Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 45
Joey Galvin <joeyg42090.jg@gmail.com> Mon, 15 February 2021 19:58 UTC
Return-Path: <joeyg42090.jg@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 210963A106F for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 11:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IPsJ9d481sXM for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 11:58:51 -0800 (PST)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B1AE3A1076 for <oauth@ietf.org>; Mon, 15 Feb 2021 11:58:50 -0800 (PST)
Received: by mail-yb1-xb2c.google.com with SMTP id p193so8304569yba.4 for <oauth@ietf.org>; Mon, 15 Feb 2021 11:58:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=8kda1FRmf2FQRtSftb1nuu7sDyefHvSvy1kR+0wnMms=; b=qa+/kYuq9peHQ/ue1vaHufnb86HksNe0clBzVpvpmS+Zg6tH98TTz1Y2ssdMxjFGpU pTAtZaRSrj7gQKpOTH/s605IWGRz3lCnA+2rEhJfWtS9U5HAv7fN5Irv/IZxL/d4rg7M 4Bg42xe3aKL5rhoDOduiif4x/8PUemY4bu7Sfy9jHC5pd7tMrpfdOTpSEe5jvrQVk91X OM53+C8jOG9U30tBa5iWodRLoUTRjN9BX55Z7RS+EIQhwzjD17K26J4xj8RY/WE8zaN2 CRMR9UTL1VLAItcnytYWmVJMZ33va1NVhSh2bIdP4jR+QcQ+2U9t1x4xvHYekdDOX92c f8Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=8kda1FRmf2FQRtSftb1nuu7sDyefHvSvy1kR+0wnMms=; b=QPfuBbIyrbevDIAvjDx3NAxqpaI4wKD58a3LADP4xXlMVsHcJ7ziKErnfyuoCP5rNc olQOdSkFgWg1soZrY/1lnme2H++OE3TgR2Qwxmyn3ezcVNe8MxGvr1v0IjlDiIFRPC3k TzDDN4/zcTN2loUNPpiy9pY5EqEHzu37YP5dULTCk8LjfBsLnWjolqXe6iZW0T0GOuPO iNowe45gqAn7Np1eXued6OWZ6m20OIvvkNpKlimfYVkSdGltJMzgLvjMiCV3iCQ7nbGF q/vKWG5NpVCcZfCsIWmEQkpjZo2XFMeG7S03yrgYutNE+QgGb7LtOBzI2HOr38RStKzj BOfw==
X-Gm-Message-State: AOAM531Mcg7SXuMCawRYZC+DqKONAY1rOCWZ/caKl7B5sWEYJMkcoUrZ NHYwfO2RUiQVyZfPgcmh24lmackI5oMrLUg+ZxEEMnlGQo0=
X-Google-Smtp-Source: ABdhPJw9fDdaWrm8qsrx84JD9Gs704DS7uKST4VRpDWNvex40Z0WLpqbwoSnGlzUWFZ3kNX2EpFCIu4/jpPN/0o+ww8=
X-Received: by 2002:a25:a541:: with SMTP id h59mr25712823ybi.203.1613419129656; Mon, 15 Feb 2021 11:58:49 -0800 (PST)
MIME-Version: 1.0
References: <mailman.178.1613388856.6343.oauth@ietf.org>
In-Reply-To: <mailman.178.1613388856.6343.oauth@ietf.org>
From: Joey Galvin <joeyg42090.jg@gmail.com>
Date: Mon, 15 Feb 2021 11:58:38 -0800
Message-ID: <CAAVB11CXjFf3e+FKPqUgBOjWV5imBocQAekdiOrCDnWsgW3RVQ@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000018daf205bb656a72"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ags_5XQK33_79tBnlEHNn_cRhYk>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 45
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 19:58:54 -0000
On Mon, Feb 15, 2021 at 3:34 AM <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: Token Mediating and session Information Backend For > Frontend (TMI BFF) (Philippe De Ryck) > 2. Re: Token Mediating and session Information Backend For > Frontend (TMI BFF) (Neil Madden) > 3. Re: Authorization Header Encoding (Vladimir Dzhuvinov) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 15 Feb 2021 12:09:10 +0100 > From: Philippe De Ryck <philippe@pragmaticwebsecurity.com> > To: Neil Madden <neil.madden@forgerock.com> > Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth@ietf.org > Subject: Re: [OAUTH-WG] Token Mediating and session Information > Backend For Frontend (TMI BFF) > Message-ID: > <8B710018-3605-483D-B4A8-191A5BBFFEBC@pragmaticwebsecurity.com> > Content-Type: text/plain; charset="utf-8" > > > > > On 15 Feb 2021, at 11:50, Neil Madden <neil.madden@forgerock.com> wrote: > > > >> On 15 Feb 2021, at 10:26, Philippe De Ryck < > philippe@pragmaticwebsecurity.com> wrote: > >> > >>> On 15 Feb 2021, at 11:14, Neil Madden <neil.madden@forgerock.com > <mailto:neil.madden@forgerock.com>> wrote: > >>> > >>>> On 15 Feb 2021, at 08:32, Philippe De Ryck < > philippe@pragmaticwebsecurity.com <mailto: > philippe@pragmaticwebsecurity.com>> wrote: > >>>> > >>>> [...] > >>>> > >>>> Compared to using a worker for handling RTs, I believe