Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Thu, 18 February 2021 12:25 UTC

From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <D3446B66-AB3D-4DE0-A731-6E7A3B48735C@pragmaticwebsecurity.com>
Date: Thu, 18 Feb 2021 13:25:40 +0100
In-Reply-To: <35645BCD-A9F5-4A57-9771-836647F08444@forgerock.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com> <C741095F-8350-4531-BFA4-4AAE929C08C3@forgerock.com> <CA+k3eCQ7U6Tv9M=1vwPSDA77kezPFPf9nZZ5q0DFjAo8tLaeSA@mail.gmail.com> <35645BCD-A9F5-4A57-9771-836647F08444@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HkKg5KKCHetqL_3L6CSOz00AzeU>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

> On 18 Feb 2021, at 13:08, Neil Madden <neil.madden@forgerock.com> wrote:
> 
> Thanks for following up, Brian. Responses below.
> 
>> On 17 Feb 2021, at 22:48, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> 
>> Always appreciate (and often learn from) your insights, Neil. I'd like to dig into the CSRF thing a bit more though to understand better and hopefully do the right thing in the draft. 
>> 
>> It seems to me that a GET at the bff-token endpoint is "safe" in that it's effectively just a read. 
> 
> Well it’s a read that returns an access token. It’s “safe” in the sense of side-effects, but we absolutely want to preserve the confidentiality of what is returned and only allow it to be accessed by authorized clients (the legitimate frontend). At the moment the only thing keeping that safe is the JSON content type. For example, imagine a world in which the token-bff endpoint instead returned the access token as HTML:
> 
> <div id="accessToken">abcd</div>
> 
> Then as an attacker I can simply embed an iframe on my site that refers to your bff-endpoint and then parse the access token out of the DOM. The browser will happily load that iframe and send along the cookie when it makes the request.

You are overlooking basic browser security measures like the Same-Origin Policy here. The browser will only allow access to an iframe if it has the same origin as the context accessing the frame. If an attacker embeds this frame in their site, it will be a cross-origin frame, and access will be denied.

FYI, simple CORS requests follow the same security pattern (when headers are missing, browsers do not expose the response). Preflighted CORS requests cover "new features" (i.e., stuff you traditionally could not do with HTML elements) and ask permission before sending a request. 

Also, if you're worried about framing, it's much simpler to require the token endpoint to send "X-Frame-Options: DENY" and "Content-Security-Policy: frame-ancestors 'none'" response headers. This denies framing altogether without going into complicated CORS territory.

Philippe

—
Pragmatic Web Security
Security for developers
https://pragmaticwebsecurity.com/
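As an added example, not code from this thread or from the TMI BFF draft: a small Node.js model of the three mechanisms Philippe's reply relies on, written as pure functions so the scenarios can be exercised without a network. `handleBffTokenRequest` plays the bff-token endpoint (refusing foreign `Origin` values and sending the `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` headers from the reply); `browserExposesResponse` and `frameAllowed` model the browser's Same-Origin Policy / CORS read rule and its framing rule; `isSimpleCorsRequest` classifies a request as "simple" or preflighted per the Fetch specification. `FRONTEND_ORIGIN`, `SESSIONS`, the `bff_session` cookie name, the token strings and all function names are assumptions made for this example; `X-Content-Type-Options: nosniff` and `Cache-Control: no-store` are added hardening the thread does not mention.

```javascript
// Added example, not code from the thread or the TMI BFF draft. Models the
// bff-token endpoint's response policy and the browser rules the reply relies on.
// Assumed names/values: FRONTEND_ORIGIN, SESSIONS, the "bff_session" cookie and
// the token strings are all constructed for this example.

// The BFF serves the frontend, so the endpoint shares the frontend's origin.
const FRONTEND_ORIGIN = "https://app.example.com";

// Constructed server-side session store: cookie value -> tokens held by the BFF.
const SESSIONS = new Map([["sess-1234", { accessToken: "at-abcd", scope: "read" }]]);

// Headers on every token response. X-Frame-Options and frame-ancestors deny
// framing outright, as the reply recommends; nosniff (an addition not in the
// thread) stops browsers from reinterpreting the JSON body as HTML or script.
const HARDENING_HEADERS = {
  "Content-Type": "application/json; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
  "Cache-Control": "no-store",
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Server side: req is a plain {method, headers} object with lower-case header names.
function handleBffTokenRequest(req) {
  const headers = { ...HARDENING_HEADERS };
  const reply = (status, body) => ({ status, headers, body: JSON.stringify(body) });
  if (req.method !== "GET") return reply(405, { error: "method not allowed" });
  // Browsers attach Origin to cross-origin fetch/XHR. A foreign origin is refused,
  // and no Access-Control-Allow-Origin is ever emitted, so a cross-site script
  // never gets a readable response. A framed GET navigation carries no Origin
  // header; that case is covered by the anti-framing headers instead.
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== FRONTEND_ORIGIN) {
    return reply(403, { error: "cross-origin request refused" });
  }
  const session = SESSIONS.get(parseCookies(req.headers.cookie).bff_session);
  if (!session) return reply(401, { error: "no session" });
  return reply(200, { access_token: session.accessToken, scope: session.scope });
}

// Browser side, Same-Origin Policy plus CORS: a script at requesterOrigin may read
// the body only if it is same-origin, or the response opts in to that exact origin
// (credentialed requests also need Access-Control-Allow-Credentials: true).
function browserExposesResponse(requesterOrigin, response) {
  if (requesterOrigin === FRONTEND_ORIGIN) return true;
  const h = response.headers;
  return h["Access-Control-Allow-Origin"] === requesterOrigin &&
         h["Access-Control-Allow-Credentials"] === "true";
}

// Browser side, framing: CSP frame-ancestors takes precedence over X-Frame-Options.
function frameAllowed(embedderOrigin, response) {
  const csp = response.headers["Content-Security-Policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("frame-ancestors"));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && embedderOrigin === FRONTEND_ORIGIN) return true;
    return sources.includes(embedderOrigin);
  }
  const xfo = (response.headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === FRONTEND_ORIGIN;
  return true;
}

// CORS "simple" request test (Fetch spec): only these methods, and only headers a
// script may set without triggering a preflight. scriptHeaders is what the page's
// fetch() call sets; browser-managed headers such as Cookie and Origin do not count.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function isSimpleCorsRequest(method, scriptHeaders) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(scriptHeaders)) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) return false;
    if (lname === "content-type" &&
        !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return false;
  }
  return true;
}

// Walk through the scenarios discussed in the thread.
const legit = handleBffTokenRequest({ method: "GET", headers: { cookie: "bff_session=sess-1234" } });
console.log("frontend reads token:", legit.status === 200 && browserExposesResponse(FRONTEND_ORIGIN, legit));
console.log("attacker script reads token:", browserExposesResponse("https://attacker.example", legit));
console.log("attacker iframe renders endpoint:", frameAllowed("https://attacker.example", legit));
console.log("GET with Authorization header is simple:", isSimpleCorsRequest("GET", { Authorization: "Bearer x" }));
```

To wire this into Node's `http` module, pass `req.headers` (already lower-cased by Node) and `req.method` to `handleBffTokenRequest` and emit the result with `res.writeHead(status, headers)`; the browser-side functions exist only to make the Same-Origin Policy and framing behaviour explicit and testable.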