IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Stoycho Sleptsov <stoycho.sleptsov@gmail.com> Mon, 15 February 2021 13:35 UTC

Return-Path: <stoycho.sleptsov@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69D363A09B5 for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 05:35:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.187
X-Spam-Level:
X-Spam-Status: No, score=-0.187 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rabw9Sg6pQBB for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 05:35:12 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C663A3A084A for <oauth@ietf.org>; Mon, 15 Feb 2021 05:35:11 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id o3so5895816edv.4 for <oauth@ietf.org>; Mon, 15 Feb 2021 05:35:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lnxYdKF1FYiDAwI6oBLSGMZXj6ZeEA8AxgrpUwkjCf8=; b=tBWz8B+swt3z5FPWRbkgXRUsUEVZQwVhU2MjnRXnFkjATRqa7yfX/sghFtjhu8HQJ4 hHHuwxpZ1c56Ih5LSKtsZseEnauYS57yptDkwLWOFu6gHer7/sVJyDvNQQpCIbF4f2WN xARjcBto+X1Emzl/eX8vAb6rLHFaNvEg0IQhW7j+0JIUt448UM8g7TBghp2d6DOt3hjj nbrHCJu0M8Jf+xlbHEcLZ7SLtcriw/bHg0B5YCikN/N9jJH1kJMcnZTm9epmfF0H6BqG fmm6KH1u0f81a/fAQtM7h9/pDPDZ5VO1DF8AVJlvZmgMati7SiWT2OO1/YWDd2Pe8hAY xq8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lnxYdKF1FYiDAwI6oBLSGMZXj6ZeEA8AxgrpUwkjCf8=; b=PHK0vbS2QqHA6tiVuknlbiMwoJtGol1joyPDA8emGgqG5jkX9eV/jr7DNQFcoywDSC qd2aWxt1qMjHCZj7b2UxUKSz7lCMvsIeRe9EahOT0nbtoCCOqmK2FhZLbWtdrwpNlVsx 9L7tWkEBzleis3Trrn6GODfiUSONPcdh7OflFitBqGaalCvNzqQ+CcPw0YmBBQEWmgjL Ts3gLM/4G+nHhmFMsw9moHIS5tq3mucMLn+la2vh/uvCZkA7dqm1LftEFrlqwQV8478D ZXhIhdf+YbmkwqI9KWMpK30bt6go43OVTqduRMBd79MuWIx77EIWDGPOz8EqB49WVPKC 7zVw==
X-Gm-Message-State: AOAM530UefaSwWDO6yo2UwPsENFph+tNXUd3lJGebi2WdHIofdAPMsHK jamoXktJ99C5zVV7THtY8N+vHPG8T2Rq2x36CRc=
X-Google-Smtp-Source: ABdhPJzLUud9jN8hlTRQL2UW9JFSAT6xOGdykEuXpMe1/py9fUxnhilAnt6f9qSL35AH8FxhjWng7qXAs5viYodsO88=
X-Received: by 2002:aa7:c155:: with SMTP id r21mr221610edp.382.1613396109991; Mon, 15 Feb 2021 05:35:09 -0800 (PST)
MIME-Version: 1.0
References: <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com> <1A964B70-7C73-4CAE-B3B9-FF3BACF0E698@forgerock.com>
In-Reply-To: <1A964B70-7C73-4CAE-B3B9-FF3BACF0E698@forgerock.com>
From: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
Date: Mon, 15 Feb 2021 15:34:58 +0200
Message-ID: <CAGL0X-o9gvK24U1d=QEfhQyK7YKrA3+FzoWxtYecp-cH4cg4GQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Warren Parad <wparad@rhosys.ch>, Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000004a48d05bb600ee5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YktweZF6sz9H3vDQs2PJoQVorJE>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 13:35:14 -0000

Thank you for the comprehensive answer, Neil.

Initially I said that "I need the client app. to be authenticated at the
AS", and I meant authenticated as by the spec (explicit authentication).
It seems that the reason which I gave as an example to explain why would I
need that (to determine if it is a first-party app.), taken alone, is weak
to justify the decision for such a constraint as an explicit authentication.
And I thank you for that clarification.
But the question why would I (or somebody else) need the client to be
explicitly authenticated as a confidential client at the AS is a
different matter.
It is an important question, of course, and it would be very interesting
for me to understand what is the difference between the set of
architectural properties induced by an explicit authentication (credentials
by the spec), and the properties induced by an implicit (redirect_uri)
authentication, but I am afraid to not abduct the conversation away from
the original intent of the TMI-BFF.

The main point for me was to verify that for a proper (explicit) client
authentication we need to go through the backend, because PKCE doesn't help
for that.
Which means that a document like TMI-BFF could be very helpful while trying
to consider all the BFF options.

Regards,
Stoycho.


On Sun, 14 Feb 2021 at 20:30, Neil Madden <neil.madden@forgerock.com> wrote:

> Within the spec “client authentication” refers to explicit authentication
> of the client using credentials. But you said initially that you wanted
> this to “determine if it is a first-party app, for example”. You can
> determine this based on the redirect_uri and the fact that only the
> legitimate client can receive an authorization code at that redirect_uri
> (if its HTTPS, exact matching of URIs, etc). This is what I refer to as
> implicit authentication - the AS knows at the point of auth code exchange
> that only the legitimate client could have obtained that code.
>
> (This is not true for mobile clients using private-use URI schemes).
>
> Note that for both public and confidential clients, the confirmation of
> the client identity happens after the user has gone through the
> authorization flow. PAR fixes this for confidential clients, but not public
> ones. So that is one reason to prefer a BFF pattern and a confidential
> client.
>
> Confidential clients also have an extra layer of defence in depth: they
> need a redirect_uri *and* client credentials. So that is another reason to
> use a confidential client and BFF.
>
> A backend server may also have a more reliable connection to the AS. So
> that may also be a good reason to use a BFF - eg to avoid having to
> reauthorize with the user because an auth code or refresh request timed out
> due to a flaky network connection.
>
> So there may be many good reasons to use a BFF pattern. But if you just
> want a reasonable assurance of client identity at the point of issuing
> tokens, then IMO a public client + PKCE is fine for many cases.
>
> — Neil
>
> On 14 Feb 2021, at 17:27, Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
> wrote:
>
> 
> Thanks Warren,
>
> as I see you and Neil have the same idea,
> but as of this moment I think this method is not a valid option for
> authenticating
> a client according to the draft-ietf-oauth-v2-1.
>
> On the other hand, authenticating the client through the BFF
> seems conforming to the spec., but in the case when the access token is
> used
> in the browser in fact, I am afraid that it can be regarded as
> some kind of "deception" of the AS.
>
> It seems the frontend SPA is not the easiest way to go with oauth...
>
> Stoycho.
>
> On Sun, 14 Feb 2021 at 17:35, Warren Parad <wparad@rhosys.ch> wrote:
>
>> redirect_uri and use PKCE via the code verifier.
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://authress.io>.
>>
>>
>> On Sun, Feb 14, 2021 at 3:51 PM Stoycho Sleptsov <
>> stoycho.sleptsov@gmail.com> wrote:
>>
>>> Thanks a lot for your answer Neil,
>>>
>>> as I am no expert (yet :-)) in security I was afraid to rely on
>>> redirect_uri for authentication of the client,
>>> but I will consider that option as more trustworthy now.
>>>
>>> (it is also not very clear for me which part of the app can be
>>> regarded as the redirect_uri owner, the BFF or the loaded frontend
>>> SPA, but maybe it is not so important)
>>>
>>> If you had the two options for authentication of the frontend SPA
>>> client - the redirect_uri on the one hand, and the Basic
>>> authentication with client secret through the BFF on the other, which
>>> one would you recommend?
>>>
>>> On Sun, 14 Feb 2021 at 16:28, Neil Madden <neil.madden@forgerock.com>
>>> wrote:
>>> >
>>> > Public clients are implicitly authenticated by their ownership of the
>>> registered redirect_uri. This why it’s important to use a redirect_uri for
>>> which ownership can be reasonably established, such as HTTPS endpoints with
>>> exact URI matching.
>>> >
>>> > There are more things that can go wrong with that (see the security
>>> BCP), but it can be made reasonably secure.
>>> >
>>> > — Neil
>>> >
>>> > > On 14 Feb 2021, at 13:48, Stoycho Sleptsov <
>>> stoycho.sleptsov@gmail.com> wrote:
>>> > >
>>> > > 
>>> > > I would like to add my reasons about the "Why are developers
>>> creating BFF for their frontends to communicate with an AS",
>>> > > with the objective to verify if they are valid.
>>> > >
>>> > > I need the client app. to be authenticated at the AS (to determine
>>> if it is a first-party app., for example).
>>> > > If we decide to implement our client as a frontend SPA , then we
>>> have no other option except through a BFF, as PKCE does not help for
>>> authentication.
>>> > >
>>> > > Or is it considered a bad practice to do that?
>>> > >
>>> > > Regards,
>>> > > Stoycho.
>>> > > _______________________________________________
>>> > > OAuth mailing list
>>> > > OAuth@ietf.org
>>> > > https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > --
>>> > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
>>>
>>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

v2.23.0 | Report a Bug | By Email