[OAUTH-WG] New OAuth for Browser-Based Apps draft -02

Aaron Parecki <aaron@parecki.com> Mon, 08 July 2019 23:03 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 08 Jul 2019 16:03:10 -0700
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mdj679H76qmRRQB7DTGV33W2mAA>
Subject: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02

Hi all,

I've just uploaded a new version of oauth-browser-based-apps in preparation
for the meeting in Montreal.

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02

This draft incorporates much of the feedback I've received over the last
couple months, as well as what we discussed at the last meeting in Prague.

The primary change is a significant rewrite and addition of Section 6 to
highlight the two common deployment patterns, a SPA with and without a
dynamic backend.

Please have a look and let me know what you think. I have a slot in the
agenda for Montreal to present on this as well.

Thanks!

----
Aaron Parecki
aaronparecki.com