IETF Logo Mail Archive

Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02

Aaron Parecki <aaron@parecki.com> Wed, 10 July 2019 23:28 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B02120073 for <oauth@ietfa.amsl.com>; Wed, 10 Jul 2019 16:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.603
X-Spam-Level:
X-Spam-Status: No, score=-0.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_A1lQ64gBb3 for <oauth@ietfa.amsl.com>; Wed, 10 Jul 2019 16:28:04 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE360120019 for <oauth@ietf.org>; Wed, 10 Jul 2019 16:28:04 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id g20so8451656ioc.12 for <oauth@ietf.org>; Wed, 10 Jul 2019 16:28:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=82Qk40EBTgE4uJGTMzou1iCz5rhFPjSbkHWzF1aP0rc=; b=b6SMGA4+nFGbUgk7nCykmH8jR03npessRqyx9luzsNHTCe5J9c71WpVZ7HHujVAtoY p9u9a7D7CKefW6E0YQRMgytFVjrdekMe2SGALRlhJRAevzV4XsaSKIXAWfuNirey738u V+SxRYUaG6Lkkp4MuJOUhCYrkWBggPaAajUUkSuRW12dYjQAD9z3Vlco1VNbyv0CZNNr 7GQ5jGCzn7exyJd3aP+D9Ki/yqafGdH1BHx+XAfPmbXfgavQmTMGF3NuLsKNrU+LHWds /lciN7OdnHEUtV1C0XgFSuw8JBRvKTci/VZgZZ567Yt3tuwKRMHEpaWn9RCP32NJcrw8 Dtgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=82Qk40EBTgE4uJGTMzou1iCz5rhFPjSbkHWzF1aP0rc=; b=Ec/DDbstOSSVWXNnsfmo10XMkwZfV8MtieM7uqxht7CxqbTb/BwuJEft1lzYAVKABC aqA3yDzevbpV7nqCE14iQ4G207df+ORVLEskHkpjUJRT0fsHKO4c5XpW1sR9MIpZwazq pgT8Aoi1xnkQ0s58jlaQK7S85cL8c6/PDkWo9yQfG8p8u5AS1AJH4XROU85I5N375cll VqA3VUzUp9n2m624/cwGRcsG1OgErT/mw5OzFyS3vBVCLoBeP3n7XXhZnujzHmrC/Dnq hbtxDhONBWdmTSzNhhgakmr9RHElYI+QEIt2r0vfzu4S/Tn3jNY9n2qbl8Vq9tkdNoOE VR8Q==
X-Gm-Message-State: APjAAAXjN2/UkMG+WUabGj96zE50P9kDOGu/yydFUWipRqZ2L7A7dfoP LxT3/kNYMT+R28NBBa8d61pFCsWI
X-Google-Smtp-Source: APXvYqwlQOvTx7E1FfPzE0XszVVestk6If1u3rgmisYjIcs7CF7rT2HpZuapoMa49VaCMLdTZrrvCw==
X-Received: by 2002:a5d:9bc6:: with SMTP id d6mr735661ion.160.1562801283741; Wed, 10 Jul 2019 16:28:03 -0700 (PDT)
Received: from mail-io1-f54.google.com (mail-io1-f54.google.com. [209.85.166.54]) by smtp.gmail.com with ESMTPSA id c81sm4679191iof.28.2019.07.10.16.28.03 for <oauth@ietf.org> (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 10 Jul 2019 16:28:03 -0700 (PDT)
Received: by mail-io1-f54.google.com with SMTP id j6so8511576ioa.5 for <oauth@ietf.org>; Wed, 10 Jul 2019 16:28:03 -0700 (PDT)
X-Received: by 2002:a6b:6e01:: with SMTP id d1mr768920ioh.156.1562801282920; Wed, 10 Jul 2019 16:28:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjqVV3jJaXEX28N_fKbLSp3ijzb34N9NrZwZ+ZNXwXGKAg@mail.gmail.com> <CABw+FcsF8wZDVHJDSLbz+RxnF19AZAwUWomUTL3Yx7e3NaTBcA@mail.gmail.com> <CABw+FctK64Nb7DknXSgO=U8bWf-3Tzn6yziVnBbS+rjWeeNaWw@mail.gmail.com> <CAM7dPt18y59T1=iP-0ye45mPBWcpaPe1zV2k+yRZee20PGsj=Q@mail.gmail.com>
In-Reply-To: <CAM7dPt18y59T1=iP-0ye45mPBWcpaPe1zV2k+yRZee20PGsj=Q@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 10 Jul 2019 16:27:47 -0700
X-Gmail-Original-Message-ID: <CAGBSGjq1wbFh6NCKMPB7a6Mbj7s4AfDCgSU=9Fq-pJqaOzC7Vw@mail.gmail.com>
Message-ID: <CAGBSGjq1wbFh6NCKMPB7a6Mbj7s4AfDCgSU=9Fq-pJqaOzC7Vw@mail.gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000052bca7058d5c07b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UAoKL0KU1tIg530cncqv2dvf-W4>
Subject: Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 23:28:07 -0000

>
> Isn't this recommendation neglecting some benefits  or use cases of
> Oauth?


