Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

Thomas Broyer <t.broyer@gmail.com> Wed, 08 May 2019 09:35 UTC

References: <11125817.AKI43N3Yza@papegaaij> <C0E40840-26FE-4BC9-8D13-B06D399E4A52@alkaline-solutions.com> <2125064.3GpWMRz4CO@papegaaij>
In-Reply-To: <2125064.3GpWMRz4CO@papegaaij>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 08 May 2019 11:35:14 +0200
Message-ID: <CAEayHEMR5jBar9APgZ14=9-wYwc0cWmEAiX3LiFpKm2nyqo2VQ@mail.gmail.com>
To: Emond Papegaaij <emond.papegaaij@gmail.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IKqnsOSGK50V9FAQk7awXZulqyg>
Subject: Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

On Wed, May 8, 2019 at 9:38 AM Emond Papegaaij <emond.papegaaij@gmail.com>
wrote:

> In our case our AS might have to federate the authentication to some other
> AS, that would only work in an iframe. Therefore, I think we will go for the
> OIDC prompt=none in a hidden iframe. I'm not sure what to do if the AS reports
> that interaction is required, but at least the majority of the cases will be
> covered.
>

I've implemented OpenID Connect Session Management in two AS and one app
(not a SPA though); Session Management uses prompt=none in a hidden iframe.
When the AS redirects back with an error (login_required,
interaction_required, etc.) the hidden iframe can communicate the error to
the app (parent window), which then can display a message with a
button/link to reauthenticate in a popup.
prompt=none in a hidden iframe, plus interactions in a popup, look to me
like the way to go (my use-case has always been authentication though,
never authorizations alone, so maybe things would be different in your
case).