IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Warren Parad <wparad@rhosys.ch> Sun, 14 February 2021 17:45 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 482C13A1040 for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 09:45:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.188
X-Spam-Level:
X-Spam-Status: No, score=-0.188 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id caaXRbAhwiD4 for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 09:45:07 -0800 (PST)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29ABD3A103F for <oauth@ietf.org>; Sun, 14 Feb 2021 09:45:07 -0800 (PST)
Received: by mail-io1-xd2e.google.com with SMTP id y5so824881ioc.2 for <oauth@ietf.org>; Sun, 14 Feb 2021 09:45:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jOEGcHdykuBIM3qs1cUd8yU0XXrr46ZwWPe8abjR7Cw=; b=ZSXsyMqdFEqPdFlDTW5ivLIJ0lGEfS2blHhB7WVReVCgaxl7B3eu1KJny51oUFicc/ //Mi7ifLn8JhiMwf0Jvj2RvTmcK3EJDeqePgtR+BtvlA1/g8lnT5SJog2GJBXErZWitK wp4oY2tCnsNToFZGMxop/aElbGTiOcOVHHVECIFAABULEHtV5rSuS5zvIRg2Inms7NB7 hcOD08u/HAtl1SScMIx6n6WjUCDbejl5Ho9kbG/l58MvLvrDDFtm73D+tWit+mN3eItX wRPZo1CbF8oUvrbHP1TPMo/vAaXLg0elsvMD3+EKoB2nPnDFW+O0lrxSvlWYtb6py4Uv zAtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jOEGcHdykuBIM3qs1cUd8yU0XXrr46ZwWPe8abjR7Cw=; b=htmdKQMNCc+XqPlQJvkomvML5vrxGN1iVA183TIBsrzzzlCNgGp8+tnecpt0qlz4vS VOUunHxhFcdug1ooj3XpIHOk00CdB+mpw+AzIx7NzB1Ad+EaUOkygOTSNvEO1lembqRh glNG0d+qyFPdrdqNbnRvHKySEsB/r1N/eYUPhbVJzGaA21BCw0v7od7dyzt9TIO/M79F 9FuJqqCh2CYxTLw39NPlTRZzcdlWI56zZ/0nRWttU3a6Z4IHJNIpYCsyczGK8tqcaBnV fuUWeVWEohr7gUwSxsnDxge79uTNGRAuV1vH0SBPxdB9AL2UpVzLH8q8Ru6kdoq28Jg2 Rb4A==
X-Gm-Message-State: AOAM531RVVoI1LYSWGI//hlAuzJyeOAtdthUb2aZp6Pt82zZWT/sqgyl +R1P+ig4ZDrN9dma8gve/UbQfr0gXXJQCydWmCY6
X-Google-Smtp-Source: ABdhPJzAFIED2Lj+M5hImAOSIero7fAY4rLZbLpeNAKwbdlhHFVqkHJLN6nAJoXDoGoFS17NBEBfF6I9eyzIb7+Brig=
X-Received: by 2002:a6b:da0f:: with SMTP id x15mr9837416iob.48.1613324706214; Sun, 14 Feb 2021 09:45:06 -0800 (PST)
MIME-Version: 1.0
References: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com> <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com> <CAGL0X-o4Aq6Ec0UviqLryrxn0ksetLhjkVfVoNf_Cjtda+MX8g@mail.gmail.com> <CAJot-L3BXNyM3L_74-W+y3cJzmG2UxPiovb3DHLbmBL66-53SQ@mail.gmail.com> <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com>
In-Reply-To: <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sun, 14 Feb 2021 18:44:55 +0100
Message-ID: <CAJot-L1UQweut9MmrFYr+4qRGLixEFoECHr_tdLf86w=uVR5ZA@mail.gmail.com>
To: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
Cc: Neil Madden <neil.madden@forgerock.com>, Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000058b5d05bb4f6ecd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mSdEnSjQGdfYf6B_p83zVm5n_Aw>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 17:45:09 -0000

Correct it would never need to be used to authenticate a client, as a
client is always offline and can directly use the backchannel. You would
never need the front channel to authenticate a client, however you might
need the front channel to authorize a client to access user resources
offline. Is that what you are talking about, i.e. the offline refresh_token
authorization code flow?