This recommendation doesn't say you can't still centralize your account
management in a dedicated component. If that component shares a domain with
the application, you don't need OAuth to hop back and forth, you can just
have the centralized account system set a cookie on the same domain. That
said, I also agree that it reads better as "it may be a better decision"
anyway.

Also in section-9.6, it is a bit hard to understand what is meant by the
> below statement.
> If POSTs in particular from unsupported single-page applications are to be
> rejected as errors per authorization server security policy...


I agree, it's confusingly worded and I'm not sure it actually adds anything
to the section, so I'm removing it.

Suggestion:
> Public browser-based apps needing user authorization *should *create an
> authorization request...


I see the intent here, but I don't want to confuse this with normative
wording like "SHOULD". I've rephrased this paragraph to better lead into
the next two sections instead.

Leo and Janak, thanks for the other typo fixes too.

These edits are currently in my source file on GitHub,
https://github.com/aaronpk/oauth-browser-based-apps as I believe it's no
longer possible to publish an updated version to ietf until after the
meeting.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>




On Tue, Jul 9, 2019 at 1:08 PM Janak Amarasena <janakama360@gmail.com>
wrote:

> Hi,
>
> A few rewording suggestions;
>
> *section-6.2*
> Original:
> The Application Server SHOULD use the OAuth 2.0 authorization code grant
> to initiate a request *request *for an access token...
>
> Suggestion:
> The Application Server SHOULD use the OAuth 2.0 authorization code grant
> to initiate a request for an access token.
>
> *section-7*
> Original:
> Public browser-based apps needing user authorization create an
> authorization request URI with the authorization code grant type per
> Section 4.1 of OAuth 2.0 [RFC6749], using a redirect URI capable of being
> received by the app.
>
> Suggestion:
> Public browser-based apps needing user authorization *should *create an
> authorization request URI with the authorization code grant type *as *per
> Section 4.1 of OAuth 2.0 [RFC6749], using a redirect URI capable of being
> received by the app.
>
> *section-8*
> Original:
> ... can potentially continue using the stoken refresh token to obtain new
> access without being detectable by the authorization server.
>
> Suggestion:
> can potentially continue using the *stolen *refresh token to obtain new
> access *tokens *without being detectable by the authorization server.
>
> Also in *section-9.6,* it is a bit hard to understand what is meant by
> the below statement.
> *If POSTs in particular from unsupported single-page applications* are to
> be rejected as errors per authorization server security policy...
>
>
> Best Regards,
> Janak Amarasena
>
> On Tue, Jul 9, 2019 at 6:43 AM Leo Tohill <leotohill@gmail.com> wrote:
>
>> I see now that my arguments for softening the 6.1 language are backed and
>> expanded on by the last paragraph of section 5, starting with " By
>> redirecting to the authorization server,..."
>>
>>
>> On Mon, Jul 8, 2019 at 8:44 PM Leo Tohill <leotohill@gmail.com> wrote:
>>
>>>  regarding 6.1. Apps Served from a Common Domain as the Resource Server
>>>
>>> Isn't this recommendation neglecting some benefits  or use cases of
>>> Oauth?
>>>
>>> * An application that doesn't collect user credentials is an app that
>>> doesn't need to be audited for problems such as password leakage into log
>>> files.
>>> * Applications that offload authentication to a identity server can
>>> delegate to that server the complexities of MFA, password recovery,and the
>>> like.  Of course these CAN be done in the app, but isn't it sometimes
>>> better to centralize those features in a identity server?  Especially if
>>> the organization has multiple apps that require these features.
>>>
>>>
>>> I would soften " it is likely a better decision"  to "it may be a better
>>> decision".
>>>
>>> Leo
>>>
>>>
>>> On Mon, Jul 8, 2019 at 7:05 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've just uploaded a new version of oauth-browser-based-apps in
>>>> preparation for the meeting in Montreal.
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02
>>>>
>>>> This draft incorporates much of the feedback I've received over the
>>>> last couple months, as well as what we discussed at the last meeting in
>>>> Prague.
>>>>
>>>> The primary change is a significant rewrite and addition of Section 6
>>>> to highlight the two common deployment patterns, a SPA with and without a
>>>> dynamic backend.
>>>>
>>>> Please have a look and let me know what you think. I have a slot in the
>>>> agenda for Montreal to present on this as well.
>>>>
>>>> Thanks!
>>>>
>>>> ----
>>>> Aaron Parecki
>>>> aaronparecki.com
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email