Re: [OAUTH-WG] Google's use of Implicit Grant Flow

Aaron Parecki <aaron@parecki.com> Fri, 17 February 2017 18:05 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0D35129631 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:05:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGCHYkpK910j for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:05:30 -0800 (PST)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45282129B08 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:05:30 -0800 (PST)
Received: by mail-it0-x22a.google.com with SMTP id g67so23404332itb.1 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:05:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IibxqxLOjBTg6WVyU7qCfmYPT0dO9KuTtkKpaHJmZYQ=; b=F5czkaVoWl9BEFjS+vVPUNuGxQFecgwlLOU1g/aGnuIhI/+LFldyX2eQVgG8ITWKjc 4NnStitZyQD+qltqCodpIGJcCQWyYJSxQTxpxNtkKZKw0l+4Dr1vvVJQANFW6XmZRvKM ErF92RfeZmjaMGjYZZiZrdxZBgEBx3DPUpjhlv/z1e1RCrqzbxfeT9kZSultk/P1xkH1 eBMQsJDwrpd6xq++vtk4XhTrQMIL4+nyKQpRvkyfD6PpcMztTuogy5QY2Cee+T93SUGL MNniNVgYtt+yoJ52oIh6OkpJwrqQ22glfVjPbqKw3UUqiwEAPcBxPCPHzhMBCS7jVeL4 no2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IibxqxLOjBTg6WVyU7qCfmYPT0dO9KuTtkKpaHJmZYQ=; b=mMKvAoOdDiDMaDH4t8c6JYX/uxym4tZrt37bPJ9Q/EnTVAQsn5qGPXqvspRks7y9uO z8Sjre6094rH1eI6mqvyqr+WYRpTcdYUmX1aZ+cCoaMtSh0ChfMxS3AWWp24krHYuyFQ vVlDYkcFGrZtE8KS/Qa7rxTvX8/QHdztB5SZgdtgex7xAq+ccfob4kKwG1zOZMrsYz9d 2W0Du6cebuLKezG1jTunvb1ZtPWjXutgjQ2//0OIK6TBgdJbxjswnR5OJgbGTPZQU4Hy irxgflbU5snl8jK1iYgwtV1E7NmQdE15cCc/PCuJocY4MgalRNo/JzhOJntdlqpVNh+p YINg==
X-Gm-Message-State: AMke39nenqZcpIA1ns7PrF8oX3KLh/0t9UuKzfvK+Gb6ubTD15pl/aH9016aego6Jej5rw==
X-Received: by 10.107.14.78 with SMTP id 75mr7598791ioo.76.1487354729405; Fri, 17 Feb 2017 10:05:29 -0800 (PST)
Received: from mail-it0-f47.google.com (mail-it0-f47.google.com. [209.85.214.47]) by smtp.gmail.com with ESMTPSA id o26sm4984579ioi.4.2017.02.17.10.05.28 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 10:05:28 -0800 (PST)
Received: by mail-it0-f47.google.com with SMTP id g67so23403630itb.1 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:05:28 -0800 (PST)
X-Received: by 10.107.200.70 with SMTP id y67mr7929341iof.73.1487354728394; Fri, 17 Feb 2017 10:05:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.183.81 with HTTP; Fri, 17 Feb 2017 10:05:27 -0800 (PST)
In-Reply-To: <CAO7Ng+uDJ8CoxMN3XsgFCMpwvsN+_yBZ3GkDBquH6wcmtPs5Gw@mail.gmail.com>
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com> <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com> <9f795a60-5345-61b6-356a-cc871164ba8d@manicode.com> <CAOahYUyR3pG_Ae7OH-XVevh-STSz5Z_7EvBv+NQ58Lw5cOLvEg@mail.gmail.com> <CAO7Ng+uDJ8CoxMN3XsgFCMpwvsN+_yBZ3GkDBquH6wcmtPs5Gw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Fri, 17 Feb 2017 10:05:27 -0800
X-Gmail-Original-Message-ID: <CAGBSGjrfehZdAzWdEVLzBr+kMv83ZtCZzGD+BEZuHPnLrt2UGQ@mail.gmail.com>
Message-ID: <CAGBSGjrfehZdAzWdEVLzBr+kMv83ZtCZzGD+BEZuHPnLrt2UGQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Content-Type: multipart/alternative; boundary=94eb2c0c0b823dd51f0548bdc256
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/O0flAkHkxX-Dn2uat5iTYFDnMWs>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 18:05:33 -0000

Can you describe the aspects that make a JS client library "solid"? This is
what I think would be useful to see written up in a document like the
Native Apps one.

