Re: [OAUTH-WG] WGLC for Browser-based Apps
Dick Hardt <dick.hardt@gmail.com> Mon, 28 August 2023 16:14 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E6C8C151522 for <oauth@ietfa.amsl.com>; Mon, 28 Aug 2023 09:14:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVi7gt0eb-pA for <oauth@ietfa.amsl.com>; Mon, 28 Aug 2023 09:14:15 -0700 (PDT)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D15D4C15107D for <oauth@ietf.org>; Mon, 28 Aug 2023 09:14:14 -0700 (PDT)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-58fba83feb0so38927697b3.3 for <oauth@ietf.org>; Mon, 28 Aug 2023 09:14:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693239254; x=1693844054; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wKGCW/TVP8DBkQJ/SzDh7k9u7ab/WZ0U9y7WD8vFbJw=; b=GLY2OItSCYJu0L+KYPOY2VhYh9yu2w/dURittvRzaYK3XUw7fNyv7WGJuXj/0Csnsb K9yKI+XXuc9p2LSOGtzjk7YaTMBJtJYPaa9wGKovOwHvQeT3xJ1H8jSLNNAar2ZcYNx/ QhzfycXNbFvCGJLwnzruN4guOoyudd284I56rTCFbEJEh1XzPK63lHN1eHR2yEnrF0Bj hyU4yJ+dyXtWKtao9qhket4tHlT3hxfEC9/TGK2ECOu6Phd+p+XZlzkpilt63/UPFnHU QRGavtxFPJQtmrX9QCjcW8gZfGxk4yAO0WNPNSpCZIA3s6WrRLltdZD2J+1z1DFUUWcJ aA/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693239254; x=1693844054; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wKGCW/TVP8DBkQJ/SzDh7k9u7ab/WZ0U9y7WD8vFbJw=; b=S8gxYZs2a2oZocMRsMD1sQ73xZxNMhZCHxkdz7Q6gTPZycWlV8FNyNAAcM8tlXniGl KdNt4pUmh8C0JJxlzdWfei4gj2O1nkLp7K+XnEx3Li5j4zDQ4d6xs6DKzdqVsWY5IfLm nw/805mKyhw8/tDWadeYHfhPwsMnTqH4MPHCkQQEVgm6s+UK1iERVPhsCP3ARCjAXTSt /Aw4oOIANtc8caTGM/poeKeOPmAU0M0OzNPFgXNPThr8kStGtDUV4oHlzoJRApfYHRSs 5X3H7sODZAfVKs4B6Q9HuYBtZB/tgwSOhln0T+LV/CGaYd4nc+/OlhnVlcRxWuvI+sCl sa4A==
X-Gm-Message-State: AOJu0YxwS9lCUhiCHhWoQxthHnOaf1bkEN/XMNGaAwHcpJlNp9w19Qy2 v/DKROLT9B1SLhdAcwvkaT4/GtUodHTOpcEHWDeHo3Xh
X-Google-Smtp-Source: AGHT+IHY0+JHlLMC+jrR+4KvjbrIpxQ5lIVwtlNclr9eNM/tDIjLamNKSXtBE/AzrxMHxRloNA/muH4uRLjoMJyLbEU=
X-Received: by 2002:a5b:610:0:b0:d74:62df:e802 with SMTP id d16-20020a5b0610000000b00d7462dfe802mr23543999ybq.0.1693239253725; Mon, 28 Aug 2023 09:14:13 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9gdt6NiaiMiqaM3mbjb44dRfECBnSgrkCg0DLa+w1fEg@mail.gmail.com> <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com> <CAD9ie-sWpmHRVC_4BvhH4qHKfcLSh3VvhRSwR_FOOPEA4RQLnA@mail.gmail.com> <5570D43B-B477-44B6-B135-0F0C069129D1@pragmaticwebsecurity.com> <CAD9ie-v1xUQ2a5n527d38tQ91CkChP0NQcAjdzi+AwOV-Yh4oQ@mail.gmail.com> <0F60DFB9-B815-4A80-AFE5-AF73DBF634FD@pragmaticwebsecurity.com> <CALNQ_jJgN2t9ObzSPHYBajkFyiDX1P0xNt6VwAH3BWftCv_JHQ@mail.gmail.com> <6B24C74F-A35B-4229-BE70-4DD1414A9161@pragmaticwebsecurity.com> <CALNQ_jL0yDpNx5NsJZK+ssTxc3=krUUPAFAWBByU64LNL6+OqA@mail.gmail.com> <0B0FA547-78DC-4F71-83CD-8F07A97811F1@pragmaticwebsecurity.com> <CALNQ_jJkECULxcBG_NYY1aNdFPht9LNcmknKw21O38eLoi-9Eg@mail.gmail.com> <CAK2Cwb5BNfZtKSYXUj-Sy9QDPeEM-gUewYPyn4zxX0X6dV+DDQ@mail.gmail.com> <CALNQ_jLYm+bE6rR7pXHSHiSS7s=n23kqrp-1TduCeuPo9c4izQ@mail.gmail.com> <CAHsNOKcRUmZ5TgjUmmD0fJ7LePkmWr8yUjsduurxUERw8nik2Q@mail.gmail.com> <CALNQ_jJrcQWOmvJYOzB62kC3gvyNJ-fjNEsdsAsA9jC-S_ikJQ@mail.gmail.com> <CAGBSGjrxf1_afvJ3hbbX_SXeRK9GSEoocTQVyB1CkXEaHpoqTg@mail.gmail.com> <CALNQ_jLZ5QnOcbFUpSgoRy1j0UdVUqF_N_GA3KEtsSYeatg7uQ@mail.gmail.com> <CAGBSGjoxZ7r31cwT+=oWqXw5YYDUycxdJUMsUdq3X7SsGsavAg@mail.gmail.com>
In-Reply-To: <CAGBSGjoxZ7r31cwT+=oWqXw5YYDUycxdJUMsUdq3X7SsGsavAg@mail.gmail.com>
Reply-To: Dick.Hardt@gmail.com
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 28 Aug 2023 09:13:37 -0700
Message-ID: <CAD9ie-vBkbG1d_rNuMyCxL+XRA44aFBwMyvyW8D+nHvdk8cumQ@mail.gmail.com>
To: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
Cc: Yannick Majoros <yannick@valuya.be>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003cf8670603fdfc74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-pd84hUXPNlcTOobW90Yjc-9QCI>
Subject: Re: [OAUTH-WG] WGLC for Browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2023 16:14:19 -0000
