Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Tomek Stojecki <tstojecki@yahoo.com> Fri, 16 November 2018 12:59 UTC

Return-Path: <tstojecki@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161B3126BED for <oauth@ietfa.amsl.com>; Fri, 16 Nov 2018 04:59:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztlkBfki21Zf for <oauth@ietfa.amsl.com>; Fri, 16 Nov 2018 04:59:54 -0800 (PST)
Received: from sonic313-10.consmr.mail.ne1.yahoo.com (sonic313-10.consmr.mail.ne1.yahoo.com [66.163.185.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0BC7124408 for <oauth@ietf.org>; Fri, 16 Nov 2018 04:59:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1542373192; bh=DG5EU6MBY4219Ly3JGFVisKxvYvKcv3siJPhq0qYVrk=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=HmuO58JPPUpJtV2Yns9zyQyKVDABXY8cVP6AJx6aY2x4pOyP6ZIuhL+4LFIeAHpLfkgFzlnt2k5Fhs9UiLUZZFAqEnqJdG3/qKTjDh2UWUxGPbIaaHi+zh8DvQV2xlnz3nBPnoYhFLCss6Aty6nLadzMSI5JSd6bSMtfb4Zm2kjIaT/7gxXkeRicLv3RLXQZ0JPwn85sWidAwP8ogeWsNOFO3rE+IcqJbgRmtPtutBX4HQi1vShFHyttQMMkOM+r5/kv5bak9wX0yOa3c/9ZmznKjZpWfY6ywdKLWpo+s9QSJJ8RvjkEjXjPTqj0PUc05Yxql8yelQUps5UIys+gdg==
X-YMail-OSG: w0ETXf8VM1k9RT2WPGvoprEECATyYXyRjwBm0c6D_mSEOIMi8aW2zEHYxGwOC31 lKkNsInarhV7uERVDCes2.PZ.EL4QYFMcSgF_mSCDjdC3bHukY2tF0W8GUedPdEPX3HA9aLIZRmm PK9ll5kauXIU2sFYNXKyfz2ruEMEfsKfbHZu9yQO4j6wbHpswMm.JkAZ9NQPNTOjDCyZatmNoCgC Uqxf6daJV7HT_4KR9yTVAkkdGBqX0j88vzRlOpWhaT_apyu2gByRhoMAwHU3b1Q5PvhhOwEqnB2F emzjz_2OywiR7y3Eb8fb1B9UOEc1Izaw4ih3HCO58D7Kgcy1R5QBgZSm4AIFOwr95euBoixqVOum sG4wnp937j.Dtiq88MPfWg46izf4dqYi6lqRu1vM8HkxMFIKPGl3K85ZE7W6_if4tLbGujPiIhge v2iwsFBInxfCEyGm.5ZBKMTRgpsMjrT6yZgYrwjLGQLFTipTb7UAKE.4XMXO0wlwozFZlldcqXPJ xgEVAzBxqENC8EJQ2bNmAp8y_97za34U5H5YNAoPDppZO3nr1W0KcrVywbjI8HG5.3xyinEUMYZV lmSVdSpwYRrue1JFnyDYO4kMLhTqdcQgtsM1zyMVEWoIWhj0lnr4DeOSI2iWAkNzks9xTjeKyjpV BdUA_YGLyEebzJ2qojKF_vjwbZl5n5GqAGlRh_V2YEqzbA7ToFm7S9hW7NckzDd_osweB8bui7tN WgFlyugFHinzV8oqM.rPQuXM99Y8BUizgkrcN9qi5i.no7PWIMegDe3wZbMNx3c5Txb0XZ95igW6 TSCy58VlfT3Zti4VTxvKExxpReDe9pERBkjfrufIfbHE_eXCGM_ahCTrqDnk7FHo_B5bXX91AHCJ YaJ5nxhI5T.Im8SQeIpkTVbL1s.amnqoPRQOplre7LkvIT0IluVbax7a3Hu5pAUBqSZvVWRtCuuo MTFYCohmR.e0uMp18KLLdv0b.XSk9gfOQOU7uzpSaSdspO.Ks4XK6V1cxqA6YeUdpITaK.d0BmCM b1sQOZ0k-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Fri, 16 Nov 2018 12:59:52 +0000
Date: Fri, 16 Nov 2018 12:59:50 +0000
From: Tomek Stojecki <tstojecki@yahoo.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Brock Allen <brockallen@gmail.com>
Cc: oauth@ietf.org
Message-ID: <915498670.1574190.1542373190714@mail.yahoo.com>
In-Reply-To: <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1574189_953558317.1542373190710"
X-Mailer: WebService/1.1.12729 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9qSBWbFIQvujLphCO7y7BTVN8DU>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2018 12:59:57 -0000

 >> The AS can bind the lifetime of the refresh tokens to the session lifetime, i.e. automatically revoke it on logout. 

> Yea, I saw your other email asking about refresh token revocation relating to session management. Obviously for certain clients, this won't make sense, but for implicit/browser-based ones it's a nice feature to have.
I agree that this can be useful, however with where we are today, is this supported by auth servers such that it can distinguish offline from renewable-online clients and only revoke the latter when logging out? 
> The alternative, as you mentioned, is to not issue refresh tokens and do token renewal the "same old way" via iframe with prompt=none, while still using code flow.

Going from Implicit to Code deals with the problem of sending RT in the URL, which I agree is a plus. Is there anything else in a way of an improvement? I still am not comfortable enough with the idea of releasing RTs to the browser clients where it can't be encrypted, prone to xss, etc... 

-Tomek
    On Thursday, November 15, 2018, 11:01:37 PM GMT+1, Brock Allen <brockallen@gmail.com> wrote:  
 
   > It still lacks the ability to issue sender constraint access tokens.
So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)? Resource servers don't know the flow the clients might use, especially if/when they have many clients.
> The AS can bind the lifetime of the refresh tokens to the session lifetime, i.e. automatically revoke it on logout. 

Yea, I saw your other email asking about refresh token revocation relating to session management. Obviously for certain clients, this won't make sense, but for implicit/browser-based ones it's a nice feature to have.
The alternative, as you mentioned, is to not issue refresh tokens and do token renewal the "same old way" via iframe with prompt=none, while still using code flow.
> The only potential „baby step“ I would see is to move towards „token id_token“. Since this requires signature/at_hash checks etc. I doubt this is really easier than moving to code and exchange the code for an access token. What’s your opinion?
Even since OIDC arrived, this is the only flow I use for JS/browser-based clients (anything less has always seemed so obviously inferior). So for me and my customers, all browser-based clients I am involved in are already there. Perhaps this is the reason for all of my questions/comments about the recent BCP doc. Given "id_token token", CSP, and using the browser history API to wipe the access token from browser history, we already have a decent set of tools to mitigate attacks. As I already conceded, the only remaining issue (IMO) is the short window of time the access token is in the URL.
Given that it seems to me that OIDC and OAuth2 are typically used together (at least when a user is involved with authentication), I always wonder why the OAuth and OIDC WGs are separate. Given that so much effort of the two sets of specs overlap, it seems odd to keep adding onto the OAuth specs and ignoring the added features that OIDC provides. I don't mean to derail this thread, or step on any political toes, so apologies in advance.

-Brock
 _______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth