feat: narrowing ascii-art and adding svg support #50

Merged (4 commits), May 1, 2024
26 changes: 26 additions & 0 deletions art/bbapp-pattern-bff.ascii-art
@@ -0,0 +1,26 @@
+---------------+ +----------+ +----------+
| | | | | |
| Authorization | | Token | | Resource |
| Endpoint | | Endpoint | | Server |
| | | | | |
+---------------+ +----------+ +----------+

^ ^ ^
| (F)| (K)|
| v v
|
| +------------------------------+
| | |
| | Backend for Frontend (BFF) |
(D)| | |
| +------------------------------+
|
| ^ ^ ^ + ^ +
| (B,I)| (C)| (E)| (G)| (J)| |(L)
v v v + v + v

+-----------------+ +-----------------------------------------+
| | (A,H) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-----------------------------------------+
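Review bot: now that this art is fed to aasvg instead of being emitted verbatim, the column alignment of the `^`, `v`, `+` glyphs with the `|` lines in the two legend rows (`| ^ ^ ^ + ^ +` / `v v v + v + v`) decides how the arrows render, so please render the SVG and eyeball it before merging. In particular the `+` used here as the arrowless tail of the one-way arrows (E, G, J, L) is a junction/corner marker for aasvg rather than a plain line end; if it comes out as a stray dot or elbow, end those lines with a bare `|` instead.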
24 changes: 24 additions & 0 deletions art/bbapp-pattern-serviceworker.ascii-art
@@ -0,0 +1,24 @@
Service Resource Authorization
User Application Worker Server Server
| | | | |
| browse | | | |
|----------->| | | |
| |----------->| | /authorize |
| | |---------------------------------->|
| | | redirect w/ authorization code |
| | |< - - - - - - - - - - - - - - - - -|
| | | | |
| | | token request | |
| | | w/ auth code | /token |
| | |---------------------------------->|
| | |< - - - - - - - - - - - - - - - - -|
| | | | |
| | resource | | |
| | request | | |
| |----------->| | |
| | | resource request | |
| | | w/ access token | |
| | |------------------->| |
| | | | |
User Application Service Resource Authorization
Worker Server Server
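Review bot: the dashed return arrows (`|< - - - - - - -|`) put a space between the `<` arrowhead and the first `-`, and the rest of the line is spaced dashes; aasvg attaches an arrowhead to an adjacent line character and may draw the spaced dashes as disconnected fragments, so check the rendered output of the two redirect/token responses and, if they break up, use a contiguous line for the arrow body. Also, the lane label "Service Worker" is split over the two header lines (and again in the footer), so make sure both words stay aligned over the same `|` column so they are recognised as one label.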
19 changes: 19 additions & 0 deletions art/bbapp-pattern-standalone.ascii-art
@@ -0,0 +1,19 @@
+---------------+ +--------------+
| | | |
| Authorization | | Resource |
| Server | | Server |
| | | |
+---------------+ +--------------+

^ ^ ^ +
| | | |
|(B) |(C) |(D) |(E)
| | | |
| | | |
+ v + v

+-----------------+ +-------------------------------+
| | (A) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-------------------------------+
26 changes: 26 additions & 0 deletions art/bbapp-pattern-tmb.ascii-art
@@ -0,0 +1,26 @@
+---------------+ +----------+ +----------+
| | | | | |
| Authorization | | Token | | Resource |
| Endpoint | | Endpoint | | Server |
| | | | | |
+---------------+ +----------+ +----------+

^ ^ ^
| (F)| |
| v |
| |
| +---------------------------+ |
| | | |
| | Token-Mediating Backend | |(J)
(D)| | | |
| +---------------------------+ |
| |
| ^ ^ ^ + |
| (B,I)| (C)| (E)| (G)| |
v v v + v v

+-----------------+ +-----------------------------------------+
| | (A,H) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-----------------------------------------+
106 changes: 16 additions & 90 deletions draft-ietf-oauth-browser-based-apps.md
Expand Up @@ -372,32 +372,10 @@ If an attacker is able to execute malicious code within the JavaScript applicati

### Application Architecture

+-------------+ +--------------+ +--------------+
| | | | | |
|Authorization| | Token | | Resource |
| Endpoint | | Endpoint | | Server |
| | | | | |
+-------------+ +--------------+ +--------------+

^ ^ ^
| (F)| (K)|
| v v

| +-----------------------------------+
| | |
| | Backend for Frontend (BFF) |
(D)| | |
| +-----------------------------------+
|
| ^ ^ ^ + ^ +
| (B,I)| (C)| (E)| (G)| (J)| |(L)
v v v + v + v

+-----------------+ +-------------------------------------------------+
| | (A,H) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-------------------------------------------------+
~~~ aasvg
{::include art/bbapp-pattern-bff.ascii-art}
~~~
{: #fig-bbapp-pattern-bff title="OAuth 2.0 BFF Pattern" }


In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the BFF if there is an active session (B). If an active session is found, the application resumes its authenticated state and skips forward to step J.
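Review bot: `{::include art/bbapp-pattern-bff.ascii-art}` is resolved relative to the directory kramdown-rfc runs in, so the Makefile / CI step has to run from the repository root (or be given the `art/` directory), otherwise the build fails on a missing include. The new `{: #fig-bbapp-pattern-bff title="OAuth 2.0 BFF Pattern" }` anchor is not referenced anywhere in the prose that follows, which still orients the reader by step letters only; consider cross-referencing the figure from the text so the anchor earns its keep, and drop one of the two blank lines after the attribute block.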
Expand Down Expand Up @@ -578,32 +556,10 @@ If an attacker is able to execute malicious code within the JavaScript applicati

### Application Architecture

+-------------+ +--------------+ +--------------+
| | | | | |
|Authorization| | Token | | Resource |
| Endpoint | | Endpoint | | Server |
| | | | | |
+-------------+ +--------------+ +--------------+

^ ^ ^
| (F)| |
| v |
|
| +-----------------------+ |
| | | |
| |Token-Mediating Backend| | (J)
(D)| | | |
| +-----------------------+ |
| |
| ^ ^ ^ + |
| (B,I)| (C)| (E)| (G)| |
v v v + v v

+-----------------+ +-------------------------------------------------+
| | (A,H) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-------------------------------------------------+
~~~ aasvg
{::include art/bbapp-pattern-tmb.ascii-art}
~~~
{: #fig-bbapp-pattern-tmb title="OAuth 2.0 TMB Pattern" }


In this architecture, the JavaScript code is first loaded from a static web host into the browser (A), and the application then runs in the browser. The application checks with the token-mediating backend if there is an active session (B). If an active session is found, the application receives the corresponding access token, resumes its authenticated state, and skips forward to step J.
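Review bot: the caption `title="OAuth 2.0 TMB Pattern"` uses an abbreviation that is only expanded in the art and the section text; since figure titles end up in the rendered document's list of figures on their own, prefer "OAuth 2.0 Token-Mediating Backend (TMB) Pattern" so the caption stands alone, matching how the BFF figure spells out its pattern in the art.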
Expand Down Expand Up @@ -757,25 +713,10 @@ If an attacker is able to execute malicious JavaScript code, this application ar

### Application Architecture

+---------------+ +--------------+
| | | |
| Authorization | | Resource |
| Server | | Server |
| | | |
+---------------+ +--------------+

^ ^ ^ +
| | | |
|(B) |(C) |(D) |(E)
| | | |
| | | |
+ v + v

+-----------------+ +-------------------------------+
| | (A) | |
| Static Web Host | +-----> | Browser |
| | | |
+-----------------+ +-------------------------------+
~~~ aasvg
{::include art/bbapp-pattern-standalone.ascii-art}
~~~
{: #fig-bbapp-pattern-standalone title="Browser-based OAuth 2.0 Client Pattern" }

In this architecture, the JavaScript code is first loaded from a static web host into
the browser (A), and the application then runs in the browser. This application is considered a public
Expand Down Expand Up @@ -1210,25 +1151,10 @@ In an attempt to limit the attacker's ability to extract existing tokens or acqu

The sequence diagram included below illustrates the interactions between the client, the Service Worker, the authorization server, and the resource server.

Resource Authorization
User Application Service Worker server server
| browse | | | |
| ------------>| | | |
| |-------------------> | /authorize |
| | -------------------------------------------------------->
| | | redirect w/ authorization code |
| | < - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| | | | |
| | | token request w/ auth code | /token |
| | | ------------------------------------------------------>
| | | <- - - - - - - - - - - - - - - - - - - - - - - - - - -|
| | | | |
| | resource request | | |
| |-------------------> resource request with token | |
| | | ---------------------------->| |
| | | | |
User Application Service Worker Resource Authorization
server server
~~~ aasvg
{::include art/bbapp-pattern-serviceworker.ascii-art}
~~~
{: #fig-bbapp-pattern-serviceworker title="OAuth 2.0 Service Worker Pattern" }

Note that this pattern never exposes the tokens to the application running in the browser. Since the Service Worker runs in an isolated execution environment, there is no shared memory and no way for the client application to influence the execution of the Service Worker.
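Review bot: the lead-in sentence says the diagram shows "the client, the Service Worker, the authorization server, and the resource server", but the included art labels the client lane "Application" and adds a separate "User" lane that the sentence does not mention; align the terminology in one place (either name the lanes as in the text or update the sentence to list User and Application) so the reader does not have to map "client" onto "Application" themselves.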

5 changes: 5 additions & 0 deletions package.json
@@ -0,0 +1,5 @@
{
"dependencies": {
"aasvg": "^0.4.0"
}
}
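Review bot: `"aasvg": "^0.4.0"` is a floating range and the diff adds no lockfile and no build hook, so two builds can render different SVG and a fresh checkout has nothing that installs the tool before kramdown-rfc invokes it. Commit a `package-lock.json` (and run `npm ci` in the Makefile / CI job that builds the draft), and add `"private": true` so the package cannot be published by accident.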