IETF Logo Mail Archive

Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

Om <omkarkhair@gmail.com> Wed, 17 March 2021 05:17 UTC

Return-Path: <omkarkhair@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0608D3A1AD1 for <oauth@ietfa.amsl.com>; Tue, 16 Mar 2021 22:17:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ik2_VrPMJKVn for <oauth@ietfa.amsl.com>; Tue, 16 Mar 2021 22:17:22 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BF0F3A1AD0 for <oauth@ietf.org>; Tue, 16 Mar 2021 22:17:17 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id h82so39206717ybc.13 for <oauth@ietf.org>; Tue, 16 Mar 2021 22:17:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EsriIgKXPnkHkPfOrgkbz5QjUyWSkBXelNb46gflano=; b=Zu6ahcS0DL6N5r2UdrltH6cFiEEw2CGMk65IRuQLWPUR00HJ2vfj5YsZHqKuTremZm P44N6+4aEypG0c5ZXn91F5Q2uRpi3PYNj7wSDSKqexeba6B3SVc0tg1l8B7yM216XucD +48nWnPLf3bCUAddzx9bBYCg/hULIbLI2vEnacidi+C072ZtxcG2UDQymkPdzrsAwPkP 31+feI0Leze9NSMC/znkb5j61pU1ovr714glHqL38YH6x73C03iFtBDZf3pbb/Umk7UC RtUj0QLXVRn6eK0+OApT2Xmt9pF9wknEB7/FB7Dxzu2Utk7nhNJDEkarpWZ7z9URXvJj Zw7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EsriIgKXPnkHkPfOrgkbz5QjUyWSkBXelNb46gflano=; b=EyynePFUQfZLgmCiUMSo/8OAUBulWdKr7IuHagEqOUu26UaqqQb12sTPZC2TxVin+l g4p5rbMI5/t0BCbmrKlOGoOIE3dr/Jnc+csPGG5t7d6dUh5vjlmZknTJDDSLD0Fmh4SZ J/nRB2CiYMCRJW88GVsf7A7vub/Iz+WSz2FM8YBLs9O/HiHZZkvTubIUE7NSUfGo0Yk+ 0doMettGtFgCaF02YyYo+1DtXcnKBTaLjakEMtIn/ihsCpQTWfoDWfbE9j1cORR8DJUC k/G7O1hICjWg6tpcEk0FpYrdPQfqh4Rcum9sQ/h9oRkcZov3JfvPPRQVyrZNptk7tIwx B+Lw==
X-Gm-Message-State: AOAM530mmDy/xDXTKJPoy2Fdb6H++mQn5zJmLfPYAhwk2ZCzKCgSmbrX N8PzZXEcmD7PNpuWxa3RZqWxA8Ppnxfin24eZF0=
X-Google-Smtp-Source: ABdhPJzAfUQ4F83zif43MBfL3uyGGry51epl9LM49pi2XHuupIkSf+Ln4F4pphLBT7qZ77YK+PzYZA5+4awX+eRhOEE=
X-Received: by 2002:a25:cb41:: with SMTP id b62mr2331433ybg.284.1615958235176; Tue, 16 Mar 2021 22:17:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL0X-qvLz=gG06Q3mL5yNs5f-eqSwxO-g=K=cDKdmC8VP+UEg@mail.gmail.com> <AE8B3F28-D7B3-4A70-8E0D-2F673970E008@forgerock.com> <8b0b9840-1a80-d06f-316b-8a5273ad2124@aol.com> <C63FB3A1-CAEE-491C-8589-127A878559F9@forgerock.com>
In-Reply-To: <C63FB3A1-CAEE-491C-8589-127A878559F9@forgerock.com>
From: Om <omkarkhair@gmail.com>
Date: Wed, 17 Mar 2021 10:47:03 +0530
Message-ID: <CAJTOVTbXpU5HmeXUY90kcM4qe5gOQAhdT6RrZTZ8qPLykeJsWQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: George Fletcher <gffletch@aol.com>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000946b0905bdb498c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RtIEicqYzPmfDFOXtkcgdasnt9U>
Subject: Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 05:17:24 -0000

If I read this correctly,
https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-10 the 2.1
draft already addresses this under best practices.

On Mon, Mar 15, 2021 at 3:31 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> I want to come back to this topic as a new thread.
>
> As I understand things, the difference on Android is that any app can
> claim to be a generic web browser and so claim to handle all URIs. Whereas
> on iOS only specifically vetted apps can claim to be web browsers. Is that
> correct?
>
> If so, this does seem like a quite large hole in security of OAuth on
> Android. Should we be considering a new draft recommending alternative
> measures (such as attestation) on Android? Presumably the same issue is
> also true on most desktop OS?
>
> — Neil
>
> On 23 Feb 2021, at 15:20, George Fletcher <gffletch@aol.com> wrote:
>
> Unfortunately, in the mobile app world this isn't sufficient. On iOS using
> Universal Links will bind the https redirect_url to your app in a secure
> way but it doesn't work the same way on Android with App Links. There is
> still a problem with "mobile app impersonation". If you have an app that
> you want to ensure is "your" app then the most secure way is to look at
> "app attestation". This is however, way off topic for this thread :)
>
> On 2/14/21 9:28 AM, Neil Madden wrote:
>
> Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.
>
> There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.
>
> — Neil
>
>
> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> <stoycho.sleptsov@gmail.com> wrote:
>
> 
> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
> with the objective to verify if they are valid.
>
> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
> If we decide to implement our client as a frontend SPA , then we have no other option except through a BFF, as PKCE does not help for authentication.
>
> Or is it considered a bad practice to do that?
>
> Regards,
> Stoycho.
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
- Regards,
Omkar Khair

v2.23.0 | Report a Bug | By Email