Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
"Brock Allen" <brockallen@gmail.com> Sun, 09 December 2018 13:53 UTC
Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314AE1293FB for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 05:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeD_a6STSeHy for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 05:53:10 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19B61126F72 for <oauth@ietf.org>; Sun, 9 Dec 2018 05:53:10 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id 189so5075388qkj.8 for <oauth@ietf.org>; Sun, 09 Dec 2018 05:53:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:date:message-id:subject:from:to:cc:in-reply-to :references:user-agent; bh=axqDGjlezqfIPvUYSU4mbOWSVcje4xPLmMOemBdfocU=; b=E/shQV50ThvkY40dwmjK/sbMFiHn+cG/+CVyqzO9z+IqJoCvaZRioxk0T3eibvJAJX vFaHGQ/EWIPgLS7xpxOAfogrqMSv/L0MOZZypuAzOJLUKBbglNj0ZEAnk2g8m9PTBoZd 3faGwbMXj1SjzU74k7bzrlV2yRqQDNQNpANQxzmgEVqr47mmer2gfVKutYW6TY7xEnau EErhuXCvirDX165L662oEkp6/ArkFdgBY+pBYEbabZa7IyQ+KvL38P+qsfMHDJyJ/5p7 0o1OyFZj5bO3fbfC98fTB0J4DrNYSMq24Zzk2ntUhUlGGlY03JaaC0OLuECHBkJZF+ZA TBCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :in-reply-to:references:user-agent; bh=axqDGjlezqfIPvUYSU4mbOWSVcje4xPLmMOemBdfocU=; b=eIoaedriia72H1AYKEB6bvi3BIyzZ9e+WHyEixvWbYkIRV9SQhQUY0TxV/KiD6NNAI u1gEU549h6WSpJsZkvCNctCU/PO9LiSz95BT9fxchY8RcXQoIbEUq5rVJ0zl+mY9KC2E QJudZVAaNM5mJO5o1xNWSu6ecR5agE43Lnv9JnJ3+MEM8Porkd+YfytT605RuhT9xFWN xNKjFkgI/7BeyjPXMjMuFEDZ9u8ZYOlSQSXXG5yBwXnXd+dU8kJxMV0/ZNTE7fYYPE28 /sqmSzv54GqexX3R89yZ70rPqdul8Nrxe99G5JGt5/fkjtBjCkVFL6M1hflEkqNCLnMG Z5uw==
X-Gm-Message-State: AA+aEWYljfGK8ZWIOAQi51U58XsTLj/nhkWjPGjdH1XJXESEZs/3hFHm sdqdapVtVvNdhIYQPsaM9MoBD1Kb
X-Google-Smtp-Source: AFSGD/XnbdMawqrRpyNlXyRg+2/9YrPr3CWeIfR/X7QDFBkg8/vDNtG97WJ0myDm9fxSz7Bv0/8SBA==
X-Received: by 2002:a37:10d4:: with SMTP id 81mr7597915qkq.19.1544363589119; Sun, 09 Dec 2018 05:53:09 -0800 (PST)
Received: from [10.0.1.3] (pool-96-253-25-169.prvdri.fios.verizon.net. [96.253.25.169]) by smtp.gmail.com with ESMTPSA id b8sm6535415qka.79.2018.12.09.05.53.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 09 Dec 2018 05:53:08 -0800 (PST)
Content-Type: multipart/alternative; boundary="----=_NextPart_4475589.076596026533"
MIME-Version: 1.0
Date: Sun, 09 Dec 2018 08:53:06 -0500
Message-ID: <eeeed3ba-10d3-4b42-9da2-1460d13e4351@getmailbird.com>
From: Brock Allen <brockallen@gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth@ietf.org
In-Reply-To: <F9914ABE-3C3F-4BCE-B623-AECF18E737F9@alkaline-solutions.com>
References: <6d88c55a-a300-47ff-af77-8fdb7dcfbc25@getmailbird.com> <CAGBSGjrj95i97mVDJq7jDA0DsLH-NasiH+E0nqc+6XjL-mnt4Q@mail.gmail.com> <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com> <CAGBSGjqQPRUe+AhzoRcTGf5MTOATd-875JG90RcRQ+2Hoy2wyg@mail.gmail.com> <d34d9d15-6b50-4b1e-8483-80f0ab709a98@getmailbird.com> <F9914ABE-3C3F-4BCE-B623-AECF18E737F9@alkaline-solutions.com>
User-Agent: Mailbird/2.5.24.0
X-Mailbird-ID: eeeed3ba-10d3-4b42-9da2-1460d13e4351@getmailbird.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TGyxJXCVLhI47KsI-oteMqdHAUw>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 13:53:12 -0000
Yes, I meant response_mode. Thanks. And those are good points about the referrer policy. Thanks for that insight as well. In the context of this thread/topic, I'm assuming browser-based JS clients, and a common deployment is from a CDN, so I suspect the <meta> tag approach for a referrer policy is sufficient (especially since many SPAs are designed for CDN deployment)? -Brock On 12/9/2018 3:00:23 AM, David Waite <david@alkaline-solutions.com> wrote: I assume the original post meant response_mode, not response_type. Fragments have their own data leakage problems, in particular they are preserved on 3xx redirects (per https://tools.ietf.org/html/rfc7231#section-7.1.2 [https://tools.ietf.org/html/rfc7231#section-7.1.2]). The form_post mode is the safest, but unfortunately was not defined in the original specifications so it doesn’t have as widespread support. In the absence of a response_mode RFC, I would typically suggest both killing the code in the referrer as part of processing, and a server-wide Referrer Policy of never or origin (as those have reasonably broad support) as server-wide response headers are easier to operationally audit. -DW On Dec 8, 2018, at 3:53 PM, Brock Allen <brockallen@gmail.com [mailto:brockallen@gmail.com]> wrote: Not pure OAuth. This only came up as a question while I was implementing code flow/pkce for oidc-client-js. I can appreciate not expanding the current OAuth2 behavior in the BCP, so that's fair. I only wanted to mention it in case it had not been considered. Having said that, I think I will implement an optional response_type in my code flow/pkce to allow fragment, but default to query (as that's the default for pure code flow). -Brock
- [OAUTH-WG] draft-parecki-oauth-browser-based-apps… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Filip Skokan
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Jim Manico
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brian Campbell