Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Stoycho Sleptsov <stoycho.sleptsov@gmail.com> Sun, 14 February 2021 14:10 UTC

References: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com> <C741095F-8350-4531-BFA4-4AAE929C08C3@forgerock.com> <CAJot-L1xJFgBkTjKti1LmEkrMZ56SkpuwpTN+Q7MTNZF7aQ01Q@mail.gmail.com> <CO6PR18MB405236B3F50E3A5C42B82C39AE899@CO6PR18MB4052.namprd18.prod.outlook.com> <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com> <CAJot-L3AUd-kYuw4jByJqG85DCJ-9XRjA6A53Dm8h3Q+vTNZnw@mail.gmail.com>
In-Reply-To: <CAJot-L3AUd-kYuw4jByJqG85DCJ-9XRjA6A53Dm8h3Q+vTNZnw@mail.gmail.com>
From: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
Date: Sun, 14 Feb 2021 16:10:42 +0200
Message-ID: <CAGL0X-riOE6bxtjPC9XaDTEa2EpY9zVNoGjTXn5rCKTPTONTjg@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M3qIC1IvL7_n9TbYwBxNmS_mphA>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

If I understood correctly, PKCE tries to guarantee that the app which
requests the access token in exchange for the authorization code is the
same as the application which initiated the authorization request, but
it cannot help to guarantee which app exactly that is (as per section
2.3 of draft-ietf-oauth-v2-1-01, through mTLS, Basic
authentication with client secret, "private_key_jwt", or other means).

On Sun, 14 Feb 2021 at 15:53, Warren Parad <wparad@rhosys.ch> wrote:
>
> Why doesn't PKCE help for authentication?
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture. Implement Authress.
>
>
> On Sun, Feb 14, 2021 at 2:48 PM Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
>>
>> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
>> with the objective to verify if they are valid.
>>
>> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
>> If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.
>>
>> Or is it considered a bad practice to do that?
>>
>> Regards,
>> Stoycho.
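Added example, not part of the thread and not code from any of the participants: a small Python model of the distinction the message above draws. The toy authorization server checks PKCE (RFC 7636, S256) at the token endpoint, which only proves that the party redeeming the code knows the code_verifier behind the code_challenge; for a confidential client it additionally checks a client credential, which is the step that actually establishes which registered client is calling. The client ids, the secret and the ToyAS class are constructed for illustration.

```python
"""Toy authorization server contrasting PKCE with client authentication.

PKCE binds the token request to the authorization request: whoever
redeems the code must present the code_verifier whose S256 hash was
sent as code_challenge. It does not identify *which* registered client
is calling; that needs client authentication (client_secret,
private_key_jwt, mTLS), which only a confidential client such as a BFF
can perform. Client ids, secret and class names are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_ok(verifier: str, challenge: str) -> bool:
    """AS side: BASE64URL(SHA256(ASCII(code_verifier))) == code_challenge."""
    if not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


class ToyAS:
    """Minimal AS: issues codes bound to a challenge, redeems them once."""

    def __init__(self, clients: dict[str, str | None]):
        # client_id -> client_secret; None marks a public client (no credential)
        self.clients = clients
        self.codes: dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, code: str, client_id: str, code_verifier: str,
              client_secret: str | None = None) -> dict:
        """Return what the AS verified, mirroring RFC 6749 error codes."""
        rec = self.codes.pop(code, None)  # codes are single use
        if rec is None or rec["client_id"] != client_id:
            return {"ok": False, "error": "invalid_grant"}
        if not pkce_ok(code_verifier, rec["challenge"]):
            return {"ok": False, "error": "invalid_grant"}
        registered_secret = self.clients[client_id]
        if registered_secret is None:
            # Public client: PKCE held, but client_id is only a self-asserted claim.
            return {"ok": True, "client_authenticated": False}
        if client_secret is None or not hmac.compare_digest(registered_secret, client_secret):
            return {"ok": False, "error": "invalid_client"}
        return {"ok": True, "client_authenticated": True}


def demo() -> tuple[dict, dict, dict]:
    """Run the three flows the thread is about and return the AS verdicts."""
    as_ = ToyAS({"spa-public": None, "bff-confidential": "s3cret-constructed"})

    # 1. Public SPA: PKCE holds, but the AS cannot tell this is the real SPA.
    v, c = make_pkce_pair()
    spa_result = as_.token(as_.authorize("spa-public", c), "spa-public", v)

    # 2. Any other app can start its own flow under the same public client_id
    #    with its own PKCE pair; PKCE still passes, identity still unverified.
    v2, c2 = make_pkce_pair()
    other_app_result = as_.token(as_.authorize("spa-public", c2), "spa-public", v2)

    # 3. Confidential BFF: PKCE plus client secret, so identity is verified.
    v3, c3 = make_pkce_pair()
    bff_result = as_.token(as_.authorize("bff-confidential", c3),
                           "bff-confidential", v3, "s3cret-constructed")
    return spa_result, other_app_result, bff_result


if __name__ == "__main__":
    for label, result in zip(("spa", "other app", "bff"), demo()):
        print(f"{label:10} -> {result}")
```

The point to read off the three results is that PKCE alone leaves client_authenticated False for both flows under the public client_id, while the confidential BFF flow, holding a credential the AS can check, is the only one where the AS has verified which client it is talking to.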