Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Brian Campbell <bcampbell@pingidentity.com> Tue, 16 February 2021 21:00 UTC

References: <CO6PR18MB4052C85E4B5D5EE5E1DD357AAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <5BE7C60F-84AB-431A-838F-D33459E551C6@lodderstedt.net> <CO6PR18MB4052CE7A7AFF1FAD39EDB90FAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <16CA5346-48EF-4B29-8397-EE6312366C63@lodderstedt.net>
In-Reply-To: <16CA5346-48EF-4B29-8397-EE6312366C63@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 16 Feb 2021 13:59:57 -0700
Message-ID: <CA+k3eCRzPuQPEMm6EB-xd58DeAB2MSBt_ywRxPOHhsECpg+zYA@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MASViGsE0HJtmUXMonw-4JfU7Us>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

On Mon, Feb 15, 2021 at 9:48 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Thank you again for the explanation.
>
> I think your assumption about the overall flow should be described in the
> draft.
>

We did attempt to capture the assumptions in the draft but clearly could
have done a better job with it :)


>
> As I understand it now the core contribution of your proposal is to move
> refresh token management from frontend to backend. Is that correct?
>

Taking that a bit further - the idea is that the backend takes on the
responsibilities of being a confidential client (client creds, token
acquisition, token management/persistence, etc.) to the external AS(s). And
TMI BFF describes a way for that backend to deliver access tokens to its
own frontend.

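The split described in the reply above (the backend holds the client credentials and the refresh token as a confidential client; the frontend only ever receives access tokens) sketched as an added Python example. This is illustration code written for this page, not code from the draft, from the thread, or from Ping Identity. The in-process stand-in for the authorization server, the `/bff-token` endpoint name, the same-origin check, the 30-second early-refresh margin and the session layout are all assumptions made for the example.

```python
import secrets
import time


class FakeAuthorizationServer:
    """Constructed stand-in for the external AS token endpoint (assumption).

    It accepts only client-authenticated refresh_token grants, which is the
    one grant the backend needs once it holds a refresh token for the user.
    """

    def __init__(self, client_id, client_secret, access_token_ttl=300):
        self.client_id = client_id
        self.client_secret = client_secret
        self.access_token_ttl = access_token_ttl
        self.refresh_tokens = {}  # refresh token -> (subject, granted scope)

    def issue_refresh_token(self, subject, scope):
        rt = "rt_" + secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = (subject, scope)
        return rt

    def revoke(self, refresh_token):
        self.refresh_tokens.pop(refresh_token, None)

    def token(self, form, client_auth):
        if client_auth != (self.client_id, self.client_secret):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        entry = self.refresh_tokens.get(form.get("refresh_token"))
        if entry is None:
            return 400, {"error": "invalid_grant"}
        _subject, granted = entry
        requested = form.get("scope", granted)
        if not set(requested.split()) <= set(granted.split()):
            return 400, {"error": "invalid_scope"}  # no scope escalation
        return 200, {"access_token": "at_" + secrets.token_urlsafe(16),
                     "token_type": "Bearer",
                     "expires_in": self.access_token_ttl, "scope": requested}


class ManualClock:
    """Settable clock so token expiry can be exercised deterministically."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class TokenMediatingBackend:
    """The BFF: a confidential client that hands access tokens to its own
    frontend over a cookie-authenticated, same-origin endpoint."""

    EARLY_REFRESH = 30  # seconds before expiry at which to refresh (assumed)

    def __init__(self, auth_server, client_id, client_secret, origin,
                 clock=time.time):
        self.auth_server = auth_server
        self.client_id = client_id
        self.client_secret = client_secret  # never leaves the backend
        self.origin = origin
        self.clock = clock
        self.sessions = {}  # session cookie -> refresh token, scope, AT cache

    def login(self, subject, scope):
        """Called after the backend finished the authorization code flow
        (not shown). The refresh token is stored server-side only."""
        rt = self.auth_server.issue_refresh_token(subject, scope)
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"refresh_token": rt, "scope": scope, "cache": {}}
        return sid

    def bff_token(self, cookie, origin, scope=None):
        """GET /bff-token (assumed name): return an access token for the
        session's user, refreshing it at the AS when needed."""
        if origin != self.origin:  # cross-site callers never get a token
            return 403, {"error": "forbidden"}
        session = self.sessions.get(cookie)
        if session is None:
            return 401, {"error": "unauthorized"}
        scope = scope or session["scope"]
        now = self.clock()
        cached = session["cache"].get(scope)
        if cached is None or cached[1] - now <= self.EARLY_REFRESH:
            status, body = self.auth_server.token(
                {"grant_type": "refresh_token",
                 "refresh_token": session["refresh_token"], "scope": scope},
                (self.client_id, self.client_secret))
            if status != 200:
                if body["error"] == "invalid_grant":
                    del self.sessions[cookie]  # RT revoked: force re-login
                    return 401, {"error": "unauthorized"}
                return 400, {"error": body["error"]}
            cached = (body["access_token"], now + body["expires_in"])
            session["cache"][scope] = cached
        access_token, expires_at = cached
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": int(expires_at - now), "scope": scope}
```

Two things to notice: the response body the frontend gets never carries the refresh token or the client secret, and an `invalid_grant` from the AS (refresh token revoked or expired) tears the backend session down rather than being retried, so the user is sent back through login. The Origin check stands in for whatever same-site/CSRF protection the real deployment uses; it does not protect the access token from script running in the frontend itself.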