IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Neil Madden <neil.madden@forgerock.com> Wed, 21 November 2018 10:01 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988F512D4EB for <oauth@ietfa.amsl.com>; Wed, 21 Nov 2018 02:01:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yiFBiGjKTvtv for <oauth@ietfa.amsl.com>; Wed, 21 Nov 2018 02:01:53 -0800 (PST)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B42129AB8 for <oauth@ietf.org>; Wed, 21 Nov 2018 02:01:52 -0800 (PST)
Received: by mail-wr1-x434.google.com with SMTP id 96so4998655wrb.2 for <oauth@ietf.org>; Wed, 21 Nov 2018 02:01:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YS7gj/At/cdkb0NpU3qLGh7k8yDHGMQ3/15aIWy8/9o=; b=c/kqzY6sZd9H0eVh+r7QsAA4neU2YoyQGIOtmFkMGJJqcCyj28BvEeLIYwyuGl0ihq W3ORTPDTcXXK2DdCuVw0k+ndNUWba3XEyL7SQ6VJpmcZrcflK7BuxpoQZF8+dN1PBGZ8 v9+25R1dPzwhhBaM8pP2bLD98uWccmFp654Ho=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YS7gj/At/cdkb0NpU3qLGh7k8yDHGMQ3/15aIWy8/9o=; b=TBOczW8/1pFbj2h3iWuL3O0unSTffgic84NNNP357VN9inVX52xrKVFytzuCxqntRF Mz/EeWgUuWRRO74+xjFy6EDU/e2JzG48hQloHgczxo0sUHLQhhpN92ZRMWJd1kdb9Lpl 3/+8572n3PdbqjEcg6uJ60x786luPL41GTy9C4ElNRYZkLJbEojv5XU/tYCfFSFtOAnY k/OI1I9OSxfEWrufmePE1QNftOQV0fwFMCsRJcHla+DJrwKcSdIoYx3aJJLAX911PhHd b03VA5bQ9paGYjmz0zoAU1eYaUf9X7HmwvvzTl4bTq/2kAUtF5jEyNwv+5FiJWkhPnS3 5aVg==
X-Gm-Message-State: AA+aEWYoQMOlp1knmxrM1eF1ngYK45SUeT4OM77OylL43eTMEkZSiYXZ HYpYXyOcrHvnAahtnN6g/jSpd6eYXx0=
X-Google-Smtp-Source: AFSGD/Xv0RrFxyI5jzWM4zjOTujL/UTda/4dJwh89WJBcWdVQxbfxFKOqXL8GhcTbYvArDEK8uxXeg==
X-Received: by 2002:adf:800b:: with SMTP id 11-v6mr5428242wrk.106.1542794511148; Wed, 21 Nov 2018 02:01:51 -0800 (PST)
Received: from guest2s-mbp.lan (41.167.189.80.dyn.plus.net. [80.189.167.41]) by smtp.gmail.com with ESMTPSA id e8-v6sm275215wmf.22.2018.11.21.02.01.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Nov 2018 02:01:50 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <83034de5-cde8-8cd9-ff11-7ce22b61fee6@yes.com>
Date: Wed, 21 Nov 2018 10:01:49 +0000
Cc: oauth@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <70557E9F-8A8B-4BEB-80CC-07EFD74FFBF0@forgerock.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <BL0PR00MB029244CACC634E2D2E923B77F5D80@BL0PR00MB0292.namprd00.prod.outlook.com> <61A6D327-D4EE-4954-B57F-4FF42BB22E7E@lodderstedt.net> <3AA54AC6-BE0B-4535-AF1D-919236EF69B8@forgerock.com> <65005ad9-238e-9fe4-fb4b-ef54e93f84c3@yes.com> <92C3D667-E43E-4622-A688-689C216789BF@forgerock.com> <ccf62b34-5cd0-1473-ae7e-a7d166b28b80@yes.com> <3C8699BF-EE70-4299-91F2-87E8818E7464@forgerock.com> <83034de5-cde8-8cd9-ff11-7ce22b61fee6@yes.com>
To: Daniel Fett <danielf+oauth@yes.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7F7Ph8CEqgnqudTX0mKWg63FcwE>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 10:01:55 -0000

> On 21 Nov 2018, at 09:25, Daniel Fett <danielf+oauth@yes.com> wrote:
> 
> Am 21.11.18 um 10:09 schrieb Neil Madden:
>>> If a page from origin A includes a third-party script from origin B, that external script runs in origin A and has access to all cookies and the JavaScript context of the page.
>>> 
>>> The SPA from origin A would be compromised. That is why we need things such as Subresource Integrity.
>>> 
>> I think we’re talking about different things. I am talking about scripts from places like ad servers that are usually included via an iframe to enforce the SOP and sandbox them from other scripts. If they get access to an access token - e.g. via document.referrer or a redirect or some other leak, then they still act within the same TLS context as the legitimate client.
> Thanks for the clarification! I see that you highlight an important point there.
> 
> The protection that would be required essentially boils down to something similar to a CSRF protection for the resource server.
> 
> Luckily, CORS covers this: You can't set the Authorization header cross-origin unless the appropriate CORS headers are set. So while the third party origin would be able to send a request through the browser using the TLS context, it would not be able to attach the access token. (Unless, of course, that third party origin is whitelisted, or if the bearer token is sent in a different way, e.g., as a URL parameter.)

Right. But two points here:

Firstly, this assumes the access token is actually passed in an Authorization header and not just sent in a URL parameter or a CORS-safe form POST body (e.g. application/x-www-form-urlencoded). This should probably be its own security best practice recommendation, but I haven’t seen it anywhere. I think most REST APIs already do this following RFC 6750, but we should spell out that it has security benefits.

Secondly, this means that we are relying on something other than (TLS-based) sender-constrained access tokens to prevent this, so we should clarify that in the document.

> 
> As a side note, interestingly, this would leave an authorization code unprotected, if the sender authentication would be mTLS or token binding. PKCE on the other hand is fine.

Right - that’s why I am glad to see the security topics draft recommending PKCE in all cases.

Why is PKCE so effective? In my opinion, you can view PKCE as a one-time PoP scheme for the auth code - you prove possession of the secret to the AS by simply giving it the secret along with the auth code. You could do something similar with the implicit flow, but I won’t share that scheme here as I am happy for the implicit flow to die ;-)

— Neil

v2.23.0 | Report a Bug | By Email