IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Tomek Stojecki <tstojecki@yahoo.com> Tue, 04 December 2018 08:52 UTC

Return-Path: <tstojecki@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4566C128D68 for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2018 00:52:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.798
X-Spam-Level:
X-Spam-Status: No, score=-0.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PW7Pc4r01phh for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2018 00:52:00 -0800 (PST)
Received: from sonic317-36.consmr.mail.ne1.yahoo.com (sonic317-36.consmr.mail.ne1.yahoo.com [66.163.184.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DA9E130E1D for <oauth@ietf.org>; Tue, 4 Dec 2018 00:52:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543913519; bh=R0Dp3bQz42KrLH6OiL7gygTLqCH4a173KEPbADbZEFE=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=WC4enOWOyYtaur2MRjutSIJvKnAdwVvrU3j0lzGck0upWSd99/h1l/j3vVn/FP1/6lfVwGeA/P9QlQ8WxXpSLo4KdUb4zkJd7SKt4UDqerJ82PZVM0i8fh+p6coSsNaNRXh+uu7lNaKL3Uir6I527mL2EgmxRYNubP52Qaq4cSCPV8tph9mkXx9St4OlZZGtnzkLAAC0D5B6pMStvym9xPUkPda+LftMT1e6iVZthsNkFGH8v+QiNYTtMY3Cf34N5/GgDY9TZfkCnDyMhGUvzSznVJP2xgmi7jHhjtynmIyWb9vYKrkPYPT8YLk9jw9391EJFhQWdIpqzdXO4Fs28w==
X-YMail-OSG: rdSLfEAVM1kscUI3SBh4ZQ4eoiCTczAT.jJ.TTVMOP5GuDTorG9T_gPm25_DGNW ivGLbBSlJl73ej8HeQKht.Ujx0lhQCcunVbWFB2yxyFfyHALhNyE9ug1aZruMJsh_Pv9_1J1Pzv_ fB27HzGhixqrfASJLUantENWkuGr8Vo3V06M.6k_w1u33mn2qWlTrSAEqYVYqEUc._W8ugpmFln4 IJ359cnpLSxsrEmnoEDWm2PKt6mIuZtKIU2m9SmL58zTZwOKZobyO7G6bQCsFDsNQxXMBOrmo65v GhR5dHPJxx0RxgoDMISkqR9ulAS5ZQHWtrgts61X7cddmubgjg99pa.Wn0GnYFJGhr3oCPZcyfm1 8lX17n7t8NGbinEjbKfmmDI7G4j.xsDbcTRDfyF6p6vpPDPoYE8kWo14Kn4LrLRoxOX1w6_bEuO. yy7medvdyMd_A1IXa20MQ9A.LGzKB0NEsX6BHxAIN1FP2iVBbHI3IlnPcrsw8sqURtViALpNI.Hi 23v1re6oDnj1_ok_SRd4F5z1fmJxcdLDB255sMbI_EjIU7T7xbXz3eBQeX1MdrfcIKUOsFR0OS8w kpCKYS.5VPBlCJ5YTkC0k8sKka70.AQsDwibu98LAl4pVW38RCVuOfhEV3fSYolVGCe0ND_zOsDs XGXaYfiFvMLaPrHDSM9MUPOAVYOofg1PGlxdsH0a2ZVNqM1qs4qSHZ8pGzWYQQYu1l2q3v..xmin RyWJRv_Uuq1tLr5EATD.gymh8oxBaruOMuG00LCeoIDo1zWd2wpxB1lTJa.6a4dPeMRIaHahpokm eEFBGJkS3Vb6P_2ZRRNqEd0A56vl3340URvLtHiPWoL7DmWttjnEJpynth29pa52cx3Wkr0AVmWB V6UiOUKxfxY59k1lJeqgTU2LawBhwBHMBUps3RdOu.G0X23u7vgZJt2OVQIsEq70hdaSqLmn.usy DEcBx2f65RqJ5hJ.7.VmvopEJTbmJ6TwiCueMxo_EeiDXQApQK6w9X_lLotcknVOiZUHBn7hJY80 2nDL2GUWQRiSRpJjEDAS7gDNaAk2hCiK.Bw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.ne1.yahoo.com with HTTP; Tue, 4 Dec 2018 08:51:59 +0000
Date: Tue, 04 Dec 2018 08:50:04 +0000
From: Tomek Stojecki <tstojecki@yahoo.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Cc: fett@danielfett.de, vittorio.bertocci=40auth0.com@dmarc.ietf.org, oauth@ietf.org
Message-ID: <458858450.1398445.1543913404101@mail.yahoo.com>
In-Reply-To: <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <B857DECA-5457-4E62- A720-437832850680@lodderstedt.net> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: WebService/1.1.12827 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I-ic19YcQ5jl32rMSozm5Br-T1Q>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 08:52:02 -0000

I agree with Vittorio, Dominick et al. 

> I disagree. 

> Existing deployments that have not mitigated against the concerns with implicit should be ripped up and updated.

Yes, just like future deployments that will not mitigate against the concerns of code in the browser should be a concern.

Can somebody on the other side of the argument (and I hate to make it sound like there are two sides, because we're on the same side as far as Implicit's AT in front-channel is a real issue) address Dominic's comment: 

> Also - simply saying “implicit is evil - switch to code” means for most people also using refresh token - so we are treating access tokens in the URL with refresh tokens in session storage (over simplified - but you get the idea).

Does the group agree|disagree that a recommendation to switch to code should be made as long as it is followed by an explanation and guidance on what to do with RTs? The ideas that were floated around 
- Token bound RTs (even though it was pointed out that token binding is still considered an emerging standard). So should the recommendation than say "switch to code and MUST use token bound RTs"?
- Have AS not release RTs. "Switch to code and DO NOT request RTs"? Or switch to code and configure AT to not release RTs for this type of client (not sure what that even looks like in a form of a 3rd party clients)?
- RTs short lived and bound to a session - "Switch to code as long as AT can bind and revoke RTs when you log out"

Sorry if I have missed an important detail from the list above, people who have proposed these ideas, feel free to clarify. 

On Monday, December 3, 2018, 10:51:00 PM GMT+1, Dick Hardt <dick.hardt@gmail.com> wrote: 

I disagree. 

Existing deployments that have not mitigated against the concerns with implicit should be ripped up and updated.

For example, at one time, I think it was Instagram that had deployed implicit because it was easier to do. Once the understood the security implications, they changed the implementation. 

BCPs are rarely a response to a new threat, their are capturing Best Current Practices so that they become widely deployed.




On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are saying here. And that was kind of behind the comment I made, or tired to make, about this in Bangkok, which was (more or less) that I don't think the WG should be killing implicit outright but rather that it should begin to recommend against it. 
> 
> I'm not exactly sure what that looks like in this document but maybe toning down some of the scarier language a bit, favoring SHOULDs vs. MUSTs, and including language that helps a reader understand the recommendations as being more considerations for new applications/deployments than as a mandate to rip up existing ones. 
> 
> 
> 
> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>> We just need to be sensitive to the spin on this.  
>> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited...  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email