Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Brian Campbell <bcampbell@pingidentity.com> Wed, 17 February 2021 22:48 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55FA43A1E06 for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 14:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbzd1JofSifT for <oauth@ietfa.amsl.com>; Wed, 17 Feb 2021 14:48:41 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0256B3A1E00 for <oauth@ietf.org>; Wed, 17 Feb 2021 14:48:40 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id w36so740656lfu.4 for <oauth@ietf.org>; Wed, 17 Feb 2021 14:48:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QqKZX9fRo9/GvuRzYuu7Ucg46z2YSwZxsuwWn67ndRw=; b=QE94mJTAPP3F34e4OA3ZQaAJOLV2efxkkWUiXoyqO9IfcLsG8FagFNLzxwhxB6gNtQ X/WlCffFveDB3po7eA/R/TcS4P/i1GaFyoL1SfaTmtK64yOrFh6nUhM93QvcKJIKoswh +6X7/Li2DQeIUGY3dFuNmVE5jUjhOZiFKtNuFbZhsk76BCGHbiS6hjLfDtI22CohZcvi 64Lle/wvAd4W28chaFcPy7IulfkYsK5HomA2Gw/oehiURnkPJ84EO2EIOwAyqVwgDn2v gTPDUYUX189icj9RGedczIczZaU1e2PHEBE4l5bTtkwtID10FZFmmuUrJKwqsnTMXQmv ipdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QqKZX9fRo9/GvuRzYuu7Ucg46z2YSwZxsuwWn67ndRw=; b=EW47m2VkjPu0a/s2BQ2zQ0Ej+Ye2a2FOZWyz7l9SUw44GTIfHBr6J4NWS7/vjtmd60 U4o2R2muvh2sNWVVe3EegQ2s9bYuY1k5zYCZGGJa9xbYju9FcpZ68kUwcvMn7ym6S8oI r56OD3bqw/dDFF6tq6RKTurq0ZEqjEmEesl5RdWjvzBsDgQzEBQH9ecgUelE/S0b3DL3 UsW6U8gn4a1uK09jJopQPMyGoiMYaWa8tDkB232suGO9bMojqrIet+9LrTvCDKlwVF6F BLQTKzuJb9+yrJyZCVXaLxiL8rGB8/HYFDgZIq1LfUEuDoHuvRcBI1GVSBvgDhqbyIHv VcjQ==
X-Gm-Message-State: AOAM531EGwBIt0xuboU5uFC9qNoqvRPRrUd0YVTgA9sZwLEqDwYT/aEr zV4gDAdYg5ShO+QbJGfmowlB8dYWF1TuKWOguMpGTco37duT+rVm4AYrSEf9q4Rj/m2uVM3jp5J tOah8njjKqujkRQ==
X-Google-Smtp-Source: ABdhPJxtLD1kjlmZb4cf2Ms6HiWsr3TBDb8ezywj6+UdZDP5PoUqKpZ+vYPeUDuinb8ti5MJQXx+KinGviwOBe/PWfA=
X-Received: by 2002:ac2:555b:: with SMTP id l27mr640217lfk.173.1613602118711; Wed, 17 Feb 2021 14:48:38 -0800 (PST)
MIME-Version: 1.0
References: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com> <C741095F-8350-4531-BFA4-4AAE929C08C3@forgerock.com>
In-Reply-To: <C741095F-8350-4531-BFA4-4AAE929C08C3@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 17 Feb 2021 15:48:12 -0700
Message-ID: <CA+k3eCQ7U6Tv9M=1vwPSDA77kezPFPf9nZZ5q0DFjAo8tLaeSA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000018630f05bb900575"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Hrj4wBf85WB3ByRlfgKI2vXCOog>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 22:48:44 -0000
Always appreciate (and often learn from) your insights, Neil. I'd like to dig into the CSRF thing a bit more though to understand better and hopefully do the right thing in the draft. It seems to me that a GET at the bff-token endpoint is "safe" in that it's effectively just a read. There could be a "cache miss" where the backend attempts to use a refresh token it has to get a new access token from the remote AS, which will be more resource intensive but doesn't fundamentally alter the state of the backend so is still "safe". That in conjunction with your pointing to Cross-Origin Read Blocking makes me think your concern isn't so much about traditional CSRF used to take some malicious action but rather about somehow (speculative side-channel attacks, problems with javascript interpreters, other similar vectors that are somewhat beyond me) accessing the data of the response to a forged cross site request. Correct me if I'm wrong. I don't know if or how much the distinction matters in terms of mitigation approach but I'm keen to better understand. It sounds like your preference for only POST rests in an assumption that the larger app will already have in place some CSRF defenses and by using POST the bff-token endpoint will basically inherit said defenses. Or is POST by itself good enough (the CORB writeup seems to suggest that the context in which a POST could be made is more guarded against side channel stuff)? But perhaps then the draft should be more explicit about CSRF defense? Saying it just has to be done. Or like even mandating a non-standard header be in the request, "X-Neil-says-beware-CSRF: yuppers" as a strawman. With such a header it could remain a GET. And I kinda like GET because it is really a request for data. Or perhaps the request should be a POST with built-in CSRF protection by changing it to carry any parameters as JSON in the body with "{}" for the case of no parameters specified? Or just make it a PUT and call it good? Not sure any of these are good ideas but just trying to hash out the most appropriate thing to do. That got a little rambly, sorry. But hopefully it makes some sense. On Sun, Feb 14, 2021 at 1:17 AM Neil Madden <neil.madden@forgerock.com> wrote: > > The combination of the bff-token endpoint recommending the use of GET > requests together with the hint to use cookie-based authentication is > likely going to punch a hole in most CSRF defenses, which assume that GETs > are safe. The only thing preventing this being exploitable is Cross-Origin > Read Blocking ( > https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md) > due to the JSON content-type. That makes me really nervous. We should at > least mandate X-Content-Type-Options: nosniff on that response. I’d feel > more comfortable if this was a POST request only. > > — Neil > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Token Mediating and session Informatio… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Hans Zandbelt
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… George Fletcher
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- [OAUTH-WG] Security of OAuth on Andriod [Was: Re:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Om
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… SOMMER, DOMINIK
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Warren Parad
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Aaron Parecki
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden