR04aLtwuVkRsBhdGmhjUIdgCpJzUcvsgTP21QVsRuvFbQUJ1qE1EPVb+VvIPb8GYqB411QHz7fVOEE2qMst2b+fZRqQELTjRfDaMn6VKzap2fql8n7omHPQZ6B3+Q2rXkKF71Xon+wc6UHb4+Lg2wu50eP7UcS4eaaIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZVZv3G6lMxzY8tGYrMSqpAltrdBvAeHrCkL0y2b5Ko=; b=VmiNMSgzvpgn88vfrc7StaKyyGq46DWMhGfyjyneQ7w3zQHOQker7XF1rpgMgb2N8nb0kbu8YJXUWlB2UQoU9AGuTH06Yj1JfB1SYjo+YH7vZJBmH3CKCkGD0cB9DZrjaF5ecPyRNn9a7ajO7Vh8skGklLBhbgYhbluEb9OildV8ERB4t0RDMzFmGPwDG28Wvwg2u+keSHxr7YFzq0VdhVXgbSD59JeC146Ae8YlDtH4B5rWlalneMewohPWcW4VHVBxbvH80hkxCNspaEDMZl8TUfuO46eJ1Webk5AMUCR9g2AvU947dqlvyxVRteCc+HAIoih232Sk1W92XIJgLg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZVZv3G6lMxzY8tGYrMSqpAltrdBvAeHrCkL0y2b5Ko=; b=Et3mfIjf13TVeVhavpwcJ60wb9Xwfdz+V19g7I9u6kzlUNx5xVWUcH10xlmIF4U0+jENKK7yv4rC371HP7mIYJ7kbrGU12kujwd5HC8CBn3nMmdtcoE6iADiDe8D3PDaf3mgy61IzUrJTpzNBKkVODl9Jpbqd79e9tWEUAZVyiU=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by BL0PR00MB0770.namprd00.prod.outlook.com (2603:10b6:208:1c1::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2798.0; Sat, 22 Feb 2020 01:02:01 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2522:39b3:eb98:cc8c]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2522:39b3:eb98:cc8c%8]) with mapi id 15.20.2798.000; Sat, 22 Feb 2020 01:02:01 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: More product group review comments on the OAuth 2.0 for Browser-Based Apps spec
Thread-Index: AdXpG3f2cDgEaH8QQ167PwNe4TzB+g==
Date: Sat, 22 Feb 2020 01:02:01 +0000
Message-ID: <MN2PR00MB06861DECA92E8CDA95610699F5EE0@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=422a613d-a42d-4319-ae51-0000e3ce3c95; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-02-22T00:59:36Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:0:b0d0:4afa:31da:9bf7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 35a205cf-2481-46ae-558d-08d7b732d35b
x-ms-traffictypediagnostic: BL0PR00MB0770:
x-microsoft-antispam-prvs: <BL0PR00MB0770E557DF1713F68CE1A34BF5EE0@BL0PR00MB0770.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 03218BFD9F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(346002)(136003)(396003)(39860400002)(366004)(376002)(189003)(199004)(55016002)(6916009)(5660300002)(81156014)(478600001)(66946007)(966005)(8936002)(81166006)(4326008)(8676002)(33656002)(76116006)(8990500004)(10290500003)(66574012)(54906003)(7696005)(6506007)(71200400001)(2906002)(86362001)(66446008)(186003)(52536014)(64756008)(66556008)(66476007)(9686003)(316002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR00MB0770; H:MN2PR00MB0686.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hp9YxzQpBexanrGyJobpoFdHR1IaUgpH3p0WqBKhUUaYW3O+KiN2dmYihGrpQNuwqPxU/+bHzSl7Qx5l/xjGpY24NQyC6/25UWLMMINlKlkWhrI+v81enDi3Uo6YxIN8VTFKcEmDzRIvJrmgy/qeo+26/IRfENMbf2g8Cx7z042Yeb0GcMV5TFA+8UYcKgiUKQdjCCNkKmKrq/ypAkHQXUvArXllq4cC0LYR6XfQZykbxrJsIbDOmAN01Y8bTICj7lyXotKWn0IrxktFZcfoFe2J2mO3Yf6yLq0B/8Xow4WktYM2lHaBPySs0gRS5RnaWC6jzCUus/mlsHyc78WiOGlHU9QHYOV+dqWunDDj1Z3NpnlOrkCGYRKjRzz4mvi/ZrsYXHvnXhyIRD+BwTh7UApjLfafmfJcMJZgrWAdhbmJSpCVK5JSGH/OX8P8fetMCNoosIgX2oPYciXCzylsbLLPdiBF5kYo/5096vp8r2Jt/GEuTNxnKYeHxcIZ3lhZIJibPX8Ov1FIuai2t8JkUw==
x-ms-exchange-antispam-messagedata: U8Tln1l2UAerdYAS+W6Th6JRnd6UalE3n+q8JP7MJAlvk9zd/CHm7544rbU4SsLYyWZsnwTz/hIyAwJTvprpYfug9kpcL/PJLfGLHGksRnxjqr6GmD7Ak08FYqabnTiHQJ8UW/V5iqC9vydM5hUL95EquHogl65MsQmO/9ZVfqmV34BKj4qCNutXuRfXFAChhU/a8cXZC+TtSTgNbQMHjw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB06861DECA92E8CDA95610699F5EE0MN2PR00MB0686namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 35a205cf-2481-46ae-558d-08d7b732d35b
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Feb 2020 01:02:01.7514 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0uR7Uk2+EZJSIn4I6tR9LmuSWUwUrsbobIpiItDeGc1IWY5Y0cuxk7/IHpFUrMp6UtBGSNS0ITNora5PxrouYQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR00MB0770
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0YMfhnhf9DhehPKVgMtChyQHJBc>
Subject: [OAUTH-WG] More product group review comments on the OAuth 2.0 for Browser-Based Apps spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Feb 2020 01:02:27 -0000