While a breach of a BFF may be as catastrophic as an exfiltration of an access token, the BFF may also be more secure against a breach. For example, a BFF could detect a possible compromise by the API usage pattern becoming unusual to the app, that a RS is not able to detect as the general usage patterns are less defined, and the BFF could then stop processing requests. On Mon, Aug 28, 2023 at 8:58 AM Aaron Parecki <aaron= 40parecki.com@dmarc.ietf.org> wrote: > > An XSS compromise would allow an attacker to call the resource server > from the browser context through the BFF, which would lead to the same > catastrophous result as doing it from another context. > > There is a huge difference between being able to access resources through > the user's browser while it's online vs being able to access resources > without the browser's involvement. > > Additionally, in many cases, the BFF exposes only a subset of actions of > the resource server to the client. Or put another way, sometimes access > tokens can access more resources than just the ones the BFF can access. > This obviously doesn't apply to everyone, but it's still common enough to > be significant. This is briefly mentioned in the security considerations > already: > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-reducing-the-impact-of-toke > > Aaron > > > On Mon, Aug 28, 2023 at 8:51 AM Yannick Majoros <yannick@valuya.be> wrote: > >> An XSS compromise would allow an attacker to call the resource server >> from the browser context through the BFF, which would lead to the same >> catastrophous result as doing it from another context. >> >> Cookies are sent automatically, potentially to resources which shouldn't >> get it. Same threat level as a token that is too broadly scoped, really. >> >> You really have a point about refresh tokens here, but they are a >> separate, real issue. Refresh tokens should be avoided whenever you can do >> without. Any pattern that can keep them safe is on the same level, but >> their safety is always relative. They make any attack worse, indeed (and >> that is also true for BFFs in some scenario's). This isn't specifically >> about BFFs. >> >> Le lun. 28 août 2023 à 17:38, Aaron Parecki <aaron@parecki.com> a écrit : >> >>> > BFFs are not any safer, XSS or any successful malicious javascript >>> execution has the same end effect >>> >>> As described in the draft as well as in this email thread, this is >>> incorrect. >>> >>> An XSS compromise of the BFF architecture results in the attacker being >>> able to make requests to the BFF with the legitimate user's cookie, as long >>> as the user's browser is active. An XSS compromise of a SPA results in the >>> attacker being able to obtain access tokens (and possible refresh tokens), >>> which results in the attacker being able to access the resource server >>> directly, outside of the context of the user's browser, which may allow the >>> attacker to access far more data than the browser app alone, and for a >>> longer period of time. >>> >>> The difference between these threats is extremely significant. >>> >>> Aaron >>> >>> On Mon, Aug 28, 2023 at 8:14 AM Yannick Majoros <yannick@valuya.be> >>> wrote: >>> >>>> My last comment was rather ironic: user-facing applications are >>>> dangerous (security is hard, which I say nothing with), and that is true >>>> for any scheme.. BFFs are not any safer, XSS or any successful malicious >>>> javascript execution has the same end effect (=game over, complete >>>> compromise of authenticated calls), and there was still no >>>> factual demonstration of multiple levels of security here. See my detailed >>>> explanations. >>>> >>>> Le lun. 28 août 2023 à 11:35, Steinar Noem <steinar@udelt.no> a écrit : >>>> >>>>> I think this is a great discussion, and it seems to me that Yannicks >>>>> last comment is basically what Phillippe is trying to point out.. >>>>> I just wanted to remind the authors about a couple of things that we >>>>> briefly discussed during OSW in London. >>>>> >>>>> Although it might not be directly relevant for this discussion I do >>>>> think that it might be a good idea that the spec mentions that: >>>>> >>>>> - The level of