[OAUTH-WG] TMI BFF - html meta tags over/alternative to discovery

Filip Skokan <panva.ip@gmail.com> Sat, 15 May 2021 15:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6lfqd3n8O196a3Om9HxVfCFLLQk>

Hello Vittorio, Brian, everyone

This is a followup to my feedback in the TMI BFF interim meeting on April
26th where I mentioned I'd bring this to the list for discussion.

I proposed an alternative to using fixed endpoint locations and/or
discovery. HTML <meta> Tags <https://www.w3schools.com/tags/tag_meta.asp>.

These would be in the returned page HTML's head tag, e.g.

    <meta name="oauth-bff-token" content="/api/bff-token">
    <meta name="oauth-bff-sessioninfo" content="/api/bff-sessioninfo">


The JavaScript SDK handling TMI BFF would know to look for these defined
meta tags to source the location of the different endpoints. I think this
could be the primary place an SDK would look at as it doesn't require any
upfront external requests.

For the SDK this is as simple as

    var bffTokenPath = document.querySelector('meta[name="oauth-bff-token"]').content;


If this was the only mechanism defined by the document (to be bashed) I
think it can save the group a lot of time defining a client discovery
document which would be otherwise needed. If discovery as an alternative
solution is indeed inevitable, it can be a second in line mechanism the
JavaScript SDK would know to use.

As discussed in the interim, a well known set of endpoints (or even a
single root client discovery document) might not always be available for
control to the webpage depending on where and how it is hosted; on the
other hand, the HTML it serves always, I hope, is.

Best,
*Filip Skokan*
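
Added example, not part of the original message or of the TMI BFF draft: a sketch of how a JavaScript SDK could read the two proposed meta tags from the page head and resolve them against the page URL. The helper names, the same-origin check, the duplicate-tag rejection and the fake document (used so the code runs outside a browser) are assumptions of this example.

```javascript
// Added example: hypothetical SDK helper, not code from the draft or a real SDK.
const BFF_META_NAMES = { token: 'oauth-bff-token', sessionInfo: 'oauth-bff-sessioninfo' };

// Resolve one endpoint from <head>. Returns null when the tag is absent so the
// caller can fall back to a second mechanism such as discovery.
function resolveBffEndpoint(doc, pageUrl, metaName) {
  const tags = doc.head.querySelectorAll(`meta[name="${metaName}"]`);
  if (tags.length === 0) return null;
  // Assumption: two tags with one name are ambiguous, so fail closed.
  if (tags.length > 1) throw new Error(`duplicate meta tag: ${metaName}`);
  const content = (tags[0].getAttribute('content') || '').trim();
  if (content === '') throw new Error(`empty content in meta tag: ${metaName}`);
  const page = new URL(pageUrl);
  const endpoint = new URL(content, page); // relative paths resolve against the page
  // Assumption: the BFF endpoints live on the page's own origin. For an http(s)
  // page this also rejects "//host/..." values and non-http(s) schemes.
  if (endpoint.origin !== page.origin) {
    throw new Error(`cross-origin endpoint in meta tag: ${metaName}`);
  }
  return endpoint.href;
}

function resolveBffEndpoints(doc, pageUrl) {
  const result = {};
  for (const [key, metaName] of Object.entries(BFF_META_NAMES)) {
    result[key] = resolveBffEndpoint(doc, pageUrl, metaName);
  }
  return result;
}

// Constructed stand-in for `document`, so the example runs in Node without a DOM.
function fakeDocument(metas) {
  const querySelectorAll = (selector) => {
    const name = /^meta\[name="([^"]+)"\]$/.exec(selector)[1];
    return metas
      .filter((m) => m.name === name)
      .map((m) => ({ getAttribute: (attr) => (attr === 'content' ? m.content : null) }));
  };
  return { head: { querySelectorAll } };
}

// Constructed sample page carrying the two tags from the message.
const samplePage = fakeDocument([
  { name: 'oauth-bff-token', content: '/api/bff-token' },
  { name: 'oauth-bff-sessioninfo', content: '/api/bff-sessioninfo' },
]);
console.log(resolveBffEndpoints(samplePage, 'https://app.example/dashboard'));
```

In a browser the same functions take `document` and `location.href` in place of the constructed inputs.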