Re: [OAUTH-WG] Confusion on Implicit Grant flow

John Bradley <ve7jtb@ve7jtb.com> Tue, 10 February 2015 17:12 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B8CA1A9148 for <oauth@ietfa.amsl.com>; Tue, 10 Feb 2015 09:12:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LP0iHDA6pNBL for <oauth@ietfa.amsl.com>; Tue, 10 Feb 2015 09:12:10 -0800 (PST)
Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCB251A9123 for <oauth@ietf.org>; Tue, 10 Feb 2015 09:10:14 -0800 (PST)
Received: by mail-qc0-f171.google.com with SMTP id l6so11242520qcy.2 for <oauth@ietf.org>; Tue, 10 Feb 2015 09:10:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=KTDKji58opzKSdk2bodaqSCt8JoMdli0o0M5YA+sWVM=; b=CEdKZ4TGLKcIGGRrRCm6QoZpOlKYxtDwsBjzAF2fwO6hALLPy120ZaXOqW4Tokq5c+ NKislIUXrGtI/Q7Z/+cRAO2dEAZ78Co6IafS54JnHnkYeDJW7bO2XO3W4WW6+Z4VHuI6 jYU3xc782asCyR2h0vklqY4wf6B78fxX9Q5Pliy+bRJA2or5VvBm8I6wecMrSACV6Ipc PNkV5Pq1ojWF3reDpGp9J6a8Z6wVJ8WN3G8wDYw0S3F4C7p6xp6e3OLOw9mR2VnvqQha zhVJ/zpqFx2yxzNbN2i44v7AAWERmAoJljspeXSG7CinEy60kxxogdWJLKjpcKDqV6kN RuFg==
X-Gm-Message-State: ALoCoQkQFnUqQ4srBDJCA1fVrye3bd9rzBh24JRyt7Ntz1laytLPq0y1OQ/4yVl9yhZNorWhidG+
X-Received: by 10.224.28.70 with SMTP id l6mr23346321qac.77.1423588213497; Tue, 10 Feb 2015 09:10:13 -0800 (PST)
Received: from [192.168.8.101] ([181.202.146.189]) by mx.google.com with ESMTPSA id m10sm15863138qat.7.2015.02.10.09.10.10 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 10 Feb 2015 09:10:12 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_FE78E31C-C0DF-40F6-A1DD-2408EB63A6C7"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BLUPR04MB6914D0257B18CDBE1A9909395240@BLUPR04MB691.namprd04.prod.outlook.com>
Date: Tue, 10 Feb 2015 14:10:07 -0300
Message-Id: <5078C62F-DB84-435E-858E-D72013BE6BBA@ve7jtb.com>
References: <BLUPR04MB6918C7701D0DB90B0FA6B0D95380@BLUPR04MB691.namprd04.prod.outlook.com> <CANSMLKFMUQsBfOo=i0ki8PF_8PjRf7W3t=PiPo7qnftN9gUyWg@mail.gmail.com> <54D91317.9010101@redhat.com> <1E340378-2D34-4AC8-906C-415EF025068E@ve7jtb.com> <54D91D87.8040303@redhat.com> <FD337176-C292-4688-9CFA-A3C7DF40FCA2@ve7jtb.com> <54D924CB.6070504@oracle.com> <3B0DDA4D-F540-4E23-9842-275532F7405F@ve7jtb.com> <BLUPR04MB6914D0257B18CDBE1A9909395240@BLUPR04MB691.namprd04.prod.outlook.com>
To: Adam Lewis <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Ngvb00tfTZsLInh5ilzxO1DNFqk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confusion on Implicit Grant flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 17:12:22 -0000

Inline
> On Feb 10, 2015, at 1:12 PM, Adam Lewis <Adam.Lewis@motorolasolutions.com> wrote:
> 
> Hi John,
>  
> What do you mean by the app that is “already loaded and cached in the browser?”  Where did this app come from initially?  Is this what comes from the web-hosted client resource in step D/E of section 4.2?  So the first time D/E *will* flow over the wire, and in all subsequent requests it will be cached? 

Yes the web hosted client resource is typically the same JS code that is creating the Authorization request in A.   Now that you mention it the diagram in 4.2 is ambiguous about where that request comes from , the fact that it is coming from the browser implies that it is a JS CORS type request.

In some cases you might have a webserver invoke it via a 302 redirect and load a new JS app from the redirect URI.
 
The important thing is that the fragment is not sent to the server on the call that loads the JS even if it is not cached.  

The thing people do (facebook and others) that is twisting implicit in my opinion is having the callback URI just load a JS snipppet that extracts the token and posts it back to “Web hosted client resource”
Those applications should be using the code flow. 


>  
> And with respect to the web hosted client resource, is this a resource deployed by the same domain as the RS to facilitate the deployment of user-agent-based apps to access the APIs exposed by that RS?

The hosted client resource is typically a AJAX/AngularJS application that doesn’t want to swap out it’s context by doing a full 302 redirect to the AS.  

The AS and RS could be completely separate from the client.

However it is not uncommon for people developing AngularJS apps to protect the API that they use with OAuth, in that case they may all be from the same domain.

It might be that a sophisticated app may have multiple tokens for different API across multiple providers.

