Re: [OAUTH-WG] OAuth for Browser-Based Apps

Justin Richer <jricher@mit.edu> Mon, 25 March 2024 15:46 UTC

From: Justin Richer <jricher@mit.edu>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth for Browser-Based Apps
Thread-Index: AQHadpSwpoKFXmQu40CTHievSw+HRLFGsVeAgAH3VS0=
Date: Mon, 25 Mar 2024 15:46:34 +0000
Message-ID: <LV8PR01MB8677A30A3AF5500F079469CEBD362@LV8PR01MB8677.prod.exchangelabs.com>
References: <B118DE0E-1ED3-404F-A4D4-B815FE582D80@mit.edu> <00A9B04F-E9EE-4F1F-A4C4-8EDCBF4DB799@pragmaticwebsecurity.com>
In-Reply-To: <00A9B04F-E9EE-4F1F-A4C4-8EDCBF4DB799@pragmaticwebsecurity.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_0xXAuabeQFgO7wh16Qg_AYLWMU>

I think it does warrant mentioning, because the main assumptions about an SPA are that everything goes from the browser to the API itself. It might be surprising to a user or even a naive developer that every request goes through another party as a black box. Even if it's all first party and deployed together, that model should be called out by the draft as an assumption for privacy. After all, this section is for considerations - things you should think about that might not be obvious.

- Justin
________________________________
From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Sent: Sunday, March 24, 2024 5:40 AM
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth for Browser-Based Apps

Hi Justin,

Thank you for your detailed review.

> §9+ this draft should add privacy considerations, particularly for BFF pattern's proxy architecture.

I wanted to ask for a bit more context on this comment. I understand that having a proxy as a separate entity would expose all requests/responses to this entity. However, in the context of a BFF, the frontend and the BFF belong together (i.e., they are one application deployed as two components). The frontend and BFF are deployed and operated by the same party, so I’m not sure if this comment effectively applies.

Looking forward to hearing from you.

Philippe
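The concern both messages above turn on, illustrated with an added example that is not part of this thread or of the OAuth for Browser-Based Apps draft: in the BFF pattern the browser never calls the API itself, so the BFF is an intermediary with complete visibility of every request body, every response and the access token, whether or not it is operated by the same party as the frontend. The Go program below builds a minimal hypothetical BFF in front of a constructed echo API, forwards one browser-style request through it, and keeps an audit record that deliberately omits body, query string and token. The `BFF` type, the `session` cookie name, the `/api` prefix, the constructed token `at-constructed-token` and the `Demo` helper are all assumptions of this example, not anything the draft specifies.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// AuditEntry is what the BFF retains per proxied call. Query string, body and token
// are omitted on purpose: the BFF sees all of them, so retention is a privacy choice.
type AuditEntry struct {
	Method string
	Path   string
	Status int
}

// BFF is a minimal hypothetical backend-for-frontend (constructed for this example):
// tokens stay server-side keyed by a session cookie; browser calls are re-issued to the API.
type BFF struct {
	Upstream *url.URL
	Sessions map[string]string // session cookie value -> access token (constructed)
	mu       sync.Mutex
	Audit    []AuditEntry
}

// ServeHTTP terminates the browser's request: body, headers and the token are all visible here.
func (b *BFF) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	token, ok := "", false
	if err == nil {
		token, ok = b.Sessions[c.Value]
	}
	if !ok {
		http.Error(w, "no valid session", http.StatusUnauthorized)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, "body unreadable or too large", http.StatusBadRequest)
		return
	}
	target := *b.Upstream // drop the frontend's /api prefix, keep the query string
	target.Path = strings.TrimPrefix(r.URL.Path, "/api")
	target.RawQuery = r.URL.RawQuery
	req, err := http.NewRequest(r.Method, target.String(), strings.NewReader(string(body)))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	req.Header.Set("Authorization", "Bearer "+token) // the browser never holds this
	req.Header.Set("Content-Type", r.Header.Get("Content-Type"))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		http.Error(w, "upstream unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	b.mu.Lock()
	b.Audit = append(b.Audit, AuditEntry{r.Method, target.Path, resp.StatusCode})
	b.mu.Unlock()
	w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// Demo stands up a constructed echo API behind the BFF, sends one browser-style POST
// carrying the given session cookie value ("" sends no cookie), and returns the status
// and body the browser got back plus what the BFF retained.
func Demo(session string) (int, string, []AuditEntry, error) {
	api := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"auth":%q,"path":%q,"query":%q,"echo":%q}`,
			r.Header.Get("Authorization"), r.URL.Path, r.URL.RawQuery, string(b))
	}))
	defer api.Close()
	u, _ := url.Parse(api.URL)
	bff := &BFF{Upstream: u, Sessions: map[string]string{"sess-123": "at-constructed-token"}}
	front := httptest.NewServer(bff)
	defer front.Close()
	req, _ := http.NewRequest("POST", front.URL+"/api/profile?verbose=1",
		strings.NewReader(`{"email":"alice@example.test"}`))
	req.Header.Set("Content-Type", "application/json")
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", nil, err
	}
	defer resp.Body.Close()
	out, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(out), bff.Audit, nil
}
```

`Demo("sess-123")` returns a 200 whose echoed body shows the API received `Bearer at-constructed-token` and the full JSON the browser sent, while the BFF's audit log holds only `{POST /profile 200}`; `Demo("")` returns 401 and leaves the log empty. The point for a privacy considerations section is that nothing in `ServeHTTP` technically prevents the BFF from retaining the body, the query string or the token: every byte passes through it, and data minimisation is a deployment decision that a user of the SPA cannot observe.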