Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02
Brian Campbell <bcampbell@pingidentity.com> Tue, 23 July 2019 18:48 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 23 Jul 2019 12:47:54 -0600
Message-ID: <CA+k3eCT5eG=S9AjM7Ss=DwHvsjwnriuZC3_yMxhrUaJXf2-vrw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d3voh-k4URxdiusUxxlaJbIC1zo>
On Mon, Jul 22, 2019 at 7:31 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> 2) Regarding architectures: I think this BCP should focus on recommendations for securely implementing OAuth in the different potential architectures. I don't think we should get into the business of recommending and assessing other solutions (e.g. section 6.1.). Just to give you an example: Section 6.1. states
>
> "OAuth and OpenID Connect provide very little benefit in this deployment scenario, so it is recommended to reconsider whether you need OAuth or OpenID Connect at all in this case."
>
> Really? What experiences is this statement based on? In my experience, sharing the same domain == host name tells you nothing about the overall architecture of a certain deployment. There may be several reasons why OAuth could be a good choice in such a scenario, e.g. security considerations (since your common domain is just a proxy server encapsulating a whole universe of systems) or even modularity as an architecture principle.
>
> I suggest removing section c. and rephrasing the second paragraph of the abstract.

I believe the experiences that the statement is based on are the predominant practice over the course of much of the history of the web of using a cookie to maintain an authenticated HTTP session in web applications. When the script of the browser-based application is served from a domain that can share cookies with the domain of the API, then cookies can still be used to authorize requests (even if those requests are API calls rather than full page HTTP request/response). And I do believe that's likely a better decision in a lot of such cases. That authenticated HTTP session may be established from a username/password form submission, FIDO/WebAuthn, or whatever. Even as a result of an OpenID Connect flow. Or even SAML for that matter. But the requests after that are authorized by the cookie.

I think there's a tendency to assume that because SPA style apps make API calls, they simply must use OAuth. Because API implies OAuth in the minds of many (which is a sign of its success). But OAuth isn't necessarily the only thing that can be used for API authorization. Cookies work too. I think/hope that's what Section 6.1. is getting at - providing some potential guidance that OAuth might not necessarily be the right choice in those cases where a common domain allows for a cookie. Perhaps the text in that section could be phrased in a different or better way, but I think it's useful to have some mention of it in this document. Although taking out "and OpenID Connect" from the sentence quoted above might be more appropriate and alleviate some confusion.