[OAUTH-WG] best practices for implicit grant / token storage

Adam Lewis <adam.lewis@motorolasolutions.com> Thu, 08 September 2016 13:23 UTC

From: Adam Lewis <adam.lewis@motorolasolutions.com>
Date: Thu, 08 Sep 2016 08:02:21 -0500
Message-ID: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R-IlqNChcP17cVHrF3XJtgACEFY>
Subject: [OAUTH-WG] best practices for implicit grant / token storage

Hi,

The WG is currently putting together best practices for native apps.  I
would like to better understand the best practices around ua-based-apps,
especially as it relates to token storage.  I've read various blog posts
about the preference between storing tokens in cookies vs. Web Storage
(localStorage/sessionStorage).  The current set of specs is rather silent
on the matter, as it is more of an implementation issue (but that is where
most mistakes are made).

What is the WG's guidance on this?
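The implicit-grant redirect that the question above concerns, as an added example that is not code from this thread or from any WG document: it parses the fragment, checks `state`, scrubs the token out of the URL and keeps it in memory, leaving the cookie-vs-Web-Storage choice open (all function names are my own).

```javascript
// Added example, not code from the thread: handle an implicit-grant redirect
// in a browser app. Function names are my own; nothing here persists the token.
// Parse "#access_token=...&token_type=...&expires_in=...&state=..." into an object.
function parseImplicitFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) return { error: params.get('error') };
  const token = params.get('access_token');
  if (!token) return { error: 'missing_token' };
  return {
    accessToken: token,
    tokenType: (params.get('token_type') || 'bearer').toLowerCase(),
    expiresAt: Date.now() + 1000 * Number(params.get('expires_in') || 0),
    state: params.get('state'),
  };
}

// The state was generated before the redirect and kept client-side; a missing
// or mismatched value means this response was not one the app asked for.
function stateMatches(expected, received) {
  return typeof expected === 'string' && expected.length > 0 && expected === received;
}

// Drop the fragment so the token does not linger in history or bookmarks.
function scrubFragment(url) {
  const i = url.indexOf('#');
  return i === -1 ? url : url.slice(0, i);
}

// In-memory holder: unlike localStorage it is not shared across tabs or page
// loads, and it expires the token itself.
function createTokenHolder() {
  let current = null;
  return {
    set(t) { current = t; },
    get() { return current && current.expiresAt > Date.now() ? current : null; },
    clear() { current = null; },
  };
}

// Process the callback URL; `url` is what the app should history.replaceState() to.
function handleRedirect(callbackUrl, expectedState, holder) {
  const url = scrubFragment(callbackUrl);
  const i = callbackUrl.indexOf('#');
  const parsed = i === -1 ? { error: 'missing_token' } : parseImplicitFragment(callbackUrl.slice(i));
  if (parsed.error) return { ok: false, error: parsed.error, url };
  if (!stateMatches(expectedState, parsed.state)) return { ok: false, error: 'state_mismatch', url };
  holder.set(parsed);
  return { ok: true, url };
}
```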