Re: [OAUTH-WG] oauth-browser-based-apps-05 - BFF
George Fletcher <gffletch@aol.com> Tue, 07 April 2020 13:51 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D18C93A0A2F for <oauth@ietfa.amsl.com>; Tue, 7 Apr 2020 06:51:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8ee6UBadJD0 for <oauth@ietfa.amsl.com>; Tue, 7 Apr 2020 06:51:33 -0700 (PDT)
Received: from sonic306-21.consmr.mail.ne1.yahoo.com (sonic306-21.consmr.mail.ne1.yahoo.com [66.163.189.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 468993A0A20 for <oauth@ietf.org>; Tue, 7 Apr 2020 06:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1586267492; bh=FndW3W0uWamAkyAmPhiDN7/TXYkzk3XRJqkftx+cqSE=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=nuQdU8UuwhmevhE0R9wEa9cujTEOhFQa56E6zRgEhDAWTucVKGT9DbQrZEZSFPNGyRpciwo6gJmOyt/bm0r3W+S89JkpOsj3eFuIOQt2tYJGBIHJ3WLlULRY5eCykWQ38pkLnB1gpM6Ca5neq4DX1/Ymj3cFQOqeDHw4LNCba4INywN+iqvlfiCcoRP3+9Wh0vPLOWphRSMA08x6xqNw3z9bVfOrRnJxi7cZNSdkksU/QfrpOOH3hqRchfkFgxJJ0GYi2CL6B16H0oJmLflcuyFoz7/gramM82nCWoYwQ25Pj/8C5+qgVhSgRs71X+0yqU70O9PqY05rvnTHEzv6Tw==
X-YMail-OSG: LNUs2bcVM1k4wLaPu.JA0I32XLiBY1LHqJIRAeR5DALNdzzohK71F6TPbfwibrb .ipB1jU8uOYlVXcjzajrqWvEy0bjOYXZTUzHzM0.cbhQvkgZyrVzqmUfuMRBrpbckhCfEzRC42rC JxCrirNdHLAThEFg8YVEPaOmNlwDmHpnUsHdRLvgjr6i2FW3OAQqQSKvyrm3KCnuYm5BxMxITgHb mptVxsVhlhz_oFSTwXEVZC2N5BGHAcfgAhsgWbsvof3rzt0OTEC8oLZNTCEasjEF2IjZHFG8pPX5 kmBQW.L5OuV_tPEZ5SLc3Xr9cpG_UZJ.iWz8c.pn46FlX5SPE5ZjktLgQ.ow_Tz.mqy68tSIG0pL SS2mQ8ldvbf8x9sBShB8T5Ax4yS6Z0KpI86NelpeJY9FGWPZzjggODmHtWH7gcA40j5aMgnb_r7Q CxDmadiwbcwCgFDK5fB02lSmyIHcN3Ot0z7fMnBOxRbV.pkjW8O8_WzWCi87ihiHrCq8kEH60G6A ZAQXksF1RnbQ4tfsdmnrxPC5FURWZv.g0IBzFy8Oz0fsEJ.8ta_aF_q74u9dRI_MLpjji0ohG7Es fbJo71SkyKe2Gj1axStJBprnQsFNI_Lgu9sbB6y0bGk6MBSTHcoIqJ7EKUzCexLO4zOVNDAtEedR kGtKIkf.qgF4nR4Qrzojd7V4eQAzNRc5vEbFMBeDKu2Og.nkQyMGJRO_wLdwfFWr02Aj_jXkA_cl ST_Wsw.u1wNJJoe1ocMXocQ_nN3xNoIucxbNHsQmgTGqdSMKZFjZ9p7JV.PRiOMZlffRP8ViZTya Re0g1vXabijVqe1cURDciLXx527oH9Q6h5qTp4.pwP2AEe9HH0vvmkkBE.TS4MTaA1czdeJQ.OaR KkWKDhpSIImDt0zhBCuxGuO5em3OAX1oqtOudtXgY3Dv0yCLKkFPvYNJlTN5kKbMhvWVLA8O2K61 MklzUWke.EgYWychlC6fRFQAKcPx1p3Ag_nA0S6fP1Q586S97HjvQ6jaEzSvsOB5oBHRfWN5iaGv ZnfSB1bzY0tui4CWUrYKh7HhxFp9tdg7p5rBhOBvQvXjMZ_Mfr9DFxvpUWbmQlJ69l1lIlJFJu_y 8nhq6mlx8tu4FEqSHHsu5qrFvmigCZDbMim4ZmG_TKj8CTC2xcftp9OlddHOjzgUYDVPOQrqid1N 45ZKstdPadABik9dWbsykXBjVJ3BbM1FXB0lbUw.J5un6d58Q6MBsqFWNsqkvLyIqtNiv4S6kqMY MTJAFehLA4uq4RoVXRvZZECdbyq2dTNU9PgYF6a6cj5e5mxg3jgw5ITGuVZN6RSku3wn1xeTu2v0 mOZZ.uGpBgpnYHllEcCcVHpbsK7PgUo.0p70gXBVE2gwxuJzBaOkJ.RHfmEF1fg--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Tue, 7 Apr 2020 13:51:32 +0000
Received: by smtp427.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 4e0a9430dcee86f68e6a9ea858f1b2a7; Tue, 07 Apr 2020 13:51:27 +0000 (UTC)
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "aaron@parecki.com" <aaron@parecki.com>
References: <MWHPR19MB1501CE53F9A1EB1ABD7E95A6AEC20@MWHPR19MB1501.namprd19.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <eaff1b0e-22df-14bd-83e2-cee27fba748b@aol.com>
Date: Tue, 07 Apr 2020 09:51:25 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <MWHPR19MB1501CE53F9A1EB1ABD7E95A6AEC20@MWHPR19MB1501.namprd19.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------807DFE58BE20C5ACC41A195B"
