I have made up my own implementations that follow the pattern in the document.
It keeps the security in the server, and allows the app to call the API directly rather than through a backend proxy, which impacts latency and CX.

On Tue, May 4, 2021 at 8:27 AM Seán Kelleher <[email protected]> wrote:

> Hi all,
>
> I'd like to hear others' take on Brock Allen's prior comment on the
> document:
>
>> 5) For me personally in all the consulting I've done helping customers use
>> OIDC/OAuth over the past 7 years (since OIDC was released) I've never seen
>> anyone trying to do it this way. I do believe that some people try this
>> style, but I wonder if it's just because they don't know any better (so
>> lacking guidance) or is it really because they're actively trying to
>> mitigate the reverse proxy hop performance issue? If it's the former, then
>> I don't agree that it makes sense to formalize a less secure approach when
>> they simply need better guidance (which arguably is the "full BFF"
>> approach), and thus the motivation for the document is slightly weakened
>> (IMO).
>
> I don't have as much exposure to the way lots of different groups are
> implementing OAuth2/OIDC but I agree that this approach is novel for me,
> and I'd be interested to hear others' thoughts on that aspect before the
> document is adopted.
>
> Apologies if this is the wrong place to voice such a concern. I would
> still be very much interested in a discourse about the relative security
> and positives/negatives of this approach regardless of the outcome.
>
> Kind regards,
>
> Seán.
>
> On Tue, 4 May 2021 at 16:03, Aaron Parecki <[email protected]> wrote:
>
>> I support adoption. I'm also fine with the BFF acronym since it's common
>> in the software development world already. If anything, the TMI acronym is
>> the least strong of the two as it's missing a letter from the full name of
>> the draft.
>>
>> Aaron
>>
>> On Tue, May 4, 2021 at 7:40 AM Dick Hardt <[email protected]> wrote:
>>
>>> I'm supportive -- but am concerned with the BFF acronym.
>>>
>>> On Mon, May 3, 2021 at 3:00 PM Rifaat Shekh-Yusef <[email protected]> wrote:
>>>
>>>> All,
>>>>
>>>> This is a call for adoption for the *Token Mediating and Session
>>>> Information Backend for Frontend* as a WG document:
>>>> https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
>>>>
>>>> Please provide your feedback on the mailing list by *May 17th*.
>>>>
>>>> Regards,
>>>> Rifaat & Hannes
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> --
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
