[OAUTH-WG] New OAuth for Browser-Based Apps draft -04

Aaron Parecki <aaron@parecki.com> Thu, 26 September 2019 13:46 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 26 Sep 2019 15:45:53 +0200
Message-ID: <CAGBSGjqA0uzRp2OatrF9dWwB-McM7h3WU9Ns9idYw7pAnN8Szw@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WrPARClrsHrCHAzdgzzn9E27nQ8>
Subject: [OAUTH-WG] New OAuth for Browser-Based Apps draft -04

Hi all,

I've revised the browser-based apps draft to take into account
everything discussed at the previous IETF meeting in Montreal.

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04

Here's a summary of the changes:

* Disallow the password grant to bring it in line with the Security BCP
* Rewrote the section about refresh tokens to allow refresh tokens if
they are time-limited or rotated on each use
* Updated the same-domain JS architecture section to focus more on the
design pattern than the domain aspect
* Added a few more references to the Security BCP

This addresses all of the feedback from the session except for the one
open item we had, which was to somehow describe that in some cases an
access token will be sent down to the browser, and what to keep in
mind when that is the case. This still needs some discussion on the
list here.

Please give it a read and let me know what you think! I think this is
shaping up quite nicely now.

----
Aaron Parecki
aaronparecki.com