Daniel,

Thank you for your feedback!

We’re definitely interested in aligning with FAPI and with the proposed OAuth 2.1, as that could greatly simplify what we need to specify in our enterprise profiles if we can point to one or both as a baseline, and help provide a common set of requirements for implementations. We’ll compare with the FAPI 2.0 Baseline profile and bring any specific comments over to its mailing list.

Generally we stated requirements as mandatory that we believe many current implementations already can meet, and stated requirements as recommended that we want to encourage implementations to meet. For example, PKCE seems to be widely implemented by authorization servers but not yet by many clients. Certainly we’re open to input, and I’m glad to see the strict requirements that are in the current version of the FAPI 2.0 Baseline profile.

By “front-end web server” we mean a user-facing (user connects to it from their browser) web server (running on a separate endpoint from the user agent/browser). The web server is acting as an OAuth client to call a backend protected resource (such as a database) on behalf of the user and generally presenting the results back to the user agent/browser. We will try to clarify our terminology. This use case is described in our profile’s section 1.5.1. (Part of the motivation of our use case text is to describe how OAuth can address enterprise needs to those who may be unfamiliar with OAuth.)

We’ll fix section 3.7, thanks!

That’s a good point about Section 6 of our profile and the Security BCP. We already took the contents of the Security BCP into account throughout the profile. One thought is to just remove our Section 6, as the TLS requirement is already stated elsewhere, and the blanket statements to comply with RFC6749 and RFC6819 appear redundant and could complicate compliance testing.
Thanks,
Mike

From: Daniel Fett <f...@danielfett.de>
Date: Tuesday, March 3, 2020 at 9:17 AM
To: Michael Peck <mp...@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Cc: OAuthOIDCProfiles <oauthoidcprofi...@groups.mitre.org>
Subject: [EXT] Re: [OAUTH-WG] OAuth and OpenID Connect enterprise profiles

Hi Michael et al.,

Thanks for the document, it is an interesting read! I like the "Security Rationale" section in particular. Very useful!

In general, this seems to go into a similar direction as the FAPI 2.0 Baseline profile we are currently developing in the FAPI WG [1]. It might be worthwhile to compare the two.

Some other points from a first read: (All page numbers as printed, not the PDF page count.)

- Why is PKCE not mandatory for confidential clients? It provides a strong second layer of defense when authorization codes are stolen.
- I found the description "front-end web server application" somewhat confusing (Section 2.1.1, p. 9) - The client runs on the server's backend, I assume? On the front-end (browser), it should be a public client.
- In Section 3.7 (p. 22), the first and second paragraph seem to contradict each other. First one says "RECOMMENDED lifetimes", second one says "MUST have a valid lifetime no greater than one hour".
- I was surprised that the Security BCP does not show up in Section 6.

-Daniel

[1] https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md

On 02.03.20 at 20:53, Peck, Michael A wrote:

Hello all,

For anyone who may be interested: MITRE, in support of the U.S. Government, has developed tailored OAuth and OpenID Connect profiles for use in enterprise environments. We have leveraged previous standards efforts (e.g. work in the IETF and in the OpenID Foundation) and have detailed requirements to use the standards in a secure and interoperable manner to address enterprise environment use cases. These profiles should be considered informational as we seek feedback from subject matter experts.
We’re interested in working with standards bodies and others to move these concepts forward. We welcome any comments and suggestions at mailto:oauthoidcprofi...@groups.mitre.org.

The profiles can be found at: https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles

Michael Peck
The MITRE Corporation

_______________________________________________
OAuth mailing list
mailto:OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
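Daniel's point about PKCE as a second layer of defense for confidential clients, and Mike's reply that servers support it more widely than clients do, are both about the same mechanism: binding an authorization code to the session that started the flow. The following is an added example written for this thread; it is not code from the MITRE profiles, the FAPI profile, or either author. It is a constructed, in-memory model of the authorization-code exchange (the `AuthorizationServer` class, the client id `app`, the secret `s3cret` and the redirect URI are all made-up values). It shows a confidential client generating an S256 `code_verifier`/`code_challenge` pair per RFC 7636, the authorization server storing the challenge with the issued code, and the token endpoint refusing to redeem the code, even with valid client credentials, unless the matching verifier is presented, so a leaked code alone is not enough.

```python
"""PKCE (RFC 7636) as a second layer of defense for authorization codes.

Constructed, self-contained model of the authorization-code flow: no network,
no real authorization server. Client credentials and URIs are made-up values.
"""
import base64
import hashlib
import hmac
import secrets
import time


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters. 32 random bytes
    # encode to 43 base64url characters once padding is stripped.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256:
    # BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical in-memory AS with one registered confidential client."""

    CODE_LIFETIME_S = 60  # constructed value: authorization codes are short-lived

    def __init__(self):
        self.clients = {"app": "s3cret"}  # constructed client_id -> client_secret
        self.codes = {}  # code -> record binding it to client, redirect_uri, challenge

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        """Authorization endpoint: issue a code bound to the PKCE challenge."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if method != "S256" or not code_challenge:
            # Require PKCE with S256 for every client; the 'plain' method and
            # requests without a challenge are rejected.
            raise ValueError("code_challenge with method S256 is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "issued": time.time()}
        return code

    def token(self, code, code_verifier, client_id, client_secret, redirect_uri):
        """Token endpoint: client authentication, then PKCE, then single use."""
        # First layer: the confidential client authenticates with its secret.
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        # pop() makes every code single-use, whatever happens next.
        rec = self.codes.pop(code, None)
        if rec is None or time.time() - rec["issued"] > self.CODE_LIFETIME_S:
            return {"error": "invalid_grant"}
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        # Second layer: only the session holding the original verifier can
        # redeem the code, so a code that leaked in transit is useless alone.
        if code_verifier is None or not hmac.compare_digest(
                make_code_challenge(code_verifier), rec["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def run_scenario():
    """Exercise the model and return the outcome of each token request."""
    az = AuthorizationServer()
    redirect = "https://app.example/cb"  # constructed redirect URI

    # Legitimate session: the client keeps the verifier, sends the challenge.
    verifier = make_code_verifier()
    code = az.authorize("app", redirect, make_code_challenge(verifier))
    legit = az.token(code, verifier, "app", "s3cret", redirect)
    replay = az.token(code, verifier, "app", "s3cret", redirect)  # already used

    # A second code is redeemed with a verifier from a different session:
    # client credentials are valid, but the PKCE binding does not match.
    code2 = az.authorize("app", redirect, make_code_challenge(make_code_verifier()))
    wrong = az.token(code2, make_code_verifier(), "app", "s3cret", redirect)

    try:  # an authorization request without PKCE is refused outright
        az.authorize("app", redirect, None)
        no_pkce = "accepted"
    except ValueError:
        no_pkce = "rejected"

    return {"legit": "ok" if "access_token" in legit else legit["error"],
            "replay": replay.get("error"),
            "wrong_verifier": wrong.get("error"),
            "no_pkce": no_pkce}


if __name__ == "__main__":
    print(run_scenario())
```

The design point is the ordering inside `token()`: client authentication is checked first, but passing it is not sufficient, and the code is consumed before the PKCE check so that a failed attempt also burns the code. The RFC 7636 Appendix B vector (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` hashes to `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) can be used to confirm that `make_code_challenge` matches real authorization servers.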