Re: [OAUTH-WG] More product group review comments on the OAuth 2.0 for Browser-Based Apps spec
Aaron Parecki <aaron@parecki.com> Fri, 28 February 2020 21:03 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5292C3A1DE4 for <oauth@ietfa.amsl.com>; Fri, 28 Feb 2020 13:03:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWf19mUnYzT0 for <oauth@ietfa.amsl.com>; Fri, 28 Feb 2020 13:03:10 -0800 (PST)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 599943A1DD9 for <oauth@ietf.org>; Fri, 28 Feb 2020 13:03:10 -0800 (PST)
Received: by mail-il1-x12f.google.com with SMTP id w69so3985030ilk.6 for <oauth@ietf.org>; Fri, 28 Feb 2020 13:03:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=wyx00yQAA+yJHA2tnj/NtzAWmTwxFd/jdVBt1BcCiuc=; b=t3pdLxwp5nRr+tpgxydHHM4V9Jp8MRPuI+0t7ZjRXD3ScYZKXU8GZpxPosojsstyQv +pH894QUzfpvNqi7uTfSUlbjiPmCI1n1HS+a05eiN7rUltBEjCvgHCCrgq8UjIpTISXB uHZKNYr50leH7A1VbgeKcWb8a4ss4Ke4yrBddEjuN7yTCTTlM4VS/9EFkXABeHO43T5M TRejIRnIArJL0ZX2ygusfFXMakj/jmdEHbD4unSXP/5vnJgo1qrOU0ltTrn6dFSFcH9e ZBYAtPpsX1+PoAlf8B0VHU9pW0rNCx4C5ZJoCskhkwSkauYzhNDs6AYiKoBYp21h1BSL ki6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=wyx00yQAA+yJHA2tnj/NtzAWmTwxFd/jdVBt1BcCiuc=; b=Xe2vH0AV6GixIEWlaZGhA1z6wB7YUifjl9mqGibsUQ7NAkz/y2rPkidl4MgdT6CRfx V5xm9VM7TWpbK5/sShDkbYSiLEBMmYfr7tIuf1qY/JysQCN07g4j69dOWEpAI4HtUMzD Jt1lk6vrTHTujRQUd2tQu4As1Nhg48GKnz+lyRMKEJ/Qqo4LM6TgKV51dN+r/2Gt3Emo JTY6XEjzdBCgWLiBSvP1a2wdHOLRnAaDyxVx03F/tK3U8Qn7PfDFIAOjZGBaPyYlbS4J PRbgm1DlQFT3eBVfqKk0ia36nNlDbrLdMJYRZwuoHEHXAZfbg42rJJgA3sXLeMb40pPH Kbgw==
X-Gm-Message-State: APjAAAWUwa3A3WKyKLl/rUiz/nVfHwWNKWYN5+B2OZ3GNwWZ01xKqxxQ whl9sVeSp9a+xessdgzRg3R3C5cggTc=
X-Google-Smtp-Source: APXvYqwLtOR+2cbc8UNT0ngN30wGzyLcvUZB0a0OwhZQZrG2hz5sEbzK69YDVXYhj5YAfSwo8YTSYg==
X-Received: by 2002:a92:9603:: with SMTP id g3mr6263267ilh.231.1582923789325; Fri, 28 Feb 2020 13:03:09 -0800 (PST)
Received: from mail-io1-f51.google.com (mail-io1-f51.google.com. [209.85.166.51]) by smtp.gmail.com with ESMTPSA id n81sm640276ili.28.2020.02.28.13.03.08 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Feb 2020 13:03:08 -0800 (PST)
Received: by mail-io1-f51.google.com with SMTP id n21so4980770ioo.10 for <oauth@ietf.org>; Fri, 28 Feb 2020 13:03:08 -0800 (PST)
X-Received: by 2002:a6b:148b:: with SMTP id 133mr4977237iou.214.1582923788408; Fri, 28 Feb 2020 13:03:08 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR00MB06861DECA92E8CDA95610699F5EE0@MN2PR00MB0686.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB06861DECA92E8CDA95610699F5EE0@MN2PR00MB0686.namprd00.prod.outlook.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 28 Feb 2020 13:02:57 -0800
X-Gmail-Original-Message-ID: <CAGBSGjoqY4VM77qbutn+az8KijLnauPX+c5vQLBfNL5-RwKELQ@mail.gmail.com>
Message-ID: <CAGBSGjoqY4VM77qbutn+az8KijLnauPX+c5vQLBfNL5-RwKELQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "david@alkaline-solutions.com" <david@alkaline-solutions.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gziPLR8bXUagdu9Zco3RoANKlNg>
Subject: Re: [OAUTH-WG] More product group review comments on the OAuth 2.0 for Browser-Based Apps spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 21:03:13 -0000
> 9.3. Client Impersonation > It is implied that consent granted to public client should not be recorded: >> Even when the user has previously approved an >> authorization request for a given client_id, the request SHOULD be >> processed as if no previous request had been approved, unless the >> identity of the client can be proven. > Do we agree with this? If implemented, it will add significant number of consent prompts. This text in this BCP is summarizing section 10.2 of RFC6749, not defining anything new. The following paragraph allows the authorization server to treat an exact match of a registered redirect URI as proof of identity for the client to avoid the consent screen. This is actually allowing the exact behavior the commenter wants. I will try to rephrase this text to make it more clear. > Many of our application services give the access tokens to browser instead and have JS call the resource server directly. How is this different from the pattern defined in 6.3, "JavaScript Applications without a Backend"? Is the difference that the OAuth exchange is handled by something other than the SPA? If that's the case, it sounds like that might be a new pattern that could be worth documenting as well, if that's a common pattern others have implemented and have good suggestions for. ---- Aaron Parecki aaronparecki.com @aaronpk ---- Aaron Parecki aaronparecki.com @aaronpk On Fri, Feb 21, 2020 at 5:02 PM Mike Jones <Michael.Jones@microsoft.com> wrote: > > More comments hot off the presses from a Microsoft product architect… > > > > https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-6.2 > > Applications with BE > > > > If I read this correctly, the prescribed pattern is to have browser JS call into its own BE only and have the BE call into 3P WebAPIs: > > When the JavaScript application in the browser wants to make a > > request to the Resource Server, it MUST instead make the request to > > the Application Server, and the Application Server will make the > > request with the access token to the Resource Server (C), and forward > > the response (D) back to the browser. > > > > Many of our application services give the access tokens to browser instead and have JS call the resource server directly. > > If we enforce the prescribed pattern, then app server becomes proxy to all resource servers. This may not scale of our services > > > > SPO, for example, has a pattern that is a mix b/n application with and without BE. It can behave as public or conf client depending on the redirect URI as we allow URI to be marked as ‘SPA’. > > > > https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-9.3 > > 9.3. Client Impersonation > > It is implied that consent granted to public client should not be recorded: > > Even when the user has previously approved an > > authorization request for a given client_id, the request SHOULD be > > processed as if no previous request had been approved, unless the > > identity of the client can be proven. > > > > Do we agree with this? If implemented, it will add significant number of consent prompts. > > > > tx > >
- [OAUTH-WG] More product group review comments on … Mike Jones
- Re: [OAUTH-WG] More product group review comments… Aaron Parecki