IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Vittorio Bertocci <vittorio.bertocci@auth0.com> Thu, 06 December 2018 01:32 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCBF130EFF for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 17:32:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u70rq1Furspq for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 17:32:02 -0800 (PST)
Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27818130F0A for <oauth@ietf.org>; Wed, 5 Dec 2018 17:32:00 -0800 (PST)
Received: by mail-lf1-x144.google.com with SMTP id i26so16230221lfc.0 for <oauth@ietf.org>; Wed, 05 Dec 2018 17:32:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=FGACXNItXpDVAcY542485ItAbjU0XfcKKIwAWvrHll8=; b=aGN8uFesn2RnFqnY2eOvF3NUkhhoOjtGtagMIvH6/8dV3eQOyObQgIgsMGxKMMR8JP w8cskrKwz53KQW/ubO4EodNe6GkCOdGn6qZnP0MnoZ1sCEyH6uc2MQpjm5MgQfi2MvVo e14YztE7ATeQ0Xgg0DntPIyQn6kLk1o8QZxV54FLKy2LXR6xwHcoxo7Figp3cbfYAdY3 IseqRLwzqITomb+rBuGahJHBUexa7yGoF/1gA5R0SGwxbZ1NrwncAIH0+HuHDS8Ov3Mq ZWkcWReTClebYgn8sCfKKihgM/rBoZfRU42jrlwfPUTOkTjZVe6xDiJjjIfGCIVb43p1 nEZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=FGACXNItXpDVAcY542485ItAbjU0XfcKKIwAWvrHll8=; b=IWnFvC/Aky8Sv7k5fiCeZRHU4ju/aDdA1fUmNaDprMomFXNwgOBQIX209/r4ZD6dQ9 eXjbuIN+N26vN1d7bAYe+4gT8xyzuEoFYi6NpqQem6k1bRj4QauxMzt7aCvRlHMBpeNp qg3/tf1MDYJkwFreZL8nhd7qXwES6urZQyuLszHX9FZiM5b+MPomCzHORmfFNgFOwt3R kpg/79JwZWNN1vXiPFs9Biw7TBlwJ/e5Nv7eSv6JwBt62Bv2m12EexCkiNJKS/8R9jeb utQcmtknyI2iDVO8xchsYb9oxRe8A0vbuBowVd3EcA4+3AYTIJ9zhumriT6nA43NTo2m 4Lcw==
X-Gm-Message-State: AA+aEWb4zfjs7aXu5yB8fDq6vw5wwlhQB18KNgeZmAUHKp9kq+OckZ24 uPI0kmbkmjXl2vPSo53D1vVrwHZYFXvujucqzvrB1g==
X-Google-Smtp-Source: AFSGD/U43RYnIG7WRzx7Yt2Ya9f7KqHgXP1vm3YUSkOvt/gKLCi+ZKas0scleBmzBSJx6zNUQQchKVbXGyW0S9cyDp0=
X-Received: by 2002:a19:ae03:: with SMTP id f3mr16358060lfc.86.1544059918178; Wed, 05 Dec 2018 17:31:58 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net>
In-Reply-To: <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net>
Reply-To: Vittorio@auth0.com
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Date: Wed, 05 Dec 2018 17:31:46 -0800
Message-ID: <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Tomek Stojecki <tstojecki@yahoo.com>, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell@pingidentity.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ef718b057c5076be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1e3KKy3-m9CuY8trr2QDkGL7xIk>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 01:32:08 -0000

Hey Torsten/Tomek,
Can I ask a clarification on the below?
Torsten, you mentioned that an AS doesn't need to issue a RT- the browser
code can just repeat an authorization request. Did I get it right?
But in order to preserve the user experience, that cannot really happen as
a full page redirect; right? That wouldn't fly for any kind of background
update, or for retrieving new ATs for different resources based on the same
session. So would we now use a hidden frame to retrieve a code in the same
way in which we used fragments to get new ATs?
Thx
V.

On Wed, Dec 5, 2018 at 7:17 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi Tomek,
>
> > Am 05.12.2018 um 15:27 schrieb Tomek Stojecki <tstojecki@yahoo.com>:
> >
> > Hi Torsten,
> >
> > On Wednesday, December 5, 2018, 1:17:08 PM GMT+1, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> >
> >
> > >> So if I am putting myself in the shoes of somebody who sets out to do
> that - switch an existing SPA client (no backend)
> >
> > > I would like to ask you a question: how many SPAs w/o a backend have
> you seen in your projects?
> >
> > SPA (html+js) utilizing a 3rd party api that requires authorization?
> > If you do have a backend, aren't you better of handling the token
> request on the backend as pointed out here
> >
> https://github.com/aaronpk/oauth-browser-based-apps/blob/master/oauth-browser-based-apps.md#javascript-app-with-a-backend-component
>
> I agree.
>
> > My point of putting (no backend) in parenthesis was to not derail this
> discussion and of course it had the opposite effect.
> >
>
> You know, I you says „don’t look at the green car“ will cause everyone
> looking for it :-) It asked just out of curiosity.
>
> > >> Is that fair or is that too much of a shortcut? I am familiar with
> the specs you've referenced and have looked at them again, but dealing with
> a SPA, some of the recommendations are not feasible (can't authenticate the
> client,
> >
> > > You could using dynamic registration (see other thread). The
> protection would only differ from refresh token rotation if you would use
> public key crypto for client authentication.
> >
> > Good point. How well is dynamic registration supported across AS?
>
> I leave that to the vendors :-)
>
> >
> > >> confidentiality in storage? - not sure how to read that in the
> context of a browser)
> >
> > > How do you ensure confidentiality of session cookies?
> >
> > All I am trying to say is that I think context is important here. So
> when you point out these best practices, some of them will get people
> confused as far as what it means in the browser based app scenario.
>
> That’s why we have the more general Security BCP and client-specific BCPs,
> like for native apps (https://tools.ietf.org/html/rfc8252) and the new
> BCP for SPAs Aaron started to work on.
>
> > Maybe it is just me :)
>
> thanks for raising the question! We need this kind of input to govern the
> development of our specs.
>
> kind regards,
> Torsten.
>
> >
> > >
> > > On Tuesday, December 4, 2018, 2:08:55 PM GMT+1, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> > >
> > >
> > > Hi Tomek,
> > >
> > > > Am 04.12.2018 um 09:50 schrieb Tomek Stojecki <tstojecki=
> 40yahoo.com@dmarc.ietf.org>:
> > > >
> > > > I agree with Vittorio, Dominick et al.
> > > >
> > > >> I disagree.
> > > >
> > > >> Existing deployments that have not mitigated against the concerns
> with implicit should be ripped up and updated.
> > > >
> > > > Yes, just like future deployments that will not mitigate against the
> concerns of code in the browser should be a concern.
> > >
> > > I agree. That’s why I pointed point yesterday that the Security BCP
> also defines obligations for clients using code.
> > >
> > >
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1
> > >
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1
> > >
> > > >
> > > > Can somebody on the other side of the argument (and I hate to make
> it sound like there are two sides, because we're on the same side as far as
> Implicit's AT in front-channel is a real issue) address Dominic's comment:
> > > >
> > > >> Also - simply saying “implicit is evil - switch to code” means for
> most people also using refresh token - so we are treating access tokens in
> the URL with refresh tokens in session storage (over simplified - but you
> get the idea).
> > > >
> > > > Does the group agree|disagree that a recommendation to switch to
> code should be made as long as it is followed by an explanation and
> guidance on what to do with RTs? The ideas that were floated around
> > > > - Token bound RTs (even though it was pointed out that token binding
> is still considered an emerging standard). So should the recommendation
> than say "switch to code and MUST use token bound RTs"?
> > > > - Have AS not release RTs. "Switch to code and DO NOT request RTs"?
> Or switch to code and configure AT to not release RTs for this type of
> client (not sure what that even looks like in a form of a 3rd party
> clients)?
> > > > - RTs short lived and bound to a session - "Switch to code as long
> as AT can bind and revoke RTs when you log out“
> > >
> > > Basically, the AS does not need to issue refresh tokens. If the AS
> does not issue refresh tokens, the integration pattern for SPAs does not
> change (beside the code exchange). If the client needs a new access token,
> it will perform another authorization request.
> > >
> > > If it does, this adds another layer of security because it allows the
> client to frequently obtain new access tokens, which can be short-lived and
> scope restricted.
> > >
> > > The refresh tokens should be replay protected by issuing new refresh
> tokens with every refresh and detect replay for refresh tokens belonging to
> the same grant.
> > >
> > > The AS may additionally bind refresh tokens to AS sessions, but as it
> was pointed out by Annabelle and others, there are some implications to be
> understood and managed in that context.
> > >
> > > You may find more text about refresh tokens in the Security BCP
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-3.12
> > >
> > > kind regards,
> > > Torsten.
> > >
> > >
> > > >
> > > > Sorry if I have missed an important detail from the list above,
> people who have proposed these ideas, feel free to clarify.
> > >
> > > >
> > > > On Monday, December 3, 2018, 10:51:00 PM GMT+1, Dick Hardt <
> dick.hardt@gmail.com> wrote:
> > > >
> > > > I disagree.
> > > >
> > > > Existing deployments that have not mitigated against the concerns
> with implicit should be ripped up and updated.
> > > >
> > > > For example, at one time, I think it was Instagram that had deployed
> implicit because it was easier to do. Once the understood the security
> implications, they changed the implementation.
> > > >
> > > > BCPs are rarely a response to a new threat, their are capturing Best
> Current Practices so that they become widely deployed.
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
> > > >> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are
> saying here. And that was kind of behind the comment I made, or tired to
> make, about this in Bangkok, which was (more or less) that I don't think
> the WG should be killing implicit outright but rather that it should begin
> to recommend against it.
> > > >>
> > > >> I'm not exactly sure what that looks like in this document but
> maybe toning down some of the scarier language a bit, favoring SHOULDs vs.
> MUSTs, and including language that helps a reader understand the
> recommendations as being more considerations for new
> applications/deployments than as a mandate to rip up existing ones.
> > > >>
> > > >>
> > > >>
> > > >> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com>
> wrote:
> > > >>>
> > > >>> We just need to be sensitive to the spin on this.
> > > >>>
> > > >>
> > > >> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited...  If you have received this communication in error, please
> notify the sender immediately by e-mail and delete the message and any file
> attachments from your computer. Thank
> you._______________________________________________
> > > >> OAuth mailing list
> > > >> OAuth@ietf.org
> > > >> https://www.ietf.org/mailman/listinfo/oauth
> > > >>
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > >
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email