[OAUTH-WG] draft-parecki-oauth-browser-based-apps-02

Aaron Parecki <aaron@parecki.com> Sat, 08 December 2018 21:49 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Sat, 08 Dec 2018 13:48:59 -0800
To: OAuth WG <oauth@ietf.org>
Message-ID: <CAGBSGjoJwd1m58RPXQfR-32PwYiZGmgdmymCy-Ni+OJ8a-BHLQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CM_qO45nSy1pnVrbU8qgwcCJ7ZU>
Subject: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-02

Thanks again everyone for the additional feedback on -01. I've incorporated
the discussion into a new draft which is now published.

https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02

Here's a summary of the changes:

* Added a new section with recommendations for refresh tokens, referencing
OAuth 2.0 Security Topics
* Added some more details on risks of the implicit flow
* Added a new section discussing the situation where a browser app has its
own server backend
* Mention explicitly that clients must verify "state"
* Fixed some minor typos
* Updated acknowledgments section
* Fixed working group name and target status

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>