Urm, hi! Chiming in on pros/cons for the various patterns, related to something we’ve been working on here. Both section 6.2 and 6.3 don’t mention that the pattern obfuscates the original user agent’s IP or other identifying markers. If, hypothetically, you care about access from sanctioned IP ranges, neither of those two would fully permit that. Only getting tokens directly from the authorization server would allow that.
Also – typo in 6.4, first sentence: "from the authorization itself" should likely read "from the authorization server itself".

Happy Friday!
Michael

From: OAuth <oauth-boun...@ietf.org> on behalf of Aaron Parecki <aaron=40parecki....@dmarc.ietf.org>
Date: Tuesday, September 13, 2022 at 11:25 AM
To: oauth@ietf.org <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-11.txt

Hello all,

With the help of a few kind folks, we've made some updates to this draft as discussed during the last IETF meeting in Philadelphia. You can find the current version, draft 11, here: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html

The major changes in this version are adding two new architecture patterns, the "Token Mediating Backend" pattern based on the TMI-BFF draft, and the "Service Worker" pattern of using a Service Worker as the OAuth client. I've also done a fair amount of rearranging of various parts of the document to hopefully make more sense.

Obviously there is no clear winner in terms of which architecture pattern is best, so instead of trying to make a blanket recommendation, the goal of this draft is to document the pros and cons of each. If you have any input into either benefits or drawbacks that aren't mentioned yet in any of the patterns discussed, please feel free to chime in so we can add them to the document! You're welcome to either reply on the list, open an issue on the linked GitHub repository, or contact me directly.
Keep in mind that only comments on the mailing list are part of the official record.

Thanks,
Aaron Parecki

On Tue, Sep 13, 2022 at 10:42 AM <internet-dra...@ietf.org> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF.

Title : OAuth 2.0 for Browser-Based Apps
Authors : Aaron Parecki
          David Waite
Filename : draft-ietf-oauth-browser-based-apps-11.txt
Pages : 29
Date : 2022-09-13

Abstract:
This specification details the security considerations and best practices that must be taken into account when developing browser-based applications that use OAuth 2.0.

Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.
Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-11

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
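The point Michael raises at the top of the thread, shown as an added illustration that is not part of this mailing-list thread or of the draft: when a Token Mediating Backend (or any backend-for-frontend) obtains tokens on the browser's behalf, the authorization server's token endpoint sees the backend's IP as the TCP peer, not the user agent's. An IP-based access policy at the authorization server therefore evaluates the backend's address unless the backend forwards the client IP and the authorization server trusts that specific backend to do so. The policy, the blocked range, the backend address and the `X-Forwarded-For` handling below are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy: a range the token endpoint refuses to serve
# (stand-in for any IP-based restriction, e.g. a sanctioned range).
BLOCKED_RANGES = [ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed allowlist: the only peers whose X-Forwarded-For the AS believes.
TRUSTED_BACKENDS = {ip_address("198.51.100.10")}


@dataclass
class TokenRequest:
    """What the AS token endpoint can observe about one request."""
    peer_ip: str                          # TCP peer address
    forwarded_for: Optional[str] = None   # X-Forwarded-For, if a backend set it


def effective_client_ip(req: TokenRequest):
    """Address the AS attributes the request to.

    Only a peer on TRUSTED_BACKENDS may override the peer address via
    X-Forwarded-For; from any other peer the header is ignored, since the
    AS has no way to verify it.
    """
    peer = ip_address(req.peer_ip)
    if req.forwarded_for and peer in TRUSTED_BACKENDS:
        # First entry is the originating client in the usual XFF convention.
        return ip_address(req.forwarded_for.split(",")[0].strip())
    return peer


def is_blocked(ip) -> bool:
    return any(ip in net for net in BLOCKED_RANGES)


def evaluate(req: TokenRequest) -> dict:
    """Token-endpoint policy decision for one request."""
    ip = effective_client_ip(req)
    return {"attributed_ip": str(ip), "allowed": not is_blocked(ip)}


def direct_pattern(browser_ip: str) -> dict:
    """Browser obtains tokens from the AS directly: AS sees the user agent."""
    return evaluate(TokenRequest(peer_ip=browser_ip))


def bff_pattern(browser_ip: str, backend_ip: str, forward_client_ip: bool) -> dict:
    """Backend obtains tokens for the browser: AS sees the backend's IP,
    and learns the user agent's IP only if the backend forwards it."""
    xff = browser_ip if forward_client_ip else None
    return evaluate(TokenRequest(peer_ip=backend_ip, forwarded_for=xff))


def untrusted_forwarder(peer_ip: str, claimed_ip: str) -> dict:
    """A peer not on the allowlist supplies X-Forwarded-For: ignored."""
    return evaluate(TokenRequest(peer_ip=peer_ip, forwarded_for=claimed_ip))


if __name__ == "__main__":
    browser, backend = "203.0.113.5", "198.51.100.10"
    print("direct:        ", direct_pattern(browser))
    print("BFF, no XFF:   ", bff_pattern(browser, backend, False))
    print("BFF, with XFF: ", bff_pattern(browser, backend, True))
    print("untrusted XFF: ", untrusted_forwarder(browser, "192.0.2.1"))
```

The second scenario is the one the thread describes: with the backend in the path and nothing forwarded, the request is attributed to `198.51.100.10` and passes a policy that would have rejected the browser's own address. Closing that gap needs both halves, a backend that forwards the client address and an authorization server that accepts it only from an allowlisted backend; the last scenario shows why the allowlist matters.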