IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Browser-based Apps

Dick Hardt <dick.hardt@gmail.com> Fri, 11 August 2023 00:57 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8E7DC15109E for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 17:57:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UYTquKqjd75I for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 17:56:58 -0700 (PDT)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98F53C15109C for <oauth@ietf.org>; Thu, 10 Aug 2023 17:56:58 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-d3d729a08e4so1378414276.3 for <oauth@ietf.org>; Thu, 10 Aug 2023 17:56:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1691715417; x=1692320217; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=K353A2skHFAxB1CyRczea+pz48S1IncTMN2g2rDp+9k=; b=s1+GixcpW6FRcHddzezq1/C8QJZauIZTSyrGQrkP6JW+UVFXZWMfJXsDsWFPyaOaIF B+sGiKNYl4zYzdiQlZNILq0fN7GzWvo2SmHYDJ7jnRQtoArtOq3eT3Gi/C5RlyTYVc5+ oKgoJ1YIwuSMNkJnYRpQxTLMVNm3YWdMjHKn7x9KTG2gHdpzbUS6jxEzdcP8bHhUXsHE Sn9B23nCFIR+GU3hu8Q/jevE2Vgvp44UNtguzOT1clNpyJoZhEvoL2fFAAPGEwmaYTL/ dSaMDFMYXeAqLYdiDytfczQrvHxMl7c2uDCAEO5WTJz7WoV1dwXb+3RCwfWh0eCzmoI+ URGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691715417; x=1692320217; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=K353A2skHFAxB1CyRczea+pz48S1IncTMN2g2rDp+9k=; b=PKtlF0lHVIQRE8axD0cjMvJgg7IdgWnQg4UWhtvIx9mhzgI5L1D7WFLIaJrmuIe9PT kPtCN0DIPbJ5gJpjwWqGqgN8XFHZxJbRDtiV3y+k9AOyjGfPv1kpdZvn0PFLYxkrFPDs m5/04SfA2t1GqamoPpGC2eEo5Fe7yaw2uTf4YcRkpK5XVby0/mCP06TxG8ZqQyY4tNzq boxL4r18ayljKZ1Wv94Ia1k2BMBcZdpkhzxtoZH91/Kz18PqQqxNv/0YW7tvjkXRHvFz JpCey0bAIHKI6Zw94pZZq6lbL2W9wciOnNf3XZSIFmqHFokn4J+YwwMWg1q9/yheqrDo diEg==
X-Gm-Message-State: AOJu0Yxiyg+N7D5C+mqOcp1vwNYz9YK89sTgwm6Dw6Lih6pFRfWR/BcK iV0Ygw/HZurV9ROziSO3UCtnrrtun/l6sS1faKnUgcCKK7u0gw==
X-Google-Smtp-Source: AGHT+IFWbV9zK2G3GdQat4W/eCrRAvYP0ZNNLmoIZ9zk8G00UDhrxbiTM/5QkW/q/1QpiVXZ2WX8ecW8mNB70LueWyI=
X-Received: by 2002:a81:4897:0:b0:579:dfd8:d4b3 with SMTP id v145-20020a814897000000b00579dfd8d4b3mr442994ywa.17.1691715417255; Thu, 10 Aug 2023 17:56:57 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9gdt6NiaiMiqaM3mbjb44dRfECBnSgrkCg0DLa+w1fEg@mail.gmail.com> <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com>
In-Reply-To: <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com>
Reply-To: Dick.Hardt@gmail.com
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 10 Aug 2023 17:56:20 -0700
Message-ID: <CAD9ie-sWpmHRVC_4BvhH4qHKfcLSh3VvhRSwR_FOOPEA4RQLnA@mail.gmail.com>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000081b63f06029b30e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LuwWL-ANXzknZPd5RSDrHeiCOTY>
Subject: Re: [OAUTH-WG] WGLC for Browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2023 00:57:02 -0000

Philippe: would you expand on your comment:

On Wed, Aug 9, 2023 at 11:51 PM Philippe De Ryck <
philippe@pragmaticwebsecurity.com> wrote:

- Remove unproven and overly complicated solutions (i.e., the service
worker approach)


A quick Google on oauth service workers returned a number of articles and
descriptions of using service workers:

https://github.com/ForgeRock/appAuthHelper/blob/master/service_workers.md

https://gaurav-techgeek.medium.com/re-architecting-authentication-with-service-workers-ff8fbbbfbdeb

https://itnext.io/using-service-worker-as-an-auth-relay-5abc402878dd

https://about.grabyo.com/service-workers-jwt-tokens/




On Wed, Aug 9, 2023 at 11:51 PM Philippe De Ryck <
philippe@pragmaticwebsecurity.com> wrote:

> In my opinion, *this document is not ready to be published as an RFC*.
>
> In fact, I will be at the OAuth Security Workshop in two weeks to discuss
> exactly this (See "The insecurity of OAuth 2.0 in frontends" here:
> https://oauth.secworkshop.events/osw2023/agenda-thursday). My hope is
> that my presentation can spark the necessary discussion to identify a path
> forward to make the RFC useful for practitioners building browser-based
> apps.
>
> I don't have the resources available to write a lengthy email detailing my
> objections. I just want to point out that I've raised these points on the
> mailing list in the past, and there have been a couple of threads on this
> very list suggesting how to move this document forward (e.g., identify
> concrete threat models). I've also given a talk at NDC Security earlier
> this year (https://www.youtube.com/watch?v=OpFN6gmct8c) about how the
> security mechanisms proposed in this document fall short. This video has
> been posted to this list before as well.
>
> Here are a couple of suggestions that I believe would improve this
> document:
>
> - Clearly identify the danger of malicious JS (exfiltrating existing
> tokens is only one threat, and the most trivial one at that)
> - State the baseline achievable level of security in light of existing XSS
> vulnerabilities (i.e., session riding, where the attacker controls the
> frontend)
> - Identify different desired levels of security for a client application
> (e.g., a "public recipe app" vs "eHealth"). Existing work can help, such as
> the OWASP ASVS levels (
> https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)
> - Define which levels of security certain mechanisms can offer (e.g., RTR
> for level 1, TMI-BFF for level 2, BFF for level 3)
> - Remove unproven and overly complicated solutions (i.e., the service
> worker approach)
>
> As stated before, I'll be at OSW in London in 2 weeks and would be happy
> to discuss this further.
>
> Kind regards
>
> Philippe
>
> —
> *Pragmatic Web Security*
> *Security for developers*
> https://pragmaticwebsecurity.com
>
> On 30 Jul 2023, at 17:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> All,
>
> This is a *WG Last Call *for the* Browser-based Apps* draft.
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html
>
> Please, review this document and reply on the mailing list if you have any
> comments or concerns, by *August 11th*.
>
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email