security you require for any client is often a >>>>> reflection of the sensitivity of the information that the API exposes. You >>>>> will have different requirements for confidential information than for open >>>>> data. An example of a similar recommendation can be found in the HTTP >>>>> Semantics specification: https://httpwg.org/specs/rfc9110.html#GET >>>>> - In my domain it is most often the owner of the API (the data >>>>> controller) who defines and approves the level of security which it finds >>>>> to fit their responsibilities (e.g. legal obligations) - although in some >>>>> cases it might be both the data provider and the data consumer. Meaning - >>>>> this BCP might be equally important for the API-owner as it is to the >>>>> client developer. >>>>> - I think this discussion shows that any mitigation on the browser >>>>> side will only raise the bar for the attacker, and can never be a fully >>>>> effective countermeasure. I think this point could be even more clearly >>>>> stated early in the spec, and that both the API-owner or client owner >>>>> should be aware of this risk, and select their appropriate choice of >>>>> security measures based on a risk assessment. In some cases their >>>>> conclusion might be that a browser based app is not secure enough for >>>>> their responsibilities. >>>>> >>>>> >>>>> S >>>>> >>>>> søn. 27. aug. 2023 kl. 18:41 skrev Yannick Majoros <yannick@valuya.be >>>>> >: >>>>> >>>>>> Yes, but this is true for all flows. Web applications are dangerous. >>>>>> Applications handling user input are dangerous too. >>>>>> >>>>>> Le dim. 27 août 2023, 17:46, Tom Jones <thomasclinganjones@gmail.com> >>>>>> a écrit : >>>>>> >>>>>>> You can write your code as strong as you wish. You cannot determine >>>>>>> if the code running in the computer is that code running unaltered. >>>>>>> ..tom >>>>>>> >>>>>>> >>>>>>> On Sun, Aug 27, 2023 at 5:25 AM Yannick Majoros <yannick@valuya.be> >>>>>>> wrote: >>>>>>> >>>>>>>> Thanks for taking the time to respond and for the constructive >>>>>>>> feedback. >>>>>>>> >>>>>>>> Still, there is some initial incorrect point that makes the rest of >>>>>>>> the discussion complicated, and partly wrong. >>>>>>>> >>>>>>>> Specifically, §6.4.2.1 says this: *The service worker MUST NOT >>>>>>>> transmit tokens, authorization codes or PKCE code verifier to the frontend >>>>>>>> application.* >>>>>>>> >>>>>>>> Wording should be refined, but the idea is that the service worker >>>>>>>> is to actually restrict authorization codes from even reaching the >>>>>>>> frontend. Of course, easier said than done, but that part happens to be >>>>>>>> quite easy to implement. >>>>>>>> >>>>>>>> This has further impact on much of the other statements: >>>>>>>> *> The main problem with a browser-only client is that the attacker >>>>>>>> with control over the client has the ability to run a silent Authorization >>>>>>>> Code flow, which provides them with an independent set of tokens* >>>>>>>> [...] >>>>>>>> *> **The security differences between a BFF and a browser-only app >>>>>>>> are not about token storage, but about the attacker being able to run a new >>>>>>>> flow to obtain tokens.* >>>>>>>> [...] >>>>>>>> *> Again, the security benefits of a BFF are not about stoken >>>>>>>> storage. Even if you find the perfect storage solution for non-extractable >>>>>>>> tokens in the browser, an attacker still controls the client application >>>>>>>> and can simply request a new set of tokens. * >>>>>>>> >>>>>>>> Truth is: no, you can't start a new authentication flow and get the >>>>>>>> authorization code back in the main thread. I'm talking about the >>>>>>>> redirection scenario, which I'm the most familiar with, but it would >>>>>>>> probably apply to the "message" one as well (which is new to me and seems >>>>>>>> to be ashtoningly legit due to vague "for example" wording in the OAuth2 >>>>>>>> spec :-) ). >>>>>>>> >>>>>>>> The service worker, according to >>>>>>>> https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerGlobalScope/fetch_event#description >>>>>>>> , just intercepts the authorization code, gets a token, and never sends it >>>>>>>> back to the main code. >>>>>>>> >>>>>>>> But don't trust me on my words: what about demonstrating our claims >>>>>>>> with actual code, and as such create a shorter, simpler, but more >>>>>>>> constructive discussion? >>>>>>>> >>>>>>>> The demonstration in its current form would not lead to a >>>>>>>> successful compromise of a good implementation of access tokens handled by >>>>>>>> a service worker. >>>>>>>> >>>>>>>> Yannick >>>>>>>> >>>>>>>> >>>>>>>> Le sam. 26 août 2023 à 14:20, Philippe De Ryck < >>>>>>>> philippe@pragmaticwebsecurity.com> a écrit : >>>>>>>> >>>>>>>>> My responses inline. >>>>>>>>> >>>>>>>>> >>>>>>>>> Hi everyone, >>>>>>>>> >>>>>>>>> The document is about "OAuth 2.0 for Browser-Based Apps". Its >>>>>>>>> abstract further explains that it "details the security considerations and >>>>>>>>> best practices that must be taken into account when developing >>>>>>>>> browser-based applications that use OAuth 2.0.". >>>>>>>>> >>>>>>>>> As such, detailing security considerations is important. I share >>>>>>>>> the point of view that basing web applications on proven concepts is >>>>>>>>> important. The approaches detailed in the document have all their >>>>>>>>> advantages and disadvantages. >>>>>>>>> >>>>>>>>> >>>>>>>>> We have discussed the topic of browser-based apps in depth at the >>>>>>>>> OAuth Security Workshop last week. I am also working with Aaron Parecki on >>>>>>>>> updating the specification to more accurately reflect these advantages and >>>>>>>>> disadvantages. Updates will go out in the coming days/weeks, so we more >>>>>>>>> than welcome concrete feedback on the content there. >>>>>>>>> >>>>>>>>> There are 2 main approaches to browser-based applications >>>>>>>>> security. One of them is to store security credentials at the frontend. The >>>>>>>>> other one is to use cookies and a BFF. Though common practice, there is >>>>>>>>> nothing fundamentally more secure about them in a demonstrable way. >>>>>>>>> Different approaches, different characteristics and security assumptions. >>>>>>>>> Nobody can prove that either approach is better, just that there are >>>>>>>>> different concerns. >>>>>>>>> >>>>>>>>> Handling security in BFFs relies on cookies that cannot be read by >>>>>>>>> the javascript application. This mechanism provides some reliable >>>>>>>>> protection about the cookie itself that is used as a kind of credential to >>>>>>>>> access confidential web resources. It obviously demands some additional >>>>>>>>> layers in the flow (proxy or light server). You also need a mechanism to >>>>>>>>> share session information, either at the server side, or for example by >>>>>>>>> having the cookie itself hold that information. A bigger concern to me is >>>>>>>>> that you basically give up standard mechanisms for securing the flow >>>>>>>>> between the frontend and the backend: the security between the two is a >>>>>>>>> custom solution (based on cookies, in a specific, custom way, this part >>>>>>>>> being in no way OAuth or standard). This solves the problem by not using >>>>>>>>> OAuth at all in the browser part of the application, basically making the >>>>>>>>> client application purely backend. However, the fact that browser-based >>>>>>>>> applications cannot be secured with OAuth isn't universally true, and >>>>>>>>> strongly depends on one's definition of "secure", and basically comes down >>>>>>>>> to what the security issue is. >>>>>>>>> >>>>>>>>> >>>>>>>>> The updated specification will clearly outline the security >>>>>>>>> considerations when making the browser-based application a public OAuth >>>>>>>>> client. >>>>>>>>> >>>>>>>>> *The main problem with a browser-only client is that the attacker >>>>>>>>> with control over the client has the ability to run a silent Authorization >>>>>>>>> Code flow, which provides them with an independent set of tokens.