IETF Logo Mail Archive

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

Filip Skokan <panva.ip@gmail.com> Wed, 10 January 2024 08:47 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6508DC1CAF4F for <oauth@ietfa.amsl.com>; Wed, 10 Jan 2024 00:47:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RInnMyTgFhCK for <oauth@ietfa.amsl.com>; Wed, 10 Jan 2024 00:47:49 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F8E7C14F681 for <oauth@ietf.org>; Wed, 10 Jan 2024 00:47:49 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2cc9fa5e8e1so44648801fa.3 for <oauth@ietf.org>; Wed, 10 Jan 2024 00:47:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704876467; x=1705481267; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6XBOUt8qVispv7Ol6o2dxqf8tIVegfvC7Lh05KaVmuY=; b=IAQaYPBRajFMZhkAWq7ubFiTxgF42Fkd9oDs9RC9Nk7Sfjnz6bJUPoOL91sSjNsuIb H/1BCA6L65IOdG5FYTA514R+cp79UD5AbnOcTFog2UKYirist6XPEz0nY7vilIWcGI0K VFXb6zfymgWBdGRSCjUdYOMSDND1dduZN5eCUOPkDpzl5KJ8OKaw17XXMWbKYzAMNeqM 7cV0qmoFiuxh4r/g/b1mzk3DHTSKRaHYwJcBBpSjDw1DNhsrT9JWJDeZB+mBdCgjQWHB t8bHmXRX2w8UPXJtWPpsSZxLoZTbrpArCMwYd/Yj806/TZiCpz9cW1hMwvJZINpBvsfT N35Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704876467; x=1705481267; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6XBOUt8qVispv7Ol6o2dxqf8tIVegfvC7Lh05KaVmuY=; b=rRWnDEU5xbnppy9mDjRt9U+M4s0jFxuizQa+ymCpbvD8jVFUzFGFG5cEZ8zu0fR9ye Zn8lsH9IUj+OUSBkEjjABVQoZAdeBr5NbeN2EIQYfFz87/IzS9pmBpxh1F3TLjZWFM8O mlVGYgzCXeyZDVzXzuTrCqiPafOJDciOMdICgxx/FQG0l4BImXVKFL7nAUF1SymzfAL/ Uk7XX5d0GPXa+odBvj0XuIzrXr6Qq16bNPxYxouFCbebVuDgOJHFFn08tGxSQcJ6ec01 0L4dLWi6/XM08U/hKlvBYnY9WisMCQoAhdAW0DNFKMaETJ9GSTN7jD9d+a3X9d7KdWRK yHBQ==
X-Gm-Message-State: AOJu0YyGAlK6hgp9lE3oOO2BqV5R8sEVCsis3GW/zweNnnWaYauBTNY7 /8zibRkZVufhbNMAaAFRPg3O16IFyq/IsuuXFucKjsCCcLEf
X-Google-Smtp-Source: AGHT+IGhTicaazZx0xc2cecxXPOPF2WHHE0jgnKuiNufpRJmbWPBBRWX8iKPzDHgMV4eIP4FN9yCgz8HwC5rV2ssX9w=
X-Received: by 2002:a05:6512:239c:b0:50e:4316:4a1e with SMTP id c28-20020a056512239c00b0050e43164a1emr270821lfv.15.1704876466774; Wed, 10 Jan 2024 00:47:46 -0800 (PST)
MIME-Version: 1.0
References: <ea11f400-45b4-4ef2-a926-f3f89697bca9@hackmanit.de> <bc5ccf22-47b3-4ca0-996e-c1cebcbe9a36@hackmanit.de> <CALAqi__ACWaAX_CoDQQ3wa_59Gnqr5KFMfgmffw0Gh4v878cjg@mail.gmail.com> <b367c755-07ea-4c19-9fb1-b63bb108e512@hackmanit.de>
In-Reply-To: <b367c755-07ea-4c19-9fb1-b63bb108e512@hackmanit.de>
From: Filip Skokan <panva.ip@gmail.com>
Date: Wed, 10 Jan 2024 09:47:10 +0100
Message-ID: <CALAqi__SLUg1VztZ8CAfZOhd-m=uqgz=WPDvhfDU9P6KP1gn9A@mail.gmail.com>
To: Karsten Meyer zu Selhausen | Hackmanit <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>, Louis Jannett <louis.jannett@rub.de>, Christian Mainka <christian.mainka@hackmanit.de>
Content-Type: multipart/alternative; boundary="000000000000302807060e937cf0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0X5bG_3agB6DnnwuVVXA4GM6rX8>
Subject: Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2024 08:47:53 -0000

>
> our draft covers and is compatible to what's called "simple mode" (both
> with and without prompt) in draft-sakimura-oauth-wmrm-00/-01.


