Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sat, 01 December 2018 09:16 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
Date: Sat, 01 Dec 2018 09:15:55 +0000
Message-ID: <VI1PR0801MB21121BCD21DE8ABAF055E603FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com> <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net> <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com>
In-Reply-To: <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-Wo9mL6zPNeKKgeNjkmUe5UMa8Q>

I share the concern Brian has, which is also the conclusion I came up with in my other email sent a few minutes ago.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: Friday, November 30, 2018 11:43 PM
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00


On Sat, Nov 17, 2018 at 4:07 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> On 15.11.2018 at 23:01, Brock Allen <brockallen@gmail.com> wrote:
>
> So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)?

Sure. That’s why the Security BCP recommends use of TLS-based methods for sender constraining access tokens (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2.2). Token Binding for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08) as well as Mutual TLS for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) are the options available.

Unfortunately even when using the token endpoint, for SPA / in-browser client applications, the potential mechanisms for sender/key-constraining access tokens don't work very well or maybe don't work at all. So I don't know that the recommendation is very realistic.
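As an added illustration of the sender-constraining mechanism Torsten refers to (the Mutual TLS for OAuth draft), here is a resource-server check for a certificate-bound access token. This is example code written for this archive page, not code from either draft or from any participant in the thread: the authorization server records the `x5t#S256` thumbprint of the client certificate used at the token endpoint in the token's `cnf` claim, and the resource server accepts the token only on a TLS connection authenticated with that same certificate. The certificate bytes, claim values and issuer URL are constructed placeholders, and JWT signature verification is assumed to have happened before this check runs.

```python
"""Certificate-bound (sender-constrained) access token check.

Added example, not code from draft-ietf-oauth-mtls or from this thread.
The token carries cnf = {"x5t#S256": base64url(SHA-256(client cert DER))};
a resource server compares that value with the thumbprint of the
certificate presented on the current TLS connection.  All certificates
and claims below are constructed stand-ins; signature verification of
the token is assumed to be done elsewhere.
"""
import base64
import hashlib
import hmac
from typing import Any, Dict, Optional


def x5t_s256(cert_der: bytes) -> str:
    """Base64url (unpadded) SHA-256 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: Dict[str, Any], cert_der: bytes) -> Dict[str, Any]:
    """Authorization-server side: at the token endpoint, record the thumbprint
    of the client certificate used on the mTLS token request."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def check_sender_constraint(claims: Dict[str, Any],
                            presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept the token only if it carries an x5t#S256
    confirmation claim and the certificate on this TLS connection matches it.
    A token without a confirmation claim is a plain bearer token and is
    rejected, because this resource is configured to require binding."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False
    if presented_cert_der is None:
        return False  # no client certificate was authenticated on this connection
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, actual)


# Constructed stand-ins for DER certificates; any byte string hashes the same way.
LEGIT_CLIENT_CERT = b"-- constructed DER bytes for the legitimate client --"
OTHER_CLIENT_CERT = b"-- constructed DER bytes for some other TLS client --"

# Constructed claims; "https://as.example" is a placeholder issuer.
ISSUED_TOKEN = bind_token_to_cert(
    {"iss": "https://as.example", "sub": "user-123", "scope": "read", "exp": 1700000000},
    LEGIT_CLIENT_CERT,
)


def demo() -> Dict[str, bool]:
    """Outcomes for the four cases a resource server sees."""
    return {
        "same_client": check_sender_constraint(ISSUED_TOKEN, LEGIT_CLIENT_CERT),
        "replayed_elsewhere": check_sender_constraint(ISSUED_TOKEN, OTHER_CLIENT_CERT),
        "no_client_cert": check_sender_constraint(ISSUED_TOKEN, None),
        "unbound_bearer": check_sender_constraint({"sub": "user-123"}, LEGIT_CLIENT_CERT),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `replayed_elsewhere` case is the one a plain bearer token cannot defend against: the identical token presented from a different TLS client is rejected only because the binding exists. It also makes Brian's objection concrete: the check depends on a client certificate the application itself controls, which is exactly the prerequisite he says in-browser clients struggle to meet.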

