[OAUTH-WG] Review of OAuth 2.0 for Browser-Based Apps

Mike Jones <Michael.Jones@microsoft.com> Sat, 22 February 2020 00:48 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5BA81200E5 for <oauth@ietfa.amsl.com>; Fri, 21 Feb 2020 16:48:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWKlTlYxaWOM for <oauth@ietfa.amsl.com>; Fri, 21 Feb 2020 16:48:27 -0800 (PST)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650090.outbound.protection.outlook.com [40.107.65.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D92C912006B for <oauth@ietf.org>; Fri, 21 Feb 2020 16:48:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=b8X3cHYHY8ZaRaMkE9JzQQ7Ew24s2ZRB1xcsYAkkH3WGChmLrmjlVc7SLOMC1TkLfE5p79rSFpE28wZHWa0+N8SE3q0u5bnix64aKbwwqAnHOStSjUhwOPGE9AQhitAiP2zKo84qlwmy4aZfBFcv8G1j1VYDHa9FNwAOnrD8s8ccJhaskFUMRg9lZXK6LiJZVtrftyZt+0RVJIZdajFrdoVd5qBLBaC+l2RBJUjgYcEInusa3rjuP5AaZUEMMWaGkfhdeZTdkteSKmjbIfKyLZOTkk4CBJb6dnvceTcMQwm6Drm6z0A3reNkE4F6fC6fvsuL/y/H8FlLJJz/H6pGCA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jrgiLXQBbvGMfR63jBtGeEn9X5pLdiCQqql0ZfL0c18=; b=HjeL4vvlhG42CJnf2d/FgFCpIrsVCuSgZX1h3mgHRa98fK+vFnXfgJyYuMRXA29/Z14ivbEKaw0aVq3k504xBO+aNooQvj1LExOMU4nnkCIfI7dVAYubnMNByhowUJICw6g7FvTzE8UBxZfs4P9xo+p8tz8azFycBCtEmZOaEl9hn+HY83ljFGR9+9KTi7nGN5nQ0CtS/4oIMVkZLPd8cWdge+ptmpP2MgXNnNtjQLAj/SxOxGXIzY0i27S4c4dZxXEf2qMmYKNba/HzSItNPT7tlKkAnhQ+mbQUxSAiPhIfC11GhJySXoV/hyt9Ux4Fki+7cQq4aSNyWSarT3wtfw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jrgiLXQBbvGMfR63jBtGeEn9X5pLdiCQqql0ZfL0c18=; b=d2rh+Mi6NtPOfDLP/rgvELhPmIAWJ2hZxUoQB7rhT8WyKXXDO6M6mm+oy3Df8DhOCnvdjaANBZLVaBg82y3yq1s1IOJSh0i35KLrkOBKxbX2wKOTscMQ2eMvUsFi11YK2ecXdlxsVqR7LhMQGgDde8yy4tKSQs9mbzcwcXdTrn4=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by MN2PR00MB0559.namprd00.prod.outlook.com (2603:10b6:208:fd::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.0; Sat, 22 Feb 2020 00:48:24 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2522:39b3:eb98:cc8c]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::2522:39b3:eb98:cc8c%8]) with mapi id 15.20.2798.000; Sat, 22 Feb 2020 00:48:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Review of OAuth 2.0 for Browser-Based Apps
Thread-Index: AdXpGM+nGzW/fwd2T9Cfwtta/NQoZg==
Date: Sat, 22 Feb 2020 00:48:24 +0000
