Re: [OAUTH-WG] not using oauth for this architecture in oauth for browser based apps.

"Brock Allen" <brockallen@gmail.com> Mon, 22 July 2019 16:25 UTC


I think the implication is that the server-side would use something like OIDC to the token server in order to establish the identity of the user. The difference is that this would be driven from the server-side piece of the application, as any other normal server-side client would. The result would then simply be a cookie-based authentication session in the client, and any JS code would leverage the HttpOnly, SameSite cookie for Ajax calls.

-Brock

On 7/21/2019 10:22:38 PM, Leo Tohill <leotohill@gmail.com> wrote:
The advice for the architectural pattern "JavaScript served from a common domain as the resource server" reads:

"For simple system architectures, such as when the JavaScript application is served
from a domain that can share cookies with the domain of the API (resource server), it
may be a better decision to avoid using OAuth entirely, and instead use session
authentication to communicate directly with the API."

I can agree that session authentication could be best here, but how was the user authenticated in order to create the trusted session? Wouldn't that/shouldn't that still use an OAuth flow to collect credentials?

We need to be clear on the distinction between browser based apps that hold the token(s) in the browser space, vs. those that don't. I agree that with this "common domain" architecture, the tokens should not be held in the browser, but it doesn't follow that OAuth should not be used at all.


Leo


