Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Simon Moffatt <simon.moffatt@forgerock.com> Wed, 07 November 2018 16:09 UTC

From: Simon Moffatt <simon.moffatt@forgerock.com>
To: Joseph Heenan <joseph@authlete.com>, Aaron Parecki <aaron@parecki.com>
Cc: oauth <oauth@ietf.org>
Date: Wed, 07 Nov 2018 16:08:15 +0000
Message-ID: <5d754635-836d-07b6-4f6e-a2fa2ebbeaca@forgerock.com>
In-Reply-To: <894C1893-8722-4005-8A33-AECADFD18024@authlete.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jtWmuHI3wEZ-YtuQbeyHELJ6eTI>

It's an interesting topic.  I think there is definitely a set of
options and considerations for this.  Namely operational.  For example,
hugely popular mobile apps (multi-million downloads across different
OS's) using dynamic reg with per-instance private creds requires the AS
to be able to store and index those client profiles easily.  Smaller
scale custom built authorization servers are not necessarily going to be
able to handle that - hence the popularity of assuming everything is
generic and public coupled with PKCE.

On the other hand, a less popular first-party app used internally for
employees, for example, might well go for secure element integration on
the appropriate mobile OS.

So, I guess options are needed and best practice for a few subtly
different scenarios.

Regards

Simon



On 07/11/18 15:20, Joseph Heenan wrote:
> Hi Aaron,
>
> Thanks for putting this document together, I think this kind of
> guidance is invaluable.
>
> It may be worth slightly rewording 7.2 as it may encourage a growing
> misconception that all native apps must be public clients. With many
> devices now having embedded HSMs, we’ve seen increasing interest in
> mobile apps being dynamically (per-install) registered oauth2 private
> clients, and that model has a lot of advantages. (I’m not sure if we
> might see a similar model evolving for web apps.) 
>
> The BCP for native apps does allow this:
> https://tools.ietf.org/html/rfc8252#section-8.4
>
> Cheers,
>
> Joseph
>
>> On 6 Nov 2018, at 10:13, Aaron Parecki <aaron@parecki.com
>> <mailto:aaron@parecki.com>> wrote:
>>
>> Thanks Hannes,
>>
>> Since I wasn't able to give an intro during the meeting today, I'd
>> like to share a little more context about this here as well.
>>
>> At the Internet Identity Workshop in Mountain View last week, I led a
>> session to collect feedback on recommendations for OAuth for browser
>> based apps. During the session, we came up with a list of several
>> points based on the collective experience of the attendees. I then
>> tried to address all those points in this draft.
>>
>> The goal of this is not to specify any new behavior, but rather to
>> limit the possibilities that the existing OAuth specs provide, to
>> ensure a secure implementation in browser based apps.
>>
>> Thanks in advance for your review and feedback!
>>
>> Aaron Parecki
>> aaronpk.com <http://aaronpk.com/>
>>
>> On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig
>> <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>>
>>     Hi all,
>>
>>     Today we were not able to talk about
>>     draft-parecki-oauth-browser-based-apps-00, which describes 
>>     "OAuth 2.0 for Browser-Based Apps".
>>
>>     Aaron put a few slides together, which can be found here:
>>     https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
>>
>>     Your review of this new draft is highly appreciated.
>>
>>     Ciao
>>     Hannes
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>> -- 
>> ----
>> Aaron Parecki
>> aaronparecki.com <http://aaronparecki.com/>
>> @aaronpk <http://twitter.com/aaronpk>
>>

-- 
Simon Moffatt
Technical Director Product Management  |  ForgeRock
t (44) 7903 347 240  |  e simon.moffatt@forgerock.com
twitter @simonmoffatt  |  web www.forgerock.com <https://www.forgerock.com/>



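Added example, not part of this thread or of any participant's message: the "generic public client coupled with PKCE" arrangement Simon contrasts with per-instance private credentials, implemented end to end per RFC 7636 so both halves of the exchange are visible. The client side derives an S256 code_challenge from a random code_verifier; the authorization server side (the `AuthorizationServer` class and its in-memory code store are constructed for this illustration and are not any real AS) binds the challenge to the authorization code it issues and only redeems the code when the presented verifier hashes back to it. The flow in `demo_flow` also exercises the two failure modes a defender cares about: a code replayed after redemption, and a code presented without the verifier that produced its challenge.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 section 4.1 allows in a code_verifier (unreserved URI characters).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier. 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side (and AS side at redemption): S256 challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_is_well_formed(verifier: str) -> bool:
    """Length and alphabet check from RFC 7636 section 4.1 before hashing anything."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)


class AuthorizationServer:
    """Constructed minimal AS: stores the challenge with each code, checks it at the token endpoint."""

    def __init__(self) -> None:
        # Hypothetical in-memory store: code -> code_challenge. A real AS would persist this.
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: issue a code bound to the presented challenge."""
        if code_challenge_method != "S256":
            # 'plain' gives no protection once the challenge is observed, so refuse it outright.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: redeem a code exactly once, and only with the matching verifier."""
        challenge = self._codes.pop(code, None)  # pop enforces single use
        if challenge is None or not verifier_is_well_formed(code_verifier):
            return False
        # Constant-time comparison so the check does not leak how many leading chars matched.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo_flow() -> dict:
    """Run the legitimate exchange plus the two failure modes PKCE is meant to close."""
    auth_server = AuthorizationServer()

    # Legitimate public client: keeps the verifier in memory, sends only the challenge up front.
    verifier = make_code_verifier()
    code = auth_server.authorize(make_code_challenge(verifier), "S256")
    legit = auth_server.token(code, verifier)

    # Replaying an already-redeemed code fails even with the correct verifier.
    replay = auth_server.token(code, verifier)

    # A code seen in transit is useless to anyone who lacks the original verifier.
    code2 = auth_server.authorize(make_code_challenge(verifier), "S256")
    without_verifier = auth_server.token(code2, make_code_verifier())

    return {"legit": legit, "replay": replay, "without_verifier": without_verifier}


if __name__ == "__main__":
    print(demo_flow())
```

The S256 derivation can be checked against the worked example in RFC 7636 Appendix B, whose verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must produce the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. Nothing here requires the AS to store a per-instance client profile, which is the operational point Simon makes: the binding lives in the short-lived code record rather than in a registered client.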