IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Justin Richer <jricher@mit.edu> Thu, 06 December 2018 14:48 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16C771271FF for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 06:48:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s3y7QZ-DFbF8 for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 06:48:30 -0800 (PST)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC55130E3A for <oauth@ietf.org>; Thu, 6 Dec 2018 06:48:29 -0800 (PST)
X-AuditID: 12074423-cf3f39e0000053bc-ae-5c0936bb2eea
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 80.86.21436.BB6390C5; Thu, 6 Dec 2018 09:48:27 -0500 (EST)
Received: from outgoing-exchange-3.mit.edu (OUTGOING-EXCHANGE-3.MIT.EDU [18.9.28.13]) by mailhub-auth-1.mit.edu (8.14.7/8.9.2) with ESMTP id wB6EliR4011698; Thu, 6 Dec 2018 09:48:26 -0500
Received: from OC11EXEDGE4.EXCHANGE.MIT.EDU (OC11EXEDGE4.EXCHANGE.MIT.EDU [18.9.3.27]) by outgoing-exchange-3.mit.edu (8.14.7/8.12.4) with ESMTP id wB6ElqqK029225; Thu, 6 Dec 2018 09:48:40 -0500
Received: from W92EXCAS20.exchange.mit.edu (18.7.71.33) by OC11EXEDGE4.EXCHANGE.MIT.EDU (18.9.3.27) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 6 Dec 2018 09:47:09 -0500
Received: from OC11EXPO25.exchange.mit.edu ([169.254.1.53]) by W92EXCAS20.exchange.mit.edu ([18.7.71.33]) with mapi id 14.03.0352.000; Thu, 6 Dec 2018 09:47:29 -0500
From: Justin Richer <jricher@mit.edu>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Thread-Index: AdR/8wsdlCSgLoNZTem+1MxrAorhbwNqXmAA
Date: Thu, 06 Dec 2018 14:47:28 +0000
Message-ID: <6F8AA173-9C30-46C6-892B-CEDA40379916@mit.edu>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [18.9.1.91]
Content-Type: multipart/alternative; boundary="_000_6F8AA1739C3046C6892BCEDA40379916mitedu_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA01Sa0gUYRTtmxl3Z8WRb0dtv1b90fZAJZ+UmET6o8gQooe/zNTJndyl3VV2 VlODMNTykT0VdXF9borbpmSRYom1hOhq9COJrHwrqZiEKBWUNuP4+nM5957DOffjuyRON0qU pNZgYo0GRqeSuBK0zGtf4KtwWUKIZTkkYrjSiUX0/5iXRGMx9ho7iLFa/2BnsXjXY2pWp81k jcHHk1017f2zIH3xetb7tyG5oCerGMhIBA8jS8VHrBi4kjS0Y6jh32dcbHoAGhn9KRWbXoBm ClsJsXkJ0LO1Wy5i08IzvUOYYCaBB1CFPX8de8JQ1J3ncBEwDpVoMt9JCNgDpqDekXreluQ1 arQ64iXCMNTTnCMoCLgfDQzexgVMwUi0UrcGBAkNk1Fr4yFhLIMMKqp7JBEwgLvRL6cdE4MU 6Mt0LSa+DCLr6w+4iL3Q3NSqi2CDoC9aKIgS5Ymoq2xuI0mO+qumiftAYd7hZN4hM++QmXkn HPqjtq5gUbIXlZVMSEXshwqqLRs4Cj3oWyJ2auoAaQO+an1OoJ7R6jg2JZBLYQwG1hgYHqTX moJYdUY7EH5YemJfJ5i7G+sAkAQqN2p2XJpAuzCZXLbeAfaQmMqLKnnDj9wvp6mzNQynSTJm 6FjOARCJqzypXUFkAk2pmewc1pi2SXmThEpB/fWcukjDVMbEXmXZdNa4yfqQpApRY76yBFpu ZFPZrCtanWmbxkiZYO7Gm08e4TUUl87oOW2qyDtBLGmrLKzEycn1urhehwaL+Lpg+c3Xwtam apwmDGkGVqmgPMf5/aBgockwbKWIt417zwMF/2gPiuBPnHbjL38rZ55fAeNX0L3AhBVMzDal zAWSznelpk9jkfHFN9uszaU1spYuTv7Y/1qeWUecdxy0fW1G5ffk1o4LcUldl6qaJmzeDYa4 +tGHR938aqNLQIyl8UxBd/z38m+JM7h3mElZ9mRZETCWlut/+uSS5fm0u0/oqcpz/fIB242a O93ufdrRGGs61TEWrlyssg2vqJ+qCE7DhAbgRo75D9HYn/+2AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OSN5bzjh8SO83VbMZGzhufapAS4>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 14:48:35 -0000

I support the move away from the implicit flow toward using the authorization code flow (with PKCE and CORS)  for JavaScript applications. The limitations and assumptions that surrounded the design of the implicit flow back when we started no longer apply today. It was an optimization for a different time. Technology and platforms have moved forward, and our advice should move them forward as well. Furthermore, the ease of using the implicit flow incorrectly, and the damage that doing so can cause, has driven me to telling people to stop using it.

There are a number of hacks that can patch the implicit flow to be slightly better in various ways — if you tack on the “hybrid” flow from OIDC or JARM plus post messages and a bunch of other stuff, then it can be better. But if you’re doing all of that, I think you really need to ask yourself: why? What do you gain from jumping through all of those hoops when a viable alternative sits there? Is it pride? I don’t see why we cling to it. To me, it’s like saying “hey sure my leg gets cut off when I do this, but I can stitch it back on!”, when you could simply avoid cutting your leg off in the first place. The best cure is prevention, and what’s being argued here is prevention.

So many of OAuth’s problems in the wild come from over-use of the front channel, and any place we can move away from that is a good move.

— Justin

On Nov 19, 2018, at 5:34 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:

Hi all,
The authors of the OAuth Security Topics draft came to the conclusion that it is not possible to adequately secure the implicit flow against token injection since potential solutions like token binding or JARM are in an early stage of adoption. For this reason, and since CORS allows browser-based apps to send requests to the token endpoint, Torsten suggested to use the authorization code instead of the implicit grant in call cases in his presentation (see https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01).
A hum in the room at IETF#103 concluded strong support for his recommendations. We would like to confirm the discussion on the list.
Please provide a response by December 3rd.
Ciao
Hannes & Rifaat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email