More comments hot off the presses from a Microsoft product architect...

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-6.2<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-browser-based-apps-04%23section-6.2&data=04%7C01%7CMichael.Jones%40microsoft.com%7C73725d8c1c014d1b6e2408d7b731dce8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637179297104326028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C-1&sdata=7ycNTjlpOBqPB22EFNhqnCBN3T0kev1bGw%2BmtL5KgKo%3D&reserved=0>
Applications with BE

If I read this correctly, the prescribed pattern is to have browser JS call into its own BE only and have the BE call into 3P WebAPIs:

When the JavaScript application in the browser wants to make a
   request to the Resource Server, it MUST instead make the request to
   the Application Server, and the Application Server will make the
   request with the access token to the Resource Server (C), and forward
   the response (D) back to the browser.

Many of our application services give the access tokens to browser instead and have JS call the resource server directly.
If we enforce the prescribed pattern, then app server becomes proxy to all resource servers. This may not scale of our services

SPO, for example, has a pattern that is a mix b/n application with and without BE. It can behave as public or conf client depending on the redirect URI as we allow URI to be marked as 'SPA'.

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-9.3<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-browser-based-apps-04%23section-9.3&data=04%7C01%7CMichael.Jones%40microsoft.com%7C73725d8c1c014d1b6e2408d7b731dce8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637179297104326028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C-1&sdata=TD0czW39IBoTpREeBFhmcUGcIzbYmPU02f6qZ4lFWFo%3D&reserved=0>
9.3<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-browser-based-apps-04%23section-9.3&data=04%7C01%7CMichael.Jones%40microsoft.com%7C73725d8c1c014d1b6e2408d7b731dce8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637179297104335990%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C-1&sdata=NfIE3QQYxgnRRkAFMR4ljuEcHKJYEBdVN2IyKf6m6ww%3D&reserved=0>amp;reserved=0>.  Client Impersonation
It is implied that consent granted to public client should not be recorded:

Even when the user has previously approved an

   authorization request for a given client_id, the request SHOULD be

   processed as if no previous request had been approved, unless the

   identity of the client can be proven.

Do we agree with this? If implemented, it will add significant number of consent prompts.

tx