Re: [OAUTH-WG] Recommended OpenId Connect Flow for SPA with Microservices
David Waite <david@alkaline-solutions.com> Wed, 12 June 2019 02:01 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F63F12007A for <oauth@ietfa.amsl.com>; Tue, 11 Jun 2019 19:01:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBeCpeSqrd_4 for <oauth@ietfa.amsl.com>; Tue, 11 Jun 2019 19:01:27 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id B196912002F for <oauth@ietf.org>; Tue, 11 Jun 2019 19:01:27 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:461:b22c:577:5eb1] (unknown [IPv6:2601:282:202:b210:461:b22c:577:5eb1]) by alkaline-solutions.com (Postfix) with ESMTPSA id E23D2315C9; Wed, 12 Jun 2019 02:01:26 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3554.18.2\))
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <f9e47830-744b-e358-2b13-2bd7de75c513@web.de>
Date: Tue, 11 Jun 2019 20:01:26 -0600
Cc: oauth@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <503669B0-8DCD-4811-8B69-0CE0F4E0D8B0@alkaline-solutions.com>
References: <f9e47830-744b-e358-2b13-2bd7de75c513@web.de>
To: David Sautter <david.sautter@web.de>
X-Mailer: Apple Mail (2.3554.18.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AeV8qNftA80CAzA2_KVGRoWhZ1A>
Subject: Re: [OAUTH-WG] Recommended OpenId Connect Flow for SPA with Microservices
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 02:01:30 -0000
On Jun 10, 2019, at 2:06 AM, David Sautter <david.sautter@web.de> wrote: > I understood the following: Using a backend service for doing the exchange of the auth code for the token with the IdP is considered more secure, because one cannot trust the browser to store the tokens securely. The drawback is that you will have to create your own session state between your backend and your frontend SPA (e.g. using a cookie). Security-wise your risks include both token exfiltration and arbitrary code execution. A proxying backend that holds the token might prevent XSS from exfiltrating the token, but by default does not limit the impact of someone driving the user’s browser directly instead. There can certainly be other implementation/architectural benefits of this approach, however. You can limit actions taken by the SPA, provide a bridge to a remote domain for an API that doesn’t advertise CORS support, enforce rate limiting of APIs which may be charged upstream, and so on. You could also use this to enforce a common processing layer across user-facing components. > I am in a scenario where I do not have "the one backend", but a bunch of microservices running on Kubernetes, so they could die and respawn at any given time. Do I need a API-Gateway for dealing with the Authorization Code Flow? Which ones would be recommended (standard compliant)? The standards mostly focus on the protocols between client, AS/IDP, and protected resource. The products which say help you implement just the client don’t necessarily have standards to leverage between your code and theirs. Leveraging OIDC for web access is mostly pain free for traditional applications, but SPA applications are more like API clients and take some of the passive browser behaviors that you would leverage here (such as potentially redirecting for authentication on new page request). > Or is the alternative of handling the complete Authorization Code Flow + PKCE in the Browser considered a safe scenario? This is what we are recommending by default for https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps Content Security Policy is recommended for preventing XSS in that document. Subresource integrity isn’t explicitly called out, but is also invaluable. To prevent exfiltration, the options are limited. - Token Binding will work, but only currently has support in Edge. - Mutual TLS will work, but has a poor experience unless you are deploying alongside group policy. - DPoP was written specifically for the browser use case (such as letting you use WebCrypto for non-exportable tokens). It is an early draft but has some initial implementations already. You can also have risk and fraud analsyis against both. XSS would need to be detected by usage behavior, while Exfiltration could use environmental detection like address and user agent changes. > > I have been doing a lot of research but having trouble to clarify this. Thanks for your help! Hope this helps! -DW
- [OAUTH-WG] Recommended OpenId Connect Flow for SP… David Sautter
- Re: [OAUTH-WG] Recommended OpenId Connect Flow fo… David Waite
- Re: [OAUTH-WG] Recommended OpenId Connect Flow fo… David Waite
- Re: [OAUTH-WG] Recommended OpenId Connect Flow fo… Torsten Lodderstedt
- Re: [OAUTH-WG] Recommended OpenId Connect Flow fo… David Sautter