IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Browser-based Apps

Brock Allen <brockallen@gmail.com> Thu, 10 August 2023 14:16 UTC

Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55E30C13AE2D for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 07:16:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uxVAW74B8g-x for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 07:16:40 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60AB1C15152E for <oauth@ietf.org>; Thu, 10 Aug 2023 07:16:40 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id 6a1803df08f44-63d03d3cac6so5797546d6.2 for <oauth@ietf.org>; Thu, 10 Aug 2023 07:16:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1691676999; x=1692281799; h=user-agent:references:in-reply-to:to:from:subject:message-id:date :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rOraCgNa2R4Tv/62+zZ3Hc19ZbAFn1Pr6iVn74SS/vo=; b=jMcHrKIjxneRA+2ClLPFhxJimjP3GGwoQXwiiXr/hn5lZgzgoIF7naXifT7mcbM5Qo P4CM1OdgCAZDrgsOJSnhX+eU/2adP+wCiyf82pWCZ2p8HjcgA0NA5DoyI9lq0LRhk88G h8FkuHzTnFhJ6vJs70itTdu6ixOg5RpUE3pgUkH+JhZU/8jldTAz+LDNIC9dCI8B7w7D +zNvJXLcYkP58MMstKsNPc8q5UWRdoahUyjnGcOuWrZ/yEDS6AwFe01M8gSB7p01se3F VX4PB0j35S53w+ZifdLokhZejUwfLtbPM6r8nxW9zGPFC9/PZiGlk0IYT9dagpyEfL8n 4/rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691676999; x=1692281799; h=user-agent:references:in-reply-to:to:from:subject:message-id:date :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rOraCgNa2R4Tv/62+zZ3Hc19ZbAFn1Pr6iVn74SS/vo=; b=HgOj5PvR8oR9yk8lb40ZHmy2AgvkSxdoHlEt6rrMtMogpGkeic8yIi2bzkOWk2fyhO D0UJ65TZRbuhU5q9xFBcM8d1k39xrgRUb5C/pxlnDy9t+O2h5rNS0C5fZ00+az4eFFeK WqhCc8VfQfElky8Xf67JTQ1q2xvXrqgxDW7EbfgRkkHopVXKGw29U22q+N0jZH7YnLzj iFJ9hrnomNmuZFT7KCaZkMDeYYlSOYEnkOc5tZb2pP7b+UtbOpQ9WkmEhTJ94HOvuHUK CHjgRWc01IbquynODMaYCateosjkowDPG0YqjQuOBUIsno4IZSxb0kDVghTiaH45qJdx qO8Q==
X-Gm-Message-State: AOJu0YyuvY/hhr0+5GdceUYu4qmSzN/dStJVIrMnH1OkGpuELLzZCNI9 H3c1zZA0ENBl/p6kXD+XsCtOFl+Jtdaj0A==
X-Google-Smtp-Source: AGHT+IEzzR9+OpbGkRWToBzjPMoDFiH5RZtv7muRwLlTgeYbWpQpv/kb4e/RYoZXjTVxECSLnEy5Dw==
X-Received: by 2002:a05:6214:80c:b0:635:da2a:4706 with SMTP id df12-20020a056214080c00b00635da2a4706mr2430457qvb.15.1691676999164; Thu, 10 Aug 2023 07:16:39 -0700 (PDT)
Received: from [10.0.1.6] (pool-71-117-150-5.prvdri.fios.verizon.net. [71.117.150.5]) by smtp.gmail.com with ESMTPSA id q9-20020a0cf5c9000000b006262de12a8csm508677qvm.65.2023.08.10.07.16.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 10 Aug 2023 07:16:38 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_22796143.757258794744"
MIME-Version: 1.0
Date: Thu, 10 Aug 2023 10:16:38 -0400
Message-ID: <Mailbird-5be7989f-8d0b-49d9-afb7-b5dbdc4085fa@gmail.com>
From: Brock Allen <brockallen@gmail.com>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, oauth@ietf.org
In-Reply-To: <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com>
References: <CADNypP9gdt6NiaiMiqaM3mbjb44dRfECBnSgrkCg0DLa+w1fEg@mail.gmail.com> <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com>
User-Agent: Mailbird/2.9.83.0
X-Mailbird-ID: Mailbird-5be7989f-8d0b-49d9-afb7-b5dbdc4085fa@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Gijcj1p_GaNcgfQYL75dnOVKAtM>
Subject: Re: [OAUTH-WG] WGLC for Browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 14:16:44 -0000

I agree with Philippe here.

If there are already documented attack vectors working around the techniques presented in this document, then I worry it will give people a false sense of security if they follow the guidance contained therein. 

-Brock

On 8/10/2023 2:51:35 AM, Philippe De Ryck <philippe@pragmaticwebsecurity.com> wrote:
In my opinion, this document is not ready to be published as an RFC. 

In fact, I will be at the OAuth Security Workshop in two weeks to discuss exactly this (See "The insecurity of OAuth 2.0 in frontends" here: https://oauth.secworkshop.events/osw2023/agenda-thursday). My hope is that my presentation can spark the necessary discussion to identify a path forward to make the RFC useful for practitioners building browser-based apps.

I don't have the resources available to write a lengthy email detailing my objections. I just want to point out that I've raised these points on the mailing list in the past, and there have been a couple of threads on this very list suggesting how to move this document forward (e.g., identify concrete threat models). I've also given a talk at NDC Security earlier this year (https://www.youtube.com/watch?v=OpFN6gmct8c) about how the security mechanisms proposed in this document fall short. This video has been posted to this list before as well.

Here are a couple of suggestions that I believe would improve this document:

- Clearly identify the danger of malicious JS (exfiltrating existing tokens is only one threat, and the most trivial one at that)
- State the baseline achievable level of security in light of existing XSS vulnerabilities (i.e., session riding, where the attacker controls the frontend)
- Identify different desired levels of security for a client application (e.g., a "public recipe app" vs "eHealth"). Existing work can help, such as the OWASP ASVS levels (https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)
- Define which levels of security certain mechanisms can offer (e.g., RTR for level 1, TMI-BFF for level 2, BFF for level 3)
- Remove unproven and overly complicated solutions (i.e., the service worker approach)

As stated before, I'll be at OSW in London in 2 weeks and would be happy to discuss this further.

Kind regards

Philippe

—
Pragmatic Web Security
Security for developers
https://pragmaticwebsecurity.com

On 30 Jul 2023, at 17:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

All,

This is a WG Last Call for the Browser-based Apps draft.
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html [https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html]


Please, review this document and reply on the mailing list if you have any comments or concerns, by August 11th.

Regards,
 Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email