* >>>>>>>>> These tokens give the attacker long-term and unrestricted access in the >>>>>>>>> name of the user. A BFF-based architecture does not suffer from this issue, >>>>>>>>> since the OAuth client is a confidential client. Regardless of one’s >>>>>>>>> definition of “secure”, this is a clear difference on the achievable level >>>>>>>>> of security. >>>>>>>>> >>>>>>>>> Of course, as stated multiple times before, the use of a BFF does >>>>>>>>> not eliminate the presence of the malicious JS, nor does it solve all abuse >>>>>>>>> scenarios. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Storing tokens at the frontend has advantages: it solves my >>>>>>>>> concern above about a standard based flow between the frontend and the >>>>>>>>> backend. >>>>>>>>> >>>>>>>>> >>>>>>>>> The use of cookies is a core building block of the web, and is >>>>>>>>> quite standard. >>>>>>>>> >>>>>>>>> It's simpler from an operational point of view. And it's been used >>>>>>>>> in the wild for ages. >>>>>>>>> >>>>>>>>> >>>>>>>>> Anyone using a browser-only client should be informed about the >>>>>>>>> clear and significant dangers of this approach, which the updated >>>>>>>>> specification will do. >>>>>>>>> >>>>>>>>> >>>>>>>>> Both flows have been compromised numerous times. This doesn't mean >>>>>>>>> they are not right by design, but that the specific security concerns have >>>>>>>>> to be addressed. >>>>>>>>> >>>>>>>>> >>>>>>>>> If you have specific security concerns about a BFF, I’d suggest >>>>>>>>> raising them. Until now, I have only seen arguments that highlight the >>>>>>>>> additional effort it takes to implement a BFF, but nothing to undermine its >>>>>>>>> security. Plenty of highly sensitive applications in the healthcare and >>>>>>>>> financial industry opt for a BFF for its improved security properties and >>>>>>>>> consider this trade-off to be favorable. >>>>>>>>> >>>>>>>>> >>>>>>>>> Now, the concerns we are really discussing is, what happens in >>>>>>>>> case of XSS or any form of malicious javascript. >>>>>>>>> >>>>>>>>> In this case, for all known flows, session riding is the first >>>>>>>>> real issue. Whether the injected code calls protected web resources through >>>>>>>>> the BFF or using the stored tokens, is irrelevant: the evil is done. Seeing >>>>>>>>> different threat levels between token abuse and session riding is a logical >>>>>>>>> shortcut: in many cases, the impact will be exactly the same. >>>>>>>>> >>>>>>>>> >>>>>>>>> Stating that using stolen tokens is the same as sending requests >>>>>>>>> through a compromised client in the user’s browser (client hijacking) is >>>>>>>>> categorically false. Here are two concrete differences: >>>>>>>>> >>>>>>>>> >>>>>>>>> - Stolen refresh tokens give an attacker long-term access in >>>>>>>>> the name of the user. Client hijacking only works as long as the user’s >>>>>>>>> browser is online and the client is effectively running. >>>>>>>>> - Stolen access tokens give an attacker unfettered access to >>>>>>>>> any resource server that accepts it. Client hijacking forces the attacker >>>>>>>>> to play by the rules of the client. For example, an attacker can abuse a >>>>>>>>> stolen token with fake origin headers to access a resource server that >>>>>>>>> would accept the token, but has a CORS policy that rejects requests from >>>>>>>>> the client’s origin >>>>>>>>> >>>>>>>>> >>>>>>>>> As stated before, the DPoP specification takes a similar point of >>>>>>>>> view on these consequences. They explicitly aim to prevent the abuse of >>>>>>>>> stolen tokens, while considering client hijacking to be out of scope ( >>>>>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#name-objectives >>>>>>>>> ) >>>>>>>>> >>>>>>>>> >>>>>>>>> On a sidenote, the term “session riding” seems to refer to CSRF, >>>>>>>>> not to client hijacking. I have only learned this myself recently and have >>>>>>>>> mis-used this term before as well. I wanted to point this out to avoid >>>>>>>>> further confusion. