Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Neil Madden <neil.madden@forgerock.com> Sun, 14 February 2021 14:28 UTC

From: Neil Madden <neil.madden@forgerock.com>
Date: Sun, 14 Feb 2021 14:28:08 +0000
Message-Id: <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com>
References: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com>
Cc: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
In-Reply-To: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com>
To: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Dh5wJRII9llrinurNI_9xvKp2is>

Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This is why it's important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.

There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.

— Neil
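To make the "exact URI matching" point concrete, here is an added example (not code from this post or from any ForgeRock product) of how an authorization server can check the redirect_uri presented on the authorization request against what the client registered. It puts the exact-match policy the Security BCP recommends next to the weaker prefix-match policy for contrast; the client registry, the client_id `spa-client` and the candidate URIs are all constructed for illustration.

```python
# Added example, not code from the mailing-list post: an authorization
# server's redirect_uri check, shown with two policies side by side:
# exact string matching (recommended) and prefix matching (weaker, for
# contrast only). Registry and candidate URIs are constructed.
from urllib.parse import urlsplit

# Constructed client registry: client_id -> set of registered redirect URIs.
CLIENT_REGISTRY = {
    "spa-client": {"https://app.example.com/callback"},
}


def redirect_uri_allowed_exact(client_id: str, redirect_uri: str) -> bool:
    """Recommended policy: the URI must be HTTPS and byte-for-byte equal to a
    registered URI. No normalisation, no path or query wildcards."""
    if urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri in CLIENT_REGISTRY.get(client_id, set())


def redirect_uri_allowed_prefix(client_id: str, redirect_uri: str) -> bool:
    """Weaker policy, shown only for contrast: accept anything that starts
    with a registered URI. Extra path segments or query strings slip through,
    which is why the Security BCP steers servers away from it."""
    registered = CLIENT_REGISTRY.get(client_id, set())
    return any(redirect_uri.startswith(r) for r in registered)


# Constructed candidate URIs an AS might see on its /authorize endpoint.
CANDIDATES = [
    "https://app.example.com/callback",                  # the registered URI
    "https://app.example.com/callback?next=/account",    # extra query string
    "https://app.example.com/callback/extra",            # extra path segment
    "http://app.example.com/callback",                   # same host, plain HTTP
    "https://app.example.com.other.example/callback",    # different host
]


def compare_policies(client_id: str = "spa-client") -> dict:
    """Return {uri: (exact_result, prefix_result)} for every candidate so the
    difference between the two policies is visible in one place."""
    return {
        uri: (redirect_uri_allowed_exact(client_id, uri),
              redirect_uri_allowed_prefix(client_id, uri))
        for uri in CANDIDATES
    }


if __name__ == "__main__":
    for uri, (exact, prefix) in compare_policies().items():
        print(f"{uri:50} exact={exact!s:5} prefix={prefix}")
```

Only the first candidate passes the exact check; the prefix policy additionally accepts the URIs with a trailing query string and an extra path segment, which is exactly the slack that the BCP's exact-matching requirement removes. Loopback redirect URIs for native apps (RFC 8252) need a separate, port-tolerant rule and are deliberately out of scope here.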

> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
> 
> 
> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
> with the objective to verify if they are valid.
> 
> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
> If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.
> 
> Or is it considered a bad practice to do that?
> 
> Regards,
> Stoycho.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
