Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

"Brock Allen" <> Fri, 18 May 2018 17:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E335412D95D for <>; Fri, 18 May 2018 10:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kqAwX_m15Yjq for <>; Fri, 18 May 2018 10:55:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 50D1412D942 for <>; Fri, 18 May 2018 10:55:50 -0700 (PDT)
Received: by with SMTP id b22-v6so7095806qkj.9 for <>; Fri, 18 May 2018 10:55:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:date:message-id:subject:from:to:cc:in-reply-to :references:user-agent; bh=Jw3N2yrbgQ0XUf1GNQDCrc+RwLDv5yMSxhA1h2y0/Zw=; b=HbzPQeIk0+eG9l1sOc98tc9DYFKTm3XPAN2sMDbKK1wuUYAWBhCSjEpp0QIN8cPMp7 CDWtWxQLkqgotbMnO9g97MsB4VJ7YTWOVsLcZ6pGZh5QmLsAFU/PqjdURR9RPzplcwhS AnLOWxIiPmY6gAZWsFw/zOlfri8sBIfJqnyboIVxCe4KexI0TLXObTSV5UDHzwMXoEcH u74JZH4lPhry4sRUoDGQswu9c0w6tEpniIEI0l808ZZjzzK/LXwXyPu0iUCf0DOm+Adv OKzHhWg/w9lvKmjnrXT+wnIUo/Z0GleCpN1Cc6sK0kAKkm93ihIcOkbx1UCnJcKiQn1C iT5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :in-reply-to:references:user-agent; bh=Jw3N2yrbgQ0XUf1GNQDCrc+RwLDv5yMSxhA1h2y0/Zw=; b=sJwz+C8DgVN0IuD5srkhpfeC+e7G3/N9vsXA3S7XFl2sAZTW8e7xto3TuZsOMsZcDc IsfRnpzXaiGxuHMqzVEl5t7awDPwp4P1kxAYBMQGLqdqz8zBfeeJR9u/Jl6Q6AndrLiF sNS+kbyYNJSCjJ3ja1cxhYu54DTzGKSKHlVGoPjVPMe+KMxAjhIYz6RCSVFj5A/Etmbk ffpatJtZFCTCZqhkAOKf548U6//C8pRP/F2rRuFC/luHcB37hvQnTzbNdpIZq4D2spHs Z4BV+zv/f83+6rP6gDinEC6krm5r3Bo8tjgAJFoPPavoLreHcBM9u0rWP28WV7o1lGVD FXKw==
X-Gm-Message-State: ALKqPwcNSNwL+sWf8fcJKupAjcJoz+8DKNUC3lhpyOabG0S3coi7ia3L Fogy6/z/3tPamF8YRWjzt/w=
X-Google-Smtp-Source: AB8JxZqvMyQfsKZeKPRLG2QOc27JRtj4jAI/CsdKd2VW+xGFYaMrArGzKzQVYEHntT01TnvORIozxA==
X-Received: by 2002:a37:5ac5:: with SMTP id o188-v6mr9340870qkb.295.1526666149052; Fri, 18 May 2018 10:55:49 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id q8-v6sm5967398qtb.13.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 May 2018 10:55:48 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_12625737.623923963556"
MIME-Version: 1.0
Date: Fri, 18 May 2018 13:55:42 -0400
Message-ID: <>
From: Brock Allen <>
To: David Waite <>, John Bradley <>
Cc: Hannes Tschofenig <>,
In-Reply-To: <>
References: <> <> <> <,> <> <> <> <>
User-Agent: Mailbird/
Archived-At: <>
Subject: Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 May 2018 17:55:52 -0000

> I don’t believe code flow today with an equivalent token policy as you have with implicit causes any new security issues, and it does correct _some_ problems. The problem is that you immediately want to change token policy to get around hidden iframes and special parameters.

Hidden frames and special params -- are those really the main concerns with implicit? Those are just different mechanics to do the same thing. IMO, iframes are just another way to "do" HTTP, albeit more clumsy and effort than XMLHttpRequest. And in my experience, prompt=none is easily done and well supported. Perhaps my perspective is skewed.

I thought the access token being sent in the URL is a bigger concern, and that's why code+PKCE is a better approach.