John B.
>  
>  
> adam
>  
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Monday, February 09, 2015 3:31 PM
> To: Prateek Mishra
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Confusion on Implicit Grant flow
>  
> Typically the implicit callback JS is part of the application that is already loaded and cached in the browser.
>  
> The implicit flow doesn’t depend on on the fragment not being re-appended to the resource location URI in the 302.  It would admittedly be more secure if that didn’t happen.  
> Re-appending the fragment is the correct browser behaviour according to the W3C.
>  
> I still think you are farther ahead with that than leaking the code in the referrer.
>  
> Implicit if done correctly has the token in one leg.  code on the other hand has the code in 4 legs and the token in one.
>  
> It is having the JS make the exchange of code for the AT without a secret that is the problem in my opinion.
>  
> If the client is a server that is doing the code -> token exchange then the answer is different, but the question was for a JS only client.
>  
> John B.
>  
>  
> On Feb 9, 2015, at 6:21 PM, Prateek Mishra <prateek.mishra@oracle.com <mailto:prateek.mishra@oracle.com>> wrote:
>  
> The implicit flow depends upon a subtle and little known aspect of browser behavior - that the URI fragment component isn't propagated across redirects. 
> 
> I havent checked this recently - but I am aware that several folks have found that some browser versions dont comply with this requirement.
> http://weblog.bulknews.net/post/85008516879/covert-redirect-vulnerability-with-oauth-2 <http://weblog.bulknews.net/post/85008516879/covert-redirect-vulnerability-with-oauth-2>
> 
> The additional round-trip issue is also unclear. The implicit flow requires an additional redirect (round-trip) to retrieve JS which retrieves the access token from the fragment URI. 
> 
> How is that different from a HTTPs callback to exchange the access code for the access token?
> 
> - prateek
> 
> 
> You are passing code in a query parameter, and without a secret that is more likely to be leaked than sending token in the fragment directly from the authorization endpoint to the browser JS in a fragment.
>  
> You have several extra round trips for no security benefit.   In your case the code in the query parameter goes from the browser to the redirect endpoint then must be sent back to the browser, and then to the token endpoint.
>  
> So yes using code for that is less secure.
>  
> Both rely solely on the registered redirect URI for security, but implicit has fewer hopes and is more friendly to JS.
>  
> John B.
> On Feb 9, 2015, at 5:50 PM, Bill Burke <bburke@redhat.com> <mailto:bburke@redhat.com> wrote:
>  
> If you don't have a client secret, why is Javascript-based auth code grant flow more risky?  We also require SSL and valid redirect URI patterns to be registered for the application.  The code can only ever be sent to specific URLs and can only be used once.  CORS origin validation is also an extra step we do to ensure a rogue javascript app isn't making any code-to-token requests.
>  
> I'm just trying to figure out if we missed anything...
>  
> On 2/9/2015 3:16 PM, John Bradley wrote:
> If you don't have a client secret, or are storing the the client secret in the Javascrypt, then you are probably more at risk using code than implicit.
>  
> Implicit is risky because running a OAuth client in the browser is risky.  Using code in that case makes it no better, and arguably worse.
>  
> Perhaps I don't understand the environment.
>  
> John B.
>  
> On Feb 9, 2015, at 5:05 PM, Bill Burke <bburke@redhat.com> <mailto:bburke@redhat.com> wrote:
>  
> Due to the security risks of implicit Grant flow, our Javascript adapter only supports  Auth Code Grant flow.  Our IDP has an extra step of allowing you to specify a valid CORS origin for an application.  Anybody see any problems with this kind of approach?  Implicit Grant Flow just seemed really risky to even support as a protocol.
>  
>  
> On 2/6/2015 4:40 PM, Josh Mandel wrote:
> Hi Adam,
>  
> I'm not 100% sure what you're envisioning as an alternative to the
> implicit flow, but if I'm reading between the lines of your question
> correctly, there are two key parts to the answer, because the implicit
> flow is designed to accomplish two key goals (vs. the authorization code
> grant):
>  
> 1. Shave off one round-trip HTTP request (the step of exchanging a code
> for a token)
> 2. Avoid unnecessarily leading the token to the client's back-end web server
>  
> Goal 1 is straightforward. For goal 2: OAuth2's implicit flow takes
> advantage of the fact that a URL's "#hash" is not sent to the server
> with an HTTP request. By embedding the token in a "#hash", it won't
> inadvertently appear in server logs, for example. So with the implicit
> flow, I can (for example) statically host a browser-based app at Amazon
> S3 without having access tokens leak to Amazon. (Of course, if your
> threat model includes a compromised server, then bets are off on this
> point.)
>  
> Hope this helps,
>  
>   -Josh
>  
>  
>  
> On Fri, Feb 6, 2015 at 1:27 PM, Adam Lewis
> <Adam.Lewis@motorolasolutions.com <mailto:Adam.Lewis@motorolasolutions.com>
> <mailto:Adam.Lewis@motorolasolutions.com> <mailto:Adam.Lewis@motorolasolutions.com>> wrote:
>  
>    Hi,____
>  
>    __ __
>  
>    Having spent most of my time with native apps and web apps, I now am
>    looking at use cases where I need to implement a user-agent-based
>    app.  The Implicit flow seems to be optimized for this.____
>  
>    __ __
>  
>    To test my understanding, this flow is for a JavaScript client (or
>    similar) executing within a web browser.____
>  
>    __ __
>  
>    At step (a) the client directs the UA to the authorization server,
>    but the authorization server redirects the UA to a web-hosted client
>    resource.  Why?  It says so that the web-hosted client resources can
>    push javascript (or other) back into the UA so it can extract the
>    access token in the fragment; but some sort of javascript is already
>    running in the browser, since it initiated the authorization request
>    in the first place.  So why this extra step?  Why not treat the
>    javascript client running in the UA like a native app and handle the
>    redirect uri?____
>  
>    __ __
>  
>    I know this was well thought out when the spec was written, so
>    trying to figure out what I’m missing?____
>  
>    __ __
>  
>    __ __
>  
>    __ __
>  
>    Tx!
>    adam____
>  
>  
>    _______________________________________________
>    OAuth mailing list
>    OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
>    https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>  
>  
>  
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>  
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com <http://bill.burkecentral.com/>
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>