[OAUTH-WG] SPA applications best practice

Jim Manico <jim@manicode.com> Mon, 27 February 2017 14:18 UTC

From: Jim Manico <jim@manicode.com>
Date: Mon, 27 Feb 2017 15:17:59 +0100
Message-Id: <3E02AA83-983E-4529-ABE0-6017829AD28E@manicode.com>
To: IETF OAUTH <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aeyY2TSD7NKcIxNh7sA7oBlCJ80>
Subject: [OAUTH-WG] SPA applications best practice

I've been collecting opinions about the best OAuth2 workflows for SPA applications and have come up with the following basic recommendations.

1) The more secure flow is going to be authorization code. Keep access tokens out of the DOM/Browser history.

2) Implicit flows are your only choice if you allow serverless JS clients to access your OAuth endpoints. This is much easier to implement but carries a great deal more risk. Whether or not this is good for you depends on your threat model and risk tolerance.

I'd love to keep going and turn this into an RFC but this is over my head. Does anyone here with more experience care to assist in proposing a SPA-OAuth RFC? I'd be happy to help with the grunt work. This is one of the main areas of OAuth where answers are fractured and I'd love to help push more clarity here.

Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
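The following is an added illustration of the two recommendations in the post above; it is not code from the post, from Jim Manico, or from any IETF document. It is a toy in-memory model of an authorization server (the class, the client id `spa-client`, and the redirect URI `https://spa.example/callback` are all assumed for the example) that shows concretely why the post prefers the authorization code flow: the implicit flow's redirect puts the bearer token itself in the URL fragment, which the browser records in its address bar and history, while the code flow's redirect carries only a single-use code that is exchanged for the token over a back channel, so the token never passes through a browser URL.

```python
"""Toy model of the implicit vs authorization code flows for an SPA.

Constructed example: a minimal in-memory authorization server that issues
tokens and codes, plus a helper that reports which bearer tokens a browser
would record for a given redirect URL.  Not a real OAuth2 implementation.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed redirect URI of the hypothetical SPA client.
REDIRECT_URI = "https://spa.example/callback"


class AuthorizationServer:
    """Models only token/code issuance; no user authentication, no expiry timers."""

    def __init__(self):
        self._codes = {}      # authorization code -> client_id; each code is single-use
        self._tokens = set()  # access tokens this server has issued

    def _issue_token(self):
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def implicit_authorize(self, client_id):
        # Implicit flow: the access token is returned in the redirect URL fragment,
        # so it travels through the browser's address bar, history and DOM.
        token = self._issue_token()
        params = urlencode({"access_token": token, "token_type": "bearer", "expires_in": 3600})
        return f"{REDIRECT_URI}#{params}"

    def code_authorize(self, client_id):
        # Authorization code flow: only a short-lived, single-use code goes through the browser.
        code = secrets.token_urlsafe(24)
        self._codes[code] = client_id
        return f"{REDIRECT_URI}?{urlencode({'code': code})}"

    def exchange_code(self, code, client_id):
        # Back-channel exchange (server to server); the token never appears in a browser URL.
        # pop() makes the code single-use, so a replayed code is rejected.
        owner = self._codes.pop(code, None)
        if owner is None or owner != client_id:
            raise PermissionError("invalid, expired or already-used authorization code")
        return self._issue_token()

    def is_valid_token(self, token):
        return token in self._tokens


def tokens_in_browser_url(url):
    """Return every access_token value a browser would record for this redirect URL.

    Both the query string and the fragment are checked: the fragment is not sent
    to the server, but the browser still keeps it in history and exposes it to scripts.
    """
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        found.extend(parse_qs(component).get("access_token", []))
    return found


def compare_flows(client_id="spa-client"):
    """Run both flows against a fresh server and report what the browser sees."""
    srv = AuthorizationServer()

    implicit_url = srv.implicit_authorize(client_id)
    code_url = srv.code_authorize(client_id)

    # Client-side step of the code flow: read the code from the redirect, then
    # exchange it over the back channel.
    code = parse_qs(urlsplit(code_url).query)["code"][0]
    token = srv.exchange_code(code, client_id)

    # A second exchange of the same code must fail.
    try:
        srv.exchange_code(code, client_id)
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True

    return {
        "implicit_token_in_url": bool(tokens_in_browser_url(implicit_url)),
        "code_token_in_url": bool(tokens_in_browser_url(code_url)),
        "backchannel_token_valid": srv.is_valid_token(token),
        "code_reuse_rejected": reuse_rejected,
    }


if __name__ == "__main__":
    print(compare_flows())
```

`compare_flows()` reports that the implicit redirect exposes the token in the URL while the code redirect does not, that the token obtained over the back channel is valid, and that replaying a code is rejected. The model deliberately omits what a production server also does for the code flow (binding the code to the registered redirect URI and expiring it after a short time), so that the single difference the post is making, where the bearer token travels, stays visible.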