Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

William Denniss <wdenniss@google.com> Tue, 07 March 2017 00:51 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D4B1129A76 for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2017 16:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5kptJ90Pe00j for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2017 16:51:56 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E763D129AB7 for <oauth@ietf.org>; Mon, 6 Mar 2017 16:50:15 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id p64so65195026qke.1 for <oauth@ietf.org>; Mon, 06 Mar 2017 16:50:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nwrrvGqq8E6/mTOGpX2yqGna0Szd6a6ns/pBubO/TXo=; b=qQD+08r1QfNj50utuXYQiQiaUiOrCUxgjYi/4qa9u7u4vaJIxnZoJ5dYXsjbrY63DW mtoQK3rpprXLai9OvASePm5f2roT21BRYQ8+vR/S/bGweOY9krJUsNUV6SkgDMT7Gmdw a1S5ojX+aFWy6GW1ZzE8SmlmZFTVkFVfynhNo0BYhrEUu20zS2z9vCbVsOSk4aTxWyDD QyXsR4EQm8mkJmQIMOeXPE8lj1jPnqrW79LJnxiVALgMuNmZA/rrQZuWaYPc8tAS+yqr +zyH449BPssl/GwYnTRT5cL77sqtwOujACLjoOU5mBN+GK/dMSLJVHuCh76xlLsYgzsz S/Ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nwrrvGqq8E6/mTOGpX2yqGna0Szd6a6ns/pBubO/TXo=; b=dBmS1AyPWzlcA3JeG8yeY9ZQP2etuZzU/BciyF3JfovCUThD6QcJzQ7cZCIWVsKnQl rNvNWoLmM12YOj3PNUodgevIIpAy04o9oliW3f47Vh/gxEQ0ljNwy3a4o/zPGUPRaS1E Znm2k7J72v/00iRjU+tGxSKDegUUUovI7asLs4MrtZ7BrxWwK2dSkuYVMvFPb0nzpXoc dul2LwAUrY6hqajmRQ+r7i4WQNtryLGlyP+YFWmUizXCl4SqDvbhWeZGJxrtBL+px9bO f+Z7MeyVxjPOIxpM9EcrY7iZoYQgmUTh5KYqRW2d/U3abnzLRweVv9/YrtQh/jW4pK90 GyTg==
X-Gm-Message-State: AMke39l9S0+fir/BuSRJczh8zNXozOpU5fyZ4trNbbWFcL5SWruwCJIXZi4/2TFCHWSsPGECsiuQgQu3HviauYTB
X-Received: by 10.200.42.78 with SMTP id l14mr19696738qtl.15.1488847814807; Mon, 06 Mar 2017 16:50:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Mon, 6 Mar 2017 16:49:54 -0800 (PST)
In-Reply-To: <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com> <a6596083-6a19-e644-403c-4c1686eba492@gmx.net> <94286D03-D721-41C2-A4DD-D2BC05A6B37F@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 6 Mar 2017 16:49:54 -0800
Message-ID: <CAAP42hC+z6xO2xdcADELWKgBZT1vdCiW1kYLvy1ohCMWo-SdpQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a11403d8620e0f8054a1965de
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BHjixb50gNFMAtwFAKoHHGQx3n4>
Cc: internet-drafts@ietf.org, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 00:51:57 -0000

Section 7.1.1 can probably be rolled up into Section 7.1, I agree it's a
bit out of place. I'll do that in -09.

+1 with the plan that this BCP documents the current state, and we can rev
it if and when that changes.

One comment to add: password eavesdropping isn't the only threat from
WebView, the app is basically in total control and can do other things like
modify the contents of the page, interact with it (like faking a click on
the "Approve" button), copy out the session cookie, etc.



