Re: [OAUTH-WG] TMI BFF - html meta tags over/alternative to discovery

Warren Parad <> Mon, 17 May 2021 20:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D7DB73A448C for <>; Mon, 17 May 2021 13:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WzQm64qR22Eb for <>; Mon, 17 May 2021 13:53:01 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8D9CF3A4489 for <>; Mon, 17 May 2021 13:53:01 -0700 (PDT)
Received: by with SMTP id f9so10350099ybo.6 for <>; Mon, 17 May 2021 13:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B3ZC7KZ+Q2G5yQeiG4JMdXvdycGF/tFoBd1vvus79zo=; b=eFQR4X/PXVYt8oj/6MGYTcrp7XII6Op9fBaCDRC0FVxEaMY6j5tffiBCTexCWejdZ8 d9VWmvnNy+BfbkK11bCDsQpgvI/MF6opgNMf7KpPsL6mADtspkQNDXG0o2fUeaO4/yfp wbzbLOgCPht7++Bq27wW+5WW4YZEcJFmpaOkEj/pj9AnaA5ylP1IHcxaElNo0zzuqBYQ Sp+zfhdYkJUd23R70Ag694B4REi7QdnD+Llc0d6edKLpqDAN/JYSA6GZ1yrpOboJJnTG 3B9RKINheyyUvBbpLRpOI31ub7SkK2gL7+Dqd7KqB+r7eVMM88x7GgZ96QX63eRgjTgz /l1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B3ZC7KZ+Q2G5yQeiG4JMdXvdycGF/tFoBd1vvus79zo=; b=b6Gn8l6uLDsUAhcog8etUC67BlPObx/yhU1ciBTS6bq20bwWDoHYawG8bGjDev7Xcy ZMjtP0Ts48/rJqOFj9Z2VbmS3LALFBvdf9WGOtnlGxURKMIIu7HXZp/kXLd+MFtbrDL9 45Q8UJ49HPdH3xCHDTfyCt9nThFY899xAJEFR6xIKXYNu6QJTstGKF+Aeji9aW4afu1n jKvZ3SB0qp9cWQyVipE19SUFQ0wd8ENH7Ub53cRhZWuJ5CRkSOVwXPjQt70hIjbAhp5x J3bCN14UFTrSa9BKpBbjPxgVB2q8kHaj68e8BSiE6ql5fjVOAnsG07n29brw6Zj3dTmL dhkA==
X-Gm-Message-State: AOAM531aJuQ5IXvez/LG1B6JV9i3VP1TBNPK+P7x29phBOkuwoIrUiXs 1iSfHFaRF0MVtCOzp6nhdPdns3ocofXMrWTrepGw
X-Google-Smtp-Source: ABdhPJwPUcQ2/E9J7ut+CW0FYNbDD8lTjYjij29QiDF6SHBE5GI3BWpZ23hcCeuAtUapOhUo0QAdGaJNIRJpIpSqF0Y=
X-Received: by 2002:a25:a003:: with SMTP id x3mr2494222ybh.182.1621284779333; Mon, 17 May 2021 13:52:59 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Warren Parad <>
Date: Mon, 17 May 2021 22:52:48 +0200
Message-ID: <>
To: Brian Campbell <>
Cc: Philippe De Ryck <>, Vittorio Bertocci <>, oauth <>
Content-Type: multipart/alternative; boundary="0000000000005a2d5805c28cc768"
Archived-At: <>
Subject: Re: [OAUTH-WG] TMI BFF - html meta tags over/alternative to discovery
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 May 2021 20:53:07 -0000

I can't follow the discussion. So I'm still missing why the endpoints would
need to be listed anywhere. Isn't the developer of the html page, the same
developer that will configure the HTTP request to go to the backend?

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <>.

On Mon, May 17, 2021 at 10:04 PM Brian Campbell <bcampbell=> wrote:

> The interim discussion can be found here
> but the general context, as I understand it, is that there's a desire to
> have the location of the two application endpoints be conveyed to the
> frontend in a defined way that avoids out-of-band configuration and also
> doesn't infringe on the application namespace. The current draft places the
> two endpoints directly in .well-known but a number of folks have stated
> reasons that's less than ideal or even unworkable in many common
> deployments. Moving to a single static document in .well-known that lists
> the endpoint locations is one alternative approach. This thread suggests a
> different alternative of placing the locations in HTML meta/link tags or
> link headers returned with the application's main html page.
> On Sun, May 16, 2021 at 2:04 AM Warren Parad <wparad=
>> wrote:
>> I agree, missing context for this:
>> As discussed in the interim, a well known set of endpoints (or even a
>> single root client discovery document) might not always be available for
>> control to the webpage depending on where and how it is hosted, on the
>> other hand the HTML it serves always, I hope, is.
>> Wouldn't this only be used as input to a SDK, why wouldn't you just
>> define the configuration in javascript, like everything else?
>> Also, is it required or something that can be added later?
>> On Sun, May 16, 2021, 09:26 Philippe De Ryck <
>>> wrote:
>>> Without having the full context of the interim meeting, this feels
>>> really off to me. I see the need for making this configurable, but I have
>>> doubts about using HTML elements for this purpose.
>>> As far as I understand, this mechanism is supposed to be used for modern
>>> frontends (Angular, React, …). Having to add variables to the index.html in
>>> these applications is likely to conflict with their development paradigms.
>>> It would be much easier to add these variables to the environment file, so
>>> you can differentiate between dev and prod when necessary.
>>> Additionally, querying the DOM for API endpoints sounds like a lot of
>>> trouble. I don’t think that injection is that big of a risk, but I might be
>>> wrong (I’m sure someone said that about the base tag as well). However,
>>> using DOM APIs like this will cause headaches for server-side rendering,
>>> where these DOM APIs are typically not available (e.g.,
>>> ).
>>> Kind regards
>>> Philippe
>>> —
>>> *Pragmatic Web Security*
>>> *Security for developers*
>>> On 15 May 2021, at 17:35, Filip Skokan <> wrote:
>>> Hello Vittorio, Brian, everyone
>>> This is a followup to my feedback in the TMI BFF interim meeting on
>>> April 26th where I mentioned I'd bring this to the list for discussion.
>>> I proposed an alternative to using fixed endpoint locations and/or
>>> discovery. HTML <meta> Tags
>>> <>.
>>> These would be in the returned page HTML's head tag, e.g.
>>> <meta name="oauth-bff-token" content="/api/bff-token">
>>>> <meta name="oauth-bff-sessioninfo" content="/api/bff-sessioninfo">
>>> The javascript SDK handing TMI BFF would know to look for these defined
>>> meta tags to source the location of the different endpoints. I think this
>>> could be the primary place an SDK would look at as it doesn't require any
>>> upfront external requests.
>>> For the SDK this is as simple as
>>> var bffTokenPath =
>>>> document.querySelector('meta[name="oauth-bff-token"]').content;
>>> If this was the only mechanism defined by the document (to be bashed) I
>>> think it can save the group a lot of time defining a client discovery
>>> document which would be otherwise needed. If discovery as an alternative
>>> solution is indeed inevitable, it can be a second in line mechanism the
>>> javascript SDK would know to use.
>>> As discussed in the interim, a well known set of endpoints (or even a
>>> single root client discovery document) might not always be available for
>>> control to the webpage depending on where and how it is hosted, on the
>>> other hand the HTML it serves always, I hope, is.
>>> Best,
>>> *Filip Skokan*
>>> _______________________________________________
>>> OAuth mailing list
>>> _______________________________________________
>>> OAuth mailing list
>> _______________________________________________
>> OAuth mailing list
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*