Re: [OAUTH-WG] Call for adoption - TMI BFF
Dick Hardt <dick.hardt@gmail.com> Tue, 04 May 2021 15:33 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 697913A0BC5 for <oauth@ietfa.amsl.com>; Tue, 4 May 2021 08:33:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZPCe6AQC9-n for <oauth@ietfa.amsl.com>; Tue, 4 May 2021 08:33:01 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 159A13A0BBA for <oauth@ietf.org>; Tue, 4 May 2021 08:33:00 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id j10so13871797lfb.12 for <oauth@ietf.org>; Tue, 04 May 2021 08:33:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bXjGw8dwl1Ig/fBA0VyJ1iuqS8srq9iaF/PBtryMtAU=; b=qg1igLPazX3MChFmQf/DemySOxCRId7axRcruyFu/Iu18sM1tg3iH/df9SQc3Tl8Zs b/dQ3UZaj74lFSbVKcw4uwOw2dEAyvTrdLDUHkBYQyYV4w0Mhv83CF0pMGxL2EVSzcDr rs/+g8nszi/VckZv9kfdGoVO7XL7a7RkGjwPxSgVG19aSY2uwlxpNGQPLmXClfHxbK1/ JFTvC9LoH76tONBHmYW4GMKrsI9F54Ot3j3dHaxRtqKK/620gUSL6NBs3rwZ7Ls+2cSk AnPXZP4QqfCJzFjnJKpf/SlywTrtHz+CMj1FZ6PCw/aXjSSXPkO06gw6aY2aZtGftBZ+ jowQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bXjGw8dwl1Ig/fBA0VyJ1iuqS8srq9iaF/PBtryMtAU=; b=efNkKSZU3ROQfj2JAjQxh9p8eYS7JLRgiA7bPJsJIBKTiR8hvcLCJR9j5dJbCYhlgb fsbEQ5hW6AUMVUcW4lEx5ViuIBJ+hS4OH4oSMZP6vGoMnOFVQL9L3hAEiccuF3p1U/20 MsISA4xCnm7Nm26X98wgB6OF8D5DFfqWCsKOVs1cR8wEmGpZXdbKRg7sC3/VuRyEw3kt udkOddPs5CzYSxLB6plXWx/EH+RHPxX7OOqO5yQ+2fUAwmQSzgqodwBo4bvGqzi1/Frl KK/IfkIfh7bYcBvRPvoo+1rJ5lhYjsQZjTtkNjrk/YAyORJVvGtDzSsmtjeEf5ccwnin hqBw==
X-Gm-Message-State: AOAM532iYI5mlGa6DDiaw6iBSdC2wBNWzBCkKV6v71GeborrO2Kx7d9A 6B9kmIHOhRq7AVQCjTUdR2SCoyCPW51z4YjoxPo=
X-Google-Smtp-Source: ABdhPJxPZFWvDRh9i6vRDYQPTKeebaA1oNdF4jhbd7ftJ+yY2kAPoCGpw+wtuSaVsOpsJFyAkH0lvar4wDzXUA80SFA=
X-Received: by 2002:a05:6512:38c2:: with SMTP id p2mr17492408lft.259.1620142378484; Tue, 04 May 2021 08:32:58 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9wV6=T-AU+j_hrXT7zH9c8OdKone_0Arq+yPu+aAupNQ@mail.gmail.com> <CAD9ie-uhLf_d0=GpftqoRAZ7_=wEBLBHyUjkR1bomz6xcM_dzQ@mail.gmail.com> <CAGBSGjo=fko9Tc+fbcA3P74xH9bZbg6t6x__-KR7XSfh6A5Evg@mail.gmail.com> <CAPLh0AME6QbiEOj5uJdyVaNxGaVYLhm7gtgCZj36zVmxO=+DJQ@mail.gmail.com>
In-Reply-To: <CAPLh0AME6QbiEOj5uJdyVaNxGaVYLhm7gtgCZj36zVmxO=+DJQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 04 May 2021 08:32:20 -0700
Message-ID: <CAD9ie-uA7XAeaCE8Fyv5rAMx6B=qkFsVnye_WC_pcgXdfguc2g@mail.gmail.com>
To: Seán Kelleher <sean@trustap.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f486aa05c182caa4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q7epiFNnrMWQHoG682ke4MixJng>
Subject: Re: [OAUTH-WG] Call for adoption - TMI BFF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2021 15:33:06 -0000
I have made up my own implementations that follow the pattern in the document. It keeps the security in the server, and allows the app to call the API directly rather than through a backend proxy, which impacts latency and CX. ᐧ On Tue, May 4, 2021 at 8:27 AM Seán Kelleher <sean@trustap.com> wrote: > Hi all, > > I'd like to hear others' take on Brock Allen's prior comment on the > document: > > 5) For me personally in all the consulting I've done helping customers use >> OIDC/OAuth over the past 7 years (since OIDC was released) I've never seen >> anyone trying to do it this way. I do believe that some people try this >> style, but I wonder if it's just because they don't know any better (so >> lacking guidance) or is it really because they're actively trying to >> mitigate the reverse proxy hop performance issue? If it's the former, then >> I don't agree that it makes sense to formalize a less secure approach when >> they simply need better guidance (which arguably is the "full BFF" >> approach), and thus the motivation for the document is slightly weakened >> (IMO). > > > I don't have as much exposure to the way lots of different groups are > implementing OAuth2/OIDC but I agree that this approach is novel for me, > and I'd be interested to hear others' thoughts on that aspect before the > document is adopted. > > Apologies if this is the wrong place to voice such a concern. I would > still be very much interested in a discourse about the relative security > and positives/negatives of this approach regardless of the outcome. > > Kind regards, > > Seán. > > On Tue, 4 May 2021 at 16:03, Aaron Parecki <aaron@parecki.com> wrote: > >> I support adoption. I'm also fine with the BFF acronym since it's common >> in the software development world already. If anything, the TMI acronym is >> the least strong of the two as it's missing a letter from the full name of >> the draft. >> >> Aaron >> >> >> >> >> On Tue, May 4, 2021 at 7:40 AM Dick Hardt <dick.hardt@gmail.com> wrote: >> >>> I'm supportive -- but am concerned with the BFF acronym. >>> ᐧ >>> >>> On Mon, May 3, 2021 at 3:00 PM Rifaat Shekh-Yusef < >>> rifaat.s.ietf@gmail.com> wrote: >>> >>>> All, >>>> >>>> This is a call for adoption for the *Token Mediating and Session >>>> Information Backend for Frontend* as a WG document: >>>> https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/ >>>> >>>> Please, provide your feedback on the mailing list by *May 17th*. >>>> >>>> Regards, >>>> Rifaat & Hannes >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> -- >> --- >> Aaron Parecki >> https://aaronparecki.com >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Call for adoption - TMI BFF Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - TMI BFF Dick Hardt
- Re: [OAUTH-WG] Call for adoption - TMI BFF Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - TMI BFF Dick Hardt
- Re: [OAUTH-WG] Call for adoption - TMI BFF Seán Kelleher
- Re: [OAUTH-WG] Call for adoption - TMI BFF Dick Hardt
- Re: [OAUTH-WG] Call for adoption - TMI BFF Jim Manico
- Re: [OAUTH-WG] Call for adoption - TMI BFF Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - TMI BFF Hans Zandbelt
- Re: [OAUTH-WG] Call for adoption - TMI BFF Brian Campbell
- Re: [OAUTH-WG] Call for adoption - TMI BFF Brian Campbell
- Re: [OAUTH-WG] Call for adoption - TMI BFF Rifaat Shekh-Yusef