Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

David Waite <david@alkaline-solutions.com> Wed, 05 December 2018 17:29 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net>
Date: Wed, 05 Dec 2018 10:29:47 -0700
Cc: Tomek Stojecki <tstojecki@yahoo.com>, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth@ietf.org, Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>
Message-Id: <E7BB7964-B8E4-4E96-84E3-DCBCACA308E3@alkaline-solutions.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <B857DECA-5457-4E62-A720-437832850680@lodderstedt.net> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p3RxR-d6LzJtBGs8mX6yl4ybPcE>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit


> On Dec 5, 2018, at 5:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi Tomek, 
> 
>> Am 04.12.2018 um 19:03 schrieb Tomek Stojecki <tstojecki@yahoo.com>:
>> 
>> Thanks Torsten!
>> So if I am putting myself in the shoes of somebody who sets out to do that - switch an existing SPA client (no backend)
> 
> I would like to ask you a question: how many SPAs w/o a backend have you seen in your projects?

Pivoting to apps with local domain business logic (aka a backend):

Setup - the developer is building a browser-targeted app and at least one mobile app - their backend would likely be identical across all three. 

In that case, would they want client access to that backend to be secured with access tokens? Or should that backend be the client to the AS, and communication from the JavaScript to the backend be secured with some non-OAuth method like cookies or API keys? 

I push for OAuth in most of these cases, unless their strategy for mobile apps is to “wrap” the browser code and content into a native app - in which case more flexible access to that backend can be deferred if desired until there is stronger business need.

-DW
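The second architecture the message asks about, with the backend acting as the OAuth client and the browser holding only a session cookie, as an added example that is not part of this thread or of any project discussed in it. The authorization server, resource server, client credentials, redirect URI and session store are constructed in-memory stand-ins so the flow runs offline; the point it demonstrates is that the access token never reaches the JavaScript, that state and the PKCE verifier stay server side, and that a replayed callback or an unknown cookie is rejected.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class FakeAuthorizationServer:
    """Constructed stand-in for an AS and its resource server (not a real endpoint)."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self._codes = {}          # code -> (redirect_uri, code_challenge), single use
        self.issued_tokens = set()

    def authorize(self, client_id, redirect_uri, code_challenge):
        # User has authenticated and consented; this is the code on the redirect back.
        if client_id != self.client_id:
            raise ValueError("unauthorized_client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        # Confidential client authenticates; code is redeemed once; PKCE S256 checked.
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise ValueError("invalid_client")
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != redirect_uri:
            raise ValueError("invalid_grant")
        expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, entry[1]):
            raise ValueError("invalid_grant")
        access_token = "at-" + secrets.token_urlsafe(16)
        self.issued_tokens.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}

    def resource(self, authorization):
        # Resource server: accepts only Bearer tokens this AS issued.
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token not in self.issued_tokens:
            return 401, "invalid_token"
        return 200, "protected data"


class Backend:
    """Hypothetical app backend that is the OAuth client; browser only gets a cookie."""

    COOKIE_ATTRS = "HttpOnly; Secure; SameSite=Lax; Path=/"

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server = auth_server
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._pending = {}    # state -> code_verifier (never sent to the browser)
        self._sessions = {}   # session id -> access token (server side only)

    def start_login(self):
        # Parameters for the redirect to the AS; state and verifier stay here.
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)
        self._pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state,
                "code_challenge": _b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
                "code_challenge_method": "S256"}

    def callback(self, state, code):
        # Redirect-URI handler: unknown or replayed state is rejected, then the
        # code is exchanged and the token is bound to an opaque session id.
        verifier = self._pending.pop(state, None)
        if verifier is None:
            raise ValueError("state mismatch")
        tokens = self.auth_server.token(self.client_id, self.client_secret,
                                        code, self.redirect_uri, verifier)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = tokens["access_token"]
        return "session=%s; %s" % (session_id, self.COOKIE_ATTRS)   # Set-Cookie value

    def api(self, cookie_header):
        # JavaScript calls the backend with the cookie; backend attaches the token.
        pairs = [p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p]
        token = self._sessions.get(dict(pairs).get("session", ""))
        if token is None:
            return 401, "no session"
        return self.auth_server.resource("Bearer " + token)


def run_flow():
    """Drive the whole exchange and report what the browser ever saw."""
    as_ = FakeAuthorizationServer("spa-backend", "s3cret")          # constructed credentials
    backend = Backend(as_, "spa-backend", "s3cret", "https://app.example/callback")
    params = backend.start_login()                                  # browser redirected with these
    code = as_.authorize(params["client_id"], params["redirect_uri"], params["code_challenge"])
    set_cookie = backend.callback(params["state"], code)            # browser arrives at callback
    status, body = backend.api(set_cookie.split(";", 1)[0])         # JS calls backend with cookie
    try:
        backend.callback(params["state"], code)                     # replayed callback
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    token = next(iter(as_.issued_tokens))
    leaked = any(token in str(seen) for seen in (params, code, set_cookie))
    return {"status": status, "body": body, "token_leaked_to_browser": leaked,
            "replay_rejected": replay_rejected,
            "unknown_cookie": backend.api("session=bogus")}


if __name__ == "__main__":
    print(run_flow())
```

With this split the browser code is just a session-cookie client of the backend, the usual cookie defences (HttpOnly, Secure, SameSite, CSRF handling for state-changing requests) apply to it, and only the backend ever holds or presents the bearer token.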