IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Neil Madden <neil.madden@forgerock.com> Wed, 17 February 2021 20:08 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFAA63A1CFA for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 12:08:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpO0ghlsFaGa for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 12:08:39 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B61D3A1CFB for <oauth@ietf.org>; Wed, 17 Feb 2021 12:08:39 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id v15so18708835wrx.4 for <oauth@ietf.org>; Wed, 17 Feb 2021 12:08:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=e40ja4l8NS6Oij7TjnEAcodjIQQ+z0EClXIMKF8h4c4=; b=WM6rq2XU8w3R1aVthNghjxpiw6fvtgTIaq5VYTQTohumDA64Ofn0R4aHAt39VMUFwx nrwLb/SHGeeO6nXoHGqQo9cBBijZM0Zny7e8TT3gUAAWcDZDNMJ9fOTKfvdBihzQieuK tR0QIl/J5s3NkVj2qoH/f7FXuCTN8rQTalLoA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=e40ja4l8NS6Oij7TjnEAcodjIQQ+z0EClXIMKF8h4c4=; b=Px77J9Y5HwdkbsZVGQnxX8zx7gcgTsjIfxrlfwplQ1YTP3ixhBY3MCxW2tueJMUuL4 05429xKQb+I9utW+SALOIA0qAC8KXWcLfeyb6xSAic9vY2+HHrkcSX3DrRaKSDmJlkrh lQ3C0/f7Sbs44a8/q1L0C5qrKOoGwGUrj4lQcHlT+8an8ksr8oy1xhUEtrt4Hn/4z3Ay 70Vcr0MtIodkv/W6MC43/6ZNgGzxiK4SXdDqDhYDQUyyF+MAv1BGZ8DJpnp0373fFC8R n2eJwotyMtu9HZGXx2O4dbcdoWsHf+jzyzBXCp4pb38/FnVtNjJTCP4AO6B50EllnsUC bmZQ==
X-Gm-Message-State: AOAM531f/y7JBfsG833Oic1GSZrRCOtl++m5Y3/3frPOEPaqk4PGUc1m vEMfORbLu+r7KEgltdF0thptKya6Dp9eb6ofm6r90C7H0ssqJq8NUEZoLQMhHQZypcoZgYaqXg= =
X-Google-Smtp-Source: ABdhPJx8K1GOLhZBnbSB8/6q6COuIg9R0pjT/UP+hfJSd59bG5xtRFz03CYSEd3QsklaBsBIY6qsvA==
X-Received: by 2002:a5d:570a:: with SMTP id a10mr894869wrv.70.1613592517571; Wed, 17 Feb 2021 12:08:37 -0800 (PST)
Received: from ?IPv6:2a01:4c8:62:ae76:a858:a8e7:1bf2:2da8? ([2a01:4c8:62:ae76:a858:a8e7:1bf2:2da8]) by smtp.gmail.com with ESMTPSA id n186sm4511513wmn.22.2021.02.17.12.08.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 17 Feb 2021 12:08:37 -0800 (PST)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 17 Feb 2021 20:08:36 +0000
Message-Id: <98E38875-F022-419C-87FA-1218B4A16660@forgerock.com>
References: <CAO7Ng+s+wpvCtaE+1K+C30LmN1osBoqEUYWBbkDgaoWFg9sJeg@mail.gmail.com>
Cc: Warren Parad <wparad@rhosys.ch>, Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth@ietf.org
In-Reply-To: <CAO7Ng+s+wpvCtaE+1K+C30LmN1osBoqEUYWBbkDgaoWFg9sJeg@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
X-Mailer: iPhone Mail (18D52)
Content-Type: multipart/alternative; boundary="Apple-Mail-14816776-DE3A-48CB-A17E-7C51B65C73FB"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m8FtuF-_hRuR33RQhDoodsqbtfo>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 20:08:43 -0000

Do you eliminate the cookies too?

