Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 5D2BE12022C
 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 12:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id EHbiV7dxAXNX for <oauth@ietfa.amsl.com>;
 Thu, 25 Jul 2019 12:04:07 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de
 [80.67.18.14])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id E4590120248
 for <oauth@ietf.org>; Thu, 25 Jul 2019 12:04:06 -0700 (PDT)
Received: from [91.13.158.20] (helo=[192.168.71.102])
 by smtprelay02.ispgateway.de with esmtpsa
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92)
 (envelope-from <torsten@lodderstedt.net>)
 id 1hqj24-0002zE-DT; Thu, 25 Jul 2019 21:04:04 +0200
Content-Type: multipart/signed;
 boundary=Apple-Mail-6FCA0155-0B48-43E5-864B-7CF910F102FD;
 protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (16F203)
In-Reply-To: <1903519861.188545.1563954610968@mail.yahoo.com>
Date: Thu, 25 Jul 2019 21:04:04 +0200
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>,
 David Waite <david@alkaline-solutions.com>, OAuth WG <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <B033CD2E-38BC-42CD-9BA1-99BA016CD332@lodderstedt.net>
References: <CAGBSGjqVV3jJaXEX28N_fKbLSp3ijzb34N9NrZwZ+ZNXwXGKAg@mail.gmail.com>
 <0C094925-1429-46ED-8CF6-0D7B8DFB332F@lodderstedt.net>
 <CA+k3eCT5eG=S9AjM7Ss=DwHvsjwnriuZC3_yMxhrUaJXf2-vrw@mail.gmail.com>
 <99169CD8-F415-43CB-9F93-D779E5A15592@alkaline-solutions.com>
 <1903519861.188545.1563954610968@mail.yahoo.com>
To: Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I4_0B_6uCwFG7BDahveq8vcaxWo>
Subject: Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 19:04:21 -0000


--Apple-Mail-6FCA0155-0B48-43E5-864B-7CF910F102FD
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable



> Am 24.07.2019 um 09:50 schrieb Tomek Stojecki <tstojecki=3D40yahoo.com@dma=
rc.ietf.org>:
>=20
> I agree that 6.1 takes too broad of a swipe, but I'd say with same-site co=
okies and (sadly) without token-binding, the suggestion to use cookie based s=
ession following oauth/oidc auth is a good one and should be incorporated pe=
rhaps in 6.2?

Sure. Such mechanisms are also used in a backend based architecture for OAut=
h, just as a complement and not an alternative to OAuth

>=20
> Leo sums it up well here:
>> We need to be clear on the distinction between browser based apps that ho=
ld the token(s) in the browser space, vs. those that don't.  I agree that wi=
th this "common domain" architecture, the tokens should not be held in the b=
rowser, but it doesn't follow that oauth should not be used at all. =20
>=20
> Finally and sorry if this is off-topic, why isn't this discussion taking p=
lace in github? Aaron has uploaded the document there. This medium, while go=
od for some things, seems to have a lot of shortcomings for this sort of dis=
cussion and review.=20

Well, since this is IETF ;-)

