Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

George Fletcher <gffletch@aol.com> Tue, 20 November 2018 22:00 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6DD4130E41 for <oauth@ietfa.amsl.com>; Tue, 20 Nov 2018 14:00:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i6lBYFuiuy2E for <oauth@ietfa.amsl.com>; Tue, 20 Nov 2018 14:00:32 -0800 (PST)
Received: from sonic309-14.consmr.mail.bf2.yahoo.com (sonic309-14.consmr.mail.bf2.yahoo.com [74.6.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 268A1130DF3 for <oauth@ietf.org>; Tue, 20 Nov 2018 14:00:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1542751222; bh=RRHVp3RFuwnxsrWGhZ6N5RjzXvMNgX6fb3wao+kAo/E=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=Kep4u9P8xLVo/najbaLbu8sjv+LpQ6BjfHeg1NS4iPef8/kpfMu5EzASdv3YYjyA4TiX/kjCg0weQaQEIXKJWhoagzdZ/8OEUhWLV44Sfs2NQnOSoe7FBVFajkEzLcct1SCaTSy9lV5hxW27A9IIcG4ImrzEEGYl1DyNid6DfBN/k2YVW3bqeMg7YQBdDmKGgvP+LSpkbIIOZRgwPW3ZTfiG7dRixtEkS5PbU2mhUeB5Wp/mxgH7ftDQnJtrRytJ3hwZB+88Z9ORmgerdI+aufhA6L0RdPqd6ZLlSlaggJvnuJcWz+JpUW+QTxrQbpvC0EJRgIEKR3QcqWCc8zl2ag==
X-YMail-OSG: QLfKa20VM1kAj4uPh0EIMnJvrc9CqCsgve1PZSVvMUXe09rc8cKQxHF3vfwotd2 .uqECDXGDfCWePHFFevlOZ0i.UZMxPEQpy_s5uvL1MQ0GucFOCiyrmedY0qW3xIYHsK_QyIKVAcb 5G0Aa6c653OlVCdM.iS9IsunL.YKAEXlLawSUq4H9UG92_bafXwMC9sEatYN5BTA3eC4QKrmigVk T0KjchW_UBHfimWgtD6Znj7MJiR1j_t2ARXUhjkWTpfvCHG6RZwyg4wt81OfNq6dmqnD_mUooYLW QWpRuyPorhaj4oE9tVUaDi7g83z74IdvTFkb9Bmofz5Db5MbSLETdICIxHZ_3b2BmqeA5iDGnjIn V1C7yVfJMgYTT_7j2PXYyZAoML7rSsmU1dI.sJNBRfhO7Genxs_ySPRbP5qZSNe1Lyng2S7cLBwS r.LvchOzut4T.2ijMu0r4XRV2aVz3P.WK7DLfXAO4dPGl7k7q71dtW2Z74.qtmzLQLK_nJOY7h9x G40fS4so2vex83N.zk5rO_LfAPz7.0Z5_SsQyVj1hV9k40AfdalUicpGNrxwk03dXMW_loGk2iaZ 90ymT2_JMDv7WxV1D0LgkkkDK2b6KNYlda6pb8Dd2pc6nuqQ0dX86ar9IY9bcnBz_W8VZGgTHuFD 6y1DeZBq0mbUYCTNN1nbNLBq8VBfKF.muQ_9x2WP8wI1ISeiSlKk5O4eB6hsXt1nlqnVcw1VwpoQ n6SqBklPQVeGRA3kERo1A3253kR77FyTI.RlmdXIYGY5TnelzNPtU9k7epp54cRligUNn9WYttBp wWzpzcXXwfys90JBpS9M2fuSyJ2lw6S4FST9zSA7X4LoHhpzQZsnsKISIWqK0aYPS0XjhksFnsmt tVLvUDC9olgmdBJToJe4mGM9ncvAtdLe7DjqOYc3QFoew43D4IszKN2ADU1xSAitAhWaScW6TQWo t_HSRQbmJR7AAYYpACl60OgdFd8oOvw67oU0_YfgIwgkU0hDJlQArhepCZCnXij1YO1rHng2RYHS YRoMOIs6c386sUZEaGAkj1u1trSMngIczS.jkTemnp0FFG53NSt8O_mGX
Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.bf2.yahoo.com with HTTP; Tue, 20 Nov 2018 22:00:22 +0000
Received: from nat-vpn-users4.cfw-a-gci.net.buffalo.office.oath (EHLO [172.135.132.163]) ([184.165.8.99]) by smtp415.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID e20dd9db169329cbd357893d9002dab8; Tue, 20 Nov 2018 22:00:21 +0000 (UTC)
To: David Waite <david@alkaline-solutions.com>, Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: oauth <oauth@ietf.org>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CA+iA6uinC=pp=0sQJyNUifd8HfRZk3-h+RXK4VnymVz2Rd++CQ@mail.gmail.com> <14BB75BB-F650-408D-8359-B25FA4E66DC9@alkaline-solutions.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <1b451ff4-9de5-c3e2-acf3-f8b50b0212ff@aol.com>
Date: Tue, 20 Nov 2018 17:00:19 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <14BB75BB-F650-408D-8359-B25FA4E66DC9@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="------------BD60D0F8A17CDBF9F295ACD5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dr628gu7F500GxDBCcoLXv2divI>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 22:00:35 -0000

