[OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Daniel Fett <danielf+oauth@yes.com> Thu, 08 November 2018 16:43 UTC

Return-Path: <danielf+oauth@yes.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A1DC130DC5 for <oauth@ietfa.amsl.com>; Thu, 8 Nov 2018 08:43:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yes.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZ7cGTXe9i1i for <oauth@ietfa.amsl.com>; Thu, 8 Nov 2018 08:43:43 -0800 (PST)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52D9012D4EE for <oauth@ietf.org>; Thu, 8 Nov 2018 08:43:43 -0800 (PST)
Received: by mail-wr1-x42e.google.com with SMTP id d10-v6so21972612wrs.5 for <oauth@ietf.org>; Thu, 08 Nov 2018 08:43:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yes.com; s=google; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=y+kD1SwySdTj2pwpehzYO4f+qEzeiR/P+3Ey/2k2Pks=; b=Rx/ihEmR33se9ar5/0bnoikjomZnxLul0xv3/fnWwgDXWEJ1qLXW69iDQvVVxUmzFk x4yexqjlgNnQDctTN3YAdFGgPTueLXNU9wuTvBpnOQr/4XiCFetmtsD1LwV65R5Y93Yi 2DFlOWeAOmLH1/aNLFxMuCe4OsoudSiC4rkOSBHsN3W2lXk4IAFnciC9TxM0Rae0RyRW SchaLjCqqc+XMTkqyPv/1tuLrtFCzYwuThVEJLk56U5f9a++nSEBzH/2C+HIa6Mh4Xel fiEuqavox/3nhQhOQhIND1PNGwEQFEHQyOv+LyOPnU3HFe+/9ZVRhmjQ/CDI+s8Xk1FD CL1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=y+kD1SwySdTj2pwpehzYO4f+qEzeiR/P+3Ey/2k2Pks=; b=l/2tLkOshPOJ/YMC3E04vTiuMHaJ5OComtLhKPB70KBPRIqZ2jyvz13GYa4DBrF0Nw 32wx4N9ZHgCFU8pCqAb6xm9lJDqufj/Fm1jOOYOIps0zhf0od/UaigHykYukHLiC+oF6 u92KOWvyvxt82o9W+EedLclOdIxAa3ETF1eaiCB6rPXJhuLXybx4s+2mZY20vHCbmt7Z nFiXl81bQNYpMTOzkdm1EMddfAfv1cM0jp5meajLRfr2lVRJccuFA+UajKDqMWcDa6rT w4KOmWrRzjxlRXpYsRB1ZDbnkOTgWGpIosG9EhUxZW6QV4d4dDQZ0or+fQZqYw4BJjdD mpyQ==
X-Gm-Message-State: AGRZ1gLy5QbAnTsZn6+dhLYPMQWu1mJK1BPOMK1ZTzXBGGm2jHyljc2t tc+NiVQHaZlcFhkUWVfIZnlZTI/rDdM=
X-Google-Smtp-Source: AJdET5e8HxrbLKtDEN3RWYu9DZxgbdWLIo8yfEpX6zgHU6aWtUOhBNgUcKlo9KZHQJPxyFdp4bzyMA==
X-Received: by 2002:adf:80c8:: with SMTP id 66-v6mr4766031wrl.57.1541695421382; Thu, 08 Nov 2018 08:43:41 -0800 (PST)
Received: from ?IPv6:2003:c1:4f35:9400:c81c:1386:f2dd:279e? (p200300C14F359400C81C1386F2DD279E.dip0.t-ipconnect.de. [2003:c1:4f35:9400:c81c:1386:f2dd:279e]) by smtp.gmail.com with ESMTPSA id z8-v6sm4816004wrr.94.2018.11.08.08.43.40 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Nov 2018 08:43:40 -0800 (PST)
From: Daniel Fett <danielf+oauth@yes.com>
To: oauth@ietf.org
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <710899611.302780.1541675954453@mail.yahoo.com>
Message-ID: <b03ecdaf-3e43-441a-d2a5-1bcd830c2f31@yes.com>
Date: Thu, 08 Nov 2018 17:43:38 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <710899611.302780.1541675954453@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="------------D28C4B34CAD45317707B79A1"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5bGpbOyGyc4M2mUJc4SBTGX2gPA>
Subject: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 16:43:46 -0000

Hi Tomek,

Am 08.11.18 um 12:19 schrieb Tomek Stojecki:
> Thanks for putting this together Aaron. 
>
> Having read through the document, I am not as convinced that there is enough of a benefit of Authorization Code + PKCE vs Implict Flow for SPAs.
>
> In section 7.8. the document outlines the Implicit flow disadvantages as following:
>
> "- OAuth 2.0 provides no mechanism for a client to verify that an access token was issued to it, which could lead to misuse and possible impersonation attacks if a malicious party hands off an access token it retrieved through some other means to the client."
>
> If you use Code + PKCE with no client secret (public client) as it is being advocated, you can't verify the client either. PKCE is not for authenticating the client, it is there to provide a mechanism to verify inter-app communication, which occurs between a browser and a native app. There is no inter-app communication in implicit (everything stays in the browser), so no need for PKCE.

PKCE can protect the auth code also in SPAs:

The assumption is that the authz response can leak - it is just a URL
after all. It can appear in log files, leak through mix-up, and many
other attacks. (Browser-to-native app communication is just one case
where the authz response can leak.)

When using PKCE, an attacker cannot redeem a leaked auth code for a
token at the token endpoint, since he does not know the pkce verifier. 

That is the extra protection that PKCE provides.

- Daniel