So a client that's using a simple mode with web_message today could,
without change, utilize your draft as well? That doesn't seem likely given
the message structure is not the same as in draft-sakimura-oauth-wmrm. Is
that an omission or intentional?

S pozdravem,
*Filip Skokan*


On Wed, 10 Jan 2024 at 09:37, Karsten Meyer zu Selhausen | Hackmanit <
karsten.meyerzuselhausen@hackmanit.de> wrote:

> Hello Filip,
>
> our draft covers and is compatible to what's called "simple mode" (both
> with and without prompt) in draft-sakimura-oauth-wmrm-00/-01.
>
> We do not consider the relay mode. The relay mode is motivated by the use
> of the implicit grant which is discouraged nowadays.
>
> The main differences to draft-sakimura-oauth-wmrm-01 can be summarized as
> follows:
>
>    - In general we do not focus on "modes" but instead on the actual
>    communication using the postMessage API. Our draft contains examples for
>    the format/structure for the messages sent using the postMessage API.
>    - Our draft enables iframe flows with user interaction while draft-sakimura-oauth-wmrm-01
>    only covers iframe flows without user interaction.
>    - Our draft contains security considerations describing threats and
>    giving recommendations to address them.
>    - Our draft briefly discusses the implications of the 3rd party cookie
>    phaseout for iframes.
>
> Our main motivation is the belief that there is a need for a specification
> defining how to securely use the postMessage API for OAuth auth. responses.
> The research of my co-authors underlines this need [1].
>
> As I said, at the last OSW there was agreement that it would be a good
> idea to write an RFC for a postMessage-based response mode. draft-sakimura-oauth-wmrm-00
> was expired years ago and seemed to be inactive when we started to work on
> our own draft. In our opinion it is not a great option to rely on an
> expired draft. As for customers I work with this is not an option at all;
> they want to implement and use final RFCs whenever possible.
>
> We are looking for feedback from the WG and are open to collaborate with
> the authors of draft-sakimura-oauth-wmrm if they want to join the efforts.
>
>
> Best regards,
> Karsten
>
> [1] https://distinct-sso.com/
> On 04.01.2024 12:10, Filip Skokan wrote:
>
> Hello Karsten,
>
> Can you summarize in what ways is your draft compatible
> with draft-sakimura-oauth-wmrm-00? Which of the described modes in Nat's
> document does it cover?
>
> There are existing implementations (both partial and full)
> of draft-sakimura-oauth-wmrm-00 so if your draft is not compatible I would
> recommend not using the same response mode name/identifier in your proposal.
>
> What prompted you to start a new draft rather than
> using draft-sakimura-oauth-wmrm-00?
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Thu, 4 Jan 2024 at 12:04, Karsten Meyer zu Selhausen | Hackmanit <
> karsten.meyerzuselhausen@hackmanit.de> wrote:
>
>> Hi all,
>>
>> we would like to ask again for feedback on our draft for the
>> "web_message" response mode:
>> *https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
>> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>
>> *
>>
>> We think it would be very helpful for implementers and developers to
>> specify a secure standard for a postMessage API-based response mode.
>>
>> Best regards,
>> Karsten
>> On 23.11.2023 10:11, Karsten Meyer zu Selhausen | Hackmanit wrote:
>>
>> Hi everyone,
>>
>> at the last OSW the topic of a response mode based on the postMessage
>> API came up. This approach is already used by multiple parties (e.g.,
>> Google) but lacks standardization.
>>
>> There was some sense of agreement that it would be a good idea to create
>> an RFC defining this response mode to counter security flaws in individual
>> implementations and improve interoperability.
>>
>> Because the efforts in the past were long expired (draft -00 of
>> https://datatracker.ietf.org/doc/draft-sakimura-oauth-wmrm/ expired in
>> 2016) we took the initiative and started to work on a new ID for the
>> "web_message" response mode.
>>
>> *We would like to to ask the members of the working group for feedback on
>> our draft:
>> https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
>> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>*
>>
>>
>> I see that "draft-sakimura-oauth-wmrm" has been recently updated.
>> However, there have not been any changes to its contents. What are the
>> plans of the authors for this draft?
>>
>> Best regards
>> Karsten
>>
>> --
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:	+49 (0)234 / 54456499
>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>
>> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
>> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>>
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>>
>> Registergericht: Amtsgericht Bochum, HRB 14896
>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>>
>> --
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:	+49 (0)234 / 54456499
>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>
>> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
>> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>>
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>>
>> Registergericht: Amtsgericht Bochum, HRB 14896
>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>
>

v2.23.0 | Report a Bug | By Email