IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

John Bradley <ve7jtb@ve7jtb.com> Thu, 08 September 2016 22:38 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3843912B098 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAcCfdRhKYXj for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:38:36 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 491DD128B44 for <oauth@ietf.org>; Thu, 8 Sep 2016 15:38:36 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id z190so49381622qkc.3 for <oauth@ietf.org>; Thu, 08 Sep 2016 15:38:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=rcFalxI0ZCPsFleTsmf3j6tjZc3clIkI5PxpyK+I0dU=; b=c/lfaU/n36/NMPEXyLkCrBx3INoeWL7lVJDaIp45QBHKukVbZABcSDa+A0SxIHlfSU f1QmuZDG/5lrAcJPNPjLnSaVOVD1WMKURvHFH7fpgqFaEsi2nJigUl+Kw6gjFUASsqmV 52j+2CjdV9m0FTL+jLsOQr3vNtnngxrG9slUrO9gk10S57xoBR8i1Y1xW3ohJGLYtjyZ 6YTbMiKki7412FRmRLedRDzgb4W3fHPNcEOhmPBwDpIo+3l2HKWrL4+83MaimMPL4pc2 C1d0kspvQxtCKSciTYtTyj+8DO/q3UeCsZFFYr4bALLgi/yEh/fAXbOSnJV2IRXwGz5+ H2tA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=rcFalxI0ZCPsFleTsmf3j6tjZc3clIkI5PxpyK+I0dU=; b=L9v6/TaC1aB3+OexK3oD4cd7BHRd/H+IQSj7J33pzbxkpEElyUVy7LwfjvE9u5aZtu fryJJ9EwmR4Ke6GPlb47c/9v/iM/7e1dw7v2c4nbZENCoj5ZiSdVdMKlIwMZYmXBAFMd sqi7uifyQr+Q69r96N7O8lTB+PjYRXh0UHCa+rMXpDOsa/EskX+c1ujLvnOnC7YwKUqf aR1mNNO774SJlb9cpDEgcgmLIHGwxE5AGnnTb/fFqQdYckDZaeduIaiFH8fJZpKabnxw ZaBG+VuDJu/BBzAbJXy5RIbwbG5xLKWv7/3s8B8XKtfFiXOIf31EclwtUhLGG2R/oKAA VfPQ==
X-Gm-Message-State: AE9vXwPif9usXayraKeQ1wkvXDYoHLjC0bUB04/jNRBe6Fkh8fAbbQbz1pmUkTjy1oZUoMi0
X-Received: by 10.55.99.17 with SMTP id x17mr372341qkb.261.1473374315165; Thu, 08 Sep 2016 15:38:35 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.19.154]) by smtp.gmail.com with ESMTPSA id a193sm178616qkc.46.2016.09.08.15.38.32 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 08 Sep 2016 15:38:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_7437DB45-8766-4A5E-B400-760E0381C9A4"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com>
Date: Thu, 08 Sep 2016 19:38:30 -0300
Message-Id: <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com> <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com>
To: Jim Manico <jim@manicode.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1J3d7HyehUFF1PRqkmEvWaD7xNs>
Cc: Oleg Gryb <oleg@gryb.info>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 22:38:39 -0000

It is an interesting discussion, indicating that perhaps a best practices document is in order.

I have had several people ask me about SPA using OAuth recently.

Until we get the W3C to finish fetch and extend it for token binding, we are going to have ongoing issues with bearer tokens in the browser and where to store them.

I don’t know that there is a perfect solution for bearer tokens, but documenting the tradeoffs may be useful.

John B.

> On Sep 8, 2016, at 6:07 PM, Jim Manico <jim@manicode.com> wrote:
> 
> +1 I think that's a very fair perspective.
> 
> Putting sensitive data in LocalStorage is still a very bad idea. :) One XSS and gone. Maybe XSS is not a big deal in a native app, but it's death to Web apps.
> Aloha, Jim
> 
> On 9/8/16 10:20 AM, Oleg Gryb wrote:
>> In SPA/REST env session ID is not very useful, so it's *an* auth token or tokens (not necessary OAuth one) that are stored in a cookie. It's used to get REST calls authenticated and yes, it usually runs in a multi-domain envs (think about micro services architecture). It makes me think that the value of HTTPOnly will continue diminishing, while the value of good cross-domain policies will increase. Just my opinion coming from my experience. I don't have big (or small) data available to confirm that.   
>> 
>> 
>> From: Jim Manico <jim@manicode.com> <mailto:jim@manicode.com>
>> To: Oleg Gryb <oleg@gryb.info> <mailto:oleg@gryb.info>; Adam Lewis <adam.lewis@motorolasolutions.com> <mailto:adam.lewis@motorolasolutions.com> 
>> Cc: OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>> Sent: Thursday, September 8, 2016 12:51 PM
>> Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
>> 
>> > Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in cookies.
>> In a browser environment, this is only true when you need to make cross domain requests or are using cookie data for something other than session state.
>> If your current page origin and the page you are requesting are the same, then your cookies can be HTTPOnly without impacting functionality. If you need additional cookies for other things that need to be accessed via JS, use a separate cookie.
>> So sure, there are a few workflows in OAuth where you need to access "cookie data" from JS and HTTPOnly is not viable. But there are a few where it is viable. I don't think it's as simple as "we need to talk to cookie data via JS all the time.".
>> Aloha, Jim
>> On 9/8/16 8:15 AM, Oleg Gryb wrote:
>>> Jim,
>>> 
>>> It's outdated a bit. Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in cookies. 5-10 years ago I would always enforce HTTPOnly and now - I can't.
>>> 
>>> Thanks,
>>> Oleg.
>>> From: Jim Manico <jim@manicode.com> <mailto:jim@manicode.com>
>>> To: Adam Lewis <adam.lewis@motorolasolutions.com> <mailto:adam.lewis@motorolasolutions.com> 
>>> Cc: OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>>> Sent: Thursday, September 8, 2016 10:45 AM
>>> Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
>>> 
>>> In the web world, cookies for session identifiers are much safer - since we can use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say •keep sensitive data out of localStorage• since one XSS and it's stolen. There is                                             also a huge body of work underway to make secure cookies even more so.
>>> 
>>> I'm not sure how this translates to native apps.
>>> 
>>> --
>>> Jim Manico
>>> @Manicode
>>> 
>>> On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.lewis@motorolasolutions.com <mailto:adam.lewis@motorolasolutions.com>> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> The WG is currently putting together best practices for native apps.  I would like to better understand the best practices around ua-based-apps, especially as it relates to token storage.  I've read various blog posts about the preference between storing tokens in cookies vs.  Web Storage (localStorage/sessionStorage).  The current set of specs are rather silent on the matter, as it is more of an implementation issue (but that is where most mistakes are made).
>>>> 
>>>> What is the WG's guidance on this?
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> 
>> 
>> -- 
>> Jim Manico
>> Manicode Security
>> https://www.manicode.com <https://www.manicode.com/>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> 
> 
> -- 
> Jim Manico
> Manicode Security
> https://www.manicode.com <https://www.manicode.com/>_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email