Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Dominick Baier <dbaier@leastprivilege.com> Wed, 17 February 2021 19:43 UTC
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CO6PR18MB4052BA48231DA27E5C208514AE869@CO6PR18MB4052.namprd18.prod.outlook.com>
References: <CO6PR18MB4052C85E4B5D5EE5E1DD357AAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <5BE7C60F-84AB-431A-838F-D33459E551C6@lodderstedt.net> <CO6PR18MB4052CE7A7AFF1FAD39EDB90FAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <16CA5346-48EF-4B29-8397-EE6312366C63@lodderstedt.net> <CA+k3eCRzPuQPEMm6EB-xd58DeAB2MSBt_ywRxPOHhsECpg+zYA@mail.gmail.com> <CAO7Ng+tkaBgyZEEzfcD7f1MiC2pWr7tuuX8+efEpstgaGfSk4w@mail.gmail.com> <CO6PR18MB4052BA48231DA27E5C208514AE869@CO6PR18MB4052.namprd18.prod.outlook.com>
MIME-Version: 1.0
Date: Wed, 17 Feb 2021 11:43:20 -0800
Message-ID: <CAO7Ng+viWRG3=O+Pz+9kdY_fOYnyyynTfy5VtOzjt1Gz6rjOLA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JcRycrLIh445CLcuFte5B2Vzex0>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Yes - “no OAuth tokens in the browser” ;) They are all kept server-side and the BFF proxies the API calls if necessary. Also the RT management happens server-side and is transparent to the SPA. I see that in lots of industries - finance, health, cloud providers.

While someone will always say “but this doesn’t solve the XSS problem” - this is absolutely correct. But when there are no tokens in the browser - you can simply eliminate that part of the threat model ;)

———
Dominick Baier

On 17. February 2021 at 18:30:23, Vittorio Bertocci (vittorio.bertocci@auth0.com) wrote:

> Thanks Dominick,
> It is indeed a very simple spec, but as you can see from the discussion so far, it doesn’t appear to be trivial - and there might be some considerations we consider obvious (eg scope escalation) that might not be super clear otherwise.
> In terms of the guidance, just to make sure I get the scope right - that means that also code+PKCE+rotating RTs in JS would not be acceptable for your customers?
>
> From: Dominick Baier <dbaier@leastprivilege.com>
> Date: Wednesday, February 17, 2021 at 00:27
> To: Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
> Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, "oauth@ietf.org" <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
>
>> Hey,
>>
>> Tbh - I have a bit of a hard time seeing why this requires a spec, if that is all you are aiming at. Wouldn’t that be just an extension to the “OAuth for web apps BCP”?
>>
>> All I can add here is - this approach would not work for any of our customers. Because their real motivation is to implement a more and more common security guideline these days - namely: “no JS-accessible tokens in the browser” - but this document doesn’t cover this.
>>
>> cheers
>> ———
>> Dominick Baier
>>
>> On 16. February 2021 at 22:01:37, Brian Campbell (bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>
>>> On Mon, Feb 15, 2021 at 9:48 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>>> Thank you again for the explanation. I think your assumption about the overall flow should be described in the draft.
>>>
>>> We did attempt to capture the assumptions in the draft but clearly could have done a better job with it :)
>>>
>>>> As I understand it now the core contribution of your proposal is to move refresh token management from frontend to backend. Is that correct?
>>>
>>> Taking that a bit further - the idea is that the backend takes on the responsibilities of being a confidential client (client creds, token acquisition, token management/persistence, etc.) to the external AS(s). And TMI BFF describes a way for that backend to deliver access tokens to its own frontend.
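The arrangement described in this exchange (tokens held only server-side, the BFF proxying API calls with the bearer token and refreshing transparently to the SPA, the backend acting as a confidential client toward the AS), written out as an added example that is not part of the thread, of the TMI BFF draft, or of any product. Everything in it is constructed for illustration: the cookie name `__Host-bff_session`, the in-memory session store, the `FakeAuthServer` whose `issue`, `refresh` and `resource_server` methods stand in for a real AS and API, and the explicit `now` argument used instead of the clock so the refresh path can be driven deterministically. The authorization code exchange that would precede `login` is left out.

```python
"""Minimal token-mediating BFF, added as an illustration of the pattern discussed
in this thread; it is not code from the thread or from any project. Everything
here is constructed: an in-memory session store keyed by an opaque cookie value,
a fake authorization server with rotating refresh tokens, and a fake resource
server that checks bearer tokens. Time is passed in explicitly so the refresh
path can be exercised deterministically."""
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "__Host-bff_session"  # hypothetical cookie name


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time, seconds


@dataclass
class FakeAuthServer:
    """Stand-in for the AS. Access tokens expire; refresh tokens are single-use."""
    lifetime: float = 300.0
    access_tokens: dict = field(default_factory=dict)  # access_token -> expires_at
    refresh_tokens: set = field(default_factory=set)   # currently valid RTs

    def issue(self, now: float) -> TokenSet:
        ts = TokenSet("at-" + secrets.token_urlsafe(12),
                      "rt-" + secrets.token_urlsafe(12), now + self.lifetime)
        self.access_tokens[ts.access_token] = ts.expires_at
        self.refresh_tokens.add(ts.refresh_token)
        return ts

    def refresh(self, refresh_token: str, now: float) -> TokenSet:
        # Rotation: an RT is consumed on first use; a second use is rejected.
        if refresh_token not in self.refresh_tokens:
            raise PermissionError("invalid or reused refresh_token")
        self.refresh_tokens.discard(refresh_token)
        return self.issue(now)

    def resource_server(self, method: str, path: str, headers: dict, now: float):
        """Fake API: accepts only unexpired access tokens it issued itself."""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        exp = self.access_tokens.get(token)
        if exp is None or now >= exp:
            return 401, {"error": "invalid_token"}
        return 200, {"method": method, "path": path, "sub": "alice"}


class Bff:
    """Confidential client toward the AS; session-cookie front toward the SPA."""

    def __init__(self, auth_server: FakeAuthServer):
        self.auth_server = auth_server
        self.sessions: dict = {}  # session id -> TokenSet, never leaves the server

    def login(self, now: float) -> str:
        """The code exchange itself is out of scope here; after it the BFF holds
        the token set and hands the browser only an opaque session id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = self.auth_server.issue(now)
        # HttpOnly keeps JS away from the cookie; SameSite limits cross-site use.
        return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def _access_token(self, sid: str, now: float, skew: float = 30.0) -> str:
        ts = self.sessions[sid]
        if now >= ts.expires_at - skew:  # refresh transparently to the SPA
            ts = self.auth_server.refresh(ts.refresh_token, now)
            self.sessions[sid] = ts      # store the rotated RT server-side
        return ts.access_token

    def proxy(self, cookies: dict, method: str, path: str, now: float):
        """Called by the SPA with its session cookie; the bearer token is
        attached here and the SPA never sees it."""
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:
            return 401, {"error": "login_required"}
        try:
            token = self._access_token(sid, now)
        except PermissionError:
            self.sessions.pop(sid, None)  # refresh failed: drop the session
            return 401, {"error": "login_required"}
        return self.auth_server.resource_server(
            method, path, {"Authorization": f"Bearer {token}"}, now)


def session_id_from_set_cookie(header: str) -> str:
    """Pull the cookie value out of a Set-Cookie line (what the browser stores)."""
    return header.split(";", 1)[0].split("=", 1)[1]
```

The thing to check is the Set-Cookie line returned by `login`: it carries an opaque session id with `HttpOnly` set, and neither the access token nor the refresh token appears in anything sent to the browser; a call to `proxy` close to expiry swaps in a fresh token set and the old refresh token is then refused by the AS. The caveat in the message above still holds: script injected into the SPA can call `proxy` with the victim's cookie attached by the browser (session riding), so what the BFF removes from the threat model is token theft and offline token reuse, not XSS itself.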