Message-ID: <MN2PR00MB0686B2736AFC453F5794F099F5EE0@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=88131d1e-6535-418d-a91e-000059587b56; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-02-22T00:40:39Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:0:b0d0:4afa:31da:9bf7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: ce96bddd-3fa7-4204-e354-08d7b730ec0a
x-ms-traffictypediagnostic: MN2PR00MB0559:
x-microsoft-antispam-prvs: <MN2PR00MB0559A2B3426D0AF664E0A826F5EE0@MN2PR00MB0559.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03218BFD9F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(396003)(346002)(376002)(39860400002)(136003)(366004)(189003)(199004)(30864003)(52536014)(5660300002)(186003)(8676002)(33656002)(66946007)(6916009)(6506007)(66446008)(64756008)(66556008)(66476007)(81166006)(76116006)(8936002)(4326008)(81156014)(54906003)(316002)(10290500003)(7696005)(478600001)(9686003)(8990500004)(2906002)(86362001)(71200400001)(66574012)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR00MB0559; H:MN2PR00MB0686.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0PiRiz0X2sw5wujEsvq3eV3K7lJ6gDCJFjrkHVdmMgx94RZ1BJnssxlqZ/76MDdq/brsn21WBuO/wRqOuXIejDesYNBIo3Yk5qeCPsG778OZRRSQ+VmFvZVWy9COgbDVf0IovopwoS3Qo/zP7nOdRb53Ms8n389tXn8e826iI865OI9OkARfFCTpfbXVxezRPIlvaSc5zagedK0zES0W8zZlgdivEKX4RQzggPN6VMX5GNyVXSPQuPn86hFehks7ElzJNIOFndW0QSakcHDIboGKomh9PLIwNC/pRex9bVutqYDRf+dOTuRdVBL+cpgb+MdmnpgMzaGeM+djzg2eF4X8Ddd6o8/elLwpOD4U/rRXIPAIEpOoAS3+XmhYbhAfE8fJHgMmngYsoMZ5as9u8Xr6J3TkiBhfFnDQPovXXZlIuU27/1Mo/PKUKxVTXZFKf5hEizxwxy8Zxw9Dj0Ixk0xsQYBVPAm4/r2PqmNmZRZSAB6E39RI4Lptsn8PFAcnp/y7hjtE//ngvljRnWdFUQ==
x-ms-exchange-antispam-messagedata: crmOGICAfW+pvxKtO9PIvjPmUdahnozisiA3YWu+Y7zGVMoEJa4IjaKYTijHDl3FPkLgQ8lBkmAkBtHfOr9ekYJgsUrlVu9QrSz1gik6/YWVp1srjue0a2Up7TXTzJeMA3BlMg8rz8ilJKgxq9hrDUzVmgV5MLadnMO791p1ze/0k/wA59AUAhudEaUZdIY1VXTRPwYuj/ijhgTG6CRS4Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB0686B2736AFC453F5794F099F5EE0MN2PR00MB0686namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ce96bddd-3fa7-4204-e354-08d7b730ec0a
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Feb 2020 00:48:24.1499 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dbs9mUGZWaHWZnPrrDVRTOY2HrS5bzne1FEkI38tVs91txxVlLTocmO/opLPgXGvTQgmx94jFi1oGOWF1m1xdQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0559
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PZpAcHtZirJAYkeW3Zvcc8QyhRs>
Subject: [OAUTH-WG] Review of OAuth 2.0 for Browser-Based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Feb 2020 00:48:31 -0000