On Mon, Mar 6, 2017 at 12:16 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> On fido I can tell you that for security reasons U2F wont work from a
> web-view currently.
>
> Once we move to Web Auth (Fido 2) where the OS provides a API for apps to
> call to get the token it will work but the tokens are audianced to the app
> based on its developer key and bundle_id so that a app cant ask for a token
> for a different site to do correlation.
>
> It is true that Fido UAF currently requires a web-view to work as the
> authenticator is effectively compiled in to each application, and that
> application has access to the private keys on most platforms (Samsung knox
> being the only exception to that that I know of where the keys are managed
> by a common API to hardware key storage, but they are scoped like U2F as
> well)
>
> So for the most part it is true and that unless you use the browser to get
> the Fido token the audience is for the app.
> Example  Salesforce creates native app that may use enterprise SSO via
> SAML, and the enterprise may use Fido as a authentication factor.
> If they use the webview + fido API approach the app can only get a token
> for SalesForce based on its signing key.  It could fire up the web-view and
> do U2F authentication with the enterprise after Salesforec has redirected
> the user.  However it will give every enterprise a token audience to
> Salesforce with a salesforce specific key.   If there is a second app for
> say Slack if they do the same thing the enterprise would get a slack
> audienced token and a slack key forcing a separate registration.
>
> The recommended alternative is that the app use a custom tab for the user
> to SalesForce and that redirect to the enterprise.
> The enterprise gets the same token/key with the correct audience from all
> apps on the device using the browser or custom tab.
> The user may not need to signin a second time, and if they do there Fido
> token will not need to be re-registerd.
>
> The Fido API approach really only works for first party apps like PayPal
> if the the app is not doing federation and paypal is doing the
> authentication for there own app.
>
> Token binding private keys have similar issues.   The pool of private keys
> will probably not be shared between apps, and not between the app and the
> browser (Win 10 may be an exception but it is not documented yet)
>
> In the case of using AppAuth with token binding the browser maintains the
> keys so the enterprise would be able to see the same key and use the same
> cookies across all AppAuth Apps.
>
> You can include token binding in your app, however the token bindings and
> cookies are going to be sand boxed per app.
> Depending on implementation the app gets access to the cookie, but perhaps
> not to the private token binding key.  (At least I don't think it will in
> Android embedded webview).
>
> We could expand on this later in an update to the BCP once Web
> Authentication and Token Binding are final.
>
> There are still some unknowns, but in general for any sort of
> SSO/Federation 3rd party app I don’t see recommending anything other than a
> custom tab/ view controller/ external browser.
>
> William can take the formatting question:)
>
> John B.
> > On Mar 6, 2017, at 4:41 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> wrote:
> >
> > Hi William, Hi John,
> >
> > I just re-read version -8 of the document again.
> >
> > Two minor remarks only.
> >
> > Editorial issue: Why do you need to introduce a single sub-section
> > within Section 7.1. (namely Section 7.1.1)?
> >
> > Background question: You note that embedded user agents have the
> > disadvantage that the app that hosts the embedded user-agent can access
> > the user's full authentication credential. This is certainly true for
> > password-based authentication mechanisms but I wonder whether this is
> > also true for strong authentication techniques, such as those used by
> > FIDO combined with token binding. Have you looked into more modern
> > authentication techniques as well and their security implication?
> >
> > Ciao
> > Hannes
> >
> > On 03/03/2017 07:39 AM, William Denniss wrote:
> >> Changes:
> >>
> >> – Addresses feedback from the second round of WGLC.
> >> – Reordered security consideration sections to better group related
> topics.
> >> – Added complete URI examples to each of the 3 redirect types.
> >> – Editorial pass.
> >>
> >>
> >>
> >> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org
> >> <mailto:internet-drafts@ietf.org>> wrote:
> >>
> >>
> >>    A New Internet-Draft is available from the on-line Internet-Drafts
> >>    directories.
> >>    This draft is a work item of the Web Authorization Protocol of the
> IETF.
> >>
> >>            Title           : OAuth 2.0 for Native Apps
> >>            Authors         : William Denniss
> >>                              John Bradley
> >>            Filename        : draft-ietf-oauth-native-apps-08.txt
> >>            Pages           : 20
> >>            Date            : 2017-03-02
> >>
> >>    Abstract:
> >>       OAuth 2.0 authorization requests from native apps should only be
> made
> >>       through external user-agents, primarily the user's browser.  This
> >>       specification details the security and usability reasons why this
> is
> >>       the case, and how native apps and authorization servers can
> implement
> >>       this best practice.
> >>
> >>
> >>    The IETF datatracker status page for this draft is:
> >>    https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
> >>    <https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/>
> >>
> >>    There's also a htmlized version available at:
> >>    https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
> >>    <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08>
> >>
> >>    A diff from the previous version is available at:
> >>    https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
> >>    <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08>
> >>
> >>
> >>    Please note that it may take a couple of minutes from the time of
> >>    submission
> >>    until the htmlized version and diff are available at tools.ietf.org
> >>    <http://tools.ietf.org>.
> >>
> >>    Internet-Drafts are also available by anonymous FTP at:
> >>    ftp://ftp.ietf.org/internet-drafts/
> >>    <ftp://ftp.ietf.org/internet-drafts/>
> >>
> >>    _______________________________________________
> >>    OAuth mailing list
> >>    OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>    https://www.ietf.org/mailman/listinfo/oauth
> >>    <https://www.ietf.org/mailman/listinfo/oauth>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>