[OAUTH-WG] Recommendations for browser-based apps

Stefan Büringer <sbueringer@gmail.com> Tue, 19 September 2017 13:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ntSG8oTUmuYNRKmDEF-qXNp86Jo>

Hi,

there were some discussions in January regarding recommendations for
browser-based apps (
https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html).

I'd just like to ask if the Authorization Code Flow with PKCE is a valid
option for Single-Page-Applications (in our case Angular), because Implicit
Flow cannot be used in our scenario.

Authorization Code Flow with PKCE eliminates the necessity for client
secrets, but our concern is that exposing the refresh token to the SPA
might be a security risk, compared to the Implicit Flow where no refresh
token is exposed.

What's your take on this?

Kind regards,
Stefan Büringer

P.S. I couldn't find that much on the internet regarding Authorization Code
Flow with PKCE in SPAs, if you have some recommendations for good blog
posts I would be grateful.