Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

"Brock Allen" <brockallen@gmail.com> Fri, 09 November 2018 20:22 UTC

Return-Path: <brockallen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70DF7127148 for <oauth@ietfa.amsl.com>; Fri, 9 Nov 2018 12:22:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJyVIMf9pO0k for <oauth@ietfa.amsl.com>; Fri, 9 Nov 2018 12:22:16 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC7161293FB for <oauth@ietf.org>; Fri, 9 Nov 2018 12:22:15 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id o125so3889185qkf.3 for <oauth@ietf.org>; Fri, 09 Nov 2018 12:22:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:date:message-id:subject:from:to:cc:in-reply-to :references:user-agent; bh=GL49slKQXmlZBEVguORDHr7bbrFic3yXjs1faydjMEY=; b=VrQkkpeP9/uhyqz5Gv6aATRRqjMCG6VdhYCx3e8zds7Ahgwz+02yFC23MqE5KLDI8q sh6BE+XyQU3gSRlSPjy6qQ71uh6yomZPsGU20tMkKgdeNRV0NR+3MR430S3zjOcrdkcS A677CX0IVQhg6DpCQZPe8hfxDPZg85U4nfZ8yJbQJMvGWfLydlwvgkFiKunN1UtevdyK Nu1rzHI7L9Qti5vvsqZVyqLAWL8yMQg/TEYc+GV2o07g/K88Y7kvhIXaOJ89Eily6ZMm Zsl/oiU+/MDgkKHDkQLWrQRKzbTU9EdwX7RNZkRBNDcTmdG/iAwmJq3BThECS+PLChzi oHlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :in-reply-to:references:user-agent; bh=GL49slKQXmlZBEVguORDHr7bbrFic3yXjs1faydjMEY=; b=r7Slv9spGnC9sOzyN6uQ3UqxYCC+vlUgBXVujeMt5MLLrRutqAKA7HW1sjC2JQxLsD hIbnN0AFx6wMtPho6GAQGQaqT/Ib/SdSO7Md0C0w3K9S85reWhPsyv8h5i3PnuQrbWeV 1eumkMX2sXi+u6tfJrkplYsUPRcs0CNKgFiV3hZoMg+eRt9u2skyF3kRwEim4QVb5FIC XOUTQOuHD8fDXXSlvyzDuHOmvAFicApy5NYvuNhAb/Ln+pdSD412Ejrwx1Z4oOhr7Leq DZ0ld4f0Hg5u2XYOl90EBpw7gkH8Sw12Ox2RN8QM3Y4dgTKrqoDuw8vDtr1EtYrz7XHY heYw==
X-Gm-Message-State: AGRZ1gIjpRswgrDjJnTyneePfB3FwjSH7p3Ml6Nxhf7v9TsSnU4uxWDh ggEejLq9yy31ruweW68CL6Q=
X-Google-Smtp-Source: AJdET5creIQ7CM6bIrKcyImfWCZQwdIrNnaa6ahOo5P26DuImMv5CaU6YsvZeVsFdeUjfXK+NV5ZVA==
X-Received: by 2002:a0c:9359:: with SMTP id e25mr10214616qve.203.1541794934653; Fri, 09 Nov 2018 12:22:14 -0800 (PST)
Received: from [10.0.1.3] (pool-96-253-25-169.prvdri.fios.verizon.net. [96.253.25.169]) by smtp.gmail.com with ESMTPSA id o42sm5022227qtc.90.2018.11.09.12.22.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Nov 2018 12:22:13 -0800 (PST)
Content-Type: multipart/alternative; boundary="----=_NextPart_23549239.598800389680"
MIME-Version: 1.0
Date: Fri, 09 Nov 2018 15:22:11 -0500
Message-ID: <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com>
From: Brock Allen <brockallen@gmail.com>
To: Aaron Parecki <aaron@parecki.com>, Hannes Tschofenig <hannes.tschofenig@arm.com>
Cc: oauth@ietf.org
In-Reply-To: <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com>
User-Agent: Mailbird/2.5.23.0
X-Mailbird-ID: 9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HH9wLwPVCEYohJBW3KLLmIqYWHY>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 20:22:20 -0000

Hello all --

I also have some thoughts/feedback on this document.

Personally I agree with some of the conclusions, but as it stands I think the document's main conclusion that code flow is the real solution is not sufficiently convincing.

I would like to see a brief summary of the current concerns (much like RFC8252 does) so we have context before the document just jumps to what a best practice is. The reason I bring this up is that generally the concept of "best practice" is meaningless without context. I think stating that code flow is best practice without motivation seems somewhat "cart before the horse".

I think just a short blurb about the desire to eliminate the access token from being delivered in the URL, and the current attacks against doing so would be helpful (showing attacks is super important in making this "real"). I guess this would make the most sense in section "4. Overview" prior to the list of "best practice" conclusions.

Section "7.8. OAuth Implicit Grant Authorization Flow" does try to get into specifics, but many of the points seem confused (or at least confuse me) and/or the conclusion that code flow is the only approach seems misleading. For example:

"The Implicit Flow cannot be protected by PKCE [RFC7636] (which is required according to Section 6), so clients and authorization servers MUST NOT use the Implicit Flow for browser-based apps."