If yes, then the standard would be to use the authorization code flow
requesting as you've mentioned. Although that flow already exists and well
established, and without any issues, having a standard specifying how to
communicate with the client doesn't seem to be useful, as you only need to
pass an *auth code* and the *issuer* to the client. But since these
endpoints are never exposed nor need to have interoperability between
different owners (i.e. the owner of the front-channel is different from the
owner of the back-channel), what's the benefit of specifying the explicit
endpoints necessary for the BFF to have?

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://authress.io>.


On Sun, Feb 14, 2021 at 6:27 PM Stoycho Sleptsov <stoycho.sleptsov@gmail.com>
wrote:

> Thanks Warren,
>
> as I see you and Neil have the same idea,
> but as of this moment I think this method is not a valid option for
> authenticating
> a client according to the draft-ietf-oauth-v2-1.
>
> On the other hand, authenticating the client through the BFF
> seems conforming to the spec., but in the case when the access token is
> used
> in the browser in fact, I am afraid that it can be regarded as
> some kind of "deception" of the AS.
>
> It seems the frontend SPA is not the easiest way to go with oauth...
>
> Stoycho.
>
> On Sun, 14 Feb 2021 at 17:35, Warren Parad <wparad@rhosys.ch> wrote:
>
>> redirect_uri and use PKCE via the code verifier.
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://authress.io>.
>>
>>
>> On Sun, Feb 14, 2021 at 3:51 PM Stoycho Sleptsov <
>> stoycho.sleptsov@gmail.com> wrote:
>>
>>> Thanks a lot for your answer Neil,
>>>
>>> as I am no expert (yet :-)) in security I was afraid to rely on
>>> redirect_uri for authentication of the client,
>>> but I will consider that option as more trustworthy now.
>>>
>>> (it is also not very clear for me which part of the app can be
>>> regarded as the redirect_uri owner, the BFF or the loaded frontend
>>> SPA, but maybe it is not so important)
>>>
>>> If you had the two options for authentication of the frontend SPA
>>> client - the redirect_uri on the one hand, and the Basic
>>> authentication with client secret through the BFF on the other, which
>>> one would you recommend?
>>>
>>> On Sun, 14 Feb 2021 at 16:28, Neil Madden <neil.madden@forgerock.com>
>>> wrote:
>>> >
>>> > Public clients are implicitly authenticated by their ownership of the
>>> registered redirect_uri. This why it’s important to use a redirect_uri for
>>> which ownership can be reasonably established, such as HTTPS endpoints with
>>> exact URI matching.
>>> >
>>> > There are more things that can go wrong with that (see the security
>>> BCP), but it can be made reasonably secure.
>>> >
>>> > — Neil
>>> >
>>> > > On 14 Feb 2021, at 13:48, Stoycho Sleptsov <
>>> stoycho.sleptsov@gmail.com> wrote:
>>> > >
>>> > > 
>>> > > I would like to add my reasons about the "Why are developers
>>> creating BFF for their frontends to communicate with an AS",
>>> > > with the objective to verify if they are valid.
>>> > >
>>> > > I need the client app. to be authenticated at the AS (to determine
>>> if it is a first-party app., for example).
>>> > > If we decide to implement our client as a frontend SPA , then we
>>> have no other option except through a BFF, as PKCE does not help for
>>> authentication.
>>> > >
>>> > > Or is it considered a bad practice to do that?
>>> > >
>>> > > Regards,
>>> > > Stoycho.
>>> > > _______________________________________________
>>> > > OAuth mailing list
>>> > > OAuth@ietf.org
>>> > > https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > --
>>> > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
>>>
>>

v2.23.0 | Report a Bug | By Email