Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-15.txt

Aaron Parecki <aaron@parecki.com> Mon, 23 October 2023 16:21 UTC

After a lot of discussion on the mailing list over the last few months, and
after some excellent discussions at the OAuth Security Workshop, we've been
working on revising the draft to provide clearer guidance and clearer
discussion of the threats and consequences of the various architectural
patterns in the draft.

I would like to give a huge thanks to Philippe De Ryck for stepping up to
work on this draft as a co-author!

This version is a huge restructuring of the draft and now starts with a
concrete description of possible threats of malicious JavaScript as well as
the consequences of each. The architectural patterns have been updated to
reference which of these threats is mitigated by the pattern. This
restructuring should help readers make a better-informed decision by being
able to evaluate the risks and benefits of each solution.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

Please give this a read; I am confident that this is a major improvement to
the draft!

Aaron

On Mon, Oct 23, 2023 at 8:35 AM <internet-drafts@ietf.org> wrote:

> Internet-Draft draft-ietf-oauth-browser-based-apps-15.txt is now
> available. It
> is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>
>    Title:   OAuth 2.0 for Browser-Based Apps
>    Authors: Aaron Parecki
>             David Waite
>             Philippe De Ryck
>    Name:    draft-ietf-oauth-browser-based-apps-15.txt
>    Pages:   58
>    Dates:   2023-10-23
>
> Abstract:
>
>    This specification details the threats, attack consequences, security
>    considerations and best practices that must be taken into account
>    when developing browser-based applications that use OAuth 2.0.
>
> Discussion Venues
>
>    This note is to be removed before publishing as an RFC.
>
>    Discussion of this document takes place on the Web Authorization
>    Protocol Working Group mailing list (oauth@ietf.org), which is
>    archived at https://mailarchive.ietf.org/arch/browse/oauth/.
>
>    Source for this draft and an issue tracker can be found at
>    https://github.com/oauth-wg/oauth-browser-based-apps.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-15
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>