Dear Rifaat,

The main reason for proposing this topic was to gather the members'
opinions on whether the current methodology for preserving the application
state is adequate or whether there is a need to explore other alternatives. I
don't have any supporting documents to share at this time. My intention was
simply to open a discussion and assess the feasibility of alternative
methodologies. The topic had come up during the mailing list discussions.
As per my understanding, I would like to summarize the issue here:

To ensure a better user experience, it is important to preserve the state
from where the OAuth process was initiated. One way to convey this
information is through the "state" parameter, which is passed from the
client to the authorization server (AS) and back. The primary purpose of
the "state" parameter is to mitigate Cross-Site Request Forgery (CSRF)
attacks, and developers may not appreciate its use for restoring the
previous state of the application. The "state" parameter is impacted by all
three security principles, i.e. confidentiality, integrity and
availability. The remediation measures in terms of confidentiality and
integrity have been well brought out by the members in the mailing list by
way of encryption or signing of the "state" parameter. However, decryption and
verification of the "state" parameter incur performance penalties.
Therefore, two questions arise:
(a) Are there any other patterns that we can look at to address the
concerns in terms of performance penalty?
(b) Is there a need to provide clear guidelines on how to restore the
previous state of the client application to ensure a seamless user
experience in upcoming RFCs?

Regards
Jaimandeep Singh



On Thu, Mar 16, 2023 at 5:39 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
wrote:

> Hi Jaimandeep,
>
> Can you elaborate on bullet 3? Do you have a document that discusses this
> topic?
>
> Regards,
>  Rifaat
>
>
> On Thu, Mar 16, 2023 at 2:01 AM Jaimandeep Singh <
> jaimandeep.phdc...@nfsu.ac.in> wrote:
>
>> Dear Rifaat,
>>
>> I would like to suggest the following regarding the upcoming conference:
>>
>> 1. It would be very beneficial if the presenters could share the
>> presentation materials and discussion points for each item on the agenda
>> well in advance. This would enable us to go through the same and streamline
>> the discussion. IMO when the points for discussion are presented at the
>> last moment, it is difficult to make meaningful contributions.
>>
>> 2. Additionally, I suggest that we establish a hard cutoff time for each
>> agenda item to ensure that we cover all the items on the agenda within the
>> allocated time. In case of time overrun, we can continue the same in side
>> discussions. In the last conference, it was observed that some agenda
>> points ran over time, which meant that other important items on the agenda
>> were not addressed or did not get sufficient time.
>>
>> 3. If the members agree, a 5-minute agenda item can be added to discuss
>> the use of the "state" parameter design pattern for preserving the current
>> state and the impact it may have on the performance of OAuth.
>>
>> Regards
>> Jaimandeep Singh
>>
>> On Wed, 15 Mar, 2023, 7:34 pm Rifaat Shekh-Yusef, <
>> rifaat.s.i...@gmail.com> wrote:
>>
>>> All,
>>>
>>> The following is the agenda for the official two sessions scheduled for
>>> the OAuth WG:
>>>
>>> *Tuesday*
>>>
>>>    - *Chairs update –* Rifaat/Hannes (10 min)
>>>    - *SD-JWT *– Kristina/Daniel – (20 min)
>>>    - *Browser-based Apps* – Aaron (20 min)
>>>    - *OAuth 2.1* – Aaron (20 min)
>>>    - *Client/Trust Management *– Kristina/Torsten (20 min)
>>>    - *Protected Resource Metadata *– Mike (15 min)
>>>    - *Machine Identity *– Pieter (15 min)
>>>
>>>
>>> *Friday*
>>>
>>>    - *JWT Embedded Tokens *– Rifaat/Dick (15 min)
>>>    - *Cross Device Flow –* Pieter (15 min)
>>>    - *Identity Chaining *– Rifaat/Pieter (20 min)
>>>    - *Native Apps UX* – Aaron/Pieter (20 min)
>>>    - *Authorization Server Discovery *– Aaron/Ben (20 min)
>>>    - *PoP Security Architecture *– Nat (15 min)
>>>    - *Power of Attorney (PoA) Grant Type *– Olov (15 min)
>>>
>>>
>>> Please, let us know if you have any comments about the above agenda.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>

-- 
Regards and Best Wishes
Jaimandeep Singh
LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
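As an added illustration of the two patterns discussed in the message above (this is editorial example code, not code from the thread, from any list participant, or from an OAuth WG document), the following Python contrasts a self-contained HMAC-signed "state" that carries the application state across the redirect with an opaque, single-use "state" handle that keeps the application state in client-side storage and needs no cryptographic verification on the callback. The function names, the `session` dictionary standing in for a cookie-bound user session, and the `STATE_TTL` value are all assumptions made for the example; only the standard library is used.

```python
# Added example, not part of the mailing-list thread.  Two ways for an OAuth
# client to carry its pre-authorization application state across the
# redirect while still using "state" as the CSRF token.  `session` stands in
# for a dict bound to the user agent by a session cookie (assumption).
import base64
import hashlib
import hmac
import json
import secrets
import time

STATE_TTL = 600  # seconds a pending authorization stays valid (assumed value)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Pattern 1: self-contained, HMAC-signed state ----------------------------
# No client-side storage for the app state, but an HMAC computation on every
# callback, and the nonce must still be bound to the session: an attacker can
# obtain a validly signed state simply by starting their own authorization
# flow, so the signature alone does not stop CSRF.

def make_signed_state(app_state: dict, key: bytes, session: dict, now=None) -> str:
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce  # binds this pending flow to the user agent
    body = {"n": nonce, "t": int(now), "a": app_state}
    payload = _b64u(json.dumps(body, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64u(tag)


def verify_signed_state(state: str, key: bytes, session: dict, now=None):
    """Return the embedded app state, or None if the state must be rejected."""
    now = time.time() if now is None else now
    try:
        payload, tag = state.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(tag)):
            return None  # forged or tampered (integrity)
        body = json.loads(_b64u_decode(payload))
        if now - body["t"] > STATE_TTL:
            return None  # stale; bounds the replay window
        # CSRF check: the nonce must be the one issued to *this* session, and
        # popping it makes the state single-use.
        if not hmac.compare_digest(body["n"], session.pop("oauth_nonce", "")):
            return None
        return body["a"]
    except (ValueError, KeyError, TypeError):
        return None


# --- Pattern 2: opaque handle plus local lookup ------------------------------
# "state" is an unguessable handle; the app state never leaves the client
# (a server-side session here, sessionStorage in a browser app works the same
# way), so confidentiality and integrity need no crypto and the callback is a
# single dictionary lookup.  CSRF protection comes from the handle having to
# exist in the victim's own session, and from it being single-use.

def issue_opaque_state(session: dict, app_state: dict, now=None) -> str:
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(32)  # 256 bits of entropy
    session.setdefault("oauth_pending", {})[handle] = (int(now), app_state)
    return handle


def redeem_opaque_state(session: dict, handle: str, now=None):
    """Single-use: the entry is removed whether or not it turns out valid."""
    now = time.time() if now is None else now
    entry = session.get("oauth_pending", {}).pop(handle, None)
    if entry is None:
        return None  # unknown, already redeemed, or issued to another session
    issued, app_state = entry
    if now - issued > STATE_TTL:
        return None
    return app_state


if __name__ == "__main__":
    key, sess = secrets.token_bytes(32), {}
    st = make_signed_state({"return_to": "/cart"}, key, sess)
    print("signed:", verify_signed_state(st, key, sess), verify_signed_state(st, key, sess))
    sess = {}
    h = issue_opaque_state(sess, {"return_to": "/cart"})
    print("opaque:", redeem_opaque_state(sess, h), redeem_opaque_state(sess, h))
```

In both patterns the callback rejects a replayed state, an expired state, and a state that was not issued to the calling user's session; the difference is that pattern 2 moves the cost from an HMAC verification per callback to a lookup in storage the client already holds.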