Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
David Waite <david@alkaline-solutions.com> Wed, 05 December 2018 17:29 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68AEB130E64 for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 09:29:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJUtf0tGlPXi for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 09:29:50 -0800 (PST)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id 8185F130EA5 for <oauth@ietf.org>; Wed, 5 Dec 2018 09:29:50 -0800 (PST)
Received: from [IPv6:2601:282:202:b210:14ba:4ca3:69e6:a2ec] (unknown [IPv6:2601:282:202:b210:14ba:4ca3:69e6:a2ec]) by alkaline-solutions.com (Postfix) with ESMTPSA id 9EB6131625; Wed, 5 Dec 2018 17:29:48 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net>
Date: Wed, 05 Dec 2018 10:29:47 -0700
Cc: Tomek Stojecki <tstojecki@yahoo.com>, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth@ietf.org, Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E7BB7964-B8E4-4E96-84E3-DCBCACA308E3@alkaline-solutions.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <B857DECA-5457-4E62- A720-437832850680@lodderstedt.net> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p3RxR-d6LzJtBGs8mX6yl4ybPcE>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 17:29:53 -0000
> On Dec 5, 2018, at 5:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > > Hi Tomek, > >> Am 04.12.2018 um 19:03 schrieb Tomek Stojecki <tstojecki@yahoo.com>: >> >> Thanks Torsten! >> So if I am putting myself in the shoes of somebody who sets out to do that - switch an existing SPA client (no backend) > > I would like to ask you a question: how many SPAs w/o a backend have you seen in your projects? Pivoting to apps with local domain business logic (aka a backend): Setup - the developer is building a browser-targeted app and at least one mobile app - their backend would likely be identical across all three. In that case, would they want client access to that backend to be secured with access tokens? Or should that backend to be the client to the AS, and communication from the javascript to the backend be secured with some non-OAuth method like cookies or API keys? I push for OAuth in most of these cases, unless their strategy for mobile apps is to “wrap” the browser code and content into a native app - in which case more flexible access to that backend can be deferred if desired until there is stronger business need. -DW
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt