Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

"Brock Allen" <brockallen@gmail.com> Fri, 16 November 2018 15:11 UTC

Date: Fri, 16 Nov 2018 10:11:17 -0500
Message-ID: <155c95ac-ac34-48fb-ad0e-7d8102c11530@getmailbird.com>
From: Brock Allen <brockallen@gmail.com>
To: Daniel Fett <danielf+oauth@yes.com>, oauth@ietf.org
In-Reply-To: <ef8353a0-3fb1-3428-d7dc-26a6b96ae22b@yes.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <ef8353a0-3fb1-3428-d7dc-26a6b96ae22b@yes.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RoCWDH2sHhctDh_9ntI2vhULfRA>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

> Could you please expand on what you are achieving with replacing the URL using the history API? Removing the token from the browser's history, or any protection beyond that?

Just this block of code which would be run on the redirect_uri page loaded in the client (after id_token/token validation is complete):

https://github.com/IdentityServer/IdentityServer4.Samples/blob/release/Clients/src/JsOidc/wwwroot/callback.js#L4-L6

-Brock
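As an added illustration of the step discussed above (this is example code written for this page, not the callback.js from IdentityServer4.Samples that the mail links to): a redirect_uri page reads the implicit-flow response out of the URL fragment, and once the caller has validated the tokens it uses `history.replaceState` to rewrite the current history entry without the fragment, so the id_token/access_token no longer sit in the address bar or the browser's history. The `makeFakeWindow` stand-in is constructed so the functions can run outside a browser.

```javascript
// Parse "#access_token=...&id_token=...&state=..." into a plain object.
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const out = {};
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Replace the current history entry with the same path and query but no
// fragment. replaceState rewrites the entry in place, so the back button and
// browser history sync never see the URL that carried the tokens.
// Returns the clean URL, or null when there was no fragment to scrub.
// `win` is a window-like object: { location, history, document }.
function scrubUrl(win) {
  const { location, history, document } = win;
  if (!location.hash) return null;
  const cleanUrl = location.pathname + (location.search || '');
  history.replaceState(null, document.title, cleanUrl);
  return cleanUrl;
}

// Constructed window stand-in (assumption: a browser would supply the real one).
function makeFakeWindow(hash, search = '') {
  return {
    location: { pathname: '/callback.html', search, hash },
    history: {
      entries: [],
      replaceState(state, title, url) { this.entries.push({ state, title, url }); },
    },
    document: { title: 'Callback' },
  };
}

// Usage in the order the mail describes: read, validate, then scrub.
const demoWin = makeFakeWindow('#id_token=ID_TOKEN_EXAMPLE&access_token=AT_EXAMPLE&state=xyz');
const demoResponse = parseFragment(demoWin.location.hash);
// ... validate demoResponse.id_token / access_token / state here ...
console.log('scrubbed to', scrubUrl(demoWin), 'state was', demoResponse.state);
```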