IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Neil Madden <neil.madden@forgerock.com> Sun, 14 February 2021 18:30 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0655E3A10C7 for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 10:30:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.188
X-Spam-Level:
X-Spam-Status: No, score=-0.188 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrM3xEPzOpva for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 10:30:53 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79CA63A10C5 for <oauth@ietf.org>; Sun, 14 Feb 2021 10:30:53 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id m1so5876108wml.2 for <oauth@ietf.org>; Sun, 14 Feb 2021 10:30:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:cc:date:message-id:references :to:content-transfer-encoding; bh=ZbLYx5xbrwhvkJzyjJGG8ik1PDJpoL55HdJSfkx65pE=; b=BvvC65QXM3Gj+2LF7k6I/LGTaFpkbXXL1yqYV55eCcOwSwPvw3Jga7jYTFLZnVPi/Q K1lDeKuTT64n9ltoG55Cz5Zz1GD3ugofUGsNZ2tn4RU5iXJMQssrmcQlDTe2R7up75CL 5jRIiXYKGXvAPISdVz0+5T3rQevAfN9LkmR4A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:cc:date :message-id:references:to:content-transfer-encoding; bh=ZbLYx5xbrwhvkJzyjJGG8ik1PDJpoL55HdJSfkx65pE=; b=Ry6puUNt2/wGOxFJbknEE1BBrn1uLn21Y9SWNY9YWIxqNgvt9akMGfE75RulHBzNWy wP4+drBQdxuPNPuR0yTxMOrHrytzjGRn6Qhi044Rv6z1xwsHbaUPDX3kH5nMWZASQCUu 4bF4ikAyVlAHmrrhKNI5mwJjY7TfCSxF/U0cIqf3iu826XIzcU1nuVCFl+GoSBGXqpLa qQF9iosX/XaxkbA0Yw3+giDzesZ4Vu+KOITYzoENHUlZOxU/EBqv1I6e/ObHriL6InEx xemHsiW2Yq8B7FeTe+zXYqJ2MbeHsjf7OLur57f5vsnBTR18RfmCiDzktdUO8nZXMeyd N8Iw==
X-Gm-Message-State: AOAM5332tOaC7u+Mig48lvBaCjj7trzS0OZWYNC2crrBpwzzSgSBtDf+ X5vtqOjlVQggJOa7Mo5t7wH6WcTWfvwn6dtMoJsMRx7XsKsK9ULcFZHME0Sx26GfteCKgRUiKA= =
X-Google-Smtp-Source: ABdhPJzzeFHkxIMyiU20GUgIUzX3cv4MOCZ4CM2JpmhVKOz6iT3314zwvRNQSkkkSRdOCiuaeTcsFw==
X-Received: by 2002:a1c:8096:: with SMTP id b144mr11443862wmd.169.1613327451612; Sun, 14 Feb 2021 10:30:51 -0800 (PST)
Received: from [10.0.0.2] (252.207.159.143.dyn.plus.net. [143.159.207.252]) by smtp.gmail.com with ESMTPSA id 11sm20293569wmo.46.2021.02.14.10.30.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 14 Feb 2021 10:30:51 -0800 (PST)
Mime-Version: 1.0 (1.0)
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com>
Cc: Warren Parad <wparad@rhosys.ch>, Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth <oauth@ietf.org>
Date: Sun, 14 Feb 2021 18:30:47 +0000
Message-Id: <1A964B70-7C73-4CAE-B3B9-FF3BACF0E698@forgerock.com>
References: <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com>
To: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
X-Mailer: iPhone Mail (18C66)
Content-Type: multipart/alternative; boundary="Apple-Mail-6B1DD390-D2ED-4DAF-9B64-D8D7BF0E098E"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/g9zHFAsMchtvf0nKOzqohI7vbdg>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 18:30:56 -0000

Within the spec “client authentication” refers to explicit authentication of the client using credentials. But you said initially that you wanted this to “determine if it is a first-party app, for example”. You can determine this based on the redirect_uri and the fact that only the legitimate client can receive an authorization code at that redirect_uri (if its HTTPS, exact matching of URIs, etc). This is what I refer to as implicit authentication - the AS knows at the point of auth code exchange that only the legitimate client could have obtained that code. 

(This is not true for mobile clients using private-use URI schemes).

Note that for both public and confidential clients, the confirmation of the client identity happens after the user has gone through the authorization flow. PAR fixes this for confidential clients, but not public ones. So that is one reason to prefer a BFF pattern and a confidential client. 

Confidential clients also have an extra layer of defence in depth: they need a redirect_uri *and* client credentials. So that is another reason to use a confidential client and BFF. 

A backend server may also have a more reliable connection to the AS. So that may also be a good reason to use a BFF - eg to avoid having to reauthorize with the user because an auth code or refresh request timed out due to a flaky network connection. 

So there may be many good reasons to use a BFF pattern. But if you just want a reasonable assurance of client identity at the point of issuing tokens, then IMO a public client + PKCE is fine for many cases. 

— Neil

> On 14 Feb 2021, at 17:27, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
> 
> Thanks Warren,
> 
> as I see you and Neil have the same idea,
> but as of this moment I think this method is not a valid option for authenticating
> a client according to the draft-ietf-oauth-v2-1.
> 
> On the other hand, authenticating the client through the BFF
> seems conforming to the spec., but in the case when the access token is used
> in the browser in fact, I am afraid that it can be regarded as
> some kind of "deception" of the AS.
> 
> It seems the frontend SPA is not the easiest way to go with oauth...
> 
> Stoycho.
> 
> On Sun, 14 Feb 2021 at 17:35, Warren Parad <wparad@rhosys.ch> wrote:
>> redirect_uri and use PKCE via the code verifier.
>> 
>> 
>> Warren Parad
>> Founder, CTO
>> Secure your user data and complete your authorization architecture. Implement Authress.
>> 
>> 
>> On Sun, Feb 14, 2021 at 3:51 PM Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
>>> Thanks a lot for your answer Neil,
>>> 
>>> as I am no expert (yet :-)) in security I was afraid to rely on
>>> redirect_uri for authentication of the client,
>>> but I will consider that option as more trustworthy now.
>>> 
>>> (it is also not very clear for me which part of the app can be
>>> regarded as the redirect_uri owner, the BFF or the loaded frontend
>>> SPA, but maybe it is not so important)
>>> 
>>> If you had the two options for authentication of the frontend SPA
>>> client - the redirect_uri on the one hand, and the Basic
>>> authentication with client secret through the BFF on the other, which
>>> one would you recommend?
>>> 
>>> On Sun, 14 Feb 2021 at 16:28, Neil Madden <neil.madden@forgerock.com> wrote:
>>> >
>>> > Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
>>> >
>>> > There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.
>>> >
>>> > — Neil
>>> >
>>> > > On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
>>> > >
>>> > > 
>>> > > I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
>>> > > with the objective to verify if they are valid.
>>> > >
>>> > > I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
>>> > > If we decide to implement our client as a frontend SPA , then we have no other option except through a BFF, as PKCE does not help for authentication.
>>> > >
>>> > > Or is it considered a bad practice to do that?
>>> > >
>>> > > Regards,
>>> > > Stoycho.
>>> > > _______________________________________________
>>> > > OAuth mailing list
>>> > > OAuth@ietf.org
>>> > > https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > --
>>> > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

v2.23.0 | Report a Bug | By Email