[OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

Daniel Fett <danielf+oauth@yes.com> Thu, 08 November 2018 16:42 UTC

From: Daniel Fett <danielf+oauth@yes.com>
To: oauth@ietf.org
Date: Thu, 08 Nov 2018 17:42:21 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B7InATyNs3jGfIJtjhUlPE96ObU>

Hi Aaron,

Thanks for writing up clear guidelines for SPAs. I reviewed the draft
and would like to offer some feedback:

One important aspect I am missing is a brief discussion on how, in
general, SPAs should be implemented; in particular, whether the
browser-app exchanges the code for an access token or whether the server
does that. In Section 7.6 it becomes clear that you propose to use the
first solution (do everything in the browser, as would be expected from
a true in-browser app).

Other remarks:

6.1.:
"The PKCE extension prevents an attack where the authorization code is
intercepted and exchanged for an access token by a malicious client"
I guess what you want to say here is that PKCE prevents the injection of
an *authorization code* by a *malicious user*, right?

6.2.:
"If an authorization server wishes to provide some flexibility in
redirect URI usage to clients, it MAY require that only the hostname
component of the redirect URI match the hostname of the URL the
application is served from."
At the bare minimum, the whole origin should be an exact match
(otherwise a network attacker can intercept the auth code in the authz
response when he uses the redirect URI http://correct-hostname.example).

This is also further discussed here:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-08#section-3.1
We there recommend exact redirect URI matching only.

And finally some nitpicking:

5.
"For example, an web email client" (an -> a)

"or use the OAuth Password grant" -> should be the "Resource Owner
Password Credentials Grant" to stick to the RFC6749 terminology


- Daniel
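As an added illustration of the redirect URI point in 6.2 (example code, not part of the original post or of the draft): the three matching rules side by side, the hostname-only rule the draft permits, origin (scheme + host + port) matching as the bare minimum, and exact matching as recommended in security-topics section 3.1. The registered URI and the candidate redirect URIs are constructed values.

```python
from urllib.parse import urlsplit

# Constructed value: the redirect URI the client registered at the
# authorization server (not taken from the draft or the post).
REGISTERED_REDIRECT_URI = "https://correct-hostname.example/callback"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def hostname_only_match(registered: str, requested: str) -> bool:
    """Relaxed rule from draft section 6.2: only the hostname has to match.

    Scheme, port and path are ignored, so a plaintext
    http://correct-hostname.example/... redirect URI is accepted and the
    authorization code would travel unprotected to that origin.
    """
    return urlsplit(registered).hostname == urlsplit(requested).hostname


def origin_match(registered: str, requested: str) -> bool:
    """Bare minimum from the reply: scheme, host and port must all match.

    Default ports are normalised so https://h/ and https://h:443/ compare
    equal; the path is still free, which exact matching closes.
    """
    def origin(uri: str):
        u = urlsplit(uri)
        port = u.port if u.port is not None else _DEFAULT_PORTS.get(u.scheme)
        return (u.scheme, (u.hostname or "").lower(), port)

    return origin(registered) == origin(requested)


def exact_match(registered: str, requested: str) -> bool:
    """Exact string comparison, as recommended in security-topics 3.1."""
    return registered == requested


def check_requests(registered: str, candidates: list) -> dict:
    """Map each candidate redirect URI to (hostname-only, origin, exact)."""
    return {
        c: (hostname_only_match(registered, c),
            origin_match(registered, c),
            exact_match(registered, c))
        for c in candidates
    }


if __name__ == "__main__":
    for uri, verdict in check_requests(REGISTERED_REDIRECT_URI, [
        "https://correct-hostname.example/callback",
        "http://correct-hostname.example/callback",       # the case from the reply
        "https://correct-hostname.example:8443/callback",
        "https://correct-hostname.example/other",
    ]).items():
        print(f"{uri:50} hostname={verdict[0]} origin={verdict[1]} exact={verdict[2]}")
```

Only the first candidate passes all three rules; the http:// variant passes hostname-only matching alone, which is exactly the gap the reply describes.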



On 06.11.18 at 11:13, Aaron Parecki wrote:
> Thanks Hannes,
>
> Since I wasn't able to give an intro during the meeting today, I'd
> like to share a little more context about this here as well.
>
> At the Internet Identity Workshop in Mountain View last week, I led a
> session to collect feedback on recommendations for OAuth for browser
> based apps. During the session, we came up with a list of several
> points based on the collective experience of the attendees. I then
> tried to address all those points in this draft.
>
> The goal of this is not to specify any new behavior, but rather to
> limit the possibilities that the existing OAuth specs provide, to
> ensure a secure implementation in browser based apps.
>
> Thanks in advance for your review and feedback!
>
> Aaron Parecki
> aaronpk.com <http://aaronpk.com>
>
>
>
> On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig
> <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>
>     Hi all,
>
>     Today we were not able to talk about
>     draft-parecki-oauth-browser-based-apps-00, which describes  "OAuth
>     2.0 for Browser-Based Apps".
>
>     Aaron put a few slides together, which can be found here:
>     https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf
>
>     Your review of this new draft is highly appreciated.
>
>     Ciao
>     Hannes
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com>
> @aaronpk <http://twitter.com/aaronpk>
>
>