Content-Language: en-US
X-Mailer: WebService/1.1.15620 hermes Apache-HttpAsyncClient/4.1.4 (Java/11.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6UKaB8d6_9ZidJw3vjkYi1lvzGQ>
Subject: Re: [OAUTH-WG] oauth-browser-based-apps-05 - BFF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 13:51:35 -0000
Sorry to have missed the meeting. To your second point, I think we should provide guidance in this area. Currently section 6.2 requires all requests to be proxied via the application server. Should we add an additional section for the use case Vittorio mentions? Also there is no mention of DPoP (which of course is a draft) but if the private key is stored in the secure enclave of the browser/device and all requests to the Authorization server and Resource server are signed, is that not strong protection of the access_token/refresh_token? Even if an attacker can obtain the tokens some how, they would also need to be able to run JS to build the appropriate DPoP header in order to use the tokens. Finally, in the cookie models, I don't see any security considerations around things like Server Side Request Forgery or logging the cookies. As these cookies are all bearer tokens, if they are exposed they can be replayed. On 4/6/20 5:35 PM, Vittorio Bertocci wrote: > Hey Aaron, > Thanks for today�s update on oauth-browser-based-apps, very useful. > As agreed, here�s the summary of the point mentioned during today�s call. > > > 1. The last paragraph of 6.2 mentions that an access token could be used as session between the JS frontend and its backend, but no details are given about the security characteristics of making that choice vs using cookies. I would suggest that we either give more guidance on the mechanics of how that would happen (how does the AT get delivered to the JS frontend, what attacks developers should watch out for, etc) or that we recommend the traditional cookie based session approach only. > 2. Currently 6.2 doesn�t mention topologies where the backend obtains ATs and forwards them to the JS frontend, where they are used to perform the actual API calls. Those topologies do exist in the wild, and I know there are practitioner advocates for that approach on this list too, hence it seems we should at least acknowledge those topologies and give some guidance. > If we do position those topologies as legitimate: given that the chatter between JS frontend and backend could in some cases reach sophistication comparable to the client-AS dialog (token requests, renewals, etc), it seems we should either warn people about the security pitfalls they have to watch out for (shorter task for us, but not very actionable) or actually invest some time in specifying how a JS frontend should talk to its backend to delegate its client duties to it and safely retrieve/renew the artifacts the backend obtains on the JS frontend�s behalf (much bigger task for us, but unambiguous guidance and solid threat model developers can safely rely on). > > Thanks! > V. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] oauth-browser-based-apps-05 - BFF Vittorio Bertocci
- Re: [OAUTH-WG] oauth-browser-based-apps-05 - BFF George Fletcher