[OAUTH-WG] Recommended OpenId Connect Flow for SPA with Microservices
David Sautter <david.sautter@web.de> Mon, 10 June 2019 08:06 UTC
To: oauth@ietf.org
From: David Sautter <david.sautter@web.de>
Message-ID: <f9e47830-744b-e358-2b13-2bd7de75c513@web.de>
Date: Mon, 10 Jun 2019 10:06:12 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m9_1o5FVdoPepO79DIg_1G7Ij1I>
Hello,

I'm trying to get my head around the current recommendation for using OpenId Connect with an SPA that cannot directly communicate with a stateful backend for holding a session.

First I thought the Implicit Flow would be the way to go, then I noticed that it isn't recommended anymore because of the broad support of CORS nowadays; instead one shall use the Authorization Code Flow.

I think what confuses most people is that the Authorization Code Flow can be implemented in two ways: with or without a backend service doing the token exchange for the frontend.

I understood the following: using a backend service for doing the exchange of the auth code for the token with the IdP is considered more secure, because one cannot trust the browser to store the tokens securely. The drawback is that you will have to create your own session state between your backend and your frontend SPA (e.g. using a cookie).

I am in a scenario where I do not have "the one backend", but a bunch of microservices running on Kubernetes, so they could die and respawn at any given time.

Do I need an API gateway for dealing with the Authorization Code Flow? Which ones would be recommended (standards compliant)? Or is the alternative of handling the complete Authorization Code Flow + PKCE in the browser considered a safe scenario?

I have been doing a lot of research but am having trouble clarifying this.

Thanks for your help!

Regards,
David