[OAUTH-WG] oauth-browser-based-apps-05 - BFF
Vittorio Bertocci <vittorio.bertocci@auth0.com> Mon, 06 April 2020 21:35 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62BBA3A0C5F for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 14:35:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOlOcVQPK96D for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 14:35:48 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1902B3A0CEB for <oauth@ietf.org>; Mon, 6 Apr 2020 14:35:45 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id g2so385826plo.3 for <oauth@ietf.org>; Mon, 06 Apr 2020 14:35:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=from:to:subject:thread-topic:thread-index:date:message-id :accept-language:content-language:mime-version; bh=q2UXj+5n3x+K/hNWYZ6hCTM2Cvjb+gV1lwWQmXl9jO0=; b=jJe1epndhOxavBQwkkYgnrTjh7KPr3O6dfA5mROJh8zZrJm7GALfQR8kVjIsjXFy5O OcB7a/Yo99y0e3g+fh+lPmSaBg2Mh3j3Ee2AcsJ21S4F85F1jnZCw4BTqYbnuMsD+3Qm sA9p8t9RnN8NgmQcrvENiV26dSF8cTC4NlAFIR8dszC5SMx6btodvuljGg4uZiCSXmsD 3k/nYF907J1abXMYZpClVlOIitBhOGDMPWW37ezFArky1ANtZYU8kzN3p1TDyCYFhLY9 ki22gOmjXFwlyjrYATmea+3G7+MTFTdog/EpEs5yrrd3MG6fR6cNN58SuNZFSBxbV2HR hweQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:accept-language:content-language:mime-version; bh=q2UXj+5n3x+K/hNWYZ6hCTM2Cvjb+gV1lwWQmXl9jO0=; b=GfTbOD+EchHxOp664rnIu+9EbgBdSEpTAVV9yqaszb4bHNObr5mBjzE7YNPpJxiu2f V2vpT7vcOsjhTHjVDes2yexUA5YMF7w200dXXEB2CywwlWOh2Qz3yBXPFLzgAfQ8M+TG PEYOs1b+MzOZKfifI0y8LX5FQtfB+YvMK9i5Ejee2OYBLWZxxaBk3MkjOjAROxaANcRf IANilCX2UysoaxLyqEjqO16Quo4yCUPJQFKkgwyy9I51hJFXd+sTtPpo36I3UmcGZg+R PtwLbv7ZjqdIZKoFo7yfPzZIzMhGh0p50tBSrix0xgDeMa1YzaGHb8AmhyGzl3Jqrtri Ievg==
X-Gm-Message-State: AGi0Puafz2M7R5V8V1v+mDoNRwsrvyEV1Ke7mm8x5sqTQ3fCC3s9pp0f dUvP6zcj9uiWNHjtyhG56HMz9C0Qz2Z23HmGyR3DddApmgg8UXZvHz5VAm5EqdVPmc91J93FfGW xyEYlivMMCEhlFJ0C1Vh70m6v5MJBl4xrGkq69prqq/5Kv3/DpHqd2jtpw0vgMGxl7Q==
X-Google-Smtp-Source: APiQypLlVTysT6Ci67f6ojv3wjIlr9SfWDj2fcuots841aGizFx7v3iZHIb5xwdoHK4AvIvgOesJWw==
X-Received: by 2002:a17:90a:1101:: with SMTP id d1mr1368950pja.113.1586208943799; Mon, 06 Apr 2020 14:35:43 -0700 (PDT)
Received: from MWHPR19MB1501.namprd19.prod.outlook.com ([2603:1036:120:1d::5]) by smtp.gmail.com with ESMTPSA id i2sm12375627pfr.203.2020.04.06.14.35.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Apr 2020 14:35:43 -0700 (PDT)
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
To: "oauth@ietf.org" <oauth@ietf.org>, "aaron@parecki.com" <aaron@parecki.com>
Thread-Topic: oauth-browser-based-apps-05 - BFF
Thread-Index: AQHWDFtSACwH0zlpuEuhJugkyhq6cA==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Mon, 06 Apr 2020 21:35:42 +0000
Message-ID: <MWHPR19MB1501CE53F9A1EB1ABD7E95A6AEC20@MWHPR19MB1501.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_MWHPR19MB1501CE53F9A1EB1ABD7E95A6AEC20MWHPR19MB1501namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jPXp0VnsdiY25_luqWo90wZ05IE>
Subject: [OAUTH-WG] oauth-browser-based-apps-05 - BFF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 21:35:50 -0000
Hey Aaron, Thanks for today’s update on oauth-browser-based-apps, very useful. As agreed, here’s the summary of the point mentioned during today’s call. 1. The last paragraph of 6.2 mentions that an access token could be used as session between the JS frontend and its backend, but no details are given about the security characteristics of making that choice vs using cookies. I would suggest that we either give more guidance on the mechanics of how that would happen (how does the AT get delivered to the JS frontend, what attacks developers should watch out for, etc) or that we recommend the traditional cookie based session approach only. 2. Currently 6.2 doesn’t mention topologies where the backend obtains ATs and forwards them to the JS frontend, where they are used to perform the actual API calls. Those topologies do exist in the wild, and I know there are practitioner advocates for that approach on this list too, hence it seems we should at least acknowledge those topologies and give some guidance. If we do position those topologies as legitimate: given that the chatter between JS frontend and backend could in some cases reach sophistication comparable to the client-AS dialog (token requests, renewals, etc), it seems we should either warn people about the security pitfalls they have to watch out for (shorter task for us, but not very actionable) or actually invest some time in specifying how a JS frontend should talk to its backend to delegate its client duties to it and safely retrieve/renew the artifacts the backend obtains on the JS frontend’s behalf (much bigger task for us, but unambiguous guidance and solid threat model developers can safely rely on). Thanks! V.
- [OAUTH-WG] oauth-browser-based-apps-05 - BFF Vittorio Bertocci
- Re: [OAUTH-WG] oauth-browser-based-apps-05 - BFF George Fletcher