[OAUTH-WG] Recommendations for browser-based apps

Aaron Parecki <aaron@parecki.com> Wed, 25 January 2017 23:12 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 25 Jan 2017 15:12:39 -0800
Message-ID: <CAGBSGjqz1nwAWgwauqxt8ZRVTnDCu+L_p2=6v1zgkecsgso8TQ@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VCScEx6QNlybG3KctqkR9Te4qCM>
Subject: [OAUTH-WG] Recommendations for browser-based apps

Thanks to the new "OAuth 2.0 for Native Apps" and PKCE documents, we have a
solid recommendation for how to do OAuth 2.0 for native apps.

Given that PKCE is intended for "public clients" and not specifically
native apps, I'm wondering where that leaves browser-based apps. The core
spec still says that the implicit grant is recommended for browser-based
apps, but it's looking like the recommendation is to use the authorization
code flow + PKCE with no secret for browser-based apps.

Am I correct in thinking that the general recommendation would be to use
the authorization code flow with no secret, and even better to use PKCE for
browser-based apps?

----
Aaron Parecki
aaronparecki.com