I did a cover-to-cover read of draft-ietf-oauth-browser-based-apps-04<https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04>04>.  My review comments follow in three sections:  substantive comments on the text, substantive overall issues to consider (provided by Microsoft product engineers), and editorial issues.

SUBSTANTIVE

1. Introduction - The first sentence says that this spec is about applications running entirely in a browser.  Many browser-based applications also use helper services.  Please broaden the scope to encompass both patterns.

2.  Overview - Change "This was the principal motivation" to "This was one of the motivations".

3.  Terminology - In the "OAuth" definition, also reference RFC 6750.

4.  Overview - Change "the current best practice for browser-based applications is to use OAuth 2.0 authorization code flow with PKCE" to "the current best practice for browser-based applications is to use either OAuth 2.0 authorization code flow with PKCE or OpenID Connect <xref target="OpenID.Core"/>".  This parallels the same recommendation in the forthcoming OAuth Security BCP specification.

4.  Overview - Change "Use the OAuth 2.0 authorization code flow with the PKCE extension" to  "Use either the OAuth 2.0 authorization code flow with the PKCE extension or OpenID Connect".

4.  Overview - Change "Protect themselves against CSRF attacks by using the OAuth 2.0 state parameter to carry one-time use CSRF tokens, or by ensuring the authorization server supports PKCE" to "Protect themselves against CSRF attacks by using the OAuth 2.0 state parameter or the OpenID Connect nonce parameter to carry one-time use CSRF tokens or by ensuring the authorization server supports PKCE".

4.  Overview - The intended meaning of this text isn't clear: "Register one or more redirect URIs, and not vary the redirect URI per authorization request".  Do you mean to include a registered redirect_uri value in each authorization request?  This needs to be clarified.

4.  Overview - Change "Support the PKCE extension" to "Support the PKCE extension or OpenID Connect".

5.  First-Party Applications - The third paragraph says that "first-party applications using OAuth or OpenID Connect MUST use the authorization code flow".  OpenID Connect can be safely used with other response_type values than simply "code".  For instance, the "code id_token" value is just as safe.  Please generalize this language when describing the use of OpenID Connect to recognize that other response_type value may continue to be safely used.

6.2.  JavaScript Applications with a Backend - The sentence "The Application Server utilizes own session with the browser to store the access token" raises a question with no obvious answer:  Where is the specification recommending or suggesting that the access token be stored in this case?  Please clarify.

6.2.  JavaScript Applications with a Backend - The last paragraph talks about exposing the access token to the end user but fails to describe the perceived risk or threat.  If there are such risks or threats, please be explicit about what they are and their mitigations.

6.3.  JavaScript Applications without a Backend - This sentence tells a false and incomplete story "The application then runs in the browser, and is considered a public client since it has no ability to be issued a client secret."  Public clients can definitely be issued Client ID/Client Secret pairs using OAuth Dynamic Client Registration [RFC 7591].  Please revise this description accordingly.  (Likewise, the following paragraph says that "The JavaScript app is then responsible for storing the access token securely using appropriate browser APIs.  If this is safe, then storing the dynamically issued Client ID/Client Secret pair should be safe to do so in the same manner.)

7.1.  Initiating the Authorization Request from a Browser-Based Application - As in other places where the text says that PKCE must be used, please revise this instance to say that either PKCE or OpenID Connect must be used - just as is done in the forthcoming Security BCP.

7.1.  Initiating the Authorization Request from a Browser-Based Application - As in other places where the spec says that the "state" parameter must be used, revise this instance to say that either the OAuth "state" parameter or the OpenID Connect "nonce" parameter must be used to prevent the applicable attacks.

9.2.  Client Authentication - The second paragraph talks about secrets that are statically included and warns against them, which is good.  But please also add text describing how OAuth Dynamic Client Registration [RFC 7591] can be used to safely statically create these secrets.

9.3.  Client Impersonation - Add text to the first paragraph describing how the use of the OpenID Connect "id_token_hint" parameter can be used to satisfy the requirement that the identity of the client can be assured.

9.3.  Client Impersonation - The wording of this phrase is ambiguous:  "If authorization servers restrict redirect URIs to a fixed set of absolute HTTPS URIs without wildcard domains, paths, or query string components..."  It could be interpreted with the "without" applying to "paths or query string components", meaning that no path or query string components may be present at all.  (I think you meant only that wildcard values not be present, but that's not the meaning of the phrase, as written.)

9.4.  Cross-Site Request Forgery Protections - As in other places where the spec says that the "state" parameter must be used, revise this instance to say that either the OAuth "state" parameter or the OpenID Connect "nonce" parameter must be used to prevent the applicable attacks.

9.8.  OAuth Implicit Grant Authorization Flow - The paragraph ends with "not all of which have sufficient mitigation strategies".  It would be useful to be more specific here, saying which attacks do not have sufficient mitigation strategies.

9.8.5.  Countermeasures - The phrase "using the authorization code with PKCE avoids these attacks" doesn't say what attacks are being referred to.  Please revise so that the attacks in question are unambiguously referenced.

