Re: [OAUTH-WG] Google's use of Implicit Grant Flow
Jim Manico <jim@manicode.com> Fri, 17 February 2017 17:40 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B38E1295F4 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 09:40:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Level:
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L3A8WtIi91Sw for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 09:40:29 -0800 (PST)
Received: from mail-pf0-x232.google.com (mail-pf0-x232.google.com [IPv6:2607:f8b0:400e:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A58C51295D3 for <oauth@ietf.org>; Fri, 17 Feb 2017 09:40:29 -0800 (PST)
Received: by mail-pf0-x232.google.com with SMTP id 189so15022214pfu.3 for <oauth@ietf.org>; Fri, 17 Feb 2017 09:40:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=l+C6sA2ycyWmw7GwTrObejs+2r7l7M82BTcr2c9iHVI=; b=G7AFi/wZw58Xa5aruKUUMBYVESTX7yQER2EQJV2BGiquEHO/m5rasjXztRXMdFOMvU HAUKkuPjUzTHXDZVuHS4Y//Zct02WEJa3Emu18Nl9/aKKGDbscigzR8/fx3yYznp2Fgy 2vxL5WTzPAJ1HC/cWZ4kx8Kkia04ORUnh2JGnzMrlcutrCbCSQMpPtrPnPyFLusXi9F4 a/f6P/bGTPJZU/fTwuvk/9UWKPEq6vTeo7vnBZ0xhXTuA4rBjSE7tA3gUJvrpEisNFhs t+JbTV2f7Yas2bXsFAu39h+7iFjKVuaKTfPwtCa+Q2DaDDFzFzI+EV1sSR0GvI14ciKQ CLgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=l+C6sA2ycyWmw7GwTrObejs+2r7l7M82BTcr2c9iHVI=; b=DX18qT5Aj2VIgiwMscRrfhTGjvA2ZOUw4+MU6RlypbcuokPmdCuvGSz6Cu3b4kkkhs lIOoiqVevXGQrAk3GlkJOUKi7yWAZ2OZVTwdHRUa6M0mwQFgBjmeGsOzHERftnSAHIpM fub1aW3bvQAahQwWn1op2UQcYFgZ7Az8+kOPaQ6Z2t75KbL7elc+43KyBaPIqbLSKu8/ 09DYXXABRWNLKtiNheSDfwolAt5uVwSQjn/UdxI5Nh+gBfIdQoUn5Kctz39CPN6SFFt5 GLCugGzZHRVtYxN8Is2iAKhCc47Uxljt2tcAD0fNXnghIacdsMToHNl0Ny4+szBW/my+ 1n7Q==
X-Gm-Message-State: AMke39lWQJEQicvVwr/eHPLQhv1Dv0UzY37KfHxUIa1pG+MgmSsj93U/9d7O4k9FNf6NCE0I
X-Received: by 10.99.108.74 with SMTP id h71mr11400805pgc.99.1487353229132; Fri, 17 Feb 2017 09:40:29 -0800 (PST)
Received: from heembo.local ([2605:e000:112b:c167:3519:b801:95b1:4955]) by smtp.googlemail.com with ESMTPSA id e2sm20861131pga.61.2017.02.17.09.40.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 09:40:27 -0800 (PST)
To: Sebastian.Ebling@telekom.de, bburke@redhat.com, oauth@ietf.org
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com> <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <9f795a60-5345-61b6-356a-cc871164ba8d@manicode.com>
Date: Fri, 17 Feb 2017 07:40:25 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com>
Content-Type: multipart/alternative; boundary="------------817491028CB9E0D4B82C3911"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BGip74HW0P0aMwhsYqCWNBg99Tw>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 17:40:31 -0000
Thank you to those answering my question on implicit for JS clients. The responses so far seem to represent what the security world is saying about the implicit grant - keep away from it other than for a few OIDC use cases. Does anyone think it would be valuable to author a brief RFC to give clear OAuth 2 recommendations for JavaScript client developers? I mean - the OAuth 2 body of work just needs a few more RFC's, right? :) Aloha, Jim On 2/17/17 6:03 AM, Sebastian.Ebling@telekom.de wrote: > > Same for Deutsche Telekom. Our javascript clients also use code flow > with CORS processing and of course redirect_uri validation. > > > > Best regards > > > > Sebastian > > > > *Von:*OAuth [mailto:oauth-bounces@ietf.org] *Im Auftrag von *Bill Burke > *Gesendet:* Freitag, 17. Februar 2017 00:14 > *An:* oauth@ietf.org > *Betreff:* Re: [OAUTH-WG] Google's use of Implicit Grant Flow > > > > For our IDP [1], our javascript library uses the auth code flow, but > requires a public client, redirect_uri validation, and also does CORS > checks and processing. We did not like Implicit Flow because > > 1) access tokens would be in the browser history > > 2) short lived access tokens (seconds or minutes) would require a > browser redirect > > I'd be really curious to hear other's thoughts though. > > [1] http://keycloak.org > > > > > > > > On 2/16/17 5:44 PM, Jim Manico wrote: > > Hello Folks, > > I noticed that Google supports the OAuth 2 Implicit flow for > third-party JavaScript applications. > > https://developers.google.com/identity/protocols/OAuth2UserAgent > > Isn't this generally discouraged from a security POV? *Is there a > better OAuth 2 flow for third party SPA applications?* > > Aloha, > > -- > > Jim Manico > > Manicode Security > > https://www.manicode.com > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Jim Manico Manicode Security https://www.manicode.com
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Bill Burke
- [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Josh Mandel
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Sebastian.Ebling
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Adam Lewis
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Aaron Parecki
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier