Re: [OAUTH-WG] OAuth Digest, Vol 121, Issue 45
Adam Cashion <cashionmke@gmail.com> Tue, 20 November 2018 20:37 UTC
Return-Path: <cashionmke@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AFF112785F for <oauth@ietfa.amsl.com>; Tue, 20 Nov 2018 12:37:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StPeLVoIQc-P for <oauth@ietfa.amsl.com>; Tue, 20 Nov 2018 12:37:34 -0800 (PST)
Received: from mail-oi1-x244.google.com (mail-oi1-x244.google.com [IPv6:2607:f8b0:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B25B12D4EF for <oauth@ietf.org>; Tue, 20 Nov 2018 12:37:34 -0800 (PST)
Received: by mail-oi1-x244.google.com with SMTP id y23so2664324oia.4 for <oauth@ietf.org>; Tue, 20 Nov 2018 12:37:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=9uXMbqSVB03G6NltLxqCYWk/JrT2emEqlTEx+rPVAEI=; b=MHTX8atpNc/VTAyYWjllnmgGcmuRF4Zx24xuCIQekIRSt+xlnBF/cI0HNLIf9d+Syl NTYFHgkPSoTcXacEzh3K0VAMKv73PcGMSP65ptr4Rvv6BgwiKv4cVnn5Kk3msPcelL4J 4kgTND3xmuSfzWDBvoB/rzIZdHyMeV6QA/QCSvsPj6cQvcEhLfybaWHPJMvud3f2RaQv Bq5I9a7ViJK90mnAVIr1GzYx4AVwyyQM7fsK7mMjuE1OpwnaFTP7wnJWmZgLGo6TC1xO C/BmI0o+nD4eK3ZNaHvf+uIcgF0PUOo3DmPyCIID+ubVKMKHxqIGX0pkINO8nMekUOHO bY3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=9uXMbqSVB03G6NltLxqCYWk/JrT2emEqlTEx+rPVAEI=; b=MORkinHYwYQYypTpluM4ljXWl2g1cyOADPKjNZmJRIWUnupOJCcWi1ruIifX4CYiy6 cgjYi+m993lxil31C8AGplk9EffXIVcJrLpWHUrkvrvTo4o3nGReGwM5SwppPp3uVmL0 ZfXpqIX+80oW4r6EtMqNqhDjhZi4imGa2E8BYouzBYsZSI8g7Ad3/J6JncfY7i4skyQs bibJINTYh5Yzp6lxM5SV7Mshj8P8f7tcAc0LFulwflPKvbm4U0+YB1cCviiHCrXJVtNm jgYMlkjHUVyzC4i9VWQOQ3ZnZiflLyYEKuJtNJhImbAqDcIy9bepyXbK5gIigMrXSY+Z AMBA==
X-Gm-Message-State: AGRZ1gIAl/tJPB5y7D3hSjknDUjFYzsKA19TLAseZ44W5s0NybeocIAu PdYWRWGzSeOsksQCgKWuyeU+u/JMPVpFmZW8k/vGftWc
X-Google-Smtp-Source: AJdET5fuXV3DdK1C3UQiqpqs9YEXnRSxXsStWyWb4jEjn4+/PzAktTauxISKhMmph3RA49qharv8plTUv2bAo0jxIKQ=
X-Received: by 2002:aca:53cd:: with SMTP id h196mr2086963oib.355.1542746253039; Tue, 20 Nov 2018 12:37:33 -0800 (PST)
MIME-Version: 1.0
References: <mailman.6221.1542742606.6265.oauth@ietf.org>
In-Reply-To: <mailman.6221.1542742606.6265.oauth@ietf.org>
From: Adam Cashion <cashionmke@gmail.com>
Date: Tue, 20 Nov 2018 14:04:34 -0600
Message-ID: <CAKro1JJ=aS-iT_sT5Kwhd3dTZSoSYke3LeGQ4wZ12DEU++Xonw@mail.gmail.com>
To: oauth <oauth@ietf.org>, Adam Cashion <adam@learnmoresearch.com>
Content-Type: multipart/alternative; boundary="000000000000641b79057b1e9a8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qcbim8j54dzNnUhjETzeBYjqOW8>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 121, Issue 45
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 20:37:38 -0000
email On Tue, Nov 20, 2018, 1:37 PM <oauth-request@ietf.org wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > Today's Topics: > > 1. Re: OAuth Security Topics -- Recommend authorization code > instead of implicit (John Bradley) > 2. I-D Action: draft-ietf-oauth-security-topics-10.txt > (internet-drafts@ietf.org) > 3. Re: I-D Action: draft-ietf-oauth-security-topics-10.txt > (Torsten Lodderstedt) > 4. Re: Token Binding & implicit (Torsten Lodderstedt) > > > > ---------- Forwarded message ---------- > From: John Bradley <ve7jtb@ve7jtb.com> > To: oauth@ietf.org > Cc: > Bcc: > Date: Tue, 20 Nov 2018 12:47:22 -0300 > Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization > code instead of implicit > > Yes the at_hash protects the client from accepting an injected AT. > > Unfortunately it doesn't do anything to protect against leakage in logs or > redirects. > > So without the AT using some sort of POP mechanism it is hard to say > sending it in a redirect is a good security practice. > > John B. > On 11/20/2018 4:35 AM, Torsten Lodderstedt wrote: > > Hi Mike, > > I agree that OIDC hybrid flows offer additional security over the OAuth implicit grant and are used in the wild. On my slides and in the initial version of the new section, we had included the hybrid OIDC flows because of their known token injection countermeasures. > > I nevertheless feel very uncomfortable to recommend those flows and any flow issuing access tokens in the front channel. In the course of the detailed review of the new text we realized two issues: > > 1) Since the access token is exposed in the URL, such flows possess a significantly higher risk to leak the access token (e.g. through browser history, open redirection and even referrer headers) than the code grant. > 2) There is no viable way to sender constrain access tokens issued in the front channel. Given the WG decided to recommend use of sender constraint tokens (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2..2), it seems contradictory to recommend response types not supporting such an approach. > > kind regards, > Torsten. > > > Am 19.11.2018 um 23:13 schrieb Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> <Michael.Jones=40microsoft.com@dmarc.ietf.org>: > > This description of the situation is an oversimplification. OpenID Connect secures the implicit flow against token injection attacks by including the at_hash (access token hash) in the ID Token, enabling the client to validate that the access token was created by the issuer in the ID Token (which is also the OAuth Issuer, as described in RFC 8414). (Note that this mitigation was described in draft-ietf-oauth-mix-up-mitigation.) > > Given the prevalence of this known-good solution for securing the implicit flow, I would request that the draft be updated to describe this mitigation. At the same time, I’m fine with the draft recommending the code flow over the implicit flow when this mitigation is not used. > > Thank you, > -- Mike > > From: OAuth <oauth-bounces@ietf.org> <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig > Sent: Monday, November 19, 2018 2:34 AM > To: oauth <oauth@ietf.org> <oauth@ietf.org> > Subject: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit > > Hi all, > > The authors of the OAuth Security Topics draft came to the conclusion that it is not possible to adequately secure the implicit flow against token injection since potential solutions like token binding or JARM are in an early stage of adoption. For this reason, and since CORS allows browser-based apps to send requests to the token endpoint, Torsten suggested to use the authorization code instead of the implicit grant in call cases in his presentation (seehttps://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01). > > A hum in the room at IETF#103 concluded strong support for his recommendations. We would like to confirm the discussion on the list. > > Please provide a response by December 3rd. > > Ciao > Hannes & Rifaat > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > > > ---------- Forwarded message ---------- > From: internet-drafts@ietf.org > To: <i-d-announce@ietf.org> > Cc: oauth@ietf.org > Bcc: > Date: Tue, 20 Nov 2018 11:26:58 -0800 > Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-10.txt > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Web Authorization Protocol WG of the IETF. > > Title : OAuth 2.0 Security Best Current Practice > Authors : Torsten Lodderstedt > John Bradley > Andrey Labunets > Daniel Fett > Filename : draft-ietf-oauth-security-topics-10.txt > Pages : 38 > Date : 2018-11-20 > > Abstract: > This document describes best current security practice for OAuth 2.0. > It updates and extends the OAuth 2.0 Security Threat Model to > incorporate practical experiences gathered since OAuth 2.0 was > published and covers new threats relevant due to the broader > application of OAuth 2.0. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-10 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-10 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > > > > > ---------- Forwarded message ---------- > From: Torsten Lodderstedt <torsten@lodderstedt.net> > To: oauth <oauth@ietf.org> > Cc: > Bcc: > Date: Tue, 20 Nov 2018 20:32:50 +0100 > Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-10.txt > Hi all, > > the new revision contains the following changes: > > * added section on refresh tokens > * additional justifications for recommendation for code > * refactored 2.1 in order to distinguish CSRF, authz response replay and > mix-up (based on feedback by Joseph Heenan) > * added requirement to authenticate clients during code exchange (PKCE or > client credential) to 2.1.1. > * changed occurrences of SHALL to MUST > > As always: looking forward for your feedback. > > kind regards, > Torsten. > > > Am 20.11.2018 um 20:26 schrieb internet-drafts@ietf.org: > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the Web Authorization Protocol WG of the > IETF. > > > > Title : OAuth 2.0 Security Best Current Practice > > Authors : Torsten Lodderstedt > > John Bradley > > Andrey Labunets > > Daniel Fett > > Filename : draft-ietf-oauth-security-topics-10.txt > > Pages : 38 > > Date : 2018-11-20 > > > > Abstract: > > This document describes best current security practice for OAuth 2.0. > > It updates and extends the OAuth 2.0 Security Threat Model to > > incorporate practical experiences gathered since OAuth 2.0 was > > published and covers new threats relevant due to the broader > > application of OAuth 2.0. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 > > > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-10 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-10 > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > ---------- Forwarded message ---------- > From: Torsten Lodderstedt <torsten@lodderstedt.net> > To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> > Cc: oauth <oauth@ietf.org> > Bcc: > Date: Tue, 20 Nov 2018 20:36:39 +0100 > Subject: Re: [OAUTH-WG] Token Binding & implicit > I opt for (4) - Remove support/description of binding of access tokens > issued from the authorization endpoint > > I think the potential solution we worked out (slide 6) is to complex and > the security implications of the redirect via the resource servers are > still unclear. > > > Am 18.11.2018 um 13:32 schrieb Brian Campbell <bcampbell= > 40pingidentity.com@dmarc.ietf.org>: > > > > During the first OAuth session in Bangkok the question "what to do about > token binding & implicit?" was raised. There was some discussion but > session time was limited and we had to move on before any real consensus > was reached. > > > > So I thought I'd bring the question to the WG list to generate some more > discussion on the issue. It's also related, at least in part, to a couple > of the other ongoing threads on the list about browser based apps and > security practices. > > > > The slides from the session are linked below. Slides 5 & 6 try and > explain the awkwardness of doing Token Binding with implicit. While slide 7 > lays out some (not very good) options for how to proceed. > > > https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-token-binding-00 > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you._______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] OAuth Digest, Vol 121, Issue 45 Adam Cashion