Re: [OAUTH-WG] OAuth for Browser-Based Apps

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Sun, 24 March 2024 09:40 UTC

From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
In-Reply-To: <B118DE0E-1ED3-404F-A4D4-B815FE582D80@mit.edu>
Date: Sun, 24 Mar 2024 10:40:05 +0100
Cc: oauth <oauth@ietf.org>
Message-Id: <00A9B04F-E9EE-4F1F-A4C4-8EDCBF4DB799@pragmaticwebsecurity.com>
References: <B118DE0E-1ED3-404F-A4D4-B815FE582D80@mit.edu>
To: Justin Richer <jricher@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hX7ed-5lM9LrQnDsNc__yGE7Ilo>
Subject: Re: [OAUTH-WG] OAuth for Browser-Based Apps

Hi Justin,

Thank you for your detailed review. 

> §9+ this draft should add privacy considerations, particularly for BFF pattern's proxy architecture.

I wanted to ask for a bit more context on this comment. I understand that having a proxy as a separate entity would expose all requests/responses to this entity. However, in the context of a BFF, the frontend and the BFF belong together (i.e., they are one application deployed as two components). The frontend and BFF are deployed and operated by the same party, so I’m not sure if this comment effectively applies. 

Looking forward to hearing from you.

Philippe
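The exchange above turns on what the BFF component actually sees. The following in-memory model of the BFF pattern is an added illustration, not code from the draft or from anyone on this thread: a confidential server-side component holds the access token keyed by an opaque session cookie, attaches it to calls it forwards on the frontend's behalf, and records what passes through it. The names (`BFF`, `resource_server`, `run_demo`), the cookie name and the token value are all constructed stand-ins so that it runs offline; the authorization-code exchange itself is elided.

```python
"""In-memory model of a backend-for-frontend (BFF) proxying API calls for a
browser-based app. Added illustration; everything here is a constructed
stand-in (no network, no real tokens)."""
import secrets
from dataclasses import dataclass, field

# Constructed sample values, not real credentials.
ACCESS_TOKEN = "at-constructed-example"
SESSION_COOKIE_NAME = "__Host-bff_session"


def resource_server(method: str, path: str, headers: dict, body: str) -> dict:
    """Stand-in for the API behind the BFF. It accepts only the bearer token."""
    if headers.get("Authorization", "") != f"Bearer {ACCESS_TOKEN}":
        return {"status": 401, "body": "invalid_token"}
    return {"status": 200, "body": f"profile for {path} ({method} {body!r})"}


@dataclass
class BFF:
    """The confidential server-side half of the application.

    It keeps OAuth tokens keyed by an opaque session id and forwards frontend
    calls upstream. Every call passes through it in plaintext, which is the
    'proxy' property the review comment refers to; the reply's point is that
    the BFF and the frontend are one application run by the same party.
    """
    sessions: dict = field(default_factory=dict)   # session id -> access token
    observed: list = field(default_factory=list)   # what the BFF saw

    def complete_login(self) -> str:
        """Bind the (elided) token response to a fresh random session id and
        return that id as the value to set in the session cookie."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = ACCESS_TOKEN
        return sid

    def proxy(self, cookies: dict, method: str, path: str, body: str = "") -> dict:
        """Forward one frontend request upstream using the session's token."""
        token = self.sessions.get(cookies.get(SESSION_COOKIE_NAME))
        if token is None:
            return {"status": 401, "body": "no_session"}
        # The token is attached here, server-side; the browser never holds it.
        response = resource_server(method, path,
                                   {"Authorization": f"Bearer {token}"}, body)
        # The BFF necessarily observes the full request and response.
        self.observed.append({"method": method, "path": path,
                              "request_body": body,
                              "response_status": response["status"]})
        return {"status": response["status"], "body": response["body"]}


def run_demo():
    """Drive the model: one valid session, one missing cookie, one bogus cookie."""
    bff = BFF()
    sid = bff.complete_login()
    ok = bff.proxy({SESSION_COOKIE_NAME: sid}, "GET", "/me")
    no_cookie = bff.proxy({}, "GET", "/me")
    bad_cookie = bff.proxy({SESSION_COOKIE_NAME: "not-a-session"}, "GET", "/me")
    return bff, ok, no_cookie, bad_cookie


if __name__ == "__main__":
    bff, ok, no_cookie, bad_cookie = run_demo()
    print(ok, no_cookie, bad_cookie)
    print("BFF observed:", bff.observed)
```

The `observed` list is the concrete form of the privacy question: the component that holds the session and the token also sees every request body and response status it proxies, so whether that is a separate entity or the same operator as the frontend is exactly what decides whether a privacy consideration applies.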