Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
Filip Skokan <panva.ip@gmail.com> Sun, 09 December 2018 14:23 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4366129A87 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 06:23:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 361GRoHmj_eF for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 06:23:26 -0800 (PST)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 147F31294D0 for <oauth@ietf.org>; Sun, 9 Dec 2018 06:23:26 -0800 (PST)
Received: by mail-oi1-x22c.google.com with SMTP id a77so7009611oii.5 for <oauth@ietf.org>; Sun, 09 Dec 2018 06:23:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NK2IYJiGBL2dTA31nza3GkQ4BO6/ZTRQg2xqaHutNH8=; b=BNl3BH1ZRSpGeNz/lPKW5DoH37H23OhwdL7f0a/m3kWLMwxiFFnN3CTiPeHeBXj5TG W973jqYUE4G7RY5U5y/zocoqpV6ejWy2qR9VQ9UAqcO21nOnRpFIZApMPxqjCTv3MWlr /IN38IwJDtKaomJFhaYVVjEdy1Khnp+jDhZO4I5WKgeHSC2+nHRuucYRbU5mWeGGScJe upQoKskuqU9f03wUiccSkOUWiaVV0rZ5HKBKpp0g3cMWU84XKyoYVeIbmT7g8RSbA0Ay 8+qymaPPFY1sH0QRmHYuorgXExIS3NXBTBYu0Jo0ZjgNmbWcELh3E1EyLTKe9KSpdnwx fNPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NK2IYJiGBL2dTA31nza3GkQ4BO6/ZTRQg2xqaHutNH8=; b=TzhEeNc+auOfXrlJ+DmpBrwBcDvIFfIEIXEml7sSFyQkdkda8tCeFw+zB4gfVdFwCL IyENTgHJ7rKBsY7Jn+OscMBwiOIch/40JvpnegAqXkshTvpHj1rg4vqHLT7ikB8yNFzC RmLTWVTkvT3YzhGB5ngwwd8ogFTYFnO4ebQFyfOs5689xraeVEWfeyTFfoPo+rdA5mIm hubDz5ceE2AgLhmK0A57JZM3SIeJBifhmUQQBlu5EOaqecI0MFilUpyRfIgJY9SX+SOo e/gj2Bb1h0KlRxrcn5NmVXNtjuaDo/OxpVvlMcb9+bHkY2QekMSRfij1gL/DERvaZcxh T2tA==
X-Gm-Message-State: AA+aEWbC+nyEZy2/5BgclYV/3mhtspjFXhgYbds2XLc0mlcFCJSpfxqW gMiK8XBKWE66fyWu6YKCwiZZLO0EmPHkRLGM6w==
X-Google-Smtp-Source: AFSGD/VO34dANc2wPtwzCfFeYf/rZ37zVMv0DBySyd8lhgD/e2qe0/i9rEIzZL/iudGVxOml2uVHsg68LIMHJjrtvxE=
X-Received: by 2002:aca:60c1:: with SMTP id u184mr5614032oib.45.1544365405178; Sun, 09 Dec 2018 06:23:25 -0800 (PST)
MIME-Version: 1.0
References: <6d88c55a-a300-47ff-af77-8fdb7dcfbc25@getmailbird.com> <CAGBSGjrj95i97mVDJq7jDA0DsLH-NasiH+E0nqc+6XjL-mnt4Q@mail.gmail.com> <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com> <CAGBSGjqQPRUe+AhzoRcTGf5MTOATd-875JG90RcRQ+2Hoy2wyg@mail.gmail.com> <d34d9d15-6b50-4b1e-8483-80f0ab709a98@getmailbird.com> <F9914ABE-3C3F-4BCE-B623-AECF18E737F9@alkaline-solutions.com> <eeeed3ba-10d3-4b42-9da2-1460d13e4351@getmailbird.com>
In-Reply-To: <eeeed3ba-10d3-4b42-9da2-1460d13e4351@getmailbird.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Sun, 09 Dec 2018 15:23:13 +0100
Message-ID: <CALAqi__Y4ER=xiNkOmEudNS30vsQhuudO9uQU8nPMcxX2suLZQ@mail.gmail.com>
To: Brock Allen <brockallen@gmail.com>
Cc: david@alkaline-solutions.com, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000610f67057c979762"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t_210rJRRePwmBlrt3vUd3d64zA>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 14:23:28 -0000
As David suggested, it is easier to get rid of the code from a query using a referrer policy header or a meta than getting rid of a fragment which would require the each client to have a javascript snippet rewriting the current window.location.hash S pozdravem, *Filip Skokan* On Sun, Dec 9, 2018 at 2:53 PM Brock Allen <brockallen@gmail.com> wrote: > Yes, I meant response_mode. Thanks. > > And those are good points about the referrer policy. Thanks for that > insight as well. > > In the context of this thread/topic, I'm assuming browser-based JS > clients, and a common deployment is from a CDN, so I suspect the <meta> tag > approach for a referrer policy is sufficient (especially since many SPAs > are designed for CDN deployment)? > > -Brock > > On 12/9/2018 3:00:23 AM, David Waite <david@alkaline-solutions.com> wrote: > I assume the original post meant response_mode, not response_type. > > Fragments have their own data leakage problems, in particular they are > preserved on 3xx redirects (per > https://tools.ietf.org/html/rfc7231#section-7.1.2). The form_post mode is > the safest, but unfortunately was not defined in the original > specifications so it doesn’t have as widespread support. > > In the absence of a response_mode RFC, I would typically suggest both > killing the code in the referrer as part of processing, and a server-wide > Referrer Policy of never or origin (as those have reasonably broad support) > as server-wide response headers are easier to operationally audit. > > -DW > > On Dec 8, 2018, at 3:53 PM, Brock Allen <brockallen@gmail.com> wrote: > > Not pure OAuth. This only came up as a question while I was implementing > code flow/pkce for oidc-client-js. > > I can appreciate not expanding the current OAuth2 behavior in the BCP, so > that's fair. I only wanted to mention it in case it had not been considered. > > Having said that, I think I will implement an optional response_type in my > code flow/pkce to allow fragment, but default to query (as that's the > default for pure code flow). > > -Brock > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] draft-parecki-oauth-browser-based-apps… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Filip Skokan
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Jim Manico
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brian Campbell