+1

This model is useful and should be documented in its own right. Once 
documented it could possibly be referenced in the BCP.

On 11/9/18 1:44 PM, David Waite wrote:
> Hi Hans, I hope it is acceptable to reply to your message on-list.
>
> Others could correct me if I am wrong, but I believe the purpose of 
> this document is to recommend uses of other OAuth/OIDC specifications, 
> not to include its own technologies.
>
> In terms of being another spec to be referenced, I think it would be 
> useful but I wonder hypothetically how to best write that 
> specification. This method seems to be relying on standards-defined 
> tokens and converting them to an application server session, which 
> isn’t defined by behavior other than HTTP cookies. The session info 
> hook then lets you use those proprietary session tokens to retrieve 
> the access/id token.
>
> As such, it is closer to an architecture for implementing a client - 
> as a confidential client backend with an associated SPA frontend that 
> needs to make OAuth-protected calls. It is not describing the 
> communication between existing OAuth roles, such as between the client 
> and AS.
>
> There’s obvious value here, and it's one of several architectures for 
> browser-based apps using a confidential client rather than a public 
> one (another example being a reverse proxy which maps remote OAuth 
> endpoints into local, session-token-protected ones). I personally am 
> just not sure how you would define the communication between back-end 
> and front-end portions of the client in these architectures as a 
> standard within OAuth.
>
> -DW
>
>> On Nov 6, 2018, at 3:03 AM, Hans Zandbelt <hans.zandbelt@zmartzone.eu 
>> <mailto:hans.zandbelt@zmartzone.eu>> wrote:
>>
>> Hi Aaron, DW,
>>
>> About draft-parecki-oauth-browser-based-apps:
>> would you consider including a recommendation about and the 
>> standardization of a "session info" endpoint (I'm open for better 
>> naming ;-)) as described in:
>> https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-page-applications/
>>
>> this approach is not just something that I cooked up; it is based on 
>> real world requests & deployments at Netflix and OAth.
>>
>> Let me know what you think,
>>
>> Hans.
>>
>> On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig 
>> <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>>
>>     Hi all,
>>
>>     Today we were not able to talk about
>>     draft-parecki-oauth-browser-based-apps-00, which describes 
>>     "OAuth 2.0 for Browser-Based Apps".
>>
>>     Aaron put a few slides together, which can be found here:
>>     https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
>>
>>     Your review of this new draft is highly appreciated.
>>
>>     Ciao
>>     Hannes
>>     IMPORTANT NOTICE: The contents of this email and any attachments
>>     are confidential and may also be privileged. If you are not the
>>     intended recipient, please notify the sender immediately and do
>>     not disclose the contents to any other person, use it for any
>>     purpose, or store or copy the information in any medium. Thank you.
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> -- 
>> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
>> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu/>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth