Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Joseph Heenan <joseph@authlete.com> Wed, 07 November 2018 15:20 UTC

From: Joseph Heenan <joseph@authlete.com>
Message-Id: <894C1893-8722-4005-8A33-AECADFD18024@authlete.com>
Date: Wed, 07 Nov 2018 15:20:14 +0000
In-Reply-To: <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Aaron Parecki <aaron@parecki.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/a57mqE9FqYpxEsuXGURnGbm8apI>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
List-Id: OAUTH WG <oauth.ietf.org>

Hi Aaron,

Thanks for putting this document together; I think this kind of guidance is invaluable.

It may be worth slightly rewording 7.2 as it may encourage a growing misconception that all native apps must be public clients. With many devices now having embedded HSMs, we’ve seen increasing interest in mobile apps being dynamically (per-install) registered oauth2 private clients, and that model has a lot of advantages. (I’m not sure if we might see a similar model evolving for web apps.) 

The BCP for native apps does allow this: https://tools.ietf.org/html/rfc8252#section-8.4

Cheers,

Joseph

> On 6 Nov 2018, at 10:13, Aaron Parecki <aaron@parecki.com> wrote:
> 
> Thanks Hannes,
> 
> Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.
> 
> At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.
> 
> The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.
> 
> Thanks in advance for your review and feedback!
> 
> Aaron Parecki
> aaronpk.com
> 
> 
> 
> On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> Hi all,
> 
> Today we were not able to talk about draft-parecki-oauth-browser-based-apps-00, which describes  "OAuth 2.0 for Browser-Based Apps".
> 
> Aaron put a few slides together, which can be found here:
> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
> 
> Your review of this new draft is highly appreciated.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk
> 