After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.
I would like to give a huge thanks to Philippe De Ryck for stepping up to work on this draft as a co-author! This version is a huge restructuring of the draft and now starts with a concrete description of possible threats of malicious JavaScript as well as the consequences of each. The architectural patterns have been updated to reference which of the threats is mitigated by the pattern. This restructuring should help readers make a better-informed decision by being able to evaluate the risks and benefits of each solution.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

Please give this a read, I am confident that this is a major improvement to the draft!

Aaron

On Mon, Oct 23, 2023 at 8:35 AM <internet-dra...@ietf.org> wrote:
> Internet-Draft draft-ietf-oauth-browser-based-apps-15.txt is now available. It
> is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>
> Title: OAuth 2.0 for Browser-Based Apps
> Authors: Aaron Parecki
> David Waite
> Philippe De Ryck
> Name: draft-ietf-oauth-browser-based-apps-15.txt
> Pages: 58
> Dates: 2023-10-23
>
> Abstract:
>
> This specification details the threats, attack consequences, security
> considerations and best practices that must be taken into account
> when developing browser-based applications that use OAuth 2.0.
>
> Discussion Venues
>
> This note is to be removed before publishing as an RFC.
>
> Discussion of this document takes place on the Web Authorization
> Protocol Working Group mailing list (oauth@ietf.org), which is
> archived at https://mailarchive.ietf.org/arch/browse/oauth/.
>
> Source for this draft and an issue tracker can be found at
> https://github.com/oauth-wg/oauth-browser-based-apps.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-15
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth