IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Hans Zandbelt <hans.zandbelt@zmartzone.eu> Wed, 17 February 2021 17:59 UTC

Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B0E3A1C18 for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 09:59:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone-eu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGAV1o3zaNN4 for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 09:59:02 -0800 (PST)
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 578A33A1C15 for <oauth@ietf.org>; Wed, 17 Feb 2021 09:59:01 -0800 (PST)
Received: by mail-vs1-xe2b.google.com with SMTP id 68so7006799vsk.11 for <oauth@ietf.org>; Wed, 17 Feb 2021 09:59:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone-eu.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=vLkSZ9rmio4EuCYNf+Ya/NVskuEMBMiN84esShUi+UE=; b=X5NvxTk8v05p1ko6TpG3Ud30k1lSw4xNkOyRZi+KLZZqKbd4m2Ar744PMNbc583irI y1qzyMx0yrNQpJurM8HOwMB4QpMTl78qmDK5dxsdNi2/Q8LoB00K2JRhJgVW/x7LDadY 7XFkvn/VPZKHeu3uh2kw8viZqXAgQObOERh6Q7berjpb9tjrCuuLiAAcn/DGEZtysCn7 GNCVSO6tZ91EnTGNOZl8NTQ9saSirFozeKjGVQrGYDXomx9Jjkgv0KORQN9PiJHCwy4L mZPKJVNOvI5yxrNOa98QNgmkHF/yyettW8n6fXZJ3MbAjMJqKiECwA1oHXNg4D9t5zd3 TjQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vLkSZ9rmio4EuCYNf+Ya/NVskuEMBMiN84esShUi+UE=; b=STOG2MEFqqyVfR7ouLzx8noqsP8fzI3p2ExZUH1cY15upn7gTCG5/tcuXRqNflcq6x sEUgL8+4++Q3ZV+QHSws3trsTrj47h9h2DkV0kJbIRz8zvz1flYgJVmGmAWNBMGEfKJx 9Emjs+t0vNOOX+ljQRfC8UzfeTirK2IGRTGeYyjtfufrIfakkvxqp9zmjeIRFzL6TEjL +bzCL5rJoWf3ouE3WfexTwOkPhIVPIWxYXkkI5GGJK9ClA7KMINwQmfbc1f7ZpAS2VQR do2IFARmb6H6A8IMXutBFVhJ07mW7ulbmI2bJQQvyXXrSj0nTJE213OCxaWbm0gd3IbO rRUw==
X-Gm-Message-State: AOAM5302YMk3U33vqIEpCxB8SgVVdXvQh4LFMh0zw82oD+wDaWli4MJb ML+51dKvAfGgz5ttxTmzfmZBYHwKaA+4qZQI6BL7DyqVGbSqkdLE
X-Google-Smtp-Source: ABdhPJzDwOm7MrocjhUQS/1aJwKFPtK0gFSKg7576PXSYOrKtbj0IKv9/iuYsYI3nGVQrDMyBgATZzAkr20QiPWX3Wg=
X-Received: by 2002:a67:2f90:: with SMTP id v138mr359512vsv.2.1613584740784; Wed, 17 Feb 2021 09:59:00 -0800 (PST)
MIME-Version: 1.0
References: <CO6PR18MB4052C85E4B5D5EE5E1DD357AAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <5BE7C60F-84AB-431A-838F-D33459E551C6@lodderstedt.net> <CO6PR18MB4052CE7A7AFF1FAD39EDB90FAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <16CA5346-48EF-4B29-8397-EE6312366C63@lodderstedt.net> <CA+k3eCRzPuQPEMm6EB-xd58DeAB2MSBt_ywRxPOHhsECpg+zYA@mail.gmail.com>
In-Reply-To: <CA+k3eCRzPuQPEMm6EB-xd58DeAB2MSBt_ywRxPOHhsECpg+zYA@mail.gmail.com>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 17 Feb 2021 18:58:49 +0100
Message-ID: <CA+iA6uhz=A6UPe8Xo_kmke_7p7p+DXTam0=Jd4SbsxPNQ3swQw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004a8eca05bb8bf91e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TrpwC2lHAxAUmEHdTCuvvi35-4Y>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 17:59:05 -0000

Thanks Vittorio and Brian for starting this work: I have deployed this
pattern in the field on a number occasions, at security and tech savvy
organizations, on their request.
I'd describe it as a regular OAuth 2.0 web client with the addition of a
well known endpoint meant for in-browser (counterpart) clients.

Enterprise security architects seem to prefer this approach because of the
confidential client involved and the ability to outsource a perceived
cumbersome and security sensitive task to a backend
infrastructure component under direct control of the organization rather
than the end user. Even if there's no proven security advantage by letter
of the OAuth 2 spec, it may still be a preferred way of deployment for some
organizations because of the way they want to structure security sensitive
software, the way they deal with software development, and the way they
deal with application and infrastructure management.

I very much agree with all of the arguments Vittorio brought up before and
I really don't see any reason to reject this approach. It is very useful to
list the considerations about this architectural pattern and to give
guidance about when it can be used and when to avoid it, regardless of the
complexity or length of such a spec.

Hans.

On Tue, Feb 16, 2021 at 10:02 PM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

>
>
>
> On Mon, Feb 15, 2021 at 9:48 AM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Thank you again for the explanation.
>>
>> I think your assumption about the overall flow should be described in the
>> draft.
>>
>
> We did attempt to capture the assumptions in the draft but clearly could
> have done a better job with it :)
>
>
>>
>> As I understand it now the core contribution of your proposal is to move
>> refresh token management from frontend to backend. Is that correct?
>>
>
>  Taking that a bit further - the idea is that the backend takes on the
> responsibilities of being a confidential client (client creds, token
> acquisition, token management/persistence, etc.) to the external AS(s). And
> TMI BFF describes a way for that backend to deliver access tokens to its
> own frontend.
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

v2.23.0 | Report a Bug | By Email