Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Stoycho Sleptsov <stoycho.sleptsov@gmail.com> Sun, 14 February 2021 03:39 UTC


Hello Mr. Bertocci,

I am still a novice at APIs and OAuth, but nevertheless I have been entrusted
by the executives of our organisation to expose some of the capabilities of our
system through APIs. For that I have set out to implement an OAuth server
(based on the 2.1 draft), which is basically functional now, and the
corresponding APIs (resource servers). Our team will also have to implement
some initial frontend applications which will consume those exposed resources.
I was exactly at the point of considering how to organise the correspondence of
the access token from the auth server to the frontend and from the frontend to
the resource servers, when I received as a very nice surprise the news about
the tmi-bff draft. It was such a relief, as the option to delegate access token
acquisition to a backend component, while still accessing resource servers
directly from the frontend, seemed most suitable and well balanced for our case.

I have read the draft with great pleasure, but one thing in it concerns me.

In the description of the protocol flow (1.2), in the step of the token request
from the backend to the AS (step B), it mentions that the AS should "issue the
requested token without requiring user interaction". The same thing is
reconfirmed in section 4, step 4: "the backend verifies whether it has the
necessary artifacts to request it to the authorization server without requiring
user interaction".

But an initial interaction between the resource owner and the authorization
server is required by the authorization code flow (section 1.3.1 of
draft-ietf-oauth-v2-1-01).

So where does this interaction fit in the tmi-bff protocol flow? Or is tmi-bff
not supposed to be used with the authorization code flow?

Thank you for your time,
hoping to hear from you,
Stoycho.

On Fri, 12 Feb 2021 at 22:46, Vittorio Bertocci
<vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:

> Dear all,
> Brian and yours truly are proposing a new specification that shows how the
> user agent frontend of a web app can delegate token acquisition and
> persistence to its backend, and request such tokens when needed for direct
> access of protected resources from the frontend code.
>
> The pattern is already in use, in proprietary form, by various modern
> development stacks, such as Next.JS. Variants of the pattern, often
> discussed under the catch-all term BFF (backend for frontend), have often
> been mentioned in this workgroup's activity, but always left all
> implementation details to the reader.
> We believe the pattern has merit, as corroborated by its growing adoption.
> By delegating access token acquisition to the backend, we avoid many of the
> often brittle moving parts (and implied attack surface) required to acquire
> access tokens from a user agent. The topology also relieves the frontend
> from the need to persist tokens in local storage, a well known sore
> point of using OAuth directly in JavaScript, by relying on its backend
> storage and session to preserve tokens.
>
> Although the specification is very simple, providing explicit guidance on
> the scenario offers many advantages.
> - It makes it possible to create interoperable SDKs, where frontend dev
> stacks (any JS flavor) can be mixed and matched with compliant backend
> stacks (middlewares in node, java, ASP.NET, PHP etc)
> - It allows us to provide guidance on how to properly tackle the scenario
> and warn implementers against security risks (scope escalations, using
> ID tokens instead of access tokens, etc)
> - It allows us to discuss (and when appropriate, promote) this pattern as
> part of the browser apps security guidance, and position the scenario where
> the frontend only calls APIs on its own backend (hence doesn't need access
> tokens) simply as a special case of this more general pattern
> - This approach makes mocking and testing apps very easy, possibly
> preventing developers from weakening the security of their system (eg
> turning on ROPG options) or turning to risky practices like scraping
>
> Needless to say, this specification doesn't entirely eliminate the risks
> inherent to direct use of access tokens from a browser. But the reality is
> that the pattern is in widespread use, and the circumstances leading to that
> (eg developers on a particular project only work with frontend stacks;
> components like reverse proxies might not always be viable; etc) aren't
> going away any time soon. By providing simple guidance on this pattern, we
> can simplify the life of many developers while enshrining basic security
> hygiene in scenarios that would otherwise have been left to their own devices.
>
> Looking forward to your feedback!
>
> B&V
>
> On 2/12/21, 12:41, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
> wrote:
>
>     A new version of I-D, draft-bertocci-oauth2-tmi-bff-00.txt
>     has been successfully submitted by Vittorio Bertocci and posted to the
>     IETF repository.
>
>     Name:           draft-bertocci-oauth2-tmi-bff
>     Revision:       00
>     Title:          Token Mediating and session Information Backend For Frontend
>     Document date:  2021-02-12
>     Group:          Individual Submission
>     Pages:          16
>     URL:            https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.txt
>     Status:         https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
>     Html:           https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.html
>     Htmlized:       https://tools.ietf.org/html/draft-bertocci-oauth2-tmi-bff-00
>
>     Abstract:
>        This document describes how a JavaScript frontend can delegate access
>        token acquisition to a backend component.  In so doing, the frontend
>        can access resource servers directly without taking on the burden of
>        communicating with the authorization server, persisting tokens, and
>        performing operations that are fraught with security challenges when
>        executed in a user agent, but are safe and well proven when executed
>        by a confidential client running on a backend.
>
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org.
>
>     The IETF Secretariat
>
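The decision Stoycho asks about (the draft's step 4: does the backend already hold the artifacts to obtain a token without user interaction?) as an added example written for this thread, not code from the draft or its authors. It assumes a model of my own: the backend keeps, per user session, what it obtained from the one interactive authorization code flow (a refresh token, the consented scopes, cached access tokens keyed by scope), the frontend calls a hypothetical /bff-token endpoint with the scope it wants, and `refresh` stands in for the backend's refresh-token grant at the AS.

```javascript
// Added example (not the draft's code). `session` is the backend's server-side
// session object for this user; `refresh(refreshToken, scope)` is the injected
// stand-in for the refresh-token grant and returns null when the AS rejects it.
function mediateToken(session, requestedScope, now, refresh) {
  // No session or no refresh token: the interactive authorization code flow
  // has not happened yet (or its outcome is no longer usable), so the backend
  // cannot get a token silently. The frontend must send the user through the
  // backend's login (which runs the code flow) and then retry this call.
  if (!session || !session.refreshToken) {
    return { status: 401, body: { error: "login_required" } };
  }
  // Scope escalation check: the frontend may only ask for a subset of the
  // scopes the user consented to during the interactive flow.
  const wanted = requestedScope.split(" ").filter(Boolean);
  const granted = new Set(session.grantedScopes);
  const escalated = wanted.find((s) => !granted.has(s));
  if (escalated !== undefined) {
    return { status: 403, body: { error: "invalid_scope", scope: escalated } };
  }
  const key = [...wanted].sort().join(" ");
  const cached = session.accessTokens[key];
  // A cached access token that is still valid (30 s safety margin) is handed
  // out as-is. Only access tokens reach the frontend, never an ID token.
  if (cached && cached.expiresAt - 30 > now) {
    return { status: 200, body: { access_token: cached.token, expires_in: cached.expiresAt - now } };
  }
  // Otherwise renew it with the refresh token: no user interaction required.
  const fresh = refresh(session.refreshToken, key);
  if (!fresh) {
    // Refresh token revoked or expired: drop it so the next call forces a new
    // interactive login instead of retrying a dead credential.
    delete session.refreshToken;
    return { status: 401, body: { error: "login_required" } };
  }
  session.accessTokens[key] = { token: fresh.access_token, expiresAt: now + fresh.expires_in };
  if (fresh.refresh_token) session.refreshToken = fresh.refresh_token; // rotation
  return { status: 200, body: { access_token: fresh.access_token, expires_in: fresh.expires_in } };
}

// Constructed stand-in for the AS refresh grant: only "rt-1" is accepted.
function demoRefresh(refreshToken, scope) {
  if (refreshToken !== "rt-1") return null;
  return { access_token: "at-" + scope.replace(" ", "+"), expires_in: 600 };
}
```

The 401 branch is where the interaction Stoycho is asking about lives: it happens once, on the backend's login route, before the first successful /bff-token call, and again only when the refresh token stops working.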