Re: [OAUTH-WG] Call for adoption - TMI BFF

Seán Kelleher <sean@trustap.com> Tue, 04 May 2021 15:28 UTC

MIME-Version: 1.0
References: <CADNypP9wV6=T-AU+j_hrXT7zH9c8OdKone_0Arq+yPu+aAupNQ@mail.gmail.com> <CAD9ie-uhLf_d0=GpftqoRAZ7_=wEBLBHyUjkR1bomz6xcM_dzQ@mail.gmail.com> <CAGBSGjo=fko9Tc+fbcA3P74xH9bZbg6t6x__-KR7XSfh6A5Evg@mail.gmail.com>
In-Reply-To: <CAGBSGjo=fko9Tc+fbcA3P74xH9bZbg6t6x__-KR7XSfh6A5Evg@mail.gmail.com>
From: Seán Kelleher <sean@trustap.com>
Date: Tue, 04 May 2021 16:27:48 +0100
Message-ID: <CAPLh0AME6QbiEOj5uJdyVaNxGaVYLhm7gtgCZj36zVmxO=+DJQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000020f23905c182b926"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zZbRxFo4OBGzd8WYuUDaYJdc-qk>

Hi all,

I'd like to hear others' take on Brock Allen's prior comment on the
document:

> 5) For me personally in all the consulting I've done helping customers use
> OIDC/OAuth over the past 7 years (since OIDC was released) I've never seen
> anyone trying to do it this way. I do believe that some people try this
> style, but I wonder if it's just because they don't know any better (so
> lacking guidance) or is it really because they're actively trying to
> mitigate the reverse proxy hop performance issue? If it's the former, then
> I don't agree that it makes sense to formalize a less secure approach when
> they simply need better guidance (which arguably is the "full BFF"
> approach), and thus the motivation for the document is slightly weakened
> (IMO).
I don't have as much exposure to the way lots of different groups are
implementing OAuth2/OIDC but I agree that this approach is novel for me,
and I'd be interested to hear others' thoughts on that aspect before the
document is adopted.

Apologies if this is the wrong place to voice such a concern. I would still
be very much interested in a discourse about the relative security and
positives/negatives of this approach regardless of the outcome.

Kind regards,

Seán.

On Tue, 4 May 2021 at 16:03, Aaron Parecki <aaron@parecki.com> wrote:

> I support adoption. I'm also fine with the BFF acronym since it's common
> in the software development world already. If anything, the TMI acronym is
> the least strong of the two as it's missing a letter from the full name of
> the draft.
>
> Aaron
>
> On Tue, May 4, 2021 at 7:40 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> I'm supportive -- but am concerned with the BFF acronym.
>>
>> On Mon, May 3, 2021 at 3:00 PM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is a call for adoption for the *Token Mediating and Session
>>> Information Backend for Frontend* as a WG document:
>>> https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
>>>
>>> Please, provide your feedback on the mailing list by *May 17th*.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
> --
> ---
> Aaron Parecki
> https://aaronparecki.com
>
>