the TMI-BFF > only adds a single security benefit: an attacker is no longer able to run a > silent flow to obtain a fresh set of tokens (since the client is now a > confidential client). > >>> > >>> But they can just call the bff-token endpoint to do the same. If there > is a security advantage, IMO it is as a defence in depth against open > redirects, unicode normalisation attacks (ie not validating the > redirect_uri correctly at the AS), etc. > >> > >> A Web Worker and the TMI-BFF both encapsulate the RT and only expose > the (short-lived) AT. > > > > I don?t think this distinction matters at all from a security point of > view. It?s the AT that attackers are after - why bother with a RT if I can > just call the bff-token endpoint to get a new AT every time? > > Getting an AT from the BFF (or a worker) is an ?online? attack, which only > works as long as the application/malicious code is loaded in the browser of > the user. > > Stealing a working refresh token (e.g., with a silent flow) is an > ?offline? attack, which gives long-term access (lifetime of the RT), > independent of the state of the application in the user?s browser. > > There is a clear distinction, but whether that matters is a different > discussion. It depends on how the application used, and how token lifetimes > are configured. FWIW, the DPoP threat model makes the same distinction > ("Stolen token (XSS)? vs ?XSS (Victim is online)?) here: > https://danielfett.de/2020/05/04/dpop-attacker-model/ < > https://danielfett.de/2020/05/04/dpop-attacker-model/> > > Philippe > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210215/9caa8a97/attachment.htm > > > > ------------------------------ > > Message: 2 > Date: Mon, 15 Feb 2021 11:15:47 +0000 > From: Neil Madden <neil.madden@forgerock.com> > To: Philippe De Ryck <philippe@pragmaticwebsecurity.com> > Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth@ietf.org > Subject: Re: [OAUTH-WG] Token Mediating and session Information > Backend For Frontend (TMI BFF) > Message-ID: <17812F95-7350-4595-9867-EF9D9452CC07@forgerock.com> > Content-Type: text/plain; charset="utf-8" > > Yes, I?ve argued against this distinction for DPoP too. Since the first > days of HttpOnly attackers learnt to proxy requests through the browser (as > you know of course). This is not only to bypass the restrictions but it?s > also just much better for the attacker because it hides their traffic and > origin. People are online all the time now, so this is at best a mild > inconvenience. > > ? Neil > > > On 15 Feb 2021, at 11:09, Philippe De Ryck < > philippe@pragmaticwebsecurity.com> wrote: > > > > ? > >> > >>> On 15 Feb 2021, at 11:50, Neil Madden <neil.madden@forgerock.com> > wrote: > >>> > >>>> On 15 Feb 2021, at 10:26, Philippe De Ryck < > philippe@pragmaticwebsecurity.com> wrote: > >>> > >>>>> On 15 Feb 2021, at 11:14, Neil Madden <neil.madden@forgerock.com> > wrote: > >>>>> > >>>>>> On 15 Feb 2021, at 08:32, Philippe De Ryck < > philippe@pragmaticwebsecurity.com> wrote: > >>>>>> > >>>>> [...] > >>>>> > >>>>> Compared to using a worker for handling RTs, I believe the TMI-BFF > only adds a single security benefit: an attacker is no longer able to run a > silent flow to obtain a fresh set of tokens (since the client is now a > confidential client). > >>>> > >>>> But they can just call the bff-token endpoint to do the same. If > there is a security advantage, IMO it is as a defence in depth against open > redirects, unicode normalisation attacks (ie not validating the > redirect_uri correctly at the AS), etc. > >>> > >>> A Web Worker and the TMI-BFF both encapsulate the RT and only expose > the (short-lived) AT. > >> > >> I don?t think this distinction matters at all from a security point of > view. It?s the AT that attackers are after - why bother with a RT if I can > just