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Reducing the attack surface with a BFF or even a simple proxy is a >>>>>>>>> possible but separate topic: this doesn't have to be linked to where tokens >>>>>>>>> are stored. Alternatively, services that shouldn't be accessible could >>>>>>>>> simply not be exposed, and token scope and audience must be well thought. >>>>>>>>> >>>>>>>>> As such, BFFs as well as frontend token storage, though different, >>>>>>>>> are application design choices and have no demonstrable superiority from a >>>>>>>>> security point of view. >>>>>>>>> >>>>>>>>> >>>>>>>>> *The security differences between a BFF and a browser-only app are >>>>>>>>> not about token storage, but about the attacker being able to run a new >>>>>>>>> flow to obtain tokens.* >>>>>>>>> >>>>>>>>> You also talk about “demonstrable” differences. I have shown >>>>>>>>> examples (both in text and video) of these consequences in browser-only >>>>>>>>> apps, resulting in the attacker obtaining both an access token and a >>>>>>>>> refresh token. If you claim that BFFs are just the same, I invite you to >>>>>>>>> demonstrate your point of view. >>>>>>>>> >>>>>>>>> >>>>>>>>> Still, it seems it matters to some people to not exfiltrate tokens >>>>>>>>> in case of successful XSS. In the first instance, I don't share this need >>>>>>>>> to protect short-lived tokens in a game over scenario, but the whole >>>>>>>>> investigation of more secure frontend storage mechanisms started because >>>>>>>>> some customers are concerned. We are in the realm of choice, not of >>>>>>>>> provable security need, but it is still important to them. >>>>>>>>> >>>>>>>>> Documenting security concerns and possible solutions is part of >>>>>>>>> the document. Where you store the tokens has an impact on how easy it will >>>>>>>>> be for an attacker to exfiltrate them. Local or session storage is >>>>>>>>> obviously not the best choice here, as injected javascript can easily >>>>>>>>> access it. >>>>>>>>> >>>>>>>>> >>>>>>>>> Again, the security benefits of a BFF are not about stoken >>>>>>>>> storage. Even if you find the perfect storage solution for non-extractable >>>>>>>>> tokens in the browser, an attacker still controls the client application >>>>>>>>> and can simply request a new set of tokens. >>>>>>>>> >>>>>>>>> This link points to the exact demo scenario in the video I have >>>>>>>>> referenced before: >>>>>>>>> https://youtu.be/OpFN6gmct8c?feature=shared&t=1366 It clearly >>>>>>>>> shows how the attacker runs a new flow to obtain tokens, without ever >>>>>>>>> touching the application’s tokens. >>>>>>>>> >>>>>>>>> >>>>>>>>> A service worker is an interesting place to store them, as it can >>>>>>>>> additionally play the role of a front-end proxy that both holds the token >>>>>>>>> securely, and securely proxy requests to the resource server. Besides, a >>>>>>>>> track was started with Rifaat to initiate changes to the service worker >>>>>>>>> specifications to make some things simpler. >>>>>>>>> >>>>>>>>> The point that the service worker solution isn't that widespread >>>>>>>>> is indeed correct and should be addressed. I propose transparently >>>>>>>>> mentioning that it is seen as a possible but uncommon storage mechanism. >>>>>>>>> There should also be some explanation about other kinds of web workers, >>>>>>>>> which are more commonly used but exploitable, so less secure when token >>>>>>>>> exfiltration is a concern. The document isn't only about security best >>>>>>>>> practices, though, but about security concerns. Implementations are >>>>>>>>> explicitly out of scope. >>>>>>>>> >>>>>>>>> >>>>>>>>> Using a SW for storage does not solve anything, since the attacker >>>>>>>>> can simply request fresh tokens. >>>>>>>>> >>>>>>>>> >>>>>>>>> My conclusion is that, though we can surely make the document >>>>>>>>> better, there is no all-encompassing solution. Similarly, BFFs are not >>>>>>>>> a higher level of security for healthcare of banks, just a different >>>>>>>>> solution. Service workers are still an interesting solution for people who >>>>>>>>> absolutely want to secure tokens at the frontend, and as improvable as >>>>>>>>> the document is, shouldn't be left out. >>>>>>>>> >>>>>>>>> >>>>>>>>> You, as the creator of the SW approach, have clearly stated that >>>>>>>>> you don’t even use it in practice, so I don’t really understand the urge to >>>>>>>>> make this a recommended pattern. On the contrary, BFFs are used in practice >>>>>>>>> in a variety of scenarios. >>>>>>>>> >>>>>>>>> That said, the SW approach should indeed be mentioned in the >>>>>>>>> document, to clearly illustrate the security considerations and >>>>>>>>> limitations. