Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

Phil Hunt <phil.hunt@oracle.com> Fri, 18 May 2018 16:37 UTC

From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <VI1PR0801MB2112A6F8B47939F8748DEA43FA910@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Date: Fri, 18 May 2018 09:37:10 -0700
Cc: Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-Id: <DA3E7E6D-C171-4631-87B0-7D8C8741B843@oracle.com>
References: <ab42d84a-5f08-4600-aa36-92e73944cf6c@getmailbird.com> <VI1PR0801MB2112A6F8B47939F8748DEA43FA910@VI1PR0801MB2112.eurprd08.prod.outlook.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ySUhBpR-nJI3zqbVJIJVRQGtLtM>
Subject: Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

+1. I think this would be good to have. 

Phil

> On May 17, 2018, at 9:23 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
> Hi Brock,
>  
> there have been several attempts to start writing some guidance but so far we haven’t gotten too far.
> IMHO it would be great to have a document.
>  
> Ciao
> Hannes
>  
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brock Allen
> Sent: 17 May 2018 14:57
> To: oauth@ietf.org
> Subject: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
>  
> Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because google is actively discouraging the use of implicit flow:
>  
> https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290
>  
> From what I can tell, the complaints with implicit are:
> * access token in URL
> * access token in browser history
> * iframe complexity when using prompt=none to "refresh" access tokens
>  
> But this requires:
> * AS/OP to support PKCE
> * AS/OP to support CORS 
> * user-agent must support CORS
> * AS/OP to maintain short-lived refresh tokens 
> * AS/OP must aggressively revoke refresh tokens at user signout (which is not something OAuth2 "knows" about)
> * if the above point can't work, then client must proactively use revocation endpoint if/when user triggers logout
>  
> Any use in discussing this?
>  
> -Brock
>  