IETF Logo Mail Archive

Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

Warren Parad <wparad@rhosys.ch> Wed, 17 March 2021 10:48 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9DA23A1214 for <oauth@ietfa.amsl.com>; Wed, 17 Mar 2021 03:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52v5T5Z4r8zx for <oauth@ietfa.amsl.com>; Wed, 17 Mar 2021 03:48:27 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2078C3A126B for <oauth@ietf.org>; Wed, 17 Mar 2021 03:48:25 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id o9so40433029iow.6 for <oauth@ietf.org>; Wed, 17 Mar 2021 03:48:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q9AAu36b1CL1KcqoGT9ACIq2IGCbYyiJmwVNjUONLhY=; b=hbV4de4wi65yLElkaiMXRVmcMVhMNhw9Yp8pcs70CxQCvGboejHQvTe6NbZ9fEoWER N9TQujTRY2gqhXan7M5W7A2zM15v5UFL67yT+coBNurHlUcoBF/b126RqF5CXmu+ZJ4m S62T9xzuKLPyDE+Com5c2JjZr4VHGOGg4teIzhRFYaNnof1VXuix2gZMv/sNGRMJEtFi ieClhNOiEWrXAiIqhuCfcXqWp68JWgxR8ayMTG6e4UudijWJnzdrG79uPkjq84EA6Lea /BWXmA9t6NqHAcO4PDr5o55blKu1CUetcUV9RspZw8ZRstli8rmDihQZALl4G38i61R+ s7Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q9AAu36b1CL1KcqoGT9ACIq2IGCbYyiJmwVNjUONLhY=; b=HnqSu1szc6Sb6wcJT2tNtTiV75E8XlTkkyNitn8/XsnxGLM/6ENFWsMy6sWlRgK2tR eAdh3IGy8FXetJ25hBRIBiTep3ygrOaIwkPzgZ7SR+iR06+nChfRyXuOJC7qQ9NdQpmi dFuePEIEpCmxLISGC4a6OBOFgjUkPkcdX6zl70RDYo1zkGvps4YM004g2hAJJfzukiFV FCyZfagLmeJFfxBEU6yBUMertjP4jBrDbCB2XenZaW8zEChGsn54OMpBz7buhoOoXLKl dbXWBqQ3Xi8lyYHelRyreBIeH4NhZx4C3hb3I8hP/BqRdvUdoS6gFzQSmiuukSS/uh8c okRw==
X-Gm-Message-State: AOAM530eEFMqoV05jKWnZ4NCWrklGxYN2hxdcrmzAqa57dLYWS1tzRLV FXLhZHH1xAVJ5JZYxN/WfA3fXxvCt9mEwlJM4vpA
X-Google-Smtp-Source: ABdhPJwAYjw01TR/VXknX2psOA4KqXCsyBPZnqg++MKcNC+N5XH2NHIdQbNAXaFizKEX7WN97lW88MO6Xnnof7JH1Zo=
X-Received: by 2002:a5d:818c:: with SMTP id u12mr6293457ion.81.1615978103195; Wed, 17 Mar 2021 03:48:23 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR09MB2803BF0A50B14B1E2C5F22A4F36A9@AM0PR09MB2803.eurprd09.prod.outlook.com> <F079409D-8D3F-4FE8-A328-A8BE47275238@forgerock.com>
In-Reply-To: <F079409D-8D3F-4FE8-A328-A8BE47275238@forgerock.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 17 Mar 2021 11:48:12 +0100
Message-ID: <CAJot-L3Dh-uEw8R+QAkhCL_1t=YaRcukqLOjm9EnYj4g8CB-Jg@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: "SOMMER, DOMINIK" <dominik.sommer@milesandmore.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce5d9405bdb93810"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4CPcbYNy9R5dyySwKVtzchKcSMY>
Subject: Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 10:48:37 -0000

Would it be fair to characterize this attack vector as a mix-up attack
where the malicious app is essentially an Attacker AS?

In the Desktop OS category, responding with the *issuer* in the
authorization response (
https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00) returned to
the user's browser via the one that presumably user started the flow with.
But on Android apps can directly decide intercept the authorization
response thus invalidating the protection mechanism instituted by the draft?

I do agree that hypothetically there could be a malicious program installed
in the Desktop OS environment that could perpetrate this attack. However,
without thinking too much about it, I'm biased to believe existing TLS and
browser security mechanisms are sufficient with the addition of the
*issuer *included in the response.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Mar 17, 2021 at 9:15 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Right, but PKCE doesn’t stop an attack when the malicious app initiates
> the authorization flow.
>
> On 17 Mar 2021, at 08:04, SOMMER, DOMINIK <dominik.sommer@milesandmore.com>
> wrote:
>
> 
>
> I’d throw in PKCE as a means of assuring that the client who made the user
> follow the auth flow in the first place, is apparently the only one able to
> “redeem” the auth code returned to the redirect_uri.
>
>
>
>
>
> *Von:* OAuth <oauth-bounces@ietf.org> *Im Auftrag von *Om
> *Gesendet:* Mittwoch, 17. März 2021 06:17
> *An:* Neil Madden <neil.madden@forgerock.com>
> *Cc:* Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>;
> oauth <oauth@ietf.org>; Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
> *Betreff:* Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token
> Mediating and session Information Backend For Frontend (TMI BFF)]
>
>
>
> If I read this correctly,
> https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-10 the 2.1
> draft already addresses this under best practices.
>
>
>
> On Mon, Mar 15, 2021 at 3:31 PM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
> I want to come back to this topic as a new thread.
>
>
>
> As I understand things, the difference on Android is that any app can
> claim to be a generic web browser and so claim to handle all URIs. Whereas
> on iOS only specifically vetted apps can claim to be web browsers. Is that
> correct?
>
>
>
> If so, this does seem like a quite large hole in security of OAuth on
> Android. Should we be considering a new draft recommending alternative
> measures (such as attestation) on Android? Presumably the same issue is
> also true on most desktop OS?
>
>
>
> — Neil
>
>
>
> On 23 Feb 2021, at 15:20, George Fletcher <gffletch@aol.com> wrote:
>
>
>
> Unfortunately, in the mobile app world this isn't sufficient. On iOS using
> Universal Links will bind the https redirect_url to your app in a secure
> way but it doesn't work the same way on Android with App Links. There is
> still a problem with "mobile app impersonation". If you have an app that
> you want to ensure is "your" app then the most secure way is to look at
> "app attestation". This is however, way off topic for this thread :)
>
> On 2/14/21 9:28 AM, Neil Madden wrote:
>
> Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
>
>
>
> There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.
>
>
>
> — Neil
>
>
>
> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> <stoycho.sleptsov@gmail.com> wrote:
>
>
>
> 
>
> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
>
> with the objective to verify if they are valid.
>
>
>
> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
>
> If we decide to implement our client as a frontend SPA , then we have no other option except through a BFF, as PKCE does not help for authentication.
>
>
>
> Or is it considered a bad practice to do that?
>
>
>
> Regards,
>
> Stoycho.
>
>
> Sitz der Gesellschaft / Corporate Headquarters: Miles & More GmbH,
> Frankfurt am Main, Registereintragung / Registration: Amtsgericht Frankfurt
> am Main HRB 116409
> Geschaeftsfuehrung / Management Board: Sebastian Riedle, Dr. Oliver Schmitt
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
>
> - Regards,
> Omkar Khair
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email