Appendix A.  Server Support Checklist - In bullet 3, revise to say that either PKCE or OpenID Connect is required, as per other locations in the specification.

ADDITIONAL OVERALL ISSUES FROM MICROSOFT ENGINEERS

These issues should be considered in the context of this document.  For these, I'm requesting working group discussions - not specific resolutions at this time.

  1.  There seems to be a lot of focus on exact redirect URI validation for addressing the biggest risk (open redirect), but while certainly absolutely critical, it frankly ignores the reality of how apps integrate with authorization servers these days a bit. The pattern we are seeing is that a lot of applications have simply shifted to including their own redirect URIs in 'state' parameters. Even our own services use this pattern as cookie space is quite limited. We are seeing a lot of security issues and there are no real solutions in any of the BCP documents or RFCs.
  2.  In Section 4, the spec requires exact matching of redirect URIs. The OAuth Security BCP mentions that there are alternatives to exact redirect URI matching "As an alternative to exact redirect URI matching, the AS could also authenticate clients, e.g., using [I-D.ietf-oauth-jwsreq]." While I don't think client authentication is suitable for browser based apps, accepting signed requests via OpenID Connect's "request_uri" parameter<https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests> would be a suitable alternative pattern to exact redirect URI checking. For consistency, I think both docs should have the same recommendation for redirect URI matching.
  3.  Considering the above, we probably don't have many more good options for fragment flows. That's one of the reasons why I still think hybrid patterns have a place, but we need mechanisms to protect against code injection. Unfortunately, the security-topics document dismisses solutions that we could make work (code-bound state, nonce) in favor of solutions that don't help (PKCE). This might be outside of this immediate discussion about the implicit flow, but standards need to evolve to better mitigate that risk.
  4.  The big problem with giving SPAs refresh tokens is that refresh tokens provide offline access - they live on after the user signs out - including when an attacker steals them. For JavaScript SPAs, where XSS is a big concern, and where access is only intended to be provided for an online user, these refresh tokens represent an unnecessary security liability. Disabling CORS on /token forces an implementation pattern without refresh tokens for web apps. So today, we have a tradeoff between using the implicit flow and accepting attacks around browser history and generically injected scripts with limited impact duration OR using the two legged flow and accept attacks with specifically injected scripts with unlimited duration, plus a little perf/cogs hit.

EDITORIAL

1.  Introduction - Change "native apps as well as browser-based apps" to "native apps and browser-based apps".

4.  Overview - Change "OAuth 2.0 RFC 6749" to "OAuth 2.0 <xref target="RFC6749"/> <xref target="RFC6750"/>".

4.  Overview - Change "the flow assures that" to "the flow ensures that".

5.  First-Party Applications - The first sentence of the second paragraph has no verb.

5.  First-Party Applications - The fifth paragraph starts with "By using the Authorization Code flow and redirecting the user to the authorization server".  I believe that this is continuing the message in the (single-sentence) fourth paragraph.  The exposition will be less confusing if these paragraphs are merged.

6.  Application Architecture Patterns - The bulleted list is not in the same order as the corresponding subsections.  Please reorder them to make them parallel.

6.2.  JavaScript Applications with a Backend - This section references the OWASP Foundation as an organization.  It would be far more useful to instead list the documents containing the specific applicable recommendations.  Please revise accordingly.

9.5.  Authorization Server Mix-Up Mitigation - Please also reference draft-ietf-oauth-mix-up-mitigation<https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01> here.

9.8.3.  Threat: Manipulation of Scripts - Please change "is far greater" to "may be amplified" to avoid an overreaching statement.  Likewise, delete the word "very" later in the paragraph.

9.9.  Additional Security Considerations - This section references the OWASP Foundation as an organization.  It would be far more useful to instead list the documents containing the specific applicable recommendations.  Please revise accordingly.

11.1.  Normative References - These references are missing URLs:  CSP2, Fetch, oauth-security-topics.

11.1.  Informative References - This reference is missing a URL:  HTML.

                                                                -- Mike