IETF Logo Mail Archive

Re: [OAUTH-WG] Binding Access Tokens is not enough!

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 30 November 2018 00:22 UTC

Return-Path: <prvs=865e39015=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F49412D4F0 for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 16:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.961
X-Spam-Level:
X-Spam-Status: No, score=-15.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-v5Mqq4VCIh for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 16:22:08 -0800 (PST)
Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 902A112D4E7 for <oauth@ietf.org>; Thu, 29 Nov 2018 16:22:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1543537328; x=1575073328; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=3Hy51B/TMrnvjdue0T9rlz90WKKPY6lLbX6qU412qR4=; b=ThJdOjuJ/gkO6mgk69Lu4AjkdyNgmpbA50ttLn7w0l8dYtmkEZERaKr2 eAiP3qlzZCRE5QlRZKAVfa8iXTR0WfPQp1oKJFiVMiuJU6wu0jeUXYXyM 8aiwZUtIih80IsLii31Z+AnIa5CLjAx3Y1gWOYaCYabBsc6IdyO5kOu31 8=;
X-IronPort-AV: E=Sophos;i="5.56,253,1539648000"; d="scan'208";a="773247672"
Received: from sea3-co-svc-lb6-vlan3.sea.amazon.com (HELO email-inbound-relay-1e-27fb8269.us-east-1.amazon.com) ([10.47.22.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Nov 2018 00:22:05 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1e-27fb8269.us-east-1.amazon.com (8.14.7/8.14.7) with ESMTP id wAU0Lx0e104623 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 30 Nov 2018 00:22:04 GMT
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 30 Nov 2018 00:22:04 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 30 Nov 2018 00:22:04 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Fri, 30 Nov 2018 00:22:03 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Neil Madden <neil.madden@forgerock.com>
CC: Daniel Fett <danielf+oauth@yes.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Binding Access Tokens is not enough!
Thread-Index: AQHUgnGyRzIZ9vJFBUG3HfeCInd9AKVdYxUAgAN2XYCAAOragIAAHa6AgAOXIoCAAOHvAIAAn2SA
Date: Fri, 30 Nov 2018 00:22:03 +0000
Message-ID: <C9218417-5B5C-457C-9776-DEE95E9DFC8B@amazon.com>
References: <c3e42d96-ab4f-c9dc-de08-e55c40a95414@yes.com> <AB16D92C-E134-4058-9EFB-6A8C2BD6598E@forgerock.com> <15ECD17C-C2E3-487B-B61D-E67E5A060DE4@lodderstedt.net> <f997bffc-db34-723e-25d3-b2751681a9c8@yes.com> <584108B8-3293-48D4-9FD6-86DCF6CC34A3@forgerock.com> <21B0104D-F7B7-4F94-AC55-A7172037A669@amazon.com> <0CB2E55D-231D-4783-89FD-9216F902595A@forgerock.com>
In-Reply-To: <0CB2E55D-231D-4783-89FD-9216F902595A@forgerock.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.0.180812
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.162.175]
Content-Type: text/plain; charset="utf-8"
Content-ID: <24AF6F34FF26534591224C5FB73863B5@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RWwsh4WhWRwKRC7HBWPEzmw9eAI>
Subject: Re: [OAUTH-WG] Binding Access Tokens is not enough!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 00:22:11 -0000

Sure. But given that TLS token binding is often put forth as a mitigation against token theft and replay, it's worth noting that on its own it does not address this risk when the replay is coming from the same browser, and the RS needs to support CORS.

-- 
Annabelle Richard Backman
AWS Identity
 

On 11/28/18, 10:51 PM, "Neil Madden" <neil.madden@forgerock.com> wrote:

    My intent wasn’t to suggest that tokens *must* be origin constrained, just to point out if you are using TLS-based sender constrained tokens then you may also want to consider that aspect. 
    
    In some cases you may be comfortable that protections against in-browser token theft are adequate without any sender/origin constraint. Sometimes a plain old bearer token is fine. 
    
