[OAUTH-WG] Binding Access Tokens is not enough!
Daniel Fett <danielf+oauth@yes.com> Thu, 22 November 2018 14:42 UTC
Return-Path: <danielf+oauth@yes.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17188130ED9 for <oauth@ietfa.amsl.com>; Thu, 22 Nov 2018 06:42:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yes.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OFoK3gvi3hVt for <oauth@ietfa.amsl.com>; Thu, 22 Nov 2018 06:42:10 -0800 (PST)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEDCB130E46 for <oauth@ietf.org>; Thu, 22 Nov 2018 06:42:09 -0800 (PST)
Received: by mail-ed1-x531.google.com with SMTP id h15so7915825edb.4 for <oauth@ietf.org>; Thu, 22 Nov 2018 06:42:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yes.com; s=google; h=to:from:subject:message-id:date:user-agent:mime-version :content-language; bh=tlSP+0m7tl+9jxX5z8JUmAMjDpkPhGY98ofMF1tCBhc=; b=kDMo022cfVNZRtOJkQBmicrdpwHNVHDWcdsbNvtTd5aCJtkB26iSqIfMg0PT3hxJGF dYr+Qii8NkpJnJuzKcSKhtR+8flH82WQOEraDa0KyDsNYY1tuBJapdoHZk+5lczICdKT lcxz7WdfJ35DdQYPjKOLHEOWNzP4DY074kcCvfdtMWSXwIEjLOPFhYin87xLi8Qsh7+D M072HX40nEThbnE0WF4hy4vybD4HcDQDqxSLHd+OmhRW+Qnn8s9g26RKoMUo3uflNWYU vLkQq7QLR6ARpOZUEoMowi8+ZwL0Z5AfrsCDGUIOvCHlrMgwJibBJzT1NP4Vndcp33jA J29w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language; bh=tlSP+0m7tl+9jxX5z8JUmAMjDpkPhGY98ofMF1tCBhc=; b=ryT8NXHPrLl68DQGoyJnNb8tbvryugb2hXnwu9TVIJTNl4qxiqH3pOEKnQeC7mDJkl ro6Px9jXpvFz9dFQSbx3PVYosUz6zRDhZbTeGPiuDjQ3fp7gIM+JNI6XMTM1P12SYAGG pRpCdW+j/2mIVNO+/nuTxkvMIlKu+5kQFNM6MpX6XYHZtw8DgksRJ3O3p5OCACht5M5j Wlum39h5fB2y6lRW06r5yfYXgvJkZboqTUBWszD3xt7cpVxh0kQLLstM44x+snSxBLA5 AukQ31BGWHjL2Uyqh29TFcH9JHV0TR1c+06vi1sja9p2r7WZy382l0+lQqb9hCLRzDmh WLbA==
X-Gm-Message-State: AA+aEWbSp5/iEHiWMtUx70VKk34dfuhktU0+WXxkCVsKYHgsqAzCNmXh XPZeZEUn192XBmmt4NmDEnjpGXldLwc=
X-Google-Smtp-Source: AFSGD/UX2+xnzCBhw9hcfD06mKcxMUDEg6StCBqDMRGiF/eX5sCrZQ+gDaLIE8AaHlpBZ61Ei0Ja8Q==
X-Received: by 2002:a50:b36f:: with SMTP id r44mr6543092edd.284.1542897727875; Thu, 22 Nov 2018 06:42:07 -0800 (PST)
Received: from [10.3.12.70] ([80.155.34.3]) by smtp.gmail.com with ESMTPSA id e35sm8482105eda.13.2018.11.22.06.42.06 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Nov 2018 06:42:07 -0800 (PST)
To: "oauth@ietf.org" <oauth@ietf.org>
From: Daniel Fett <danielf+oauth@yes.com>
Message-ID: <c3e42d96-ab4f-c9dc-de08-e55c40a95414@yes.com>
Date: Thu, 22 Nov 2018 15:42:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------476A46BFDA9420A85F39158D"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HyRAMaF4W2CrpwCm1oWgLe_ubt8>
Subject: [OAUTH-WG] Binding Access Tokens is not enough!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2018 14:42:12 -0000
Hi all, I would like to discuss a text proposal for the security BCP. Background: Yesterday, Neil pointed out the following problem with binding access tokens using mTLS or token binding in SPAs: "I am talking about scripts from places like ad servers that are usually included via an iframe to enforce the SOP and sandbox them from other scripts. If they get access to an access token - e.g. via document.referrer or a redirect or some other leak, then they still act within the same TLS context as the legitimate client." The problem is that a browser's TLS stack will attach the proof of possession no matter which origin started a request. (This seems like a real downside of token binding - why does it not have the "same site" option that cookies nowadays have?) I prepared the following addition to the security BCP and would like to hear your opinions: "It is important to note that constraining the sender of a token to a web browser (using a TLS-based method) does not constrain the origin of the script that uses the token (lack of origin binding). In other words, if access tokens are used in a browser (as in a single-page application, SPA) and the access tokens are sender-constrained using a TLS-based method, it must be ensured that origins other than the origin of the SPA cannot misuse the TLS-based sender authentication. The problem can be illustrated using an SPA on origin A that uses an access token AT that is bound to the TLS connection between the browser and the resource server R. If AT leaks to an attacker E, and there is, for example, an iframe from E's origin loaded in the web browser, that iframe can send a request to origin R using the access token AT. This request will contain the proof-of-posession of the (mTLS or token binding) key. The resource server R therefore cannot distinguish if a request containing a valid access token originates from origin A or origin E. If the resource server only accepts the access token in an Authorization header, then Cross-Origin Resource Sharing (CORS) will protect against this attack by default. If the resource server accepts the access tokens in other ways (e.g., as a URL parameter), or if the CORS policy of the resource server permits requests by origin E, then the TLS-based token binding only provides protection if the browser is offline." The "summary" above this text reads as follows: "If access tokens are sender-constrained to a web browser, the resource server MUST ensure that the access token can only be used by the origin to which the access token was issued (origin binding). One solution for the resource server to accomplish this is to only accept the access token in an Authorization header (as described in RFC 6750) and to ensure that the active CORS policy prevents third parties from sending Authorization headers. See <xref target="pop_tokens"/> for details." What do you think? -Daniel
- [OAUTH-WG] Binding Access Tokens is not enough! Daniel Fett
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Neil Madden
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Torsten Lodderstedt
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Daniel Fett
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Neil Madden
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Richard Backman, Annabelle
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Neil Madden
- Re: [OAUTH-WG] Binding Access Tokens is not enoug… Richard Backman, Annabelle