[OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Vittorio Bertocci <vittorio.bertocci@auth0.com> Fri, 12 February 2021 20:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OxEs-Cru0BYNCdOEttLi0hA976Y>

Dear all,
Brian and yours truly are proposing a new specification that shows how the user agent frontend of a web app can delegate token acquisition and persistence to its backend, and request such tokens when needed for direct access to protected resources from the frontend code.

The pattern is already in use, in proprietary form, by various modern development stacks, such as Next.JS. Variants of the pattern, often discussed under the catch-all term BFF (backend for frontend), have often been mentioned in this workgroup's activity, but always left all implementation details to the reader.
We believe the pattern has merit, as corroborated by its growing adoption. By delegating access token acquisition to the backend, we avoid many of the often brittle moving parts (and implied attack surface) required to acquire access tokens from a user agent. The topology also relieves the frontend from the need to persist tokens in local storage, a well-known sore point of using OAuth directly in JavaScript, by relying on its backend storage and session to preserve tokens.

Although the specification is very simple, providing explicit guidance on the scenario offers many advantages.
- It makes it possible to create interoperable SDKs, where frontend dev stacks (any JS flavor) can be mixed and matched with compliant backend stacks (middlewares in node, java, ASP.NET, PHP, etc.)
- It allows us to provide guidance on how to properly tackle the scenario and warn implementers against security risks (scope escalations, using ID tokens instead of access tokens, etc.)
- It allows us to discuss (and when appropriate, promote) this pattern as part of the browser apps security guidance, and position the scenario where the frontend only calls APIs on its own backend (hence doesn't need access tokens) simply as a special case of this more general pattern
- This approach makes mocking and testing apps very easy, possibly preventing developers from weakening the security of their system (e.g. turning on ROPG options) or turning to risky practices like scraping

Needless to say, this specification doesn't entirely eliminate the risks inherent to direct use of access tokens from a browser. But the reality is that the pattern is in widespread use, and the circumstances leading to that (e.g. developers on a particular project only work with frontend stacks; components like reverse proxies might not always be viable; etc.) aren't going away any time soon. By providing simple guidance on this pattern, we can simplify the life of many developers while enshrining basic security hygiene in scenarios that would otherwise have been left to their own devices.

Looking forward to your feedback!

B&V

On 2/12/21, 12:41, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

    
    A new version of I-D, draft-bertocci-oauth2-tmi-bff-00.txt
    has been successfully submitted by Vittorio Bertocci and posted to the
    IETF repository.
    
    Name:		draft-bertocci-oauth2-tmi-bff
    Revision:	00
    Title:		Token Mediating and session Information Backend For Frontend
    Document date:	2021-02-12
    Group:		Individual Submission
    Pages:		16
    URL:            https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.txt
    Status:         https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
    Html:           https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.html
    Htmlized:       https://tools.ietf.org/html/draft-bertocci-oauth2-tmi-bff-00
    
    
    Abstract:
       This document describes how a JavaScript frontend can delegate access
       token acquisition to a backend component.  In so doing, the frontend
       can access resource servers directly without taking on the burden of
       communicating with the authorization server, persisting tokens, and
       performing operations that are fraught with security challenges when
       executed in a user agent, but are safe and well proven when executed
       by a confidential client running on a backend.
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    The IETF Secretariat
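The backend half of the pattern described in the announcement above, written as an added example that is not part of the draft or of the authors' code: a token-mediating endpoint that hands the frontend an access token from a server-side session, refuses scope escalation, and never releases the ID token or refresh token. The session layout, cookie name, header name and query parameters are assumptions constructed for this example; token refresh by the backend is left out.

```javascript
// Constructed session store: the backend (a confidential client) obtained these
// tokens via the authorization code flow; the frontend never holds them itself.
const sessions = new Map([
  ["sid-123", {
    idToken: "ID.TOKEN.constructed",       // identity claim for the backend only
    refreshToken: "RT.constructed",        // stays on the backend
    grantedScope: "openid read write",     // what the user actually consented to
    accessTokens: {                        // one access token per resource server
      "https://api.example/": { token: "AT.constructed", scope: "read write", exp: 2000 },
    },
  }],
]);

// Minimal cookie parser (assumes no '=' inside cookie values).
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map((c) => c.trim().split("=")).filter(([k, v]) => k && v)
  );
}

// req = { headers: { cookie, "x-requested-with" }, query: { resource, scope } }
// Returns an HTTP-like { status, body }; `now` is in seconds (fixed for the example).
function mediateToken(req, store = sessions, now = 1000) {
  // The session cookie binds the browser to the tokens the backend holds.
  const session = store.get(parseCookies(req.headers.cookie).sid);
  if (!session) return { status: 401, body: { error: "no_session" } };
  // Cookie-authenticated endpoint: require a custom header that only same-origin
  // script can set (a cross-site form post cannot), as a CSRF check.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: { error: "cross_site_request" } };
  }
  // Scope escalation check: the frontend may only ask for scopes the user granted.
  const requested = (req.query.scope || "").split(" ").filter(Boolean);
  const granted = new Set(session.grantedScope.split(" "));
  if (!requested.every((s) => granted.has(s))) {
    return { status: 403, body: { error: "invalid_scope" } };
  }
  const entry = session.accessTokens[req.query.resource];
  if (!entry) return { status: 404, body: { error: "unknown_resource" } };
  if (entry.exp <= now) return { status: 401, body: { error: "token_expired" } };
  // Only the access token crosses to the frontend; ID and refresh tokens do not.
  return {
    status: 200,
    body: { access_token: entry.token, scope: entry.scope, expires_in: entry.exp - now },
  };
}
```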