Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

David Waite <david@alkaline-solutions.com> Mon, 03 December 2018 09:11 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9A20130E2A for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2018 01:11:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tx-ewI-hVrz6 for <oauth@ietfa.amsl.com>; Mon, 3 Dec 2018 01:11:46 -0800 (PST)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id C871C126C01 for <oauth@ietf.org>; Mon, 3 Dec 2018 01:11:46 -0800 (PST)
Received: from [IPv6:2601:282:202:b210:4050:23a5:fd62:9bc6] (unknown [IPv6:2601:282:202:b210:4050:23a5:fd62:9bc6]) by alkaline-solutions.com (Postfix) with ESMTPSA id 29E85315FE; Mon, 3 Dec 2018 09:11:46 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <33A5FD93-0A1C-426E-9F50-519D51094B28@lodderstedt.net>
Date: Mon, 03 Dec 2018 02:11:45 -0700
Cc: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8CB0E6D2-7B0F-4807-9CC2-F740EC95ABCF@alkaline-solutions.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com> <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net> <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com> <VI1PR0801MB21121BCD21DE8ABAF055E603FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <E0F62B7E-9C58-493A-BEFD-91D7441BB5BF@lodderstedt.net> <0BD84A8F-0A71-45CC-BE20-89FBC8FF18D2@lodderstedt.net> <df7c80be-477e-bb4a-cc29-edb233571a2f@ve7jtb.com> <A6E974DC-59C2-43E2-9534-CAD2EE695941@lodderstedt.net> <CAGBSGjoVox6Ab274DbHfEBaXibk8OFeXy6g3SEXxRP1TauPBvQ@mail.gmail.com> <AD6726CE-C348-4461-867E-A53FF19DECC7@alkaline-solutions.com> <C A+iA6ui5JohvWvPczS7xwNV6hAgWQxSApuLDJzRD3a+j__Wb4g@mail.gmail.com> <33A5FD93-0A1C-426E-9F50-519D51094B28@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pH1RN5UXpD3erXgrJhMlEXBT3hA>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 09:11:49 -0000


> On Dec 3, 2018, at 1:25 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> I think the BCP needs to point out there are solutions beyond an app directly interacting with AS and RSs from the browser. Otherwise people get the wrong impression this is the only way to go. To the contrary and as I pointed out, there are a lot of SPAs working as UI of a larger application. 

My feeling is different - these applications all _could_ be expressed/implemented in terms of OAuth 2/OpenID Connect. Instead of authorization being done via opaque access tokens, the non-OAuth application has authorization tracked via opaque cookies.

I think we can state this, and that many of the rules given could be used
> 
> Any multi user app needs a database. Will this database be directly exposed to the frontend? I don’t think so. There will be a backend, exposing relevant capabilities to the SPA.

Sure, but this doesn’t change the interface being exposed around the database as being a protected resource - just one protected by a token acquired via a different non-OAuth manner

> And if this app also uses external services, where do you want to store the respective refresh tokens? In the browser’s local storage? I don’t believe so. They will go into the same backend & database.

> And there are other reasons: No one will ever be able to implement a PSD2 TPP as a stand-alone SPA, obviously because it requires a confidential client but there are more aspects. 

You could have your AS also be responsible for fetching/maintaining remote tokens, and issue local environment tokens. It could expose either local protected resources which use these remote resources, or provide a reverse proxy that translates the calls directly, including applying the remote access token. This also looks very similar whether you are talking about the javascript being OAuth or using a proprietary cookie-based system.

> Moreover, some security objectives can only be achieved if a backend is used. That’s how the discussion started (token binding and the like).

Cookies have browser-level support, so they can have browser-level protections asked for (SameSite, HttpOnly, Secure, separate path/domain limiting). IMHO, the other differences are apples-to-oranges comparing different protected resources, not access-vs-other-tokens.

Is there value in defining “official” recommendations around access tokens within cookies?

> IMHO omitting this option significantly reduces the relevance of the BCP.
> I’m not saying we shall describe the interaction between frontend and backend in detail. I advocate for pointing out this option and its benefits. That’s it.

Again, I think a significant portion of recommendations would have value for non-oauth-client javascript. But I think we should focus on defining solely in terms of OAuth clients. I agree we should point out the option in the sense that it will help people understand that it doesn’t significantly affect the security requirements. The rest seem points around protected resources and cases for a local AS to house business logic.

A lot of the above might be recommendations around protected resources and multi-level authorization (for example: having clients interact with a local environment which may behind-the-scenes be using OAuth itself with remote services). I’m unsure how you would rein in scope on something like this, though.

-DW