+1
This model is useful and should be documented in its own right. Once
documented it could possibly be referenced in the BCP.
On 11/9/18 1:44 PM, David Waite wrote:
Hi Hans, I hope it is acceptable to reply to your message on-list.
Others could correct me if I am wrong, but I believe the purpose of
this document is to recommend uses of other OAuth/OIDC specifications,
not to include its own technologies.
In terms of being another spec to be referenced, I think it would be
useful but I wonder hypothetically how to best write that
specification. This method seems to be relying on standards-defined
tokens and converting them to an application server session, which
isn’t defined by behavior other than HTTP cookies. The session info
hook then lets you use those proprietary session tokens to retrieve
the access/id token.
As such, it is closer to an architecture for implementing a client -
as a confidential client backend with an associated SPA frontend that
needs to make OAuth-protected calls. It is not describing the
communication between existing OAuth roles, such as between the client
and AS.
There’s obvious value here, and it's one of several architectures for
browser-based apps using a confidential client rather than a public
one (another example being a reverse proxy which maps remote OAuth
endpoints into local, session-token-protected ones). I personally am
just not sure how you would define the communication between back-end
and front-end portions of the client in these architectures as a
standard within OAuth.
-DW
On Nov 6, 2018, at 3:03 AM, Hans Zandbelt <hans.zandb...@zmartzone.eu
<mailto:hans.zandb...@zmartzone.eu>> wrote:
Hi Aaron, DW,
About draft-parecki-oauth-browser-based-apps:
would you consider including a recommendation about and the
standardization of a "session info" endpoint (I'm open for better
naming ;-)) as described in:
https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-page-applications/
this approach is not just something that I cooked up; it is based on
real world requests & deployments at Netflix and OAth.
Let me know what you think,
Hans.
On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig
<hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com>> wrote:
Hi all,
Today we were not able to talk about
draft-parecki-oauth-browser-based-apps-00, which describes
"OAuth 2.0 for Browser-Based Apps".
Aaron put a few slides together, which can be found here:
https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
Your review of this new draft is highly appreciated.
Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments
are confidential and may also be privileged. If you are not the
intended recipient, please notify the sender immediately and do
not disclose the contents to any other person, use it for any
purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
--
hans.zandb...@zmartzone.eu <mailto:hans.zandb...@zmartzone.eu>
ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth