Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

George Fletcher <gffletch@aol.com> Tue, 23 February 2021 15:21 UTC

To: Neil Madden <neil.madden@forgerock.com>, Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
Cc: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
References: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com> <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <8b0b9840-1a80-d06f-316b-8a5273ad2124@aol.com>
Date: Tue, 23 Feb 2021 10:20:39 -0500
In-Reply-To: <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PLEpbjLmFp3kuj7CJl5rfRrqtVc>

Unfortunately, in the mobile app world this isn't sufficient. On iOS using Universal Links will bind the https redirect_url to your app in a secure way, but it doesn't work the same way on Android with App Links. There is still a problem with "mobile app impersonation". If you have an app that you want to ensure is "your" app, then the most secure way is to look at "app attestation". This is, however, way off topic for this thread :)

On 2/14/21 9:28 AM, Neil Madden wrote:
> Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This is why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
>
> There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.
>
> — Neil
>
>> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
>>
>> 
>> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
>> with the objective to verify if they are valid.
>>
>> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
>> If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.
>>
>> Or is it considered a bad practice to do that?
>>
>> Regards,
>> Stoycho.
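The "exact URI matching" Neil refers to, as an added example written for this page (not code from the thread or from any authorization server it discusses): the authorization server compares the presented redirect_uri against the client's registered list by plain string equality and rejects anything else before issuing a redirect. The client registration, the URIs and the `validate_request` helper are constructed for illustration; the prefix-matching variant is included only to show which unregistered URIs a lax policy would let through.

```python
"""redirect_uri validation at an authorization server (added example).

Exact string matching against the registered URIs is what the security BCP
recommends for public clients; a prefix policy is shown beside it to make
the difference visible on concrete inputs.
"""
from urllib.parse import urlsplit

# Constructed client registration: an SPA with two registered callbacks.
REGISTERED = {
    "spa-client": [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/silent-renew",
    ],
}


def exact_match(client_id: str, presented: str) -> bool:
    """Accept only a byte-for-byte match with a registered URI (no normalisation)."""
    return presented in REGISTERED.get(client_id, [])


def prefix_match(client_id: str, presented: str) -> bool:
    """Lax policy: accept anything that merely starts with a registered URI.

    Kept here only for comparison; it accepts query strings and extra path
    segments the client never registered.
    """
    return any(presented.startswith(r) for r in REGISTERED.get(client_id, []))


def validate_request(client_id: str, presented: str) -> str:
    """Return 'ok' or a rejection reason; nothing is redirected on rejection."""
    parts = urlsplit(presented)
    if parts.scheme != "https":
        return "rejected: redirect_uri must use https for a web public client"
    if parts.fragment:
        return "rejected: redirect_uri must not contain a fragment (RFC 6749 3.1.2)"
    if not exact_match(client_id, presented):
        return "rejected: redirect_uri is not registered for this client"
    return "ok"


if __name__ == "__main__":
    # Constructed candidates: only the first is the registered URI verbatim.
    for uri in [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback?next=elsewhere",
        "https://app.example.com/oauth/callback/../../admin",
        "http://app.example.com/oauth/callback",
    ]:
        print(f"{uri}\n  exact={exact_match('spa-client', uri)} "
              f"prefix={prefix_match('spa-client', uri)} -> {validate_request('spa-client', uri)}")
```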