IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

David Waite <david@alkaline-solutions.com> Sun, 09 December 2018 08:57 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00289130F35 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 00:57:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5WaKt-IA_jr for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 00:57:30 -0800 (PST)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [173.255.196.46]) by ietfa.amsl.com (Postfix) with ESMTP id 3B39E130F09 for <oauth@ietf.org>; Sun, 9 Dec 2018 00:57:30 -0800 (PST)
Received: from [IPv6:2601:282:202:b210:d129:b249:15c0:63a8] (unknown [IPv6:2601:282:202:b210:d129:b249:15c0:63a8]) by alkaline-solutions.com (Postfix) with ESMTPSA id B120431682; Sun, 9 Dec 2018 08:57:28 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <CADB4F42-9B05-4B2C-80F0-AA0F972C684D@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CD3CE160-056B-4587-9F5D-49CEE706F8C1"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sun, 09 Dec 2018 01:57:27 -0700
In-Reply-To: <CAO_FVe7Kf9gXxi6phY_Mf-aSFV1uQEQu=OAUpST+tcaQc=9zDA@mail.gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Daniel Fett <fett@danielfett.de>, IETF oauth WG <oauth@ietf.org>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net> <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com> <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net> <CAO_FVe7_CsqkTCRSPK5iT5dH5w_NmDuZ-g-2UJgHefUP2i3beQ@mail.gmail.com> <194886B0-D8C8-4489-B66B-7993C7FA0F63@lodderstedt.net> <CAO_FVe7QhqZEcqeSurPU5QxTN3Z1Lp9zY6XpVQxk1VdCGLMUhA@mail.gmail.com> <1333FFC2-A2F0-479D-8E7C-9ACFEC8E5724@lodderstedt.net> <CAO_FVe7Kf9gXxi6phY_Mf-aSFV1uQEQu=OAUpST+tcaQc=9zDA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5m_tEVQt8OqYGZNHeEOfbVLJDz4>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 08:57:32 -0000


> On Dec 8, 2018, at 8:27 PM, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org> wrote:
> 
> > Can you give a concrete example? To me it feels like you are explaining scenarios where OAuth is used for login.  
> 
> That's one of the scenarios of interest here. We can debate on whether that's proper or not, but the practical consequence is that if I have two (or N) apps that can call APIs via tokens obtained with the implicit flow, eliminating AS the session cookie will prevent them from getting new tokens automatically, without the developer having to write any code for "signout".
> The moment in which apps switch to code and hold on to RTs, the sheer fact that the AS session cookie is gone will NOT stop individual apps from being able to get new access tokens and call API.
> That would be an unintended consequence of the switch to code, and regardless of whether it's a consequence of people abusing the protocol or not, I think this scenario should be documented and people should be warned against it.

The AS is ultimately responsible for the security policy, though - if the AS policy isn’t supposed to allow my application access after the user hits log out, it should either:
1. Tie my application refresh tokens to be revoked at the logout event
2. Not give out refresh tokens to my application

Note that the session cookie is fulfilling the role of the refresh token in the second case. Also note that telling a browser to discard the cookie is not as good as supporting revoking it - if there is no revocation mechanism, a third party who gets the cookie/refresh token can use it for as long as policy allows.

I don’t expect application developers to use libraries that locally enforce more restrictive policy just because the operators of the AS aren’t doing their job setting appropriate policy for their clients. So this is really more of something that the AS needs to understand about their own policy.

-DW

v2.23.0 | Report a Bug | By Email