[OAUTH-WG] Google's use of Implicit Grant Flow
Jim Manico <jim@manicode.com> Thu, 16 February 2017 22:44 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19E8D129526 for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2017 14:44:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DtJ29oj3F82o for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2017 14:44:44 -0800 (PST)
Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com [IPv6:2607:f8b0:400e:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A36CB126B6D for <oauth@ietf.org>; Thu, 16 Feb 2017 14:44:44 -0800 (PST)
Received: by mail-pg0-x230.google.com with SMTP id v184so9614899pgv.3 for <oauth@ietf.org>; Thu, 16 Feb 2017 14:44:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version; bh=HQlPzf3W6zUCj5ct75dtswi7BWQ+qu2/4IKe9SCC3UU=; b=TmD/KzH7EKJ50/2ghHBSzGrxnsE0Kwi9VTzvPvQa5G/FM4LiglN068UpaCN7ZZ8chG yyPbJRUA8jZQBNyc2WiXyQ0ScxEEdiF2aU1hbUys2z39hyMCbnbhJXW8gVtW9rB3DZM8 8qLFNUq7s/mUNgVPvHxkdFTVnKdelKwHyrvTu2Ldli7pDvPCSebkk+XAEXWbmwev0JGj Bet/OXwuFJ3SYvbHS3SLeHW6PgptH3zGsjVzen3pi1BJC8jC8EYtyXImc/z0ti4TGHUm 6cDde4VSR6qPS/m6uq+2VhcMhwD+ZPYS2HaJc6/Yu4p5y1kffqGQHMRv4L9Dk6XmWjH6 9zsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version; bh=HQlPzf3W6zUCj5ct75dtswi7BWQ+qu2/4IKe9SCC3UU=; b=XAilIn961wu9RoxSFyOHbM8yZFsCs2hLJGTaK3rMtYlUqss/cGlok1aghmyL/HUisy ttFpqrNVghJ4eEJY3iNs6mWRyUUwRT3nampHu97isRIyFJOidlfPGnlYHEEH7FAzVayL H3wob13zvKqwT9iqo/yCjS/72phwZiq7B+EXENhueDm7ZH8y/pUw263+Kxxvne5gae5J RPTq7ue1RjXSF8eSGbSdSjh0iNZpgz/0qPKcUkPyck3QcHNRAKsQDWGVO3jFrjxNAcYq su+eMkMh5qE1xRKOqU87yTlJytDtoOaWtXgnIy8CKJxH+npD6Nzn6GbeLf2E30K6TaSR FmfQ==
X-Gm-Message-State: AMke39muLdskNKWRdFNaZ/vhE426uNW6/RD6wv1y5nTYftlbRrpwssxMo/bgIqElzC1VSlLF
X-Received: by 10.99.226.83 with SMTP id y19mr5847706pgj.34.1487285083918; Thu, 16 Feb 2017 14:44:43 -0800 (PST)
Received: from heembo.local ([2605:e000:112b:c167:9cf4:1bf2:7245:51bb]) by smtp.googlemail.com with ESMTPSA id u24sm15484208pfi.25.2017.02.16.14.44.42 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Feb 2017 14:44:43 -0800 (PST)
To: OAuth WG <oauth@ietf.org>
From: Jim Manico <jim@manicode.com>
Message-ID: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com>
Date: Thu, 16 Feb 2017 12:44:42 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------603A028C8258F4716A79857C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dcFEKJu-J8Juf1CGHMdas2f3sdg>
Subject: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 22:44:46 -0000
Hello Folks, I noticed that Google supports the OAuth 2 Implicit flow for third-party JavaScript applications. https://developers.google.com/identity/protocols/OAuth2UserAgent Isn't this generally discouraged from a security POV? *Is there a better OAuth 2 flow for third party SPA applications?* Aloha, -- Jim Manico Manicode Security https://www.manicode.com
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Bill Burke
- [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Josh Mandel
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Sebastian.Ebling
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Adam Lewis
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Aaron Parecki
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier