Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 17 May 2018 16:23 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
Date: Thu, 17 May 2018 16:23:19 +0000
Message-ID: <VI1PR0801MB2112A6F8B47939F8748DEA43FA910@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <ab42d84a-5f08-4600-aa36-92e73944cf6c@getmailbird.com>
In-Reply-To: <ab42d84a-5f08-4600-aa36-92e73944cf6c@getmailbird.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/c7KuMgXHhhzbc2JzV5GLWpPAO6k>

Hi Brock,

there have been several attempts to start writing some guidance but so far we haven’t gotten too far.
IMHO it would be great to have a document.

Ciao
Hannes

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brock Allen
Sent: 17 May 2018 14:57
To: oauth@ietf.org
Subject: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because Google is actively discouraging the use of implicit flow:

https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290

From what I can tell, the complaints with implicit are:
* access token in URL
* access token in browser history
* iframe complexity when using prompt=none to "refresh" access tokens

But this requires:
* AS/OP to support PKCE
* AS/OP to support CORS
* user-agent must support CORS
* AS/OP to maintain short-lived refresh tokens
* AS/OP must aggressively revoke refresh tokens at user signout (which is not something OAuth2 "knows" about)
* if the above point can't work, then client must proactively use revocation endpoint if/when user triggers logout

Any use in discussing this?

-Brock
