Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
Dominick Baier <dbaier@leastprivilege.com> Tue, 23 July 2019 08:31 UTC
Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498D1120104 for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 01:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 378JSaiQYGmH for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 01:31:28 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CBAB12007A for <oauth@ietf.org>; Tue, 23 Jul 2019 01:31:28 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id w17so41065154qto.10 for <oauth@ietf.org>; Tue, 23 Jul 2019 01:31:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leastprivilege-com.20150623.gappssmtp.com; s=20150623; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=uj5OBPDzQJ6+tx+qZZoqTGCO69eviTLhGLv6DNa3/88=; b=B5wKHAp0dVq7wLALApZWVeg7GAJB/0cOImQwF3LzN1MCJxDb5k2wxEWfDY1P3GKZHn AyoUGeY1bITYpFtkvZLrXnBI7uYYUcMLMTc3E5uXIwzJpsitwvxit98LyaRyDV6J1xe4 244newneXgu30gFG5CohaWsSvs/DePbOw4dvqdhi46DHm/DsvAj1RKsJHBK6nNTf3aXz KNe6QYv+GaGCatrI41vlWS9bTlgTtvB+hAnWwOxwCFRlcnz0HMIf1zY/3PuDUQFn/Oko MIPdBxy9Yb/U8qBqlWFDOV8oaQ+jWLAIj099Ur5E1GGIUao0BZixyXvHP42UgwdXVVnh p14g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=uj5OBPDzQJ6+tx+qZZoqTGCO69eviTLhGLv6DNa3/88=; b=l47VXptHiyvCj/MW8rZiMcn6wNkvO3d4FfvilEqL5660RsuRg1oyTMe5bpcHzkgSat Mu5O0oALJeSEWNn3itaV/1DTeluQfhB4z2Lad1vz3zGUx9QKWCjfNuKJGwFRyZZNJOFP e5ts2Lkb+v7DZYRBsmoOG+WnZRfWIWcb2uAOM+XFMKfbqV1IbGtJOyfboTM3PDCG9fIk lkNdh58OdWMpLieFwTx3+b/WBGG9ceCumEwmAWbNUUYwRqSIDQpXKzXQ3J5w12oeuJTE +KwUN4nt9oYKrh4yadyk/ofGPen0HaEB3ZmHJEZKfbk4W+UuF5z/pEGd1aTndu0LS3gv lNQA==
X-Gm-Message-State: APjAAAW8GWEB11Lv/LKT483IuOsN7ENLcXp55rfL4zZemW5pgBjO6mNi BqSohIc6qFm0at3M78pCP0uCTM/o6kOjNwuGTA==
X-Google-Smtp-Source: APXvYqxZ3Fh+Qfnb+CHLKTH7RvbTZbJjpEtgGxojoHedF0SuWGaBseBr46B7/xbJxBe1KYiLbULOSDaKXqeji2EPMYM=
X-Received: by 2002:a0c:b192:: with SMTP id v18mr53585537qvd.90.1563870687492; Tue, 23 Jul 2019 01:31:27 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Tue, 23 Jul 2019 01:31:27 -0700
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <7AB72379-075B-411D-B149-3759F16B001A@gmail.com>
References: <CAO7Ng+tyHaKQgJ4PcrcEpMcteqvdH2PE1CQP5j+5DqKJWuKPoQ@mail.gmail.com> <CAO7Ng+sLuLczQYjYX7yHSfVJd7bx5y0RnDofRh_Mb2Se+vA0=A@mail.gmail.com> <DB41BFE8-2123-43B4-9BFB-D548CD96FB72@forgerock.com> <7AB72379-075B-411D-B149-3759F16B001A@gmail.com>
MIME-Version: 1.0
Date: Tue, 23 Jul 2019 01:31:27 -0700
Message-ID: <CAO7Ng+t9dXe1ijNb1eZqAfRMJx6xETp_oFj0SdYXp9FNviAoAA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>, Filip Skokan <panva.ip@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd8ddb058e550443"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GN_oeBPuFD0rK1Vt8jlNJ7qjBTY>
Subject: Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 08:31:31 -0000
Yes it would. ——— Dominick On 23. July 2019 at 10:08:43, Filip Skokan (panva.ip@gmail.com) wrote: Wouldn’t that contradict the security topics BCP? Odesláno z iPhonu 23. 7. 2019 v 9:44, Neil Madden <neil.madden@forgerock.com>: Technically it could be optional, but it means that a CSRF attempt will only be detected by the AS not by the client. If we consider the possibility of a malicious AS, then this could allow Login CSRF attacks against the client. The client would also have to be sure that the AS actually implements PKCE. So I think it’s safer to leave the recommendation as-is. On 23 Jul 2019, at 08:28, Dominick Baier <dbaier@leastprivilege.com> wrote: Forgot one more thing In 7.1 Browser-based apps MUST use the OAuth 2.0 "state" parameter to protect themselves against Cross-Site Request Forgery and authorization code swap attacks and MUST use a unique value for each authorization request, and MUST verify the returned state in the authorization response matches the original state the app created. Isn’t state optional when PKCE is used? thanks ——— Dominick On 22. July 2019 at 08:14:33, Dominick Baier (dbaier@leastprivilege.com) wrote: Hey, Just read the spec - good to see the progress. Some feedback: I am yet undecided if I like the categorisation of the “Application Architecture Patterns”. I definitely want to distinguish between applications only accessing same-site back-end services and “others”. Not sure if “dynamic application server" and “static application server” should be handled differently - they are deployment details and should not decide on the application security architecture. Also not sure how realistic it is to deploy a typical applications solely from e.g. a CDN. But I don’t have the right answer wrt to categories right now. 6.1. Apps Served from a Common Domain as the Resource Server > OAuth and OpenID Connect provide very little benefit in this deployment scenario, so it is recommended to reconsider whether you need OAuth or OpenID Connect at all in this case. I think you are mixing authentication and API access here. Depending on application scenario it makes a lot of sense to use OIDC - but rely on the resulting session to control API access. Unless you want to dive into the details here, I suggest you remove the mention of OIDC because it is misleading. 6.2. Apps Served from a Dynamic Application Server I have a .NET sample for that https://github.com/leastprivilege/AspNetCoreSecuritySamples/tree/aspnetcore21/BFF And a blog post https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/ 9.7 <https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02#section-9.7>. Content-Security Policy A browser-based application that wishes to use either long-lived refresh tokens or privileged scopes SHOULD restrict its JavaScript execution to a set of statically hosted scripts via a Content Security Policy ([CSP2 <https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02#ref-CSP2>]) or similar mechanism. I would rather say that ANY JS app should use CSP to lock down the browser features to a minimal attack surface. In addition, if refresh or access tokens are involved - further settings like disabling inline scripting (unsafe inline) and eval should be disabled. Thanks for doing this work! ——— Dominick _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Feedback on OAuth for browser-based Ap… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Aaron Parecki
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… David Waite
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Leo Tohill
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… n-sakimura