IETF Logo Mail Archive

Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps

Filip Skokan <panva.ip@gmail.com> Thu, 25 July 2019 12:11 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB33120163 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 05:11:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJNznhbXUcql for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 05:11:19 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEFB11201EF for <oauth@ietf.org>; Thu, 25 Jul 2019 05:11:18 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id s7so5272388oth.7 for <oauth@ietf.org>; Thu, 25 Jul 2019 05:11:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JcJN8+4hy8GsDenDz9f+Fi+3uhmbpEKzsXmThyWUufo=; b=J2o9A4c6E3SjYc8HEIlQQ6IDy1rQrKyl750YaxJIM9g6QHgF3C//qiTKzgQIvjrw7j E7+uAtR/yNAVO/546Waj8KpGJQsPiH5PjPghnGwkBxMrXwdxhivGTTPEUGxNXIrTQef/ NS6NlwM6sAf7rU+FJHhLrn5JzVek+AwVbm+1IcaZ9i9pWIuoH4YY5eBcDSsIrmxDtUOs VAq2+WQu5bmOME7gKYQ+uTytdm+mpo7IujX77hw043FIyEdrzzTiC5AE+1fDgLtE6r2E ChHMyJkH5Vo7z2ODxLWV2zJZPARKfC5kUYCXA/D2YnfG3zY21lKjxEF34u3QN9wP9fSP 5Dsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JcJN8+4hy8GsDenDz9f+Fi+3uhmbpEKzsXmThyWUufo=; b=GtAxq+rSBaBKtoP7Ui//ATn7qpkf+BsO8eAUp0YHBiYNIa/D6k/PeHPdPlRmWC+iZv GGIpJQeEUwNy/iXJx7FY6fu2McibZrL1BzLD54cwop39A2cGj/iFBKYk1tv1YaDcQiRD 2qkBCsVytsbUAJJok5erO/8mp520ELbi3N07Xo5K4X+husRvx2rriI8VTuIisrJiLjrB GmSTzY8T49y7vCFzGNCRnSzzGN1DUimPL1l6ReFVJmpuoHmB+AW9s25Bf+kUCFw2Tgd8 IYkPTXDow72W6pVYYsaTvfzR1exkwy1SbP6gA6tN9AnijE+QphfDoJDjKaw41+mMlkS7 4iOA==
X-Gm-Message-State: APjAAAVKbSLB2af7kCkd826HEBqd1d6uE/jvsSBQp1U6szXmLO6CLO5d TrWMm5WdWMcJHMbORQsIpGeXjiADjpV+jMk3fA==
X-Google-Smtp-Source: APXvYqwG2BRRiB89mcRBX0dMiNlcEHxs9m55Ps6BYPvLagUagQrlVpgeThMT2ZrT37m+lgILzdNfb2psBWC8W1lpTzc=
X-Received: by 2002:a9d:65da:: with SMTP id z26mr54290184oth.257.1564056678192; Thu, 25 Jul 2019 05:11:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAO7Ng+tyHaKQgJ4PcrcEpMcteqvdH2PE1CQP5j+5DqKJWuKPoQ@mail.gmail.com> <CAGBSGjoexpLjzOcBV+wjH6+CtRROB1ZbPre+7DgfipsO1RgVOQ@mail.gmail.com> <F6536A63-6950-4A05-A35C-B8215BB04277@alkaline-solutions.com> <DC16FB06-32A8-4CF9-999F-FB9F58E67B99@mit.edu>
In-Reply-To: <DC16FB06-32A8-4CF9-999F-FB9F58E67B99@mit.edu>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 25 Jul 2019 14:11:06 +0200
Message-ID: <CALAqi_93ofkHZevrdEfDyhc92S3Oq3oa6WzxsnrSDGifD4eCjw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: David Waite <david@alkaline-solutions.com>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b65aca058e805202"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DNUMU0KYmmalv8mOqxowbzEBR-U>
Subject: Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 12:11:22 -0000

>
> Obviously it can do it on a per-client basis still, but now an AS is going
> to have to know a bit more about the app itself. Perhaps we finally need a
> few more entries in the “application_type” metadata parameter from OIDC’s
> extension RFC7591 beyond “native” and “web”? But we at least probably want
> to point out to AS implementors that this is something they want to
> consider tracking in their data model for clients.
>

I would very much like to see that. native/web possibly in combination with
token_endpoint_auth_method and the client being DCR or "static" is far from
being enough to make a policy decision.

S pozdravem,
*Filip Skokan*


On Thu, 25 Jul 2019 at 13:45, Justin Richer <jricher@mit.edu> wrote:

> This raises an interesting question that I don’t think we’ve addressed
> yet: how to appropriately vary token lifetimes and access for different
> clients.
>
> Previously, an AS could see that a client was using the implicit flow and
> decide to limit token lifetimes or scopes based on that alone. Similarly, I
> know of at least some AS implementations that let you limit what scopes you
> allow under the client credentials grant. The key issue is that if all your
> clients are using the auth code flow (which I agree they should), then how
> does an AS tell the difference in capabilities between incoming clients?
>
> Obviously it can do it on a per-client basis still, but now an AS is going
> to have to know a bit more about the app itself. Perhaps we finally need a
> few more entries in the “application_type” metadata parameter from OIDC’s
> extension RFC7591 beyond “native” and “web”? But we at least probably want
> to point out to AS implementors that this is something they want to
> consider tracking in their data model for clients.
>
> — Justin
>
> On Jul 25, 2019, at 4:04 AM, David Waite <david@alkaline-solutions.com>
> wrote:
>
>
>
>
> On Jul 24, 2019, at 3:03 PM, Aaron Parecki <aaron@parecki.com> wrote:
>
> On Mon, Jul 22, 2019 at 2:14 AM Dominick Baier
> <dbaier@leastprivilege.com> wrote:
>
> <snip>
>
> I would rather say that ANY JS app should use CSP to lock down the browser
> features to a minimal attack surface. In addition, if refresh or access
> tokens are involved - further settings like disabling inline scripting
> (unsafe inline) and eval should be disabled.
>
>
> I'm not sure what to do with this suggestion. It feels like a blanket
> recommendation of enabling CSP will likely be ignored since it's too
> broad, and recommending disabling inline scripts is overreaching
> unless backed up by a specific threat it's protecting against. Did you
> have a particular threat in mind?
>
>
> I would say that browser applications should take measures to harden their
> applications again code injection and arbitrary code execution. Examples
> include eliminating inline script (and limiting embeddable objects as much
> as possible) via CSP, and versioning third party resources via techniques
> like subresource integrity.  Mechanisms such as augmenting the codebase to
> make sure all appropriate user input, data storage, and output properly
> sanitize data may be used - although they may be more expensive to
> implement and audit.
>
> The AS should likewise take into account an application’s overall security
> posture when deciding appropriate policies around delegated authorization
> scopes and token lifetimes.
>
> Best current practices include turning the screws tightly around CSP. But
> it is (theoretically) possible to accomplish the same with brute-force
> sanitization, which has been made simpler with framework support. It is
> still ultimately the AS job to decide which clients have which capabilities.
>
> -DW
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email