Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02

Torsten Lodderstedt <> Mon, 22 July 2019 13:30 UTC

From: Torsten Lodderstedt <>
Date: Mon, 22 Jul 2019 15:30:41 +0200
Cc: OAuth WG <>
To: Aaron Parecki <>

Hi Aaron, 

thanks for your continued work on the topic. 

Here are some general remarks on the current revision: 

1) This BCP should not be limited to public clients. Your BCP itself already describes an architecture where the OAuth client is a backend that may be a confidential client (see section 6.2 for an example). The text of the BCP generally seems to be inconsistent regarding OAuth client types.

I suggest removing the second part of the first paragraph of the abstract ("and should not be issued a client secret when registered.") and other statements limiting the BCP to public clients.

2) Regarding architectures: I think this BCP should focus on recommendations for securely implementing OAuth in the different potential architectures. I don't think we should get into the business of recommending and assessing other solutions (e.g. section 6.1). Just to give you an example: Section 6.1 states

"OAuth and OpenID Connect provide very little benefit in this deployment scenario, so it is recommended to reconsider whether you need OAuth or OpenID Connect at all in this case."

Really? What experiences is this statement based on? In my experience, sharing the same domain == host name tells you nothing about the overall architecture of a certain deployment. There may be several reasons why OAuth could be a good choice in such a scenario, e.g. security considerations (since your common domain is just a proxy server encapsulating a whole universe of systems) or even modularity as an architecture principle.

I suggest removing section 6.1 and rephrasing the second paragraph of the abstract.

3) The naming in section 6 focuses on the ways the JS could be served. I personally think the more important aspect is the architecture of the overall application.

I suggest the following changes:
- 6.2. Apps Served from a Dynamic Application Server -> SPA with backend
- 6.3. Apps Served from a Static Web Server -> SPA without backend

Note: even an SPA with a backend could use a static web server to serve the JS code.

4) I don't understand why your BCP distinguishes 1st and 3rd party apps. Neither the Native Apps BCP nor the Security BCP does so, nor needs to.

5) Section 9.8 seems to duplicate portions of the Security BCP (while not giving the complete threat model). What is the benefit of duplicating this text?

6) I think the BCP would benefit from a refactoring. One idea would be to first state the problem with implicit and give general recommendations (PKCE and so on). The latter part could get into details of access and refresh token protection in the context of different SPA architectures (mTLS, CORS for CSRF prevention, …).

Kind regards,

> On 9. Jul 2019, at 01:03, Aaron Parecki <> wrote:
> Hi all,
> I've just uploaded a new version of oauth-browser-based-apps in preparation for the meeting in Montreal. 
> This draft incorporates much of the feedback I've received over the last couple months, as well as what we discussed at the last meeting in Prague.
> The primary change is a significant rewrite and addition of Section 6 to highlight the two common deployment patterns, a SPA with and without a dynamic backend. 
> Please have a look and let me know what you think. I have a slot in the agenda for Montreal to present on this as well.
> Thanks!
> ----
> Aaron Parecki