[OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

Emond Papegaaij <emond.papegaaij@gmail.com> Mon, 06 May 2019 19:42 UTC

From: Emond Papegaaij <emond.papegaaij@gmail.com>
To: oauth@ietf.org
Date: Mon, 06 May 2019 21:42:17 +0200
Message-ID: <11125817.AKI43N3Yza@papegaaij>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MArTWhOenG1bfAWRcyJuWY7pJNM>
Subject: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

Hi all,

For a browser-based app, we try to follow the recommendations set in 
draft-ietf-oauth-browser-based-apps-01. This does allow us to create a secure 
OAuth 2.0 browser-based application, but at the moment it comes at a cost wrt. 
user experience when the access token expires. Our current solution forces us 
to redirect the user to the authorization server for a new authorization code. 
This will destroy most state the browser-based app has, causing the user to 
lose data. We are looking for a way to get a new access token in a secure way 
without disrupting the user.

As a refresh token is not issued to the app (as it should be), the application 
is forced to do a front-channel re-authentication for an authorization code. 
We are thinking of letting this front-channel communication happen in a hidden 
iframe. Naturally, this can only be done if no user interaction is required, 
hence we want to use the OIDC prompt=none. Is this a viable way of doing this 
re-authentication? Can it hurt to open up our authorization server for 
non-interactive authorization requests inside an iframe? At the moment we do 
not allow iframes at all.

Maybe anybody knows a different way of achieving this? As I cannot believe we 
are the only ones facing this issue, maybe a recommendation can be put in the 
spec?

Best regards,
Emond Papegaaij