It's interesting to me that so many of you have independently opted to use
the auth code flow for Javascript apps. I think that's a sign that it's a
better recommendation than the implicit flow for JS apps.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>


On Fri, Feb 17, 2017 at 10:02 AM, Dominick Baier <dbaier@leastprivilege.com>;
wrote:

> Given a solid client library for JS, I think implicit flow is OK to use.
>
> But I agree that there are many “home grown” implementation out there that
> are not secure - and the necessary JS code to write a good client is not
> necessarily the “pit of success”.
>
> You should give this lib a go (it’s also a certified RP):
>
> https://github.com/IdentityModel/oidc-client-js
>
> Many people argue that handling the protocol and crypto pieces in JS is
> problematic (and I agree if no proper lib is used for that) - but at then
> end of the day the access token will end up in the browser - and a sloppy
> developer (e.g. not using CSP) will always write bad code that might lead
> to leaking a token.
>
> -------
> Dominick Baier
>
> On 17 February 2017 at 18:43:25, Adam Lewis (adam.lewis@motorolasolutions.
> com) wrote:
>
> +1000
>
> We are currently going through internal turmoil over the usage of implicit
> grant for ua-based apps.  The webapp case is well understood and the WG has
> work in progress to define best practices for native apps.  Having one for
> ua-based apps would be HUGELY beneficial
>
>
>
> On Fri, Feb 17, 2017 at 11:40 AM, Jim Manico <jim@manicode.com>; wrote:
>
>> Thank you to those answering my question on implicit for JS clients.
>>
>> The responses so far seem to represent what the security world is saying
>> about the implicit grant - keep away from it other than for a few OIDC use
>> cases.
>>
>> Does anyone think it would be valuable to author a brief RFC to give
>> clear OAuth 2 recommendations for JavaScript client developers?
>>
>> I mean - the OAuth 2 body of work just needs a few more RFC's, right? :)
>>
>> Aloha, Jim
>>
>>
>>
>> On 2/17/17 6:03 AM, Sebastian.Ebling@telekom.de wrote:
>>
>> Same for Deutsche Telekom. Our javascript clients also use code flow
>> with CORS processing and of course redirect_uri validation.
>>
>>
>>
>> Best regards
>>
>>
>>
>> Sebastian
>>
>>
>>
>> * Von:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *Im
>> Auftrag von* Bill Burke
>> *Gesendet:* Freitag, 17. Februar 2017 00:14
>> *An:* oauth@ietf.org
>> *Betreff:* Re: [OAUTH-WG] Google's use of Implicit Grant Flow
>>
>>
>>
>> For our IDP [1], our javascript library uses the auth code flow, but
>> requires a public client, redirect_uri validation, and also does CORS
>> checks and processing.  We did not like Implicit Flow because
>>
>> 1) access tokens would be in the browser history
>>
>> 2) short lived access tokens (seconds or minutes) would require a browser
>> redirect
>>
>> I'd be really curious to hear other's thoughts though.
>>
>> [1] http://keycloak.org
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__keycloak.org&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=YExyuyZO5YNpSvS3mEUG5pjKAjRXXVT8Xvk8hIb-Efw&e=>
>>
>>
>>
>>
>>
>>
>>
>> On 2/16/17 5:44 PM, Jim Manico wrote:
>>
>> Hello Folks,
>>
>> I noticed that Google supports the OAuth 2 Implicit flow for third-party
>> JavaScript applications.
>>
>> https://developers.google.com/identity/protocols/OAuth2UserAgent
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__developers.google.com_identity_protocols_OAuth2UserAgent&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=_Mig-zmCt1y9dZpCece1dqby3VmcZVOu2JPcmAwzwKU&e=>
>>
>> Isn't this generally discouraged from a security POV? *Is there a better
>> OAuth 2 flow for third party SPA applications?*
>>
>> Aloha,
>>
>> --
>>
>> Jim Manico
>>
>> Manicode Security
>>
>> https://www.manicode.com <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=>
>>
>>
>>
>>
>> _______________________________________________
>>
>> OAuth mailing list
>>
>> OAuth@ietf.org
>>
>> https://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=>
>>
>>
>> --
>> Jim Manico
>> Manicode Securityhttps://www.manicode.com <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>