IETF Logo Mail Archive

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Rob Otto <robotto@pingidentity.com> Sun, 02 December 2018 11:55 UTC

Return-Path: <robertotto@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8951B130EBD for <oauth@ietfa.amsl.com>; Sun, 2 Dec 2018 03:55:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wSrWrzGBfPAb for <oauth@ietfa.amsl.com>; Sun, 2 Dec 2018 03:55:05 -0800 (PST)
Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306C812D7EA for <oauth@ietf.org>; Sun, 2 Dec 2018 03:55:05 -0800 (PST)
Received: by mail-pg1-x533.google.com with SMTP id d72so4450583pga.9 for <oauth@ietf.org>; Sun, 02 Dec 2018 03:55:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pMhE232W+oO4Ae4zVh7j2t5Y0kl6jCJ2JNuBisUBoeQ=; b=MDjr6MNvPNiDcVCpLDrg13ladzqhgb3uSWwR7KGdacW5wcys+sfH5vofHIJa+TGtpJ LoJxcdJysC9ybD8J0YV/TaNmseld/Zn+OKnaNv9RyzLEuPofGCJ7WlLpaTG2vPjG2QMX TADXADfVDbzRBY1MQR6iFIghtJzoIThKturxY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pMhE232W+oO4Ae4zVh7j2t5Y0kl6jCJ2JNuBisUBoeQ=; b=fg2rpbzo+FU0Fyga1T5imMZtSeg3dXWgMe5t/DMwFKrUSpklgsPksi5lItMAr7Kdgo JylybUSWHIlXCBF4E3YHoNrRmDmpK7amMDxeXb8koypqzyI3eUADDKOgc+pzqU60x42V wVIme7K5fCND4JHn4xizUtbffMulk+c8SbPzabldo7Vx1cfAfCTH7F3XGLDQTztd1Yqw 7ldTGGPGURTR+9FE94Mp/fChX7q7Q4XLkFPTvXmDBKr2hHq5Uf1uqxrqJUmgr4du5dgC CLYBMu1bXGpm4L/p3MNUvoqKW8ZdhC1Zj2RiSBSt4F7BmuDFvOqL/4MAh1OChGhHlmUr ybfw==
X-Gm-Message-State: AA+aEWacLO7DtkLBQf24+PpcQ0GatCzPJepe8OVCNdr7/EOUfYtT5LvX o70VLJ8JpsbZydvAi2b52Clt4Icq43J1hOs7eC0XC7QOHDnwnH/iFKgwrPWwVw4xLkrftAWkpOJ 4EsE3lQmIWWMHguyb
X-Google-Smtp-Source: AFSGD/USaureM1Krp+B7pQ0qj+4CNMnJVXe3TA/DLhQMmmzdPHHpC1p0eiqc4Z7+klAWjqsu5NUTfbYiUYa1KOATgRo=
X-Received: by 2002:a63:5122:: with SMTP id f34mr9720271pgb.218.1543751704316; Sun, 02 Dec 2018 03:55:04 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com> <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net> <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com> <VI1PR0801MB21121BCD21DE8ABAF055E603FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <E0F62B7E-9C58-493A-BEFD-91D7441BB5BF@lodderstedt.net> <0BD84A8F-0A71-45CC-BE20-89FBC8FF18D2@lodderstedt.net> <df7c80be-477e-bb4a-cc29-edb233571a2f@ve7jtb.com> <A6E974DC-59C2-43E2-9534-CAD2EE695941@lodderstedt.net>
In-Reply-To: <A6E974DC-59C2-43E2-9534-CAD2EE695941@lodderstedt.net>
From: Rob Otto <robotto@pingidentity.com>
Date: Sun, 02 Dec 2018 11:54:52 +0000
Message-ID: <CABh6VRH9a64G4tWteNo2H+SAxWHSxfGuY09y+jH0pdc=M-Ht5g@mail.gmail.com>
To: torsten@lodderstedt.net
Cc: John Bradley <ve7jtb@ve7jtb.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f52bae057c08b37a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/83LiN_9OvvUjPb6hJtBWLa5Y5yE>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Dec 2018 11:55:08 -0000

Apologies if I'm being dim (it wouldn't be the first time!) but how, in
this scenario, do we identify the browser client and authenticate it to the
backend, to associate it with the correct token(s)?

Cheers (and really interesting discussion so far)

Rob

On Sun, 2 Dec 2018 at 07:31, Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> the UI is rendered in the frontend, UI control flow is in the frontend.
> just a different cut through the web app’s layering
>
> All Angular apps I have seen so far work that way. And it makes a lot of
> sense to me. The backend can aggregate and optimize access to the
> underlying services without the need to fully expose them.
>
> Am 02.12.2018 um 00:44 schrieb John Bradley <ve7jtb@ve7jtb.com>:
>
> How is that different from a regular server client with a web interface if
> the backed is doing the API calls to the RS?
>
>
> On 12/1/2018 12:25 PM, Torsten Lodderstedt wrote:
>
> I forgot to mention another (architectural) option: split an application
> into frontend provided by JS in the browser and a backend, which takes care
> of the business logic and handles tokens and API access. Replay detection
> at the interface between SPA and backend can utilize standard web
> techniques (see OWASP). The backend in turn can use mTLS for sender
> constraining.
>
> Am 01.12.2018 um 15:34 schrieb Torsten Lodderstedt <
> torsten@lodderstedt.net>:
>
> IMHO the best mechanism at hand currently to cope with token
> leakage/replay in SPAs is to use refresh tokens (rotating w/ replay
> detection) and issue short living and privilege restricted access tokens.
>
> Sender constrained access tokens in SPAs need adoption of token binding or
> alternative mechanism. mtls could potentially work in deployments with
> automated cert rollout but browser UX and interplay with fetch needs some
> work. We potentially must consider to warm up application level PoP
> mechanisms in conjunction with web crypto. Another path to be evaluated
> could be web auth.
>
> Am 01.12.2018 um 10:15 schrieb Hannes Tschofenig <
> Hannes.Tschofenig@arm.com>:
>
> I share the concern Brian has, which is also the conclusion I came up with
> in my other email sent a few minutes ago.
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Brian Campbell
> *Sent:* Friday, November 30, 2018 11:43 PM
> *To:* Torsten Lodderstedt <torsten@lodderstedt.net>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
>
>
>
>
>
> On Sat, Nov 17, 2018 at 4:07 AM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
> > Am 15.11.2018 um 23:01 schrieb Brock Allen <brockallen@gmail.com>:
> >
> > So you mean at the resource server ensuring the token was really issued
> to the client? Isn't that an inherent limitation of all bearer tokens
> (modulo HTTP token binding, which is still some time off)?
>
> Sure. That’s why the Security BCP recommends use of TLS-based methods for
> sender constraining access tokens (
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2..2).
> Token Binding for OAuth (
> https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08
> <https://tools..ietf.org/html/draft-ietf-oauth-token-binding-08>) as well
> as Mutual TLS for OAuth (
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) are the options
> available.
>
>
>
> Unfortunately even when using the token endpoint, for SPA / in-browser
> client applications, the potential mechanisms for sender/key-constraining
> access tokens don't work very well or maybe don't work at all. So I don't
> know that the recommendation is very realistic.
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
<https://www.pingidentity.com>[image: Ping Identity]
<https://www.pingidentity.com>
Rob Otto
EMEA Field CTO/Solutions Architect
robotto@pingidentity.com

c: +44 (0) 777 135 6092
Connect with us: [image: Glassdoor logo]
<https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>
[image:
LinkedIn logo] <https://www.linkedin.com/company/21870> [image: twitter
logo] <https://twitter.com/pingidentity> [image: facebook logo]
<https://www.facebook.com/pingidentitypage> [image: youtube logo]
<https://www.youtube.com/user/PingIdentityTV> [image: Google+ logo]
<https://plus.google.com/u/0/114266977739397708540> [image: Blog logo]
<https://www.pingidentity.com/en/blog.html>
<https://www.google.com/url?q=https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/faqs/en/consumer-attitudes-post-breach-era-3375.pdf?id%3Db6322a80-f285-11e3-ac10-0800200c9a66&source=gmail&ust=1541693608526000&usg=AFQjCNGBl5cPHCUAVKGZ_NnpuFj5PHGSUQ>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email