IETF Logo Mail Archive

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Vittorio Bertocci <vittorio.bertocci@auth0.com> Sun, 14 February 2021 21:02 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 702F13A0AFB for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 13:02:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aisB-XYbKLjW for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 13:02:45 -0800 (PST)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D45DB3A0AE6 for <oauth@ietf.org>; Sun, 14 Feb 2021 13:02:01 -0800 (PST)
Received: by mail-pf1-x42d.google.com with SMTP id w18so2987729pfu.9 for <oauth@ietf.org>; Sun, 14 Feb 2021 13:02:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=ReDxUV1ILKr/VpW5/HP9YGmFu7S/VfyRHBsrzjqnkBY=; b=FwWp3nvbMtEMUT/8K8p4Iu0UVi22rm0c2oo7ZCwAHOIfpp5XL8BlTCbPGMp+vjTAfZ Wp7pmOEVMcfo+SwStbgsZE/nwmpIFGOZrSk37qJLk6Jd7kQr6nidsRwgYbWA/CsbFUCr ZvAaQhH43cMcNOlH38mYM5kQJxun5y0DCsJmlO6/zLKia2tyLY0oDUE/w9LBoW1IXuj4 SZloV9mF26M6rU1ncIZMhFL01iN9NgClrpDo8lbShS/xMVYzbNX9HLBLPYMMes1/kH1l VP9SlK5fgKBabeRBRpL751KA6PU/E2ItuBkD+BOgO/7sN9SLekXuqSwdgSeiL1pK78jr IB2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=ReDxUV1ILKr/VpW5/HP9YGmFu7S/VfyRHBsrzjqnkBY=; b=U2KFysL+J1X0LBrWqMqG7VM9rPPj61PX6ZoBzvUFQ/1i3M2tNDrwmbEDMCEm4SI/4u YV9EBejp370i1v6kRFVeMUokgOiNMY1AX+6efFNHI1iwXlpkauX6it7bWNbxMQGloKbm WLgtXGZBKFkdWJ5KAu8QR5Xe64i0gxubdpq4V7znyEW7K1oVrLilpWsSVl61V0CFLaen BCHcxt9mQ3Bi6snTCn1HkoqdQt7YNC/8wdU/MK59vlPQKO1KzIc7q6p436Z14Gf5Rujy BDGpC8ekveiiXMsI/+oiQqkJyiIJYAlRlD79NEube8o1fFF7c52443zRuHXqcaiDgIAg bfWA==
X-Gm-Message-State: AOAM530yfDomf2Tk3z85JeRRsyS9vrbeUkurq3KCn2nPFpSjzTov2k/E TzAh360tJAWpZbwHkgrEnogdiGzaqC0ykA==
X-Google-Smtp-Source: ABdhPJxK0v+cP83pht0xsczRvHB0KnjDAEHmBYTcDMnvOhtDXOt6HIIyfJdE5IlZefWBAzj7vM1gSA==
X-Received: by 2002:a63:d58:: with SMTP id 24mr1517563pgn.91.1613336521175; Sun, 14 Feb 2021 13:02:01 -0800 (PST)
Received: from CO6PR18MB4052.namprd18.prod.outlook.com ([2603:1036:301:402a::5]) by smtp.gmail.com with ESMTPSA id x20sm15989379pfn.14.2021.02.14.13.02.00 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 14 Feb 2021 13:02:00 -0800 (PST)
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
To: Warren Parad <wparad@rhosys.ch>
CC: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>, Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Thread-Index: AQHXAYASMR57RiKGBkS9HwYUcalSA6pXUL8AgAAaNoCAACuILIAAFosAgAALMgCAAAZ4gIAADE4AgAAfRYCAAATwgIAAH9svgAAFFYCAABIfOA==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Sun, 14 Feb 2021 21:01:59 +0000
Message-ID: <CO6PR18MB405282E82D5E7C0C68BFD51BAE899@CO6PR18MB4052.namprd18.prod.outlook.com>
References: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com> <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com> <CAGL0X-o4Aq6Ec0UviqLryrxn0ksetLhjkVfVoNf_Cjtda+MX8g@mail.gmail.com> <CAJot-L3BXNyM3L_74-W+y3cJzmG2UxPiovb3DHLbmBL66-53SQ@mail.gmail.com> <CAGL0X-rwM4Kc4qQSea+gaO7YORZgnJTHWyFM3VPcaJ2ceX527A@mail.gmail.com> <CAJot-L1UQweut9MmrFYr+4qRGLixEFoECHr_tdLf86w=uVR5ZA@mail.gmail.com> <CO6PR18MB40520FF440BAD7B312B29904AE899@CO6PR18MB4052.namprd18.prod.outlook.com> <CAJot-L2KdP68DO1GSJGAtGro37JvWZgaLtCqLQDbixVg3-L=_Q@mail.gmail.com>
In-Reply-To: <CAJot-L2KdP68DO1GSJGAtGro37JvWZgaLtCqLQDbixVg3-L=_Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_CO6PR18MB405282E82D5E7C0C68BFD51BAE899CO6PR18MB4052namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pMaI8C47PSwNcdkn4Nc_fYPGBjk>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 21:02:48 -0000

  *    What is the frontend developer doing any different in the new hypothetical world than they would be, right now they are including an SDK and writing one line of code on login redirect/silent auth and one line of code for PKCE+code validation. If a service client needs to be authorized there would be a third line of code to call the backend.

As mentioned, the client code might not look very different- although in the TMI-BFF model the JS code might be even more succinct (given that the sign in parts are handled by the backend, they might simply be decorated routes on the middleware- no need for the JS to make those calls directly, just to hit the routes) and the SDK far more lightweight. The difference might be that if your authorization server does not support refresh token rotation or sender constraining RTs, with code+PKCE you might not be able to obtain the same functionality as TMI-BFF given that you might not have a way of renewing short lived tokens without full redirects (see discussion on ITP). That is a temporary situation, hopefully eventually all AS vendors will support rotation and/or sender constraint, but it is an example of how the proposal does have advantages.


  *   These three lines still need to be present irrespective of whether you use an AS-proxy TMI-BFF or the AS directly.
See above. That’s not necessarily the case, and what the client code looks like isn’t what TMI-BFF is trying to address anyway.


  *   Except now we are encouraging every app to write a BFF and integrate their front channel with it.
That is not the case. The scope of this proposal remains limited to apps that already have a backend.


  *   Additionally, we aren't requiring less capabilities from the spec, we are just also requiring additional ones for a BFF. If there are capabilities this lets us drop from OAuth could you explain which ones those are, because since an AS can't know whether "customers" are going to want to use a BFF or not, it will still have to implement all the necessary AS features that already exist (and the new ones that don't). I don't see how this affords an AS any additional freedom.
Once again, this proposal is not meant to lighten the AS burden, but to make the life of developers easier. I already mentioned the rotation/sender constraint capabilities that code+PKCE require for RTs to be used in a user agent, and the fact that various important AS on the market today do not offer that capability. There might be others: for example, until recently various important AS did not support CORS on their metadata and token endpoints, making the code+PKCE in the user agent impossible. My hope and assumption is that those are all temporary situations, and TMI-BFF goal is NOT to dispense AS developers from implementing those features.  But those are concrete examples of cases in which TODAY an app developer (whose app has a backend) took a dependency on one AS without those features might be able to do more things in their app when using TMI-BFF than with JS code that relies on those AS capabilities to function.

From: Warren Parad <wparad@rhosys.ch>
Date: Sunday, February 14, 2021 at 11:57
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: Stoycho Sleptsov <stoycho.sleptsov@gmail.com>, Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

but it does make things simpler for the frontend developer and requires less advanced capabilities in the AS.
I guess I'm still getting lost on this point, which seems not yet justified for me. What is the frontend developer doing any different in the new hypothetical world than they would be, right now they are including an SDK and writing one line of code on login redirect/silent auth and one line of code for PKCE+code validation. If a service client needs to be authorized there would be a third line of code to call the backend. These three lines still need to be present irrespective of whether you use an AS-proxy TMI-BFF or the AS directly. Except now we are encouraging every app to write a BFF and integrate their front channel with it.

Additionally, we aren't requiring less capabilities from the spec, we are just also requiring additional ones for a BFF. If there are capabilities this lets us drop from OAuth could you explain which ones those are, because since an AS can't know whether "customers" are going to want to use a BFF or not, it will still have to implement all the necessary AS features that already exist (and the new ones that don't). I don't see how this affords an AS any additional freedom.


[Image removed by sender.]

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture. Implement Authress<https://authress.io>.


