[OAUTH-WG] Recommended OpenId Connect Flow for SPA with Microservices

David Sautter <david.sautter@web.de> Mon, 10 June 2019 08:06 UTC

Return-Path: <david.sautter@web.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E87A11200C1 for <oauth@ietfa.amsl.com>; Mon, 10 Jun 2019 01:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.698
X-Spam-Level:
X-Spam-Status: No, score=-0.698 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_FAIL=0.001, SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pE1CxLD8cNVz for <oauth@ietfa.amsl.com>; Mon, 10 Jun 2019 01:06:16 -0700 (PDT)
Received: from outgoing.selfhost.de (mordac.selfhost.de [82.98.82.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 241D5120096 for <oauth@ietf.org>; Mon, 10 Jun 2019 01:06:15 -0700 (PDT)
Received: (qmail 14539 invoked from network); 10 Jun 2019 08:06:12 -0000
Received: from unknown (HELO ?192.168.1.185?) (postmaster@davidsautter.de@95.117.87.75) by mailout.selfhost.de with ESMTPA; 10 Jun 2019 08:06:12 -0000
To: oauth@ietf.org
From: David Sautter <david.sautter@web.de>
Message-ID: <f9e47830-744b-e358-2b13-2bd7de75c513@web.de>
Date: Mon, 10 Jun 2019 10:06:12 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Antivirus: Avast (VPS 190609-4, 09.06.2019), Outbound message
X-Antivirus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m9_1o5FVdoPepO79DIg_1G7Ij1I>
X-Mailman-Approved-At: Tue, 11 Jun 2019 08:01:41 -0700
Subject: [OAUTH-WG] Recommended OpenId Connect Flow for SPA with Microservices
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 06:29:16 -0000

Hello,

I'm trying to get my head around the current recommendation for using
OpenID Connect with an SPA that cannot directly communicate with a
stateful backend for holding a session.

First I thought the Implicit Flow would be the way to go; then I noticed
that it isn't recommended anymore because of the broad support of CORS
nowadays, and that one should use the Authorization Code Flow instead.

I think what confuses most people is that the Authorization Code Flow
can be implemented in two ways: with or without a backend service doing
the token exchange for the frontend.

I understood the following: using a backend service to exchange the
auth code for the token with the IdP is considered more secure, because
one cannot trust the browser to store the tokens securely. The drawback
is that you will have to create your own session state between your
backend and your frontend SPA (e.g. using a cookie).

I am in a scenario where I do not have "the one backend", but a bunch of
microservices running on Kubernetes, so they could die and respawn at
any given time. Do I need an API gateway for dealing with the
Authorization Code Flow? Which ones would be recommended
(standards-compliant)?

Or is the alternative of handling the complete Authorization Code Flow +
PKCE in the browser considered a safe scenario?

I have been doing a lot of research but am having trouble clarifying
this. Thanks for your help!

Regards,

David