call the bff-token endpoint to get a new AT every time? > > > > Getting an AT from the BFF (or a worker) is an ?online? attack, which > only works as long as the application/malicious code is loaded in the > browser of the user. > > > > Stealing a working refresh token (e.g., with a silent flow) is an > ?offline? attack, which gives long-term access (lifetime of the RT), > independent of the state of the application in the user?s browser. > > > > There is a clear distinction, but whether that matters is a different > discussion. It depends on how the application used, and how token lifetimes > are configured. FWIW, the DPoP threat model makes the same distinction > ("Stolen token (XSS)? vs ?XSS (Victim is online)?) here: > https://danielfett.de/2020/05/04/dpop-attacker-model/ > > > > Philippe > > > > > > -- > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy> > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210215/6d5945f3/attachment.htm > > > > ------------------------------ > > Message: 3 > Date: Mon, 15 Feb 2021 13:34:10 +0200 > From: Vladimir Dzhuvinov <vladimir@connect2id.com> > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] Authorization Header Encoding > Message-ID: <97a82c6d-1410-a9a9-a7aa-e8cff61a1807@connect2id.com> > Content-Type: text/plain; charset="utf-8" > > Hi Justin, > > Thanks for alerting us on this development. > > +1 for keeping the updated HTTP semantics unencumbered by the > Authorization header formatting in RFC 6750. > > IMO revising the RFC 6750 to reflect that is too late now, as few people > will notice. So updating the Bearer header definition in OAuth 2.1 seems > like the most sensible move. I expect OAuth 2.0 implementers who > maintain their software to pick up the 2.1 spec, sooner or later. > > Vladimir > > > On 12/02/2021 00:01, Justin Richer wrote: > > The HTTP Working Group opened an issue for discussion in relation to > > the updated HTTP semantics specification. The core of the issue is the > > format of the ?Authorization? header, which of course gets used by the > > ?Bearer? scheme defined in RFC6750. > > > > https://github.com/httpwg/http-core/issues/733 > > > > As it turns out, Bearer defines a more limited character set than is > > allowed by core HTTP, and doesn?t follow the HTTP guidelines and > > definitions for the Authorization header. There were a few > > observations on the call: > > > > ?- The Bearer spec was limited because OAuth tokens were also allowed > > in HTTP URLs and form parameters (and therefore had to have a more > > limited character set) > > ?- In practice people don?t actually restrict the values they put into > > this field; pretty much any implementation is just going to > > concatenate whatever access token value they get to the magic word > > ?Bearer? and send it > > ?- It?s not likely (or in my opinion proper) for the HTTP spec to > > change to address the oddities of RFC6750 and decisions that were made > > many years ago > > > > So the question is, what do we do about it? We could do a revision of > > 6750 that reflects reality better, pretty much just changing the ABNF. > > > > Or, we could update the definition of the Bearer header in the > > upcoming OAuth 2.1 specification. > > > > Are there other options? > > > > ?? Justin > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > -- > Vladimir Dzhuvinov > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210215/10958cdf/attachment.htm > > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/pkcs7-signature > Size: 4007 bytes > Desc: S/MIME Cryptographic Signature > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210215/10958cdf/attachment.p7s > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 148, Issue 45 > ************************************** >
- Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 45 Joey Galvin