IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Daniel Fett <danielf+oauth@yes.com> Wed, 21 November 2018 09:25 UTC

Return-Path: <danielf+oauth@yes.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2088C129AB8 for <oauth@ietfa.amsl.com>; Wed, 21 Nov 2018 01:25:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yes.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6c4e4i_BT4Fk for <oauth@ietfa.amsl.com>; Wed, 21 Nov 2018 01:25:52 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CEA812958B for <oauth@ietf.org>; Wed, 21 Nov 2018 01:25:52 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id y185so2796042wmd.1 for <oauth@ietf.org>; Wed, 21 Nov 2018 01:25:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yes.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=3ThQHNLIdUT38WnoGLcVDD5jcPvBnB0aO2ZydRtN7w0=; b=AaDRKRUasI+QDkpi57tbamEL4oqLpawdYF/KgHcJ20vMp5qiV/9dLyr15KSilAxwtH IWhR303CUqs3gNijFQp6GHFSadluOHJ/I0bnKSXiZyPOWtXYUTzEA50zrrjwiQRMpT1D aF5pQjq0K1Ef7/CxP+Dwpe7LluramiH8XtvIIPDUJwdtaPzrtoQ+11GyJshRl/5O9wPP sWVWER4IIHGvcdBAWxGmgXcHj54VecIJU2TAI23k1GU+3sbqhqTFvFrsR5DcbolUqTWu ApZc/0XMqUQlQ170D9CUZJ86jMXV4YNin38Bz/hn7DNWCeuG6c7EpC37XY2/3uYrtXmh zsVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=3ThQHNLIdUT38WnoGLcVDD5jcPvBnB0aO2ZydRtN7w0=; b=sBomnN0JoJEwsp+PHw07H070V9Lw9yltPCKK92PAPcWJp7lva91fHsyWI8ZDgTt9t1 uzvTbbKfqwLggLJvdCpc5J9OkcZWgId2W5SsOqVkGkkXAjI36Vz11PtuOAEPZUMJLWiV X6eAfTw+TZ5i1q+5A4bledi6Yk0TRr1w8dG8YFWhB+mHY1DrNSQBPtIDEyDsvcRwH46T poF57TG+VydFaWadOtGSxHhHk07lDKTGcCJXfSYVX8gO5dSZT3syGJpohs8WStnpAJHv YToVG3nqAigsdtj93cvRXyNGjQTVIG8WknMmaUG0+vvB7i30Esz7DRxDblvuilqDp9Ki Q0Cg==
X-Gm-Message-State: AA+aEWZnTKZ64hLZzFyHnCnx3+4YiqfJMXFE7V5KVE367ILXdMqzjivD gBDor/O6wZtZoC3x1ifRQXxeqH5aeD8=
X-Google-Smtp-Source: AFSGD/ULDw8qsw30MRpjZtNKWaOKV8Xc1OfdCZxgL+2y+x4lqmHgECz9qNDCwD4apIzjpvfRE+Vh+A==
X-Received: by 2002:a1c:2d57:: with SMTP id t84-v6mr5313549wmt.9.1542792350647; Wed, 21 Nov 2018 01:25:50 -0800 (PST)
Received: from [10.3.12.70] ([80.155.34.3]) by smtp.gmail.com with ESMTPSA id 82-v6sm261430wms.17.2018.11.21.01.25.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Nov 2018 01:25:50 -0800 (PST)
To: Neil Madden <neil.madden@forgerock.com>
Cc: oauth@ietf.org
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <BL0PR00MB029244CACC634E2D2E923B77F5D80@BL0PR00MB0292.namprd00.prod.outlook.com> <61A6D327-D4EE-4954-B57F-4FF42BB22E7E@lodderstedt.net> <3AA54AC6-BE0B-4535-AF1D-919236EF69B8@forgerock.com> <65005ad9-238e-9fe4-fb4b-ef54e93f84c3@yes.com> <92C3D667-E43E-4622-A688-689C216789BF@forgerock.com> <ccf62b34-5cd0-1473-ae7e-a7d166b28b80@yes.com> <3C8699BF-EE70-4299-91F2-87E8818E7464@forgerock.com>
From: Daniel Fett <danielf+oauth@yes.com>
Message-ID: <83034de5-cde8-8cd9-ff11-7ce22b61fee6@yes.com>
Date: Wed, 21 Nov 2018 10:25:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <3C8699BF-EE70-4299-91F2-87E8818E7464@forgerock.com>
Content-Type: multipart/alternative; boundary="------------504311A378A3D3E1B1218C20"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/So3NpfrAdwkBG1JQf4pb6U_dpII>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 09:25:54 -0000

Am 21.11.18 um 10:09 schrieb Neil Madden:
>> If a page from origin A includes a third-party script from origin B, that external script runs in origin A and has access to all cookies and the JavaScript context of the page.
>>
>> The SPA from origin A would be compromised. That is why we need things such as Subresource Integrity.
> I think we’re talking about different things. I am talking about scripts from places like ad servers that are usually included via an iframe to enforce the SOP and sandbox them from other scripts. If they get access to an access token - e.g. via document.referrer or a redirect or some other leak, then they still act within the same TLS context as the legitimate client.

Thanks for the clarification! I see that you highlight an important
point there.

The protection that would be required essentially boils down to
something similar to a CSRF protection for the resource server.

Luckily, CORS covers this: You can't set the Authorization header
cross-origin unless the appropriate CORS headers are set. So while the
third party origin would be able to send a request through the browser
using the TLS context, it would not be able to attach the access token.
(Unless, of course, that third party origin is whitelisted, or if the
bearer token is sent in a different way, e.g., as a URL parameter.)

As a side note, interestingly, this would leave an authorization code
unprotected, if the sender authentication would be mTLS or token
binding. PKCE on the other hand is fine.

v2.23.0 | Report a Bug | By Email