IETF Logo Mail Archive

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

n-sakimura <n-sakimura@nri.co.jp> Fri, 16 November 2018 09:12 UTC

Return-Path: <n-sakimura@nri.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B028A130EC2 for <oauth@ietfa.amsl.com>; Fri, 16 Nov 2018 01:12:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nri365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rl8-BPYBssPs for <oauth@ietfa.amsl.com>; Fri, 16 Nov 2018 01:12:17 -0800 (PST)
Received: from nrifs01.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by ietfa.amsl.com (Postfix) with ESMTP id 874D4124D68 for <oauth@ietf.org>; Fri, 16 Nov 2018 01:12:16 -0800 (PST)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs01.index.or.jp (Postfix) with ESMTP id 883E377EFB; Fri, 16 Nov 2018 18:12:15 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id 323284E0046; Fri, 16 Nov 2018 18:12:15 +0900 (JST)
Received: from nriea04.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id wAG9CFo5006485; Fri, 16 Nov 2018 18:12:15 +0900
Received: from nrims00a.nri.co.jp ([192.50.135.11]) by nriea04.index.or.jp with ESMTP id wAG9CExK006480; Fri, 16 Nov 2018 18:12:15 +0900
Received: from nrims00a.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id wAG9CEhp061146; Fri, 16 Nov 2018 18:12:14 +0900
Received: (from mailnull@localhost) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id wAG9CEqb061145; Fri, 16 Nov 2018 18:12:14 +0900
X-Authentication-Warning: nrims00a.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf14.index.or.jp ([172.100.25.23]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id wAG9CEui061142; Fri, 16 Nov 2018 18:12:14 +0900
Received: from CUEXE01PA.cu.nri.co.jp (192.51.23.31) by CUEXM02SA.cu.nri.co.jp (172.59.253.44) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 16 Nov 2018 18:12:12 +0900
Received: from JPN01-TY1-obe.outbound.protection.outlook.com (23.103.139.183) by ex.nri.co.jp (192.51.23.33) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 16 Nov 2018 18:12:11 +0900
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nri365.onmicrosoft.com; s=selector1-cu-nri-co-jp; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dXJ4htByQakF72OwxYssW++d8+IKJm0qyY0OBFxFgwo=; b=sTD6aDksPT6J4jLfWL6jxfFi8PdIHJff4eziJKVM7o7BSqBWLn0sTU0fqbqpCs0AI12q+k3hzyJKaLO7DRETS8BSTV0N9QXZ/teGqbLLTs97x0OHmy9skp1n0vKIdegRBI19/07wqn5YuCdHoH63EXhMADHixcjKVrhH3sXToK4=
Received: from OSBPR01MB2869.jpnprd01.prod.outlook.com (52.134.253.15) by OSBPR01MB2885.jpnprd01.prod.outlook.com (52.134.253.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.26; Fri, 16 Nov 2018 09:12:11 +0000
Received: from OSBPR01MB2869.jpnprd01.prod.outlook.com ([fe80::d1ae:ff36:e681:ce6c]) by OSBPR01MB2869.jpnprd01.prod.outlook.com ([fe80::d1ae:ff36:e681:ce6c%4]) with mapi id 15.20.1294.045; Fri, 16 Nov 2018 09:12:11 +0000
From: n-sakimura <n-sakimura@nri.co.jp>
To: Brock Allen <brockallen@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
Thread-Index: AdR1tZqXsuKHZhdYRhq5sgoVL0Z8egAA8cqAAKwg0oAAxpLdAABZ4LyAAAtfsIAABWFQAAAXI//g
Date: Fri, 16 Nov 2018 09:12:11 +0000
Message-ID: <OSBPR01MB28699EE24930C1B23C131316F9DD0@OSBPR01MB2869.jpnprd01.prod.outlook.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com>
In-Reply-To: <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailadviser: 20170719
authentication-results: spf=none (sender IP is ) smtp.mailfrom=n-sakimura@cu.nri.co.jp;
x-originating-ip: [133.250.250.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; OSBPR01MB2885; 6:wUAsRFdazgIsP7MCrSc66k1ySvO8bLjNBB4xaow+wb0at1d28gc2A4+kQ+PoLSP5bpDdgkDXJEr5515fLlHvrwHMEnSofVRpZkQun7ETjm5fNIyghRWQz8pbBvYpUFo1unRvVAnnZBtMCPztp8lEaRQccGz9P8qDWZiHdwWoBfTgF0ujvuB49fcnEoccXYMonik3JoMzy/zq6K3XoQhfPExWMnMo62UkEczV0Uu2mEzylR6HRWAcMPgnUwTqZwf/yQ0RmK36AdQHkLD+4bwBeA8V8Tt2CTK8CRZv4j+lAQQ8tYYmKdbg23WlbGgsTTCJxvUUTXXoZN0KhpwWTAXPxR2lyi4qmPt4bVmsNe5PMxCa90hY9MKfZglGTkkHtzBV3rg50J4P2fzbdQT+b9mycF5gn5VRA6lhJYsOKoSY6xlGwNUX/MgwdNA3jYrs5KE6aNlWfIYyuj1Wfaz5yFciFg==; 5:3jWEHBFetqljUGjmsS6mKmz1Hc5z2CsCL7aXDA/pQ5h+IwkKuVBufSPpgXCm8V5TBQLl5Sczn5PmSU0M1n0VGd+Zwy5LXiqWPOwx0KNG6lGB+WBg0OvT9j4UF6Q5U2yOMdhhkk0n+AjXJK+ZHf+jWHV1IL7urdYzie2BJcaYB88=; 7:3N88UX3GvS/u5wbPXXFXOrxYcq9MaZM4M9D2f4F1/8hyzEb/kMwZ5VAfRm5aSSr5dLmW9BaWE4pF78VaA1Qf1sOFnIaspKZXAdUTTbJ+4ezio59NlCYEdAwkw9EsQ9DY/lCSJU9M5w3NNXiQWb2Fjw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 4f015e24-b2a0-4dc4-84c7-08d64ba39793
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:OSBPR01MB2885;
x-ms-traffictypediagnostic: OSBPR01MB2885:
x-microsoft-antispam-prvs: <OSBPR01MB28856D44CE09256E50C064BBF9DD0@OSBPR01MB2885.jpnprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(17755550239193)(265634631926514)(158342451672863)(21748063052155)(28532068793085)(190501279198761)(227612066756510);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(3231415)(944501410)(4982022)(52105112)(10201501046)(93006095)(93001095)(148016)(149066)(150057)(6041310)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:OSBPR01MB2885; BCL:0; PCL:0; RULEID:; SRVR:OSBPR01MB2885;
x-forefront-prvs: 0858FF8026
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(366004)(346002)(39840400004)(396003)(136003)(199004)(189003)(7736002)(105586002)(14444005)(486006)(256004)(446003)(11346002)(476003)(6246003)(9686003)(86362001)(110136005)(2900100001)(53936002)(55016002)(74316002)(26005)(186003)(106356001)(54896002)(93886005)(14454004)(6306002)(8676002)(790700001)(4326008)(8936002)(76176011)(5660300001)(53546011)(33656002)(102836004)(81166006)(71190400001)(81156014)(7696005)(99286004)(6506007)(68736007)(66574009)(6436002)(25786009)(74482002)(316002)(66066001)(6116002)(71200400001)(39060400002)(229853002)(3846002)(2906002)(478600001)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:OSBPR01MB2885; H:OSBPR01MB2869.jpnprd01.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: cu.nri.co.jp does not designate permitted sender hosts)
x-microsoft-antispam-message-info: pFMd0I5CkvGAScg9eoPuOug2u94DSRlB9Ea/YZEvT1sAkoozAxAaqQMOce+tnQki031cC6Aj6VRhDH0bpnW2zluaiZ6l3edP62QTokAhHXmRDUs0qE9ovhS1X4n/4gq7Lv9IobnTLl9psS51mRsrxfT9ZMBQDH2WeeMBb/r/w1Z/ttl/BxeSzqYMr/SrqoHfFQTywitqSL3Rw1olrAvVPLbHiW4EkzBor9/TOgtQvU+OmKYNEDi27bKclHHMoXm7Zww1fHpgd0AGmJPXZlReifufo9fEsvU5yBA4CD9FKxI4ztBDTAD08MTRF0/0tVLCRk8GDgEn49ZMbaQist6tcLJ8zC/nNh8FbSdyR48PNZg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_OSBPR01MB28699EE24930C1B23C131316F9DD0OSBPR01MB2869jpnp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 4f015e24-b2a0-4dc4-84c7-08d64ba39793
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Nov 2018 09:12:11.3132 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e3e360d9-7e7f-48d5-ac33-3c5de61f0a75
X-MS-Exchange-Transport-CrossTenantHeadersStamped: OSBPR01MB2885
X-OrganizationHeadersPreserved: OSBPR01MB2885.jpnprd01.prod.outlook.com
X-CrossPremisesHeadersPromoted: CUEXE01PA.cu.nri.co.jp
X-CrossPremisesHeadersFiltered: CUEXE01PA.cu.nri.co.jp
X-OriginatorOrg: cu.nri.co.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CgEUI6UHYjI3gPc0pTRoaP67sbs>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2018 09:12:19 -0000

Good points.

Also, while it may be off-topic, I do see values in implicit flows. In some cases, such as when the AS is inside the firewall or on a localhost (e.g., smartphone), “code flow” is not possible as the client cannot reach the AS directly. Banning implicit (and thus “token id_token” as well) has this repercussion and I would not agree to it.

Best,

Nat Sakimura

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brock Allen
Sent: Friday, November 16, 2018 7:01 AM
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

> It still lacks the ability to issue sender constraint access tokens.

So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)? Resource servers don't know the flow the clients might use, especially if/when they have many clients.

> The AS can bind the lifetime of the refresh tokens to the session lifetime, i.e. automatically revoke it on logout.

Yea, I saw your other email asking about refresh token revocation relating to session management. Obviously for certain clients, this won't make sense, but for implicit/browser-based ones it's a nice feature to have.

The alternative, as you mentioned, is to not issue refresh tokens and do token renewal the "same old way" via iframe with prompt=none, while still using code flow.

> The only potential „baby step“ I would see is to move towards „token id_token“. Since this requires signature/at_hash checks etc. I doubt this is really easier than moving to code and exchange the code for an access token. What’s your opinion?

Even since OIDC arrived, this is the only flow I use for JS/browser-based clients (anything less has always seemed so obviously inferior). So for me and my customers, all browser-based clients I am involved in are already there. Perhaps this is the reason for all of my questions/comments about the recent BCP doc. Given "id_token token", CSP, and using the browser history API to wipe the access token from browser history, we already have a decent set of tools to mitigate attacks. As I already conceded, the only remaining issue (IMO) is the short window of time the access token is in the URL.

Given that it seems to me that OIDC and OAuth2 are typically used together (at least when a user is involved with authentication), I always wonder why the OAuth and OIDC WGs are separate. Given that so much effort of the two sets of specs overlap, it seems odd to keep adding onto the OAuth specs and ignoring the added features that OIDC provides. I don't mean to derail this thread, or step on any political toes, so apologies in advance.


-Brock

v2.23.0 | Report a Bug | By Email