From 825266acda66fbe1077839fe22cde306571cebbe Mon Sep 17 00:00:00 2001 From: duncanwd <86387101+duncanwd@users.noreply.github.com> Date: Tue, 16 Apr 2024 20:21:49 -0500 Subject: [PATCH 1/4] feat: narrowing ascii-art and adding svg support --- art/bbapp-pattern-bff.ascii-art | 26 ++++++ art/bbapp-pattern-serviceworker.ascii-art | 24 +++++ art/bbapp-pattern-standalone.ascii-art | 19 ++++ art/bbapp-pattern-tmb.ascii-art | 26 ++++++ draft-ietf-oauth-browser-based-apps.md | 106 ++++------------------ 5 files changed, 111 insertions(+), 90 deletions(-) create mode 100644 art/bbapp-pattern-bff.ascii-art create mode 100644 art/bbapp-pattern-serviceworker.ascii-art create mode 100644 art/bbapp-pattern-standalone.ascii-art create mode 100644 art/bbapp-pattern-tmb.ascii-art diff --git a/art/bbapp-pattern-bff.ascii-art b/art/bbapp-pattern-bff.ascii-art new file mode 100644 index 0000000..e2854a8 --- /dev/null +++ b/art/bbapp-pattern-bff.ascii-art @@ -0,0 +1,26 @@ + +---------------+ +----------+ +----------+ + | | | | | | + | Authorization | | Token | | Resource | + | Endpoint | | Endpoint | | Server | + | | | | | | + +---------------+ +----------+ +----------+ + + ^ ^ ^ + | (F)| (K)| + | v v + | + | +------------------------------+ + | | | + | | Backend for Frontend (BFF) | + (D)| | | + | +------------------------------+ + | + | ^ ^ ^ + ^ + + | (B,I)| (C)| (E)| (G)| (J)| |(L) + v v v + v + v + ++-----------------+ +-----------------------------------------+ +| | (A,H) | | +| Static Web Host | +-----> | Browser | +| | | | ++-----------------+ +-----------------------------------------+ \ No newline at end of file diff --git a/art/bbapp-pattern-serviceworker.ascii-art b/art/bbapp-pattern-serviceworker.ascii-art new file mode 100644 index 0000000..ea554c2 --- /dev/null +++ b/art/bbapp-pattern-serviceworker.ascii-art 
@@ -0,0 +1,24 @@ + Service Resource Authorization + User Application Worker Server Server + | | | | | + | browse | | | | + |----------->| | | | + | |----------->| | /authorize | + | | |---------------------------------->| + | | | redirect w/ authorization code | + | | |< - - - - - - - - - - - - - - - - -| + | | | | | + | | | token request | | + | | | w/ auth code | /token | + | | |---------------------------------->| + | | |< - - - - - - - - - - - - - - - - -| + | | | | | + | | resource | | | + | | request | | | + | |----------->| | | + | | | resource request | | + | | | w/ access token | | + | | |------------------->| | + | | | | | + User Application Service Resource Authorization + Worker Server Server \ No newline at end of file diff --git a/art/bbapp-pattern-standalone.ascii-art b/art/bbapp-pattern-standalone.ascii-art new file mode 100644 index 0000000..a760976 --- /dev/null +++ b/art/bbapp-pattern-standalone.ascii-art @@ -0,0 +1,19 @@ + +---------------+ +--------------+ + | | | | + | Authorization | | Resource | + | Server | | Server | + | | | | + +---------------+ +--------------+ + + ^ ^ ^ + + | | | | + |(B) |(C) |(D) |(E) + | | | | + | | | | + + v + v + ++-----------------+ +-------------------------------+ +| | (A) | | +| Static Web Host | +-----> | Browser | +| | | | ++-----------------+ +-------------------------------+ diff --git a/art/bbapp-pattern-tmb.ascii-art b/art/bbapp-pattern-tmb.ascii-art new file mode 100644 index 0000000..4f5ac86 --- /dev/null +++ b/art/bbapp-pattern-tmb.ascii-art 
@@ -0,0 +1,26 @@ + +---------------+ +----------+ +----------+ + | | | | | | + | Authorization | | Token | | Resource | + | Endpoint | | Endpoint | | Server | + | | | | | | + +---------------+ +----------+ +----------+ + + ^ ^ ^ + | (F)| | + | v | + | | + | +---------------------------+ | + | | | | + | | Token-Mediating Backend | |(J) + (D)| | | | + | +---------------------------+ | + | | + | ^ ^ ^ + | + | (B,I)| (C)| (E)| (G)| | + v v v + v v + ++-----------------+ +-----------------------------------------+ +| | (A,H) | | +| Static Web Host | +-----> | Browser | +| | | | ++-----------------+ +-----------------------------------------+ diff --git a/draft-ietf-oauth-browser-based-apps.md b/draft-ietf-oauth-browser-based-apps.md index 3ac957e..fb79fa6 100644 --- a/draft-ietf-oauth-browser-based-apps.md +++ b/draft-ietf-oauth-browser-based-apps.md 
@@ -372,32 +372,10 @@ If an attacker is able to execute malicious code within the JavaScript applicati ### Application Architecture - +-------------+ +--------------+ +--------------+ - | | | | | | - |Authorization| | Token | | Resource | - | Endpoint | | Endpoint | | Server | - | | | | | | - +-------------+ +--------------+ +--------------+ - - ^ ^ ^ - | (F)| (K)| - | v v - - | +-----------------------------------+ - | | | - | | Backend for Frontend (BFF) | - (D)| | | - | +-----------------------------------+ - | - | ^ ^ ^ + ^ + - | (B,I)| (C)| (E)| (G)| (J)| |(L) - v v v + v + v - - +-----------------+ +-------------------------------------------------+ - | | (A,H) | | - | Static Web Host | +-----> | Browser | - | | | | - +-----------------+ +-------------------------------------------------+ +~~~ aasvg +{::include art/bbapp-pattern-bff.ascii-art} +~~~ +{: #fig-bbapp-pattern-bff title="OAuth 2.0 BFF Pattern" } In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the BFF if there is an active session (B). If an active session is found, the application resumes its authenticated state and skips forward to step J. 
@@ -578,32 +556,10 @@ If an attacker is able to execute malicious code within the JavaScript applicati ### Application Architecture - +-------------+ +--------------+ +--------------+ - | | | | | | - |Authorization| | Token | | Resource | - | Endpoint | | Endpoint | | Server | - | | | | | | - +-------------+ +--------------+ +--------------+ - - ^ ^ ^ - | (F)| | - | v | - | - | +-----------------------+ | - | | | | - | |Token-Mediating Backend| | (J) - (D)| | | | - | +-----------------------+ | - | | - | ^ ^ ^ + | - | (B,I)| (C)| (E)| (G)| | - v v v + v v - - +-----------------+ +-------------------------------------------------+ - | | (A,H) | | - | Static Web Host | +-----> | Browser | - | | | | - +-----------------+ +-------------------------------------------------+ +~~~ aasvg +{::include art/bbapp-pattern-tmb.ascii-art} +~~~ +{: #fig-bbapp-pattern-tmb title="OAuth 2.0 TMB Pattern" } In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the token-mediating backend if there is an active session (B). If an active session is found, the application receives the corresponding access token, resumes its authenticated state, and skips forward to step J. 
@@ -757,25 +713,10 @@ If an attacker is able to execute malicious JavaScript code, this application ar ### Application Architecture - +---------------+ +--------------+ - | | | | - | Authorization | | Resource | - | Server | | Server | - | | | | - +---------------+ +--------------+ - - ^ ^ ^ + - | | | | - |(B) |(C) |(D) |(E) - | | | | - | | | | - + v + v - - +-----------------+ +-------------------------------+ - | | (A) | | - | Static Web Host | +-----> | Browser | - | | | | - +-----------------+ +-------------------------------+ +~~~ aasvg +{::include art/bbapp-pattern-standalone.ascii-art} +~~~ +{: #fig-bbapp-pattern-standalone title="OAuth 2.0 Browser-based OAuth 2.0 Client Pattern" } In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. This application is considered a public 
@@ -1210,25 +1151,10 @@ In an attempt to limit the attacker's ability to extract existing tokens or acqu The sequence diagram included below illustrates the interactions between the client, the Service Worker, the authorization server, and the resource server. - Resource Authorization - User Application Service Worker server server - | browse | | | | - | ------------>| | | | - | |-------------------> | /authorize | - | | --------------------------------------------------------> - | | | redirect w/ authorization code | - | | < - - - - - - - - - - - - - - - - - - - - - - - - - - - | - | | | | | - | | | token request w/ auth code | /token | - | | | ------------------------------------------------------> - | | | <- - - - - - - - - - - - - - - - - - - - - - - - - - -| - | | | | | - | | resource request | | | - | |-------------------> resource request with token | | - | | | ---------------------------->| | - | | | | | - User Application Service Worker Resource Authorization - server server +~~~ aasvg +{::include art/bbapp-pattern-serviceworker.ascii-art} +~~~ +{: #fig-bbapp-pattern-serviceworker title="OAuth 2.0 Service Worker Pattern" } Note that this pattern never exposes the tokens to the application running in the browser. Since the Service Worker runs in an isolated execution environment, there is no shared memory and no way for the client application to influence the execution of the Service Worker. From 5223715f64a0a939ce4845a2df04582cd62ce23e Mon Sep 17 00:00:00 2001 From: duncanwd <86387101+duncanwd@users.noreply.github.com> Date: Tue, 16 Apr 2024 20:46:40 -0500 Subject: [PATCH 2/4] fix: removing trailing linefeeds --- art/bbapp-pattern-standalone.ascii-art | 2 +- art/bbapp-pattern-tmb.ascii-art | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/art/bbapp-pattern-standalone.ascii-art b/art/bbapp-pattern-standalone.ascii-art index a760976..5c43d3a 100644 --- a/art/bbapp-pattern-standalone.ascii-art +++ b/art/bbapp-pattern-standalone.ascii-art 
@@ -16,4 +16,4 @@
 | | (A) | |
 | Static Web Host | +-----> | Browser |
 | | | |
-+-----------------+ +-------------------------------+
++-----------------+ +-------------------------------+
\ No newline at end of file
diff --git a/art/bbapp-pattern-tmb.ascii-art b/art/bbapp-pattern-tmb.ascii-art
index 4f5ac86..f7ee9f3 100644
--- a/art/bbapp-pattern-tmb.ascii-art
+++ b/art/bbapp-pattern-tmb.ascii-art
@@ -23,4 +23,4 @@
 | | (A,H) | |
 | Static Web Host | +-----> | Browser |
 | | | |
-+-----------------+ +-----------------------------------------+
++-----------------+ +-----------------------------------------+
\ No newline at end of file
From 0f6575c8e84f4d0679fb7c3bfad5d9ab2818a212 Mon Sep 17 00:00:00 2001
From: duncanwd <86387101+duncanwd@users.noreply.github.com>
Date: Tue, 16 Apr 2024 21:27:37 -0500
Subject: [PATCH 3/4] fix: cleanup figure title
---
 draft-ietf-oauth-browser-based-apps.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/draft-ietf-oauth-browser-based-apps.md b/draft-ietf-oauth-browser-based-apps.md
index fb79fa6..4a8a568 100644
--- a/draft-ietf-oauth-browser-based-apps.md
+++ b/draft-ietf-oauth-browser-based-apps.md
@@ -716,7 +716,7 @@ If an attacker is able to execute malicious JavaScript code, this application ar
 ~~~ aasvg
 {::include art/bbapp-pattern-standalone.ascii-art}
 ~~~
-{: #fig-bbapp-pattern-standalone title="OAuth 2.0 Browser-based OAuth 2.0 Client Pattern" }
+{: #fig-bbapp-pattern-standalone title="Browser-based OAuth 2.0 Client Pattern" }
 In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. This application is considered a public
From ab3750d2d0592b55fdc506bee9b1e84af2d422a3 Mon Sep 17 00:00:00 2001
From: duncanwd <86387101+duncanwd@users.noreply.github.com>
Date: Wed, 17 Apr 2024 10:17:43 -0500
Subject: [PATCH 4/4] feat: automate aasvg install as recommended
---
 package.json | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 package.json
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..887fabe
--- /dev/null
+++ b/package.json
@@ -0,0 +1,5 @@
+{
+ "dependencies": {
+ "aasvg": "^0.4.0"
+ }
+}
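Review bot: The new package.json declares aasvg under `"dependencies"` with the range `"^0.4.0"` and the diffstat shows no lockfile alongside it, so the exact version and integrity hash of the tool that renders the draft's figures are not recorded anywhere in the repository; each fresh install resolves the newest 0.4.x release, and the build is neither reproducible nor pinned against a compromised or mistaken upstream publish. aasvg is a build-time renderer rather than something the draft ships, so it belongs under `"devDependencies"`, which also keeps it out of any production install. I would change the block to `"devDependencies": { "aasvg": "0.4.0" }` (or keep the caret and commit the package-lock.json that `npm install` generates, then install with `npm ci` in CI so the recorded integrity hashes are actually enforced). The Subject says this automates the "recommended" install; it is worth stating in the commit description which toolchain instructions that refers to so the next maintainer knows why the file exists.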