IETF Logo Mail Archive

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

"Brock Allen" <brockallen@gmail.com> Thu, 15 November 2018 22:01 UTC

Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1996130ECA for <oauth@ietfa.amsl.com>; Thu, 15 Nov 2018 14:01:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ya7P1LElJfC for <oauth@ietfa.amsl.com>; Thu, 15 Nov 2018 14:01:16 -0800 (PST)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB00F130EC7 for <oauth@ietf.org>; Thu, 15 Nov 2018 14:01:15 -0800 (PST)
Received: by mail-qk1-x72f.google.com with SMTP id q70so16838781qkh.6 for <oauth@ietf.org>; Thu, 15 Nov 2018 14:01:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:date:message-id:subject:from:to:cc:in-reply-to :references:user-agent; bh=Yavoz46N2Cy976B8I49QXfIsjtZVT/GTXabpB+lRICg=; b=ldBoF3r7+iohz0pvRHSUjaSTvv3PHRMvccbc1merh+kD8P54whjEcsSgI/XuIZb5WB LKP5lBlDl2y6GhaBkwULtU4UidLwR0eNyW3yEGOZNkgR6Kp8/BFyfetYcfbm3XGMuoFG lUKL/aa2jS4U4uiWtp/bmjrQiM5ndKOJNOzgdkm0c1yQZBKL5CsLYANXoF0/Rdsmpnm9 pfnPxNTQZnQolJYTL7DHUO5vYLIiOwFOYibQdEc7BOQlGOl34fKCqZe3vv8HsizcOvLM uIzOZnbf3r9qmvZNZFM1GM1AjKSAH1L1cwnWkmslyGQ7oBFtCtfxdxZ7wgozZZUO2Txv lmlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :in-reply-to:references:user-agent; bh=Yavoz46N2Cy976B8I49QXfIsjtZVT/GTXabpB+lRICg=; b=ptA51hB0Sc8+2xNLDIwPqsnJmy00Srtw0lj7eao/BdHasfz+9TJj5EJaayDD/teztw 9bm0dWslEZf6jhkEqFSpIFPq1A0wV5DhNe8nFJ8SQSPxRcVAiGdIqnOk67/Dtlbgv1yZ zsJeXuUqGE+Prn3tBpkIncTwY9nBEMFncQh2L/LC1MAPeAdSVE9z67RT7/qos3uFPCuL Tdiumk6uNW2+2XIU1O2wTiaqjZSyml07Nyen7XWRQBzb/gxUdNm9aSYFF1l4HJclSlkA m7il09w2MPHP+ALybXkPaYT5UGFWlX4yq3SFepxnnAEFimd+aEWMduehogTQy/Mzb1F2 gpow==
X-Gm-Message-State: AGRZ1gJ9hXYXULdZ7MhM0akdXgCtQdjFfp+ltjskneK78RxXxX/ELK+c TDI/aLpmhA6YLHaZ8z5CPvapdb75
X-Google-Smtp-Source: AJdET5dYPwWrdOo2XxTsCYuIRgBWk6G/2ROZh9jxCyGYwQEaj+XRxwcrxCHbGPJYBa5gIPikWk69BA==
X-Received: by 2002:a0c:f0c2:: with SMTP id d2mr7901175qvl.123.1542319274760; Thu, 15 Nov 2018 14:01:14 -0800 (PST)
Received: from [10.0.1.3] (pool-96-253-25-169.prvdri.fios.verizon.net. [96.253.25.169]) by smtp.gmail.com with ESMTPSA id k6sm6572598qkk.60.2018.11.15.14.01.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Nov 2018 14:01:13 -0800 (PST)
Content-Type: multipart/alternative; boundary="----=_NextPart_49816796.133433135323"
MIME-Version: 1.0
Date: Thu, 15 Nov 2018 17:01:10 -0500
Message-ID: <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com>
From: Brock Allen <brockallen@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Aaron Parecki <aaron@parecki.com>, Hannes Tschofenig <hannes.tschofenig@arm.com>, oauth@ietf.org
In-Reply-To: <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net>
User-Agent: Mailbird/2.5.23.0
X-Mailbird-ID: 64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5Ydh7nLmbrPVLu9ugaaRIta6yao>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 22:01:18 -0000

> It still lacks the ability to issue sender constraint access tokens.

So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)? Resource servers don't know the flow the clients might use, especially if/when they have many clients.

> The AS can bind the lifetime of the refresh tokens to the session lifetime, i.e. automatically revoke it on logout.


Yea, I saw your other email asking about refresh token revocation relating to session management. Obviously for certain clients, this won't make sense, but for implicit/browser-based ones it's a nice feature to have.

The alternative, as you mentioned, is to not issue refresh tokens and do token renewal the "same old way" via iframe with prompt=none, while still using code flow.

> The only potential „baby step“ I would see is to move towards „token id_token“. Since this requires signature/at_hash checks etc. I doubt this is really easier than moving to code and exchange the code for an access token. What’s your opinion?

Even since OIDC arrived, this is the only flow I use for JS/browser-based clients (anything less has always seemed so obviously inferior). So for me and my customers, all browser-based clients I am involved in are already there. Perhaps this is the reason for all of my questions/comments about the recent BCP doc. Given "id_token token", CSP, and using the browser history API to wipe the access token from browser history, we already have a decent set of tools to mitigate attacks. As I already conceded, the only remaining issue (IMO) is the short window of time the access token is in the URL.

Given that it seems to me that OIDC and OAuth2 are typically used together (at least when a user is involved with authentication), I always wonder why the OAuth and OIDC WGs are separate. Given that so much effort of the two sets of specs overlap, it seems odd to keep adding onto the OAuth specs and ignoring the added features that OIDC provides. I don't mean to derail this thread, or step on any political toes, so apologies in advance.


-Brock

v2.23.0 | Report a Bug | By Email