Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Dominick Baier
No. But they are CSRF protected (either SameSite or anti-forgery) and HttpOnly. ——— Dominick Baier On 17. February 2021 at 21:08:37, Neil Madden (neil.mad...@forgerock.com) wrote: Do you eliminate the cookies too? On 17 Feb 2021, at 19:50, Dominick Baier wrote: Well. Maybe it is at least

Re: [OAUTH-WG] Authorization Header Encoding

2021-02-17 Thread Brian Campbell
AFAIK the character set for the "Bearer" scheme in RFC6750 is what it is to align with the token68 part of "credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]" from https://tools.ietf.org/html/rfc7235#section-2.1 (the draft that would become RFC7235 is referenced by RFC6750 in
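As an added example (not part of Brian's message or of either RFC), the following Python parses an Authorization header value the way the quoted grammar reads: an auth-scheme, one or more SP, then a b64token whose alphabet is the token68 alphabet of RFC 7235 (ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", with "=" allowed only as trailing padding). The function name parse_bearer and the test strings are my own.

```python
import re

# RFC 7235 token68 and RFC 6750 b64token share one alphabet:
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# auth-scheme is a token; only the scheme name is case-insensitive.
CREDENTIALS = re.compile(r"(?P<scheme>[^ ]+)(?: +(?P<rest>.*))?")


def parse_bearer(authorization):
    """Return the bearer token from an Authorization header value, or None.

    Rejects anything that is not 'Bearer' SP+ b64token: other schemes,
    a missing token, characters outside the b64token alphabet, '=' anywhere
    but at the end, trailing whitespace, or the auth-param form.
    """
    if authorization is None:
        return None
    m = CREDENTIALS.fullmatch(authorization)
    if m is None or m.group("scheme").lower() != "bearer":
        return None
    rest = m.group("rest")
    if rest is None or B64TOKEN.fullmatch(rest) is None:
        return None
    return rest
```

Note that JWT-shaped tokens (dots, hyphens, underscores) fit the alphabet as-is, while a token containing "{", whitespace, or an embedded "=" does not; a resource server that accepts such values is no longer speaking the RFC 6750 grammar.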

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Brian Campbell
Always appreciate (and often learn from) your insights, Neil. I'd like to dig into the CSRF thing a bit more though to understand better and hopefully do the right thing in the draft. It seems to me that a GET at the bff-token endpoint is "safe" in that it's effectively just a read. There could
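An added example, not code from the draft or from either poster, showing one conservative set of server-side checks for a GET bff-token endpoint along the lines of this exchange and Dominick's reply above (HttpOnly, SameSite cookie plus a request-provenance check, with the scope-escalation point Vittorio raises below handled as a subset test). The cookie name, custom header name, in-memory session store, and the rule that a session may only narrow its scopes are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed in-memory session store. The BFF keeps the OAuth tokens here,
# server-side; the browser only ever holds the opaque session id.
SESSIONS = {
    "s3ss10n-id-1": {"access_token": "at-1234", "scopes": {"openid", "api:read"}},
}

COOKIE_NAME = "__Host-bff_session"   # assumed name; __Host- prefix pins Secure + Path=/
CLIENT_HEADER = "x-bff-client"       # assumed custom header the SPA's fetch() adds


def session_cookie(session_id):
    """Set-Cookie value for the BFF session cookie: HttpOnly (script cannot
    read it), Secure, SameSite=Strict (browsers omit it on cross-site requests)."""
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_cookies(header):
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_bff_token(method, url, headers):
    """Minimal GET bff-token endpoint. Returns (status, body_dict).

    The cookie's SameSite attribute is the first line of defence, but the
    server cannot see that attribute on an incoming request, so it adds two
    checks a cross-site <img>, <form> or <a> request cannot satisfy:
      * Sec-Fetch-Site, set by the browser, must not report cross-site;
      * a custom request header must be present (cross-site script could only
        add it via a CORS preflight, which this endpoint does not grant).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method != "GET":
        return 405, {"error": "method_not_allowed"}

    site = h.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        return 403, {"error": "cross_site_request"}
    if CLIENT_HEADER not in h:
        return 403, {"error": "missing_client_header"}

    session = SESSIONS.get(parse_cookies(h.get("cookie")).get(COOKIE_NAME))
    if session is None:
        return 401, {"error": "no_session"}

    # Scope escalation check: the SPA may narrow, never widen, what the BFF holds.
    # (A real BFF would mint the narrower token via its refresh token; here the
    # stored token is returned and only the reported scope is narrowed.)
    requested = set(parse_qs(urlparse(url).query).get("scope", [""])[0].split())
    granted = session["scopes"]
    if not requested:
        requested = granted
    if not requested <= granted:
        return 403, {"error": "scope_escalation"}

    return 200, {"access_token": session["access_token"],
                 "scope": " ".join(sorted(requested))}
```

The ordering matters: provenance is checked before the session is even looked up, so a forged cross-site GET that somehow still carries the cookie (an older browser, or a Lax default) is refused without touching token state.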

[OAUTH-WG] Digest for DPoP

2021-02-17 Thread Justin Richer
Two different specifications (GNAP and FAPI signatures) have recently profiled DPoP to use its signature method to protect a different kind of protocol entirely. One thing these methods have in common is that they both define an additional field for holding a digest of the HTTP Message Body:
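An added illustration, not taken from GNAP, FAPI or the DPoP specification, of how a body-digest field of the kind Justin describes is produced and checked. The claim name body_hash and the proof-claims shape are assumptions for the example (DPoP's real claims are htm, htu, jti, iat and optionally ath); signature verification of the proof JWT is assumed to have already succeeded and is not shown.

```python
import base64
import hashlib
import hmac

BODY_DIGEST_CLAIM = "body_hash"   # assumed name; GNAP and FAPI each define their own


def b64url_sha256(data):
    """base64url(SHA-256(data)) without '=' padding, the encoding DPoP already
    uses for its 'ath' access-token hash claim."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def proof_claims(htm, htu, body):
    """Claims the client puts in its proof JWT: DPoP's htm/htu plus the body
    digest whenever there is a body. (jti/iat and the signature are omitted.)"""
    claims = {"htm": htm, "htu": htu}
    if body:
        claims[BODY_DIGEST_CLAIM] = b64url_sha256(body)
    return claims


def verify_proof_claims(claims, method, url, body):
    """Server side, after the proof signature has been verified (assumed).

    Returns (ok, reason). The failure mode worth noticing: a proof that simply
    omits the digest while the request carries a body must be rejected,
    otherwise stripping the claim defeats the body binding entirely.
    """
    if claims.get("htm") != method or claims.get("htu") != url:
        return False, "htm/htu mismatch"
    presented = claims.get(BODY_DIGEST_CLAIM)
    if not body:
        return (True, "ok") if presented is None else (False, "digest without body")
    if presented is None:
        return False, "missing body digest"
    if not hmac.compare_digest(presented, b64url_sha256(body)):
        return False, "body digest mismatch"
    return True, "ok"
```

The digest is over the exact received bytes, so any intermediary that re-serialises or re-encodes the body (pretty-printing JSON, changing transfer encoding) will break the binding; that is a deployment constraint such a field carries with it.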

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Neil Madden
Do you eliminate the cookies too? > On 17 Feb 2021, at 19:50, Dominick Baier wrote: > > > Well. Maybe it is at least worth while then to at least mention that you > could also take a slightly different approach and eliminate all tokens in the > browser - with the respective trade offs. > >

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Warren Parad
You mean all but the access token and authorization code, right? Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress. On Wed, Feb 17, 2021 at 8:50 PM Dominick Baier wrote: > Well. Maybe it is at least worth while then

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Dominick Baier
Well. Maybe it is at least worthwhile then to at least mention that you could also take a slightly different approach and eliminate all tokens in the browser - with the respective trade-offs. ——— Dominick Baier On 17. February 2021 at 20:46:42, Warren Parad (wpa...@rhosys.ch) wrote: While

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Warren Parad
> > While someone will always say “but this doesn’t solve the XSS problem” - > this is absolutely correct. But when there are no tokens in the browser - > you can simply eliminate that part of the threat model ;) The point was it doesn't eliminate anything, it just changes the request/response

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Dominick Baier
Yes - “no OAuth tokens in the browser” ;) They are all kept server-side and the BFF proxies the API calls if necessary. Also the RT management happens server-side and is transparent to the SPA. I see that in lots of industries - finance, health, cloud providers While someone will always say “but

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Hans Zandbelt
Thanks Vittorio and Brian for starting this work: I have deployed this pattern in the field on a number of occasions, at security and tech savvy organizations, on their request. I'd describe it as a regular OAuth 2.0 web client with the addition of a well known endpoint meant for in-browser

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Vittorio Bertocci
Thanks Dominick, It is indeed a very simple spec, but as you can see from the discussion so far, it doesn't appear to be trivial - and there might be some considerations we consider obvious (e.g. scope escalation) that might not be super clear otherwise. In terms of the guidance, just to make sure

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-02-17 Thread Dominick Baier
Hey, Tbh - I have a bit of a hard time seeing why this requires a spec, if that is all you are aiming at. Wouldn't that be just an extension to the "OAuth for web apps BCP"? All I can add here is - this approach would not work for any of our customers. Because their real motivation is to