> On 17 Feb 2021, at 19:50, Dominick Baier <dbaier@leastprivilege.com> wrote:
> 
> 
> Well. Maybe it is at least worth while then to at least mention that you could also take a slightly different approach and eliminate all tokens in the browser - with the respective trade offs.
> 
> ———
> Dominick Baier
> 
>> On 17. February 2021 at 20:46:42, Warren Parad (wparad@rhosys.ch) wrote:
>> 
>>> While someone will always say “but this doesn’t solve the XSS problem” - this is absolutely correct. But when there are no tokens in the browser - you can simply eliminate that part of the threat model ;)
>> The point was it doesn't eliminate anything, it just changes the request/response data that is part of the attack. This doesn't increase security, as a matter of fact, with regard to the RFC, we shouldn't talk about security at all, since it has zero impact on it.
>> 
>> It is worth talking about that pattern as one possible solution to maintaining sessions, but that's it.
>> 
>> 
>> Warren Parad
>> Founder, CTO
>> Secure your user data with IAM authorization as a service. Implement Authress.
>> 
>> 
>>> On Wed, Feb 17, 2021 at 8:43 PM Dominick Baier <dbaier@leastprivilege.com> wrote:
>>> Yes - “no OAuth tokens in the browser” ;) They are all kept server-side and the BFF proxies the API calls if necessary. Also the RT management happens server-side and is transparent to the SPA.
>>> 
>>> I see that in lots of industries - finance, health, cloud providers
>>> 
>>> While someone will always say “but this doesn’t solve the XSS problem” - this is absolutely correct. But when there are no tokens in the browser - you can simply eliminate that part of the threat model ;)
>>> 
>>> ———
>>> Dominick Baier
>>> 
>>>> On 17. February 2021 at 18:30:23, Vittorio Bertocci (vittorio.bertocci@auth0.com) wrote:
>>>> 
>>>> Thanks Dominick,
>>>> 
>>>> It is indeed a very simple spec, but as you can see from the discussion so far, it doesn’t appear to be trivial- and there might be some considerations we consider obvious (eg scope escalation) that might not be super clear otherwise.
>>>> 
>>>> In terms of the guidance, just to make sure I get the scope right- that means that also code+PKCE+rotating RTs in JS would not be acceptable for your customers?
>>>> 
>>>>  
>>>> 
>>>> From: Dominick Baier <dbaier@leastprivilege.com>
>>>> Date: Wednesday, February 17, 2021 at 00:27
>>>> To: Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
>>>> Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, "oauth@ietf.org" <oauth@ietf.org>
>>>> Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
>>>> 
>>>>  
>>>> 
>>>> Hey, 
>>>> 
>>>>  
>>>> 
>>>> Tbh - I have a bit of a hard time to see why this requires a spec, if that is all you are aiming at. Wouldn’t that be just an extension to the “OAuth for web apps BCP?”.
>>>> 
>>>>  
>>>> 
>>>> All I can add here is - this approach would not work for any of our customer. Because their real motivation is to implement a more and more common security guideline these days - namely: “no JS-accessible tokens in the browser” - but this document doesn’t cover this.
>>>> 
>>>>  
>>>> 
>>>> cheers 
>>>> 
>>>> ———
>>>> 
>>>> Dominick Baier
>>>> 
>>>>  
>>>> 
>>>> On 16. February 2021 at 22:01:37, Brian Campbell (bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>>  
>>>> 
>>>> On Mon, Feb 15, 2021 at 9:48 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>> 
>>>> Thank you again for the explanation. 
>>>> 
>>>> I think your assumption about the overall flow should be described in the draft.
>>>> 
>>>>  
>>>> 
>>>> We did attempt to capture the assumptions in the draft but clearly could have done a better job with it :)
>>>> 
>>>>  
>>>> 
>>>> 
>>>> As I understand it now the core contribution of your proposal is to move refresh token management from frontend to backend. Is that correct? 
>>>> 
>>>>  
>>>> 
>>>>  Taking that a bit further - the idea is that the backend takes on the responsibilities of being a confidential client (client creds, token acquisition, token management/persistence, etc.) to the external AS(s). And TMI BFF describes a way for that backend to deliver access tokens to its own frontend. 
>>>> 
>>>> 
>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ 
>>>> OAuth mailing list 
>>>> OAuth@ietf.org 
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

v2.23.0 | Report a Bug | By Email