Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Aaron Parecki <aaron@parecki.com> Tue, 06 November 2018 10:13 UTC

References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 6 Nov 2018 11:13:37 +0100
Message-ID: <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XySCSWrxXNuLdYxVrTb2dia0gK8>

Thanks Hannes,

Since I wasn't able to give an intro during the meeting today, I'd like to
share a little more context about this here as well.

At the Internet Identity Workshop in Mountain View last week, I led a
session to collect feedback on recommendations for OAuth for browser-based
apps. During the session, we came up with a list of several points based on
the collective experience of the attendees. I then tried to address all
those points in this draft.

The goal of this is not to specify any new behavior, but rather to limit
the possibilities that the existing OAuth specs provide, to ensure a secure
implementation in browser-based apps.

Thanks in advance for your review and feedback!

Aaron Parecki
aaronpk.com



On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com>
wrote:

> Hi all,
>
> Today we were not able to talk about
> draft-parecki-oauth-browser-based-apps-00, which describes "OAuth 2.0 for
> Browser-Based Apps".
>
> Aaron put a few slides together, which can be found here:
>
> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
>
> Your review of this new draft is highly appreciated.
>
> Ciao
> Hannes
>
-- 
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>