[OAUTH-WG] Re: Browser-Swapping
"Primbs, Jonas" <jonas.primbs@uni-tuebingen.de> Thu, 06 November 2025 15:35 UTC
From: "Primbs, Jonas" <jonas.primbs@uni-tuebingen.de>
To: Frederik Krogsdal Jacobsen <frederik.krogsdal@criipto.com>
Date: Thu, 06 Nov 2025 15:35:41 +0000
Message-ID: <6F54E803-B4E9-4E68-A48F-2A64560F9688@uni-tuebingen.de>
References: <F032F35A-D55E-40A7-8589-3DD64BF8F7A0@uni-tuebingen.de> <CAMQcq-ZF5QFBELsycQdyQeH8E2kaeCG4P2b=yNtwh=gJRja5hw@mail.gmail.com> <BA78ED94-7575-4ACA-9C26-C135BC424282@uni-tuebingen.de> <CAMQcq-a7LWonU-WS7L5g8pRNsbv7q=mgkioMWvQepvzBL9FMFw@mail.gmail.com>
In-Reply-To: <CAMQcq-a7LWonU-WS7L5g8pRNsbv7q=mgkioMWvQepvzBL9FMFw@mail.gmail.com>
CC: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Browser-Swapping
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-oQwz-JAA-3PfjNQwwqI94eMl8k>
Hi Frederik,

> On 06.11.2025 at 04:00, Frederik Krogsdal Jacobsen <frederik.krogsdal@criipto.com> wrote:
>
> Hi Jonas,
>
> On Wed, 5 Nov 2025 at 16:25, Primbs, Jonas <jonas.primbs@uni-tuebingen.de> wrote:
>> yes, calling the token request validly, thereby invalidating the authorization code for future usage by the attacker, and throwing away the token response could also be a solution.
>> However, I am not sure what the implications could be with respect to how authorization servers handle this (e.g., starting a session, which confuses users when they look at the list of active sessions) or how clients handle this (e.g., logging tokens in a potential crash dump).
>> If authorization servers implement token revocation correctly, when authorization codes are used twice, sending a second valid token request with the same authorization code afterwards might ensure that the issued tokens cannot be used anymore.
>
> Good point about the implications wrt. lists of active sessions etc. For many cases this is a non-issue, but it might be confusing to some users.
> I don't see how logging tokens as a concern is impacted by using the code-exchange invalidation approach. If clients were doing this, they would already be doing it now.
>
>> Again, this might fail if the client faces any issues. So I prefer a standardized authorization code invalidation mechanism.
>> One opportunity here, which is already standardized, is enforcing PKCE and sending no code_verifier in the token request intentionally.
>
> Yes, I think this would work for any AS that supports PKCE.
>
>> If there already is a spec for that in CIBA, we should include or at least reference this in the OAuth 2.1 spec.
>
> There is not. My intention was to say that a general invalidation mechanism could also be useful for CIBA.
> Do you think adding this to OAuth 2.1 and referencing this in CIBA is the right place to go?
>
> In general, I don't think form_post is the way to go.

At least I don't have good experiences with it regarding user drop-off, and there are also the concerns mentioned by others on the thread. What about „client implementers SHOULD use form_post for server-side clients“ and not deprecating response_mode=query? Because if developers have good reasons why they need response_mode=query, they can still do that, but they should know about the implications of doing this.

> Cheers,
> Frederik
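As an added illustration (not code from this thread or from any real authorization server), a toy token endpoint modelling the two mechanisms discussed above: single-use authorization codes whose reuse revokes the tokens already issued for them, and PKCE enforcement that lets a client burn a code it does not want exchanged by deliberately omitting code_verifier. Assumption, as the thread itself notes: this toy AS consumes a code on any token request that names it, including one that fails the PKCE check, which real servers do not all guarantee.

```python
import base64
import hashlib
import secrets

def s256(verifier: str) -> str:
    """PKCE S256 code_challenge for a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenEndpoint:
    """Toy AS token endpoint: single-use codes, PKCE required, and revocation
    of every token issued from a code that is presented a second time."""
    def __init__(self):
        self.codes = {}     # code -> {"challenge", "used", "tokens"}
        self.revoked = set()

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"challenge": code_challenge, "used": False, "tokens": set()}
        return code

    def token(self, code: str, code_verifier=None) -> dict:
        rec = self.codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            self.revoked |= rec["tokens"]  # reuse: revoke what the first use yielded
            return {"error": "invalid_grant"}
        rec["used"] = True  # assumption: any request naming the code consumes it
        if code_verifier is None:
            return {"error": "invalid_request"}  # PKCE enforced, verifier missing
        if not secrets.compare_digest(s256(code_verifier), rec["challenge"]):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(16)
        rec["tokens"].add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}

    def is_valid(self, access_token: str) -> bool:
        return access_token not in self.revoked and any(
            access_token in rec["tokens"] for rec in self.codes.values())


def burn_code(asrv: TokenEndpoint, code: str) -> bool:
    """Client-side step from the thread: a client that decides not to use a code
    sends a token request without code_verifier; the AS rejects it and the code
    can no longer be exchanged by anyone. The response is discarded on purpose."""
    asrv.token(code)
    return asrv.codes[code]["used"]
```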