    — Neil
    
    > On 29 Nov 2018, at 01:22, Richard Backman, Annabelle <richanna@amazon.com> wrote:
    > 
    > In some cases, the resource server will need to support CORS in order to support SPA clients that are on different origins. In this case, the resource server must optimistically allow the CORS request to be made, then validate that the request origin is appropriate for the access token provided in the request. To my knowledge, I haven't seen "origin-constrained access tokens" raised as a requirement anywhere, but here we are.
    > 
    > -- 
    > Annabelle Richard Backman
    > AWS Identity
    > 
    > 
    > On 11/26/18, 2:34 AM, "OAuth on behalf of Neil Madden" <oauth-bounces@ietf.org on behalf of neil.madden@forgerock.com> wrote:
    > 
    >    I would perhaps clarify this a little, as it’s not really CORS that is doing the work here, but rather the same-origin policy (SOP) — which is actually *relaxed* by CORS. 
    > 
    >    It is the fact that there is a non-safe header (Authorization) on the request that triggers the SOP protections - and it would do so even in an old pre-CORS browser. Otherwise CORS wouldn’t even be involved as the request would be considered “safe”. For instance, if your (RS) API just requires an x-www-form-urlencoded POST body with the access token as one of the fields then I can always just create a form in a hidden iframe and submit it cross-origin with no problems, CORS or not. Adding the Authorization header prevents that - you can’t add a custom header to a form submission, and Ajax would not be allowed to make that request.
    > 
    >    What CORS changes is that things that would previously be blocked outright now produce a CORS preflight to allow the destination origin to override the SOP and allow a request to go ahead anyway.
    > 
    >    — Neil
    > 
    >> On 26 Nov 2018, at 08:46, Daniel Fett <danielf+oauth@yes.com> wrote:
    >> 
    >> Yes. Token Binding enforces that only the right browser can send the token; in this browser, CORS enforces that only the correct origin can send the token.
    >> 
    >>> Am 25.11.18 um 19:46 schrieb Torsten Lodderstedt:
    >>> Does this mean the RS effectively relies on the user agent to enforce the sender constraint (via CORS policy)?
    >>> 
    >>> 
    >>>> Am 23.11.2018 um 14:54 schrieb Neil Madden <neil.madden@forgerock.com>
    >>>> :
    >>>> 
    >>>> Thanks for doing this Daniel, I think the proposed text is good.
    >>>> 
    >>>> — Neil
    >>>> 
    >>>> 
    >>>>> On 22 Nov 2018, at 14:42, Daniel Fett <danielf+oauth@yes.com>
    >>>>> wrote:
    >>>>> 
    >>>>> Hi all,
    >>>>> 
    >>>>> I would like to discuss a text proposal for the security BCP.
    >>>>> 
    >>>>> Background:
    >>>>> 
    >>>>> Yesterday, Neil pointed out the following problem with binding access tokens using mTLS or token binding in SPAs:
    >>>>> 
    >>>>> "I am talking about scripts from places like ad servers that are usually included via an iframe to enforce the SOP and sandbox them from other scripts. If they get access to an access token - e.g. via document.referrer or a redirect or some other leak, then they still act within the same TLS context as the legitimate client."
    >>>>> 
    >>>>> The problem is that a browser's TLS stack will attach the proof of possession no matter which origin started a request.
    >>>>> 
    >>>>> (This seems like a real downside of token binding - why does it not have the "same site" option that cookies nowadays have?)
    >>>>> 
    >>>>> I prepared the following addition to the security BCP and would like to hear your opinions:
    >>>>> 
    >>>>> "It is important to note that constraining the sender of a token to a web browser (using a TLS-based method) does not constrain the origin of the script that uses the token (lack of origin binding). In other words, if access tokens are used in a browser (as in a single-page application, SPA) and the access tokens are sender-constrained using a TLS-based method, it must be ensured that origins other than the origin of the SPA cannot misuse the TLS-based sender authentication.
    >>>>> 
    >>>>> The problem can be illustrated using an SPA on origin A that uses an access token AT that is bound to the TLS connection between the browser and the resource server R. If AT leaks to an attacker E, and there is, for example, an iframe from E's origin loaded in the web browser, that iframe can send a request to origin R using the access token AT. This request will contain the proof-of-posession of the (mTLS or token binding) key. The resource server R therefore cannot distinguish if a request containing a valid access token originates from origin A or origin E.
    >>>>> 
    >>>>> If the resource server only accepts the access token in an Authorization header, then Cross-Origin Resource Sharing (CORS) will protect against this attack by default. If the resource server accepts the access tokens in other ways (e.g., as a URL parameter), or if the CORS policy of the resource server permits requests by origin E, then the TLS-based token binding only provides protection if the browser is offline."
    >>>>> 
    >>>>> 
    >>>>> The "summary" above this text reads as follows:
    >>>>> 
    >>>>> "If access tokens are sender-constrained to a web browser, the resource server MUST ensure that the access token can only be used by the origin to which the access token was issued (origin binding). One solution for the resource server to accomplish this is to only accept the access token in an Authorization header (as described in RFC 6750) and to ensure that the active CORS policy prevents third parties from sending Authorization headers. See <xref target="pop_tokens"/> for details."
    >>>>> 
    >>>>> What do you think?
    >>>>> 
    >>>>> -Daniel
    >>>>> 
    >>>>> _______________________________________________
    >>>>> OAuth mailing list
    >>>>> 
    >>>>> OAuth@ietf.org
    >>>>> https://www.ietf.org/mailman/listinfo/oauth
    >>>> _______________________________________________
    >>>> OAuth mailing list
    >>>> 
    >>>> OAuth@ietf.org
    >>>> https://www.ietf.org/mailman/listinfo/oauth
    >> 
    >> 
    > 
    >    _______________________________________________
    >    OAuth mailing list
    >    OAuth@ietf.org
    >    https://www.ietf.org/mailman/listinfo/oauth
    > 
    >

v2.23.0 | Report a Bug | By Email