Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
Justin Richer <jricher@mit.edu> Thu, 25 July 2019 16:50 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18678120125 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 09:50:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNMVtBtV-9Po for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 09:50:47 -0700 (PDT)
Received: from outgoing-exchange-7.mit.edu (outgoing-exchange-7.mit.edu [18.9.28.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3997C1200CD for <oauth@ietf.org>; Thu, 25 Jul 2019 09:50:46 -0700 (PDT)
Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id x6PGoiDX031172; Thu, 25 Jul 2019 12:50:44 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Thu, 25 Jul 2019 12:49:29 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by oc11expo18.exchange.mit.edu (18.9.4.49) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 25 Jul 2019 12:50:10 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1365.000; Thu, 25 Jul 2019 12:50:10 -0400
From: Justin Richer <jricher@mit.edu>
To: Filip Skokan <panva.ip@gmail.com>
CC: David Waite <david@alkaline-solutions.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Feedback on OAuth for browser-based Apps
Thread-Index: AQHVQFTCWkkZA5TKMEWuwVFaVw4YoabaiM8AgAC44ACAAD13gIAAB1AAgABN+QA=
Date: Thu, 25 Jul 2019 16:50:10 +0000
Message-ID: <F3AC370D-FB69-4FD8-8466-D52CDADD17F6@mit.edu>
References: <CAO7Ng+tyHaKQgJ4PcrcEpMcteqvdH2PE1CQP5j+5DqKJWuKPoQ@mail.gmail.com> <CAGBSGjoexpLjzOcBV+wjH6+CtRROB1ZbPre+7DgfipsO1RgVOQ@mail.gmail.com> <F6536A63-6950-4A05-A35C-B8215BB04277@alkaline-solutions.com> <DC16FB06-32A8-4CF9-999F-FB9F58E67B99@mit.edu> <CALAqi_93ofkHZevrdEfDyhc92S3Oq3oa6WzxsnrSDGifD4eCjw@mail.gmail.com>
In-Reply-To: <CALAqi_93ofkHZevrdEfDyhc92S3Oq3oa6WzxsnrSDGifD4eCjw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [31.133.148.255]
Content-Type: multipart/alternative; boundary="_000_F3AC370DFB694FD88466D52CDADD17F6mitedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2L9_7_1my5gVqbCyrxghyABQOUk>
Subject: Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 16:50:50 -0000
I also think it would be useful, but a problem is that things like “application type” are usually a stand in for a whole bunch of different attributes that we actually care about. That’s what happened with web/native and why, to my knowledge, nobody really uses those in lieu of things like public/confidential and redirect URI locations instead for policy decisions. If we do enumerate these, we would also need to enumerate all of the things it means. I tried to shy away from “application type” style switches in XYZ’s straw man, and instead opt for recipes of applying the different options to different kinds of clients. I don’t know how long that will hold up though. — Justin On Jul 25, 2019, at 8:11 AM, Filip Skokan <panva.ip@gmail.com<mailto:panva.ip@gmail.com>> wrote: Obviously it can do it on a per-client basis still, but now an AS is going to have to know a bit more about the app itself. Perhaps we finally need a few more entries in the “application_type” metadata parameter from OIDC’s extension RFC7591 beyond “native” and “web”? But we at least probably want to point out to AS implementors that this is something they want to consider tracking in their data model for clients. I would very much like to see that. native/web possibly in combination with token_endpoint_auth_method and the client being DCR or "static" is far from being enough to make a policy decision. S pozdravem, Filip Skokan On Thu, 25 Jul 2019 at 13:45, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote: This raises an interesting question that I don’t think we’ve addressed yet: how to appropriately vary token lifetimes and access for different clients. Previously, an AS could see that a client was using the implicit flow and decide to limit token lifetimes or scopes based on that alone. Similarly, I know of at least some AS implementations that let you limit what scopes you allow under the client credentials grant. The key issue is that if all your clients are using the auth code flow (which I agree they should), then how does an AS tell the difference in capabilities between incoming clients? Obviously it can do it on a per-client basis still, but now an AS is going to have to know a bit more about the app itself. Perhaps we finally need a few more entries in the “application_type” metadata parameter from OIDC’s extension RFC7591 beyond “native” and “web”? But we at least probably want to point out to AS implementors that this is something they want to consider tracking in their data model for clients. — Justin On Jul 25, 2019, at 4:04 AM, David Waite <david@alkaline-solutions.com<mailto:david@alkaline-solutions.com>> wrote: On Jul 24, 2019, at 3:03 PM, Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote: On Mon, Jul 22, 2019 at 2:14 AM Dominick Baier <dbaier@leastprivilege.com<mailto:dbaier@leastprivilege.com>> wrote: <snip> I would rather say that ANY JS app should use CSP to lock down the browser features to a minimal attack surface. In addition, if refresh or access tokens are involved - further settings like disabling inline scripting (unsafe inline) and eval should be disabled. I'm not sure what to do with this suggestion. It feels like a blanket recommendation of enabling CSP will likely be ignored since it's too broad, and recommending disabling inline scripts is overreaching unless backed up by a specific threat it's protecting against. Did you have a particular threat in mind? I would say that browser applications should take measures to harden their applications again code injection and arbitrary code execution. Examples include eliminating inline script (and limiting embeddable objects as much as possible) via CSP, and versioning third party resources via techniques like subresource integrity. Mechanisms such as augmenting the codebase to make sure all appropriate user input, data storage, and output properly sanitize data may be used - although they may be more expensive to implement and audit. The AS should likewise take into account an application’s overall security posture when deciding appropriate policies around delegated authorization scopes and token lifetimes. Best current practices include turning the screws tightly around CSP. But it is (theoretically) possible to accomplish the same with brute-force sanitization, which has been made simpler with framework support. It is still ultimately the AS job to decide which clients have which capabilities. -DW _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Feedback on OAuth for browser-based Ap… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Aaron Parecki
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… David Waite
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Leo Tohill
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… n-sakimura