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> About some specific concerns: >>>>>>>>> > *While content injection attacks are still possible, the BFF >>>>>>>>> limits the attacker’s ability to abuse APIs by constraining access through >>>>>>>>> a well-defined interface to the backend which eliminates the possibility of >>>>>>>>> arbitrary API calls.* >>>>>>>>> Session riding is still the main issue and isn't addressed at all. >>>>>>>>> If the intention here was to limit the number of exposed endpoints, the >>>>>>>>> application can still be designed to either only expose what is needed, or >>>>>>>>> put a proxy or api manager between for limiting exposition, unrelated to >>>>>>>>> where token storage happen. >>>>>>>>> >>>>>>>>> >>>>>>>>> No-one has ever stated that a BFF would solve the consequences of >>>>>>>>> an attacker hijacking a client. However, when the attacker is forced to >>>>>>>>> launch attacks through a client running in the user’s browser, they are >>>>>>>>> forced to go through the BFF. That gives you a point of control which you >>>>>>>>> *could* use to implement restrictions. This is not required to >>>>>>>>> benefit from a BFF, since the main benefit is moving from a public client >>>>>>>>> to a confidential client. >>>>>>>>> >>>>>>>>> You state that you can achieve the same by using a careful design >>>>>>>>> of the application. However, you fail to mention what you consider the >>>>>>>>> “application” and where exactly this restriction fits in. This is >>>>>>>>> important, because once the attacker has exfiltrated access tokens, they >>>>>>>>> can send arbitrary requests. If the resource servers are not fully shielded >>>>>>>>> by an API manager, the attacker can contact them directly with a stolen >>>>>>>>> token. And if you apply this close to the resource servers, how will you >>>>>>>>> then configure them to only allow certain clients to access certain >>>>>>>>> endpoints? >>>>>>>>> >>>>>>>>> >>>>>>>>> *> No, because running a silent flow in an iframe typically uses >>>>>>>>> a web message response. In essence, the callback is not the redirect URI, >>>>>>>>> but a minimal JS page that sends the code to the main application context >>>>>>>>> using the web messaging mechanism. The message will have the origin of the >>>>>>>>> authorization server as a sender. * >>>>>>>>> The iframe needs to get the auth code somehow, and that typically >>>>>>>>> happens by setting its src to the auth endpoint, and having a redirect URI >>>>>>>>> that points to that minimal js page. This would mean an attacker can >>>>>>>>> change the redirect URI to be able to point to some custom js in the >>>>>>>>> application, which is a whole different >>>>>>>>> >>>>>>>>> Philippe, I'm honestly quite skeptical about that attack, but it >>>>>>>>> sounds interesting. Can you provide some details or a reproducer? >>>>>>>>> >>>>>>>>> >>>>>>>>> In all honesty, my understanding that the Web Messaging approach >>>>>>>>> was universally used turned out to be inaccurate. There are two concrete >>>>>>>>> ways to run a silent authorization code flow: (1) using >>>>>>>>> response_mode=web_message and (2) using the proper redirect URI. Both >>>>>>>>> scenarios allow the attacker to obtain the authorization code by starting >>>>>>>>> the flow with an authorization request that *is indistinguishable* from >>>>>>>>> a request coming from the legitimate application. >>>>>>>>> >>>>>>>>> *Scenario 1 (web messaging)* >>>>>>>>> >>>>>>>>> >>>>>>>>> - The iframe src points to the authorize endpoint >>>>>>>>> - The AS does not redirect, but responds with an HTML page >>>>>>>>> containing JS code. This JS code uses postmessage to send a message >>>>>>>>> containing the authorization code to the main application context. >>>>>>>>> - The attacker receives this message and obtains the >>>>>>>>> authorization code >>>>>>>>> >>>>>>>>> >>>>>>>>> This approach is used by Auth0 and Apple. I have tested my attack >>>>>>>>> scenario against Auth0. Note that while this flow *does not use* the >>>>>>>>> redirect URI, it does validate the provided redirect URI. Additionally, the >>>>>>>>> admin needs to configure the AS to include the client’s origin in a list of >>>>>>>>> “Allowed Web Origins”. >>>>>>>>> >>>>>>>>> This is also the scenario I use in the demo I have linked to >>>>>>>>> above, so you can see it in action there. >>>>>>>>> >>>>>>>>> >>>>>>>>> *Scenario 2 (redirect)* >>>>>>>>> >>>>>>>>> >>>>>>>>> - The iframe src points to the authorize endpoint >>>>>>>>> - The AS redirects the frame to the application’s callback >>>>>>>>> with the authorization code as a query parameter >>>>>>>>> - The attacker can monitor the iframe for a URL that contains >>>>>>>>> the authorization code, stop the frame from loading (and redeeming the >>>>>>>>> authorization code), and extract the code >>>>>>>>> >>>>>>>>> >>>>>>>>> This approach is more universal, but just as vulnerable. The >>>>>>>>> scenario is exactly the same as in the demo linked to above, but the attack >>>>>>>>> code looks slightly different. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> To conclude, I have carefully argued my point of view on this >>>>>>>>> mailing list, in recorded videos, and in the sessions at the OAuth Security >>>>>>>>> Workshop last week. As far as I can tell, the experts in the community >>>>>>>>> acknowledge the dangers of browser-only apps (i.e., the attacker running a >>>>>>>>> silent flow) and agree that the browser-based apps BCP should accurately >>>>>>>>> reflect this information. We’re currently working on updating the >>>>>>>>> specification (which will happen in multiple steps, so we ask for a bit of >>>>>>>>> patience). >>>>>>>>> >>>>>>>>> Unless you have anything new to add or any new issues to raise, I >>>>>>>>> respectfully opt to disengage from further discussion. >>>>>>>>> >>>>>>>>> Kind regards >>>>>>>>> >>>>>>>>> Philippe >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Yannick Majoros >>>>>>>> Valuya sprl >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>> >>>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>> >>>>> >>>>> -- >>>>> Vennlig hilsen >>>>> >>>>> Steinar Noem >>>>> Partner Udelt AS >>>>> Systemutvikler >>>>> >>>>> | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no | >>>>> >>>> >>>> >>>> -- >>>> Yannick Majoros >>>> Valuya sprl >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >> >> -- >> Yannick Majoros >> Valuya sprl >> >> _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] WGLC for Browser-based Apps Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Brock Allen
- Re: [OAUTH-WG] WGLC for Browser-based Apps Aaron Parecki
- Re: [OAUTH-WG] WGLC for Browser-based Apps Dick Hardt
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Dick Hardt
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Dick Hardt
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Tom Jones
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Tom Jones
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Steinar Noem
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Jim Manico
- Re: [OAUTH-WG] WGLC for Browser-based Apps Jim Manico
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Aaron Parecki
- Re: [OAUTH-WG] WGLC for Browser-based Apps Tom Jones
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Aaron Parecki
- Re: [OAUTH-WG] WGLC for Browser-based Apps Dick Hardt
- Re: [OAUTH-WG] WGLC for Browser-based Apps Dick Hardt
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Philippe De Ryck
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps Yannick Majoros
- Re: [OAUTH-WG] WGLC for Browser-based Apps David Waite