Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-15.txt

2023-10-23 Thread Aaron Parecki
After a lot of discussion on the mailing list over the last few months, and
after some excellent discussions at the OAuth Security Workshop, we've been
working on revising the draft to provide clearer guidance and clearer
discussion of the threats and consequences of the various architectural
patterns in the draft.

I would like to give a huge thanks to Philippe De Ryck for stepping up to
work on this draft as a co-author!

This version is a huge restructuring of the draft and now starts with a
concrete description of possible threats of malicious JavaScript as well as
the consequences of each. The architectural patterns have been updated to
reference which of each threat is mitigated by the pattern. This
restructuring should help readers make a better informed decision by being
able to evaluate the risks and benefits of each solution.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

Please give this a read, I am confident that this is a major improvement to
the draft!

Aaron

On Mon, Oct 23, 2023 at 8:35 AM  wrote:

> Internet-Draft draft-ietf-oauth-browser-based-apps-15.txt is now available.
> It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>
>    Title:   OAuth 2.0 for Browser-Based Apps
>    Authors: Aaron Parecki
>             David Waite
>             Philippe De Ryck
>    Name:    draft-ietf-oauth-browser-based-apps-15.txt
>    Pages:   58
>    Dates:   2023-10-23
>
> Abstract:
>
>This specification details the threats, attack consequences, security
>considerations and best practices that must be taken into account
>when developing browser-based applications that use OAuth 2.0.
>
> Discussion Venues
>
>This note is to be removed before publishing as an RFC.
>
>Discussion of this document takes place on the Web Authorization
>Protocol Working Group mailing list (oauth@ietf.org), which is
>archived at https://mailarchive.ietf.org/arch/browse/oauth/.
>
>Source for this draft and an issue tracker can be found at
>https://github.com/oauth-wg/oauth-browser-based-apps.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-15
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-15.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-browser-based-apps-15.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 for Browser-Based Apps
   Authors: Aaron Parecki
            David Waite
            Philippe De Ryck
   Name:    draft-ietf-oauth-browser-based-apps-15.txt
   Pages:   58
   Dates:   2023-10-23

Abstract:

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-15

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