On Sun, Feb 14, 2021 at 8:39 PM Vittorio Bertocci <vittorio.bertocci@auth0.com<mailto:vittorio.bertocci@auth0.com>> wrote:
In the TMI-BFF topology, the backend and frontend developer are the same person. The operations TMI-BFF describes are the functional equivalent of what the JS code of one SPA app using a code+PKCE SDK would do when retrieving previously obtaining tokens from the store in order to perform an API call. Whereas such an app would make that call in memory (and result in the same operations described here, either use a previously saved access token matching the requirements of the API call, or use artifacts like RTs to request a new access token matching the request) in TMI-BFF al the logic and persistence layer are in the backend, hence that query becomes a request to the backend instead of a local function call.
The advantages have been described in other branches of this thread, but TL;DR- a lot of the token requesting work can be performed more reliably (eg less things can go wrong) from a confidential client and it’s easier for SDK developers to package it (see existing middlewares vs JS SDKs). Note that for the app developer this might still look like the same flow, asking a JS SDK to get the token the app needs to call an API, but the JS SDK would be dramatically simpler than the one performing code+PKCE in the user agent and entail communication between frontend a backend, hence the need to define how that communication happens if we want developers to be able to mix and match frontend and backend dev stacks.
Again, this does not necessarily add security to the code+PKCE in the user agent model (which remains the only game in town for backendless SPAs), but it does make things simpler for the frontend developer and requires less advanced capabilities in the AS.

From: Warren Parad <wparad@rhosys.ch<mailto:wparad@rhosys.ch>>
Date: Sunday, February 14, 2021 at 09:45
To: Stoycho Sleptsov <stoycho.sleptsov@gmail.com<mailto:stoycho.sleptsov@gmail.com>>
Cc: Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>>, Vittorio Bertocci <vittorio.bertocci@auth0.com<mailto:vittorio.bertocci@auth0.com>>, oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Correct it would never need to be used to authenticate a client, as a client is always offline and can directly use the backchannel. You would never need the front channel to authenticate a client, however you might need the front channel to authorize a client to access user resources offline. Is that what you are talking about, i.e. the offline refresh_token authorization code flow?

If yes, then the standard would be to use the authorization code flow requesting as you've mentioned. Although that flow already exists and well established, and without any issues, having a standard specifying how to communicate with the client doesn't seem to be useful, as you only need to pass an auth code and the issuer to the client. But since these endpoints are never exposed nor need to have interoperability between different owners (i.e. the owner of the front-channel is different from the owner of the back-channel), what's the benefit of specifying the explicit endpoints necessary for the BFF to have?


Error! Filename not specified.

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture. Implement Authress<https://authress.io>.


On Sun, Feb 14, 2021 at 6:27 PM Stoycho Sleptsov <stoycho.sleptsov@gmail.com<mailto:stoycho.sleptsov@gmail.com>> wrote:
Thanks Warren,

as I see you and Neil have the same idea,
but as of this moment I think this method is not a valid option for authenticating
a client according to the draft-ietf-oauth-v2-1.

On the other hand, authenticating the client through the BFF
seems conforming to the spec., but in the case when the access token is used
in the browser in fact, I am afraid that it can be regarded as
some kind of "deception" of the AS.

It seems the frontend SPA is not the easiest way to go with oauth...

Stoycho.

On Sun, 14 Feb 2021 at 17:35, Warren Parad <wparad@rhosys.ch<mailto:wparad@rhosys.ch>> wrote:
redirect_uri and use PKCE via the code verifier.


Error! Filename not specified.

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture. Implement Authress<https://authress.io>.


On Sun, Feb 14, 2021 at 3:51 PM Stoycho Sleptsov <stoycho.sleptsov@gmail.com<mailto:stoycho.sleptsov@gmail.com>> wrote:
Thanks a lot for your answer Neil,

as I am no expert (yet :-)) in security I was afraid to rely on
redirect_uri for authentication of the client,
but I will consider that option as more trustworthy now.

(it is also not very clear for me which part of the app can be
regarded as the redirect_uri owner, the BFF or the loaded frontend
SPA, but maybe it is not so important)

If you had the two options for authentication of the frontend SPA
client - the redirect_uri on the one hand, and the Basic
authentication with client secret through the BFF on the other, which
one would you recommend?

On Sun, 14 Feb 2021 at 16:28, Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>> wrote:
>
> Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
>
> There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.
>
> — Neil
>
> > On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com<mailto:stoycho.sleptsov@gmail.com>> wrote:
> >
> > 
> > I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
> > with the objective to verify if they are valid.
> >
> > I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
> > If we decide to implement our client as a frontend SPA , then we have no other option except through a BFF, as PKCE does not help for authentication.
> >
> > Or is it considered a bad practice to do that?
> >
> > Regards,
> > Stoycho.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org<mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

v2.23.0 | Report a Bug | By Email