This is specious. The threat is the token is in the URL, not that implicit clients can't use PKCE. So perhaps the document should explain the variety of mitigations, not just one? While code flow is one, using CSP and the browser history API to remove the token from the URL is another. Elsewhere in the document the use of CSP is a "SHOULD". That's great, but using CSP can be and is used today, and doesn't necessitate code flow.

"OAuth 2.0 provides no mechanism for a client to verify that an access token was issued to it, which could lead to misuse and possible impersonation attacks if a malicious party hands off an access token it retrieved through some other means to the client."

Sure, but OIDC does provide a mitigation for this (even with implicit). So perhaps it should be offered as a suggestion as well? I did see the point that with code flow id_token validation could instead rely upon the token endpoint, but the client still has other work to do (namely around PKCE). That's just trading one bit of work for another, not a clear cut reason to use one flow over another.

"Supporting the implicit flow requires additional code, more upkeep and understanding of the related security considerations, while limiting the authorization server to just the authorization code flow simplifies the implementation."

As offered by someone else already, this is opinion and not objective. IMO, this diminishes the potential of this document.

"If the JavaScript application gets wrapped into a native app, then [RFC8252] also requires the use of the authorization code flow."

Given how many browser dependencies SPA apps tend to have, is this really common? In all my years building both, I've never seen it.

"Historically, the Implicit flow provided an advantage to single-page apps since JavaScript could always arbitrarily read and manipulate the fragment portion of the URL without triggering a page reload. Now with the Session History API (described in "Session history and navigation" of [HTML]), browsers have a mechanism to modify the path component of the URL without triggering a page reload, so this overloaded use of the fragment portion is no longer needed."

While this section is intended to indicate the existence of the history API is a reason to move away from implicit, it's also what can be used to protect token exposure in the URL, which I think weakens its point. As a section, to me, it seems unnecessary.

The push to a single flow (for consistency) is a marginal motivation, and I agree with that theme in the document.

Much of the other guidance in this document is already covered elsewhere (e.g. RFC6819). I don't know if the goal of the document is to reproduce those existing recommendations (as a contrast RFC8252 does not and mainly focuses on what's unique to the native scenario).

I can't quite tell the real motivation for this "best practice" document. If it's trying to give guidance for browser-based JS apps, then perhaps it should be enhanced to give guidance for the existing implicit flow, as well as suggesting code flow? But if the real motivation is just to kill off implicit flow then more needs to be done, IMO.

Finally, my last real concern (which is why I'm pushing back so much on code flow), is that this implies refresh tokens in the browser. My sense is that given the danger of this, the original OAuth2 RFC (via the implicit flow) was designed to limit the client's ability to obtain new access tokens based on the user's authentication session at the AS (via a cookie). Allowing refresh tokens now means that a successful attacker has unfettered ability to do this (beyond just an access token's lifetime). And yes, CSP is mentioned as a mitigation to protect the refresh token, but it was already necessary to protect the access token, so CSP is not the only mitigation. What's missing is strong guidance for token servers to provide mechanisms to limit the lifetime of refresh tokens for these high risk client scenarios. I have a suspicion that many existing token servers do not have such features, and this would imply more features mandated for the token servers (beyond PKCE for example).

Having said all of these things, I am all for using code flow. I just would like there to be more clear rationale. My comments above were the various counter arguments I was thinking while reading this document, and given how many of these I came up with I was left feeling unconvinced (as I already mentioned).

Thanks for reading this far, and thanks for putting forth the document.


-Brock

On 11/6/2018 5:14:05 AM, Aaron Parecki <aaron@parecki.com> wrote:
Thanks Hannes,

Since I wasn't able to give an intro during the meeting today, I'd like to share a little more context about this here as well.

At the Internet Identity Workshop in Mountain View last week, I led a session to collect feedback on recommendations for OAuth for browser based apps. During the session, we came up with a list of several points based on the collective experience of the attendees. I then tried to address all those points in this draft.

The goal of this is not to specify any new behavior, but rather to limit the possibilities that the existing OAuth specs provide, to ensure a secure implementation in browser based apps.

Thanks in advance for your review and feedback!

Aaron Parecki
aaronpk.com [http://aaronpk.com]



On Tue, Nov 6, 2018 at 10:55 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com [mailto:Hannes.Tschofenig@arm.com]> wrote:

Hi all,

Today we were not able to talk about draft-parecki-oauth-browser-based-apps-00, which describes  "OAuth 2.0 for Browser-Based Apps".

Aaron put a few slides together, which can be found here:
https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf [https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-based-apps-00.pdf]

Your review of this new draft is highly appreciated.

Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
OAuth mailing list
OAuth@ietf.org [mailto:OAuth@ietf.org]
https://www.ietf.org/mailman/listinfo/oauth [https://www.ietf.org/mailman/listinfo/oauth]

--

----
Aaron Parecki
aaronparecki.com [http://aaronparecki.com]
@aaronpk [http://twitter.com/aaronpk]

_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth