Re: [OAUTH-WG] Google's use of Implicit Grant Flow

<Sebastian.Ebling@telekom.de> Fri, 17 February 2017 16:03 UTC

Return-Path: <prvs=214125624=Sebastian.Ebling@telekom.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23C3112944D for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 08:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telekom.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4nNy1kRnf_2 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 08:03:56 -0800 (PST)
Received: from MAILOUT21.telekom.de (MAILOUT21.telekom.de [80.149.113.251]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D305127071 for <oauth@ietf.org>; Fri, 17 Feb 2017 08:03:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telekom.de; i=@telekom.de; q=dns/txt; s=dtag1; t=1487347435; x=1518883435; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=OzhPpuqs/GLG1zRLbhNeqUzthXwxEejg1dRS3pwC+Y8=; b=xEDPFIMoqAhQXa9QXOI5vUsuO7UkXk01PK1+mDiMoEj0mBBDoBjkzmcg w6cA8Dgigxzro536i1K4DTrLV2/sGpmvpQEfEwWhYn+ZIN6a17HcCgT+P rLx29WzohkEaK7M+f2/TsMIpEbLoCOcqRjNreafdBLJNTIqlm/F8rDDeA pgbt+otLmrlSkk0Ie9WVHiILhgZzY7yXVvbeYFLg2JHuEP6/rjF5Tpplc AL86CZxfyVOQi7AbXQ/glmY8/96YYNVvqkyi0NMbLzpTNKQIv2Cdu3dWT xEYriwLChVbC9P8ilO5eUWJsfMu7TWQA9pvNK9uFwsU4FLZiQnsvtfa6k w==;
Received: from q4de8psa04t.blf.telekom.de ([10.151.13.130]) by MAILOUT21.telekom.de with ESMTP/TLS/DHE-RSA-AES128-SHA; 17 Feb 2017 17:03:53 +0100
X-IronPort-AV: E=Sophos;i="5.35,172,1484002800"; d="scan'208,217";a="621113027"
Received: from he105715.emea1.cds.t-internal.com ([10.169.118.51]) by Q4DE8PSA04V.blf.telekom.de with ESMTP/TLS/AES256-SHA; 17 Feb 2017 17:03:53 +0100
Received: from HE105717.EMEA1.cds.t-internal.com (10.169.118.53) by HE105715.emea1.cds.t-internal.com (10.169.118.51) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 17 Feb 2017 17:03:53 +0100
Received: from HE105717.EMEA1.cds.t-internal.com ([fe80::5881:9115:c037:89f8]) by HE105717.emea1.cds.t-internal.com ([fe80::5881:9115:c037:89f8%26]) with mapi id 15.00.1263.000; Fri, 17 Feb 2017 17:03:52 +0100
From: <Sebastian.Ebling@telekom.de>
To: <bburke@redhat.com>, <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Google's use of Implicit Grant Flow
Thread-Index: AQHSiKZY8rBjj2HMMkuyqR4U8Rqi96FsMosAgAEqb+A=
Date: Fri, 17 Feb 2017 16:03:52 +0000
Message-ID: <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com>
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com>
In-Reply-To: <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.157.116.64]
Content-Type: multipart/alternative; boundary="_000_600a2fe3fbc147588baedb557e6e5938HE105717emea1cdstintern_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-lEv3Uw2bygZfAczwVHLu5A443c>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 16:03:58 -0000

Same for Deutsche Telekom. Our javascript clients also use code flow with CORS processing and of course redirect_uri validation.

Best regards

Sebastian

Von: OAuth [mailto:oauth-bounces@ietf.org] Im Auftrag von Bill Burke
Gesendet: Freitag, 17. Februar 2017 00:14
An: oauth@ietf.org
Betreff: Re: [OAUTH-WG] Google's use of Implicit Grant Flow


For our IDP [1], our javascript library uses the auth code flow, but requires a public client, redirect_uri validation, and also does CORS checks and processing.  We did not like Implicit Flow because

1) access tokens would be in the browser history

2) short lived access tokens (seconds or minutes) would require a browser redirect

I'd be really curious to hear other's thoughts though.

[1] http://keycloak.org





On 2/16/17 5:44 PM, Jim Manico wrote:

Hello Folks,

I noticed that Google supports the OAuth 2 Implicit flow for third-party JavaScript applications.

https://developers.google.com/identity/protocols/OAuth2UserAgent

Isn't this generally discouraged from a security POV? Is there a better OAuth 2 flow for third party SPA applications?
Aloha,


--

Jim Manico

Manicode Security

https://www.manicode.com




_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth