Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Dominick Baier <dbaier@leastprivilege.com> Sun, 14 February 2021 12:06 UTC
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE41C3A0045 for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 04:06:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1dDujv5Ta-Ec for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 04:06:06 -0800 (PST)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 654F83A003E for <oauth@ietf.org>; Sun, 14 Feb 2021 04:06:06 -0800 (PST)
Received: by mail-il1-x12d.google.com with SMTP id a16so3290173ilq.5 for <oauth@ietf.org>; Sun, 14 Feb 2021 04:06:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leastprivilege-com.20150623.gappssmtp.com; s=20150623; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=MuwX2FjMl1lt9bg6AgFNVtRQlou/P32QDssA1BdP8nw=; b=xWB87uJ4ncZMItq9lF018IzZ8cZZd4IpwrJE0GlpdnTIxOYrRo1hTxfBvqCVRPIqzM dyBk1RHzRFsYP0ujSPBVRQ7LzKPhGg/4Q7e0iI4DtuM1TaygVZqJyjUUaSG84T+MbLmM cOmrPxw7jDKMuYUmrTjaRw9wUk1d7pOWviGRC8+m2VBIXlLH9TbpoISPcaRVWJkfjtnW N7mHsvWvoTm8rZ5E8FGESvNU/+Uaj6aqEFOAI8Y66fcuvcPIGWr6+LJ5Yt20ffqBqeJw tmfUuVW1syQjOPrloDJQouY2rrmDxNtByTPhwN9/aO8wkx82lAodMpZfCSerCnIK3Nh6 Ordw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=MuwX2FjMl1lt9bg6AgFNVtRQlou/P32QDssA1BdP8nw=; b=MES5P85PG5yJmF8T0wxNX+FhgX4YexnXHjTOr8M/wF7VLPGWlCiZAq4ff8ttCEiFIu PawHhYu5qotY6X8vS1UEZP8Kr+TgXmJ6o2t537jCsTaV25OOycYqHp+Kc8n5NxkNt8Zi egXkIAwMHBP9bvQGdPYWWkjYuASGVOjHwYsGaQkO9XOzr1Josmc1sIba+zlJRea4HCAd iXTRNRWe0KswT+fdisgus09l1+HX6nkipVXbppS7DI3aCvLJ2BlOtcZznNQfKeBuItnv a9OlWLGy3r8g8bI7bG9jQ6R7osx/fHT2xtUK5sGiQKl0KWmCJxnB/TT2Q1sPMHUbFVPj NSEA==
X-Gm-Message-State: AOAM530YajZCPmu40czLNfsWUGTatB86eYjbfiaw9qdnV4/lsVE9L0lz 0Gu9f8by3kDjvPQ9HS7du5rqk9MkSUwTgcUrcSeS
X-Google-Smtp-Source: ABdhPJwBC1w+UwIAN9pEHz6jDvmCYOVURlKLTVhd510+uAYhTNxNt8kzzykAUAS7Y+HR7b+zOdoghrnNC7wx/nojiQg=
X-Received: by 2002:a05:6e02:152c:: with SMTP id i12mr8729607ilu.46.1613304365295; Sun, 14 Feb 2021 04:06:05 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Sun, 14 Feb 2021 12:06:04 +0000
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com>
References: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com>
MIME-Version: 1.0
Date: Sun, 14 Feb 2021 12:06:04 +0000
Message-ID: <CAO7Ng+vWgx1yFBqeTEy8pkUsqFjyyBuESzteobhfqYAVqbVWWA@mail.gmail.com>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009bc6e905bb4ab12c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Pg690U2Th68q5ThZSYc4-ocPA7I>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 12:06:10 -0000
Hi, Just making sure I understand - in your protocol flow diagram step D it looks like that the BFF is returning the access token to the front-end. Is that correct? My biggest concern with browser-based applications is that the JavaScript / browser has access to the access token (don’t care if it is in-memory or local storage) - but this exactly seems to happen in D. Thanks ——— Dominick Baier On 12. February 2021 at 21:46:20, Vittorio Bertocci ( vittorio.bertocci=40auth0.com@dmarc.ietf.org) wrote: Dear all, Brian and yours truly are proposing a new specification that shows how the user agent frontend of a web app can delegate token acquisition and persistence to its backend, and request such tokens when needed for direct access of protected resources from the frontend code. The pattern is already in use, in proprietary form, by various modern development stacks, such as Next.JS. Variants of the pattern, often discussed under the catch-all term BFF (backend for frontend), have been often mentioned in this workgroup’s activity, but always left all implementation details to the reader. We believe the pattern has merit, as corroborated by its growing adoption. By delegating access token acquisition to the backend, we avoid many of the often brittle moving parts (and implied attack surface) required to acquire access tokens from a user agent. The topology also relieves the frontend from the need of persisting tokens in local storage, a well known sore point of using OAuth directly in JavaScript, by relying on its backend storage and session to preserve tokens. Although the specification is very simple, providing explicit guidance on the scenario offers many advantages. - It makes it possible to create interoperable SDKs, where frontend dev stacks (any JS flavor) can be mixed and matched with compliant backend stacks (middlewares in node, java, ASP.NET, PHP etc) - It allows us to provide guidance on how to properly tackle the scenario and warn implementers against security risks (scope escalations, using IDtokens instead of access tokens, etc) - It allows us to discuss (and when appropriate, promote) this pattern as part of the browser apps security guidance, and position the scenario where frontend only calls API on its own backed (hence doesn’t need access tokens) simply as a special case of this more general pattern - This approach makes mocking and testing apps very easy, possibly preventing developers from weakening the security of their system (eg turning on ROPG options) or turning to risky practices like scraping Needless to say, this specification doesn’t entirely eliminate the risks inherent to direct use of access tokens from a browser. But reality is that the pattern is in widespread use, and the circumstances leading to that (eg developers on a particular project only work with frontend stacks; components like reverse proxies might not always be viable; etc) aren’t going away any time soon. By providing simple guidance on this pattern, we can simplify the life of many developers while enshrining basic security hygiene in scenarios that would have otherwise be left to their own device. Looking forward for your feedback! B&V On 2/12/21, 12:41, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote: A new version of I-D, draft-bertocci-oauth2-tmi-bff-00.txt has been successfully submitted by Vittorio Bertocci and posted to the IETF repository. Name: draft-bertocci-oauth2-tmi-bff Revision: 00 Title: Token Mediating and session Information Backend For Frontend Document date: 2021-02-12 Group: Individual Submission Pages: 16 URL: https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.txt Status: https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/ Html: https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.html Htmlized: https://tools.ietf.org/html/draft-bertocci-oauth2-tmi-bff-00 Abstract: This document describes how a JavaScript frontend can delegate access token acquisition to a backend component. In so doing, the frontend can access resource servers directly without taking on the burden of communicating with the authorization server, persisting tokens, and performing operations that are fraught with security challenges when executed in a user agent, but are safe and well proven when executed by a confidential client running on a backend. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Token Mediating and session Informatio… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Hans Zandbelt
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… George Fletcher
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- [OAUTH-WG] Security of OAuth on Andriod [Was: Re:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Om
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… SOMMER, DOMINIK
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Warren Parad
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Aaron Parecki
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden