I have made up my own implementations that follow the pattern in the
document.

It keeps the security in the server, and allows the app to call the API
directly rather than through a backend proxy, which impacts latency and CX.

On Tue, May 4, 2021 at 8:27 AM Seán Kelleher <s...@trustap.com> wrote:

> Hi all,
>
> I'd like to hear others' take on Brock Allen's prior comment on the
> document:
>
>> 5) For me personally in all the consulting I've done helping customers use
>> OIDC/OAuth over the past 7 years (since OIDC was released) I've never seen
>> anyone trying to do it this way. I do believe that some people try this
>> style, but I wonder if it's just because they don't know any better (so
>> lacking guidance) or is it really because they're actively trying to
>> mitigate the reverse proxy hop performance issue? If it's the former, then
>> I don't agree that it makes sense to formalize a less secure approach when
>> they simply need better guidance (which arguably is the "full BFF"
>> approach), and thus the motivation for the document is slightly weakened
>> (IMO).
>
>
> I don't have as much exposure to the way lots of different groups are
> implementing OAuth2/OIDC but I agree that this approach is novel for me,
> and I'd be interested to hear others' thoughts on that aspect before the
> document is adopted.
>
> Apologies if this is the wrong place to voice such a concern. I would
> still be very much interested in a discourse about the relative security
> and positives/negatives of this approach regardless of the outcome.
>
> Kind regards,
>
> Seán.
>
> On Tue, 4 May 2021 at 16:03, Aaron Parecki <aa...@parecki.com> wrote:
>
>> I support adoption. I'm also fine with the BFF acronym since it's common
>> in the software development world already. If anything, the TMI acronym is
>> the least strong of the two as it's missing a letter from the full name of
>> the draft.
>>
>> Aaron
>>
>> On Tue, May 4, 2021 at 7:40 AM Dick Hardt <dick.ha...@gmail.com> wrote:
>>
>>> I'm supportive -- but am concerned with the BFF acronym.
>>>
>>> On Mon, May 3, 2021 at 3:00 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>>>
>>>> All,
>>>>
>>>> This is a call for adoption for the *Token Mediating and Session
>>>> Information Backend for Frontend* as a WG document:
>>>> https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
>>>>
>>>> Please, provide your feedback on the mailing list by *May 17th*.
>>>>
>>>> Regards,
>>>>  Rifaat & Hannes
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>> --
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>>
>