>=20
> Thanks,
> Tomek
>=20
>=20
> On Wednesday, July 24, 2019, 04:14:14 AM GMT+2, David Waite <david@alkalin=
e-solutions.com> wrote:=20
>=20
>=20
>=20
>=20
>=20
>=20
>=20
>> On Jul 23, 2019, at 12:47 PM, Brian Campbell <bcampbell=3D40pingidentity.=
com@dmarc.ietf.org> wrote:
>>=20
>>=20
>>=20
>>> On Mon, Jul 22, 2019 at 7:31 AM Torsten Lodderstedt <torsten@lodderstedt=
.net> wrote:
>>>=20
>>> 2) Regarding architectures: I think this BCP should focus on recommendat=
ions for securely implementing OAuth in the different potential architecture=
. I don=E2=80=99t think we should get into the business of recommending and a=
ssessing other solutions (e.g. section 6.1.). Just to give you an example: S=
ection 6.1. states=20
>>>=20
>>> "OAuth and OpenID Connect provide very little benefit in this deployment=
 scenario, so it is recommended to reconsider whether you need OAuth or Open=
ID Connect at all in this case.=E2=80=9D
>>>=20
>>> Really? What experiences is this statement based on? In my experience, s=
haring the same domain =3D=3D host name tells you nothing about the overall a=
rchitecture of a certain deployment. There may be several reasons why OAuth c=
ould be good choice in such a scenario, e.g. security considerations (since y=
our common domain is just a proxy server encapsulating a whole universe of s=
ystems) or even modularity as an architecture principle.=20
>>>=20
>>> I suggest to remove section c. and to rephrase the second paragraph of t=
he abstract.
>>=20
>> I believe the experiences that the statement is based on are the predomin=
ant practice over the course of much of the history of the web of using a co=
okie to maintain an authenticated HTTP session in web applications. When the=
 script of the browser-based application is served from a domain that can sh=
are cookies with the domain of the API, then cookies can still be used to au=
thorize requests (even if those requests are API calls rather than full page=
 HTTP request/response). And I do believe that's likely a better decision in=
 a lot of such cases.=20
>>=20
>> That authenticated HTTP session may be establish from a username/password=
 form submission, FIDO/WebAuthn, or whatever.  Even as a result of an OpenID=
 Connect flow. Or even SAML for that matter. But the the requests after that=
 are authorized by the cookie.=20
>>=20
>> I think there's a tendency to assume because SPA style apps make API call=
s, they simply must use OAuth. Because API implies OAuth in the minds of man=
y (which is a sign of its success). But OAuth isn't necessarily the only thi=
ng that can be used for API authorization. Cookies work too. I think/hope th=
at's what Section 6.1. is getting at - providing some potential guidance tha=
t OAuth might not necessarily be the right choice in those cases where a com=
mon domain allows for a cookie. Perhaps the text in that section could be ph=
ased in a different or better way, but I think its useful to have some menti=
on of in this document.=20
>>=20
>> Although taking out "and OpenID Connect" from the sentence quoted above m=
ight be more appropriate and alleviate some confusion.=20
>>=20
>>=20
>=20
> Perhaps it should be turned into a stated document assumption (that the re=
ader has decided to use OAuth) rather than guidance later in the document (t=
hat OAuth may not be the best fit)
>=20
> There is AFAIK no set of security considerations or best practices we can p=
oint to for =E2=80=9Cuse some non-standardized system for acquiring and usin=
g cookies=E2=80=9D or even =E2=80=9Chere=E2=80=99s a standard for acquiring a=
nd using cookies=E2=80=9D. Omitting some of the moving pieces of OAuth might=
 alleviate some security concerns, but also resurrect some other security is=
sues. The most immediate example that comes to mind: using a HttpOnly cookie=
-as-token instead of an access token may mean that you can=E2=80=99t have in=
jected scripts exfiltrate the token, but applying the access token was also a=
 mitigation against browser CSRF for your APIs.
>=20
> -DW
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-6FCA0155-0B48-43E5-864B-7CF910F102FD
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Disposition: attachment;
	filename=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCCn8w
ggUyMIIEGqADAgECAhEAh3cjdwfbVS49xtpMKQd5tjANBgkqhkiG9w0BAQsFADCBljELMAkGA1UE
BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYG
A1UEChMPU2VjdGlnbyBMaW1pdGVkMT4wPAYDVQQDEzVTZWN0aWdvIFJTQSBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTAeFw0xOTAxMzAwMDAwMDBaFw0yMDAxMzAyMzU5
NTlaMCgxJjAkBgkqhkiG9w0BCQEWF3RvcnN0ZW5AbG9kZGVyc3RlZHQubmV0MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iT7e+ZazS5uGQ2/oV6rKb+dLiC1cbVCWN1TEV1XemJP68/I
91+YUtc87N8M46QgGHN25FeM8xaWL6Q83aArs/nnuYx26+x0Em5Z8cqcAe+i1JLbvxt5j47h+5ii
ZErQld2GCf7EsW5YO+UoNws9ZMkcOHp77qSUuva0mDxitDpsMdlVIbYTkOIW2/x7NinUBBSvpO0b
xlejSGukCX73pTUWPBK3kznd3wqg7SaiqZH+1g/1cQxMD8Wk8S1QPO3AB2xA7hES4EjWFZ7a9HhX
5VMRyJlsEDb1KJAot7cypJcfDhCJwG8De5hSEsW5kEWL0h+AOFXcB+JQzLW0sdSVxwIDAQABo4IB
5jCCAeIwHwYDVR0jBBgwFoAUCcDy/AvalNtf/ivfqJlCz8ngrQAwHQYDVR0OBBYEFBnmpsoJu2zU
GrbmQoBZG6uxqdNRMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsG
AQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAwQAYDVR0gBDkwNzA1BgwrBgEE
AbIxAQIBAQEwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwWgYDVR0fBFMw
UTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ2xpZW50QXV0aGVudGlj
YXRpb25hbmRTZWN1cmVFbWFpbENBLmNybDCBigYIKwYBBQUHAQEEfjB8MFUGCCsGAQUFBzAChklo
dHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNl
Y3VyZUVtYWlsQ0EuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAiBgNV
HREEGzAZgRd0b3JzdGVuQGxvZGRlcnN0ZWR0Lm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAKEl922ls
OY5xPqRLJUKLCshBzoNcJ6UDXI4CwCClc4E3yIDQg09zpK0UdrFW0cU8qFc7iXRixKdU361AADG+
SB/N9ttU40JB7HgJYLhHYijKjXwobUGohyhZRv00PvAS6qV8Xevj2OGZ1V/w3VPJxEyYPpSCFJ0g
qUut0Nt6qse67hS5+BZsJp5d+v/Ozo9UGjLa658ZovxG7/CsKZXF6AQe5fNPhpWAfyVfnTHwQpqm
5jQYPX3fB3k3JQv/IuB2CIENxgQoYpfXg37sSbcdkeWQu4ouiRlTwTfLDI2pfuxRQLJzoCxIYkxg
jlq6XtpvolvwKfJpeg44hus5k11RPDCCBUUwggQtoAMCAQICEDPbmsaqwjeZa3PxA3uZ8LQwDQYJ
KoZIhvcNAQELBQAwgZsxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIx
EDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhD
T01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTAe
Fw0xNzAxMDkwMDAwMDBaFw0xODAxMDkyMzU5NTlaMCgxJjAkBgkqhkiG9w0BCQEWF3RvcnN0ZW5A
bG9kZGVyc3RlZHQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArsGSzZyz9Lq9
SRW9Sve5K8n5lWhplOCE6HH3gMye12DjOpkFFZt0b73t27G17Xsp6WUxHhNevf7ck0AUpvYUPCHB
qVGJSIWF9hWAoSFCgQACOoh/cDFbzz1PsMY8El7OmIus4JXtY4/VdoSIhFP3hzATbNAg32Kp+N8v
tTuKTwbgnizJSyzZTYrsttn3LmwY17HU+U9vXloMus5U/ln4ADZx0zyyDSsA6gtPxXYJpbgSTnHc
kVZ5zfR80guIZ538Y2qqsqt5VaSRSR2oQzE/HETkKc/odPVhqBrXLyvnSFkCPrAXV07rcvwkPvHZ
eYVu4QdVWyO2HIQ4i2x9r5m7SwIDAQABo4IB9TCCAfEwHwYDVR0jBBgwFoAUkmFrguGioKpP7Gfx
wqP3tIAAwewwHQYDVR0OBBYEFPngHgVxOZ7GSji/IW4YJMBj02PHMA4GA1UdDwEB/wQEAwIFoDAM
BgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhC
AQEEBAMCBSAwRgYDVR0gBD8wPTA7BgwrBgEEAbIxAQIBAQEwKzApBggrBgEFBQcCARYdaHR0cHM6
Ly9zZWN1cmUuY29tb2RvLm5ldC9DUFMwXQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL2NybC5jb21v
ZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENB
LmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwWAYIKwYBBQUHMAKGTGh0dHA6Ly9jcnQuY29tb2RvY2Eu
Y29tL0NPTU9ET1NIQTI1NkNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAiBgNVHREEGzAZgRd0b3JzdGVu
QGxvZGRlcnN0ZWR0Lm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAAmueyHjiyL1qYgfe+hVSsGuKlgcv
jCAfG8Jaq48tC0IjP8pH/tGi4uL9CHVfLnV3pLDnjg6M2uvpEBp7crZZcnSPLeVss+tkhwv+F7IS
YQyT4flNkqVUb8nfewbCPcIN13ObfpU7rlXoIarEEplQo4SuymYVluQxTLOFKm5QOMF4JBMw/rjy
4t95J7Mdp9NFUzQrKPJDaJ2Jr/TcTXFcjLvNVmMBjK0959a9v1/1miRHd1DBsTh1KvBigEOUNMxv
T5uUtB6/tioDZqBDDk8Gvdno/xmye3YiasS7JgMREq5WcXqpWGu5kMFZMGPEvyPHeBZeqxx3amf4
ImVnZ6WvgzGCA88wggPLAgEBMIGsMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBN
YW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8
BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWls
IENBAhEAh3cjdwfbVS49xtpMKQd5tjANBglghkgBZQMEAgEFAKCCAfMwGAYJKoZIhvcNAQkDMQsG
CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkwNzI1MTkwNDA0WjAvBgkqhkiG9w0BCQQxIgQg
eUrUviTaoTme22ruhBvsv5KW27g9L+EsRCltPpewKYUwgcEGCSsGAQQBgjcQBDGBszCBsDCBmzEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENs
aWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAz25rGqsI3mWtz8QN7mfC0
MIHDBgsqhkiG9w0BCRACCzGBs6CBsDCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIg
TWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx
QTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJl
IEVtYWlsIENBAhAz25rGqsI3mWtz8QN7mfC0MA0GCSqGSIb3DQEBAQUABIIBAFrCDUFTp9oUkhU/
QzzD0fHHSVwBSotjWllNK77vYKWTVKxN533Ub81iZsMYm/QyLuzTFMTbYz4CPKqLTD9sYnv+nY4e
RsAWiMRiSC8daXNdxl6B3KciIR1l+6k1RxWWmONI0MSZ2I+0vqzzdH50ippjbAS2nvkCsAlURXfD
NQw8A9SypdbsiVsp94wZMxB1oKVN3gzlaVJc2xlIm85W5RIrL8Er/C4tBSDkyh4m6IZjtodYNIIv
ahag0LFsU7QL6JNy3OroCL4FFLXuVw/+a8zuC/DZ/WBc6AgKBWrNq/v2n3anrWPtn+7iMFDNCtgT
naHx3/GUI+vAo9EZ17NEY9IAAAAAAAA=

--Apple-Mail-6FCA0155-0B48-43E5-864B-7CF910F102FD--