[OAUTH-WG] Re: Call for adoption - First Party Apps

Paul Bastian <paul.bastian@posteo.de> Tue, 10 September 2024 15:01 UTC

Return-Path: <paul.bastian@posteo.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E13FC14F6FD for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 08:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.404
X-Spam-Level:
X-Spam-Status: No, score=-4.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YWht2b_6-Nl for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 08:01:23 -0700 (PDT)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73E2AC14F6BC for <oauth@ietf.org>; Tue, 10 Sep 2024 08:01:17 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 8185E240027 for <oauth@ietf.org>; Tue, 10 Sep 2024 17:01:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1725980475; bh=ZmE7CiDlGk5OQV8jBUUA5qRy+mkkZJ2qAWObPfBjqwI=; h=Date:From:To:Cc:Message-ID:Subject:MIME-Version:Content-Type: From; b=HVFKr1OTXx8g+2nbW4Gz9WLVIC+l8QBi+RMjLSg50Bl+hQsaSuHj0/c+0d9UBRt8P PeTONWnizRAhkqs+tAwyw6ycwvIAVqW9DoCcT5TYwhwqnDVD8m04j0sptcNU4xxDdI N3pmDvk3Cdtz9rhmLhabbKFb/MfqhjFb2pzxOXdk9a7C13W6KBmdePakW/dunKF0Ro f2NX1rA+pRR6FKhn3LmIyX1VxG3NpaM1rccAy6dd8/YrsZU9Y2BfYPfIZwaNCv/VXQ VmT4iqQr4eA2Kkc0nTGs0cRi0l5U0cMtl4ITrOIQRVS3sp3E00pgkT4e1lFX+xsUNl 3iMDn3XvvpjXA==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4X36NB4m1Sz6tvr; Tue, 10 Sep 2024 17:01:14 +0200 (CEST)
Date: Tue, 10 Sep 2024 15:01:15 +0000
From: Paul Bastian <paul.bastian@posteo.de>
To: Neil Madden <neil.e.madden@gmail.com>
Message-ID: <73cbb3b9-e032-4fc1-82b7-cba3bac36273@posteo.de>
In-Reply-To: <F7ECC695-67FF-4EFE-8ACB-731292028282@gmail.com>
References: <CAD9ie-uur2NSN+BBMFfhv9UcfZtmQsByUhpyr1huvQiC+5PX8g@mail.gmail.com> <F68A8B14-8511-49E6-A06F-5BBE5EE549CC@gmail.com> <CAGBSGjr8S+LixUpEMgNDbcvRgF0nef+01HLfa0yvxxjDaqKS1w@mail.gmail.com> <F7ECC695-67FF-4EFE-8ACB-731292028282@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_4_126230122.1725980475153"
X-Correlation-ID: <73cbb3b9-e032-4fc1-82b7-cba3bac36273@posteo.de>
Message-ID-Hash: ESQI7K32KM6TSQJLZRQK7WM7TAITP4QZ
X-Message-ID-Hash: ESQI7K32KM6TSQJLZRQK7WM7TAITP4QZ
X-MailFrom: paul.bastian@posteo.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SzEQZHKfZRMkcCGeJYApoceq0hs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I support this.
We have a use case that requires NFC to read an identity card from a wallet app which is not possible over the browser and we consider using this specification which matches better than traditional OAuth flows.

10 Sept 2024 15:48:54 Neil Madden <neil.e.madden@gmail.com>:

> Yes, I’ve watched the recordings. I have sat through many client meetings where UI designers insist that a “native experience” is absolutely essential, despite the clear security problems with it. But that native experience is normally actually worse for users, despite appearing to look better (eg no automatic SSO from existing web browser cookies etc). I’m yet to hear a genuine argument in favour of the “native experience” that doesn’t boil down to aesthetic preferences.
> 
> Limiting the endpoints to first party apps, via some strong client authentication method (attestation) helps with some of the security concerns, but it doesn’t really address the root issues. If we encourage users to enter credentials directly into apps, then phishing apps become a danger, exactly as RFC 8252 says (regarding in-app user-agents, but the same principles apply):
> 
>  "When all good actors are using external user-agents, the advantage is
>    that it is possible for security experts to detect bad actors, as
>    anyone faking an external user-agent is provably bad.  On the other
>    hand, if good and bad actors alike are using embedded user-agents,
>    bad actors don't need to fake anything, making them harder to detect.”
> 
> s/embedded user-agent/native UI/ and I think this argument very much applies to the current draft.
> 
> Even if you lock down the API so those other apps cannot login directly with those credentials, it is too late if the user has already entered their username and password. Use of a native UI, which is easily spoofed, bypasses all of the phishing protections that browsers have added over the years (eg warning about malicious sites, highlighting the origin, password manager origin checking before auto-filling, etc).
> 
> Secondly, locking down the API to first-party apps only sets a precedent that eg the official BlueSky/Twitter/Facebook app will always have a different/privileged login experience compared to third-party apps. This seems to run contrary to AIB statements like https://datatracker.ietf.org/doc/statement-iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/ (a draft, admittedly).
> 
> — Neil
> 
>> On 10 Sep 2024, at 13:55, Aaron Parecki <aaron@parecki.com> wrote:
>> 
>> Neil, I don't know if you've seen the several presentations I did at the last few IETF meetings about this work, but a large part of the motivation of this work is because *currently* people are bending over backwards to provide a native user experience for their first party apps and doing so in a way that is not only not standard, but even worse than what could be done with a standardized method. Please go review those recordings for more of the background.
>> 
>> I am open to the discussion of how best to limit this to first party apps, maybe that part needs to be stricter than what is currently in the draft. But at the very least, the draft says in no unclear terms that this is not for use by third party apps.
>> 
>> Aaron
>> 
>> 
>> On Tue, Sep 10, 2024 at 3:59 AM Neil Madden <neil.e.madden@gmail.com> wrote:
>> I know that apps that accept credentials directly are common place. But the direction of travel has so far been to discourage that: eg deprecating ROPC, requiring use of an external vs embedded user-agent etc. (Sorry, I misremembered: it’s BCP 212 that requires this, not the security BCP — and it has a lot of good rationale for that decision). 
>> 
>> 3rd party apps follow where first-party apps lead. 
>> 
>> — Neil
>> 
>>> On 10 Sep 2024, at 11:14, Dick Hardt <dick.hardt@gmail.com> wrote:
>>> 
>>> 
>>> Neil
>>> 
>>> Users input credentials directly into apps all the time in OAuth -- it is at the AS. 
>>> 
>>> There are many deployments that use OAuth where the AS and RS are the same party. The objective of this draft (as I understand it) is to provide a simplified OAuth flow for this use case. The BCP does not address this use case.
>>> 
>>> Why would we not want to provide a best practice for deployments where the AS and RS are the same party? We will likely improve the security of those deployments over them making up their own protocol, won't we?
>>> 
>>> /Dick
>>> 
>>> 
>>> 
>>> On Tue, Sep 10, 2024 at 10:20 AM Neil Madden <neil.e.madden@gmail.com> wrote:
>>> The draft is motivated by allowing native apps to provide a login journey for OAuth rather than using the browser. This encourages people to input credentials directly into apps, which (a) directly contradicts the advice in the security BCP, and (b) opens up users to significantly more attack vectors (including that the phishing-resistance of FIDO is significantly weakened). We shouldn’t be encouraging this. 
>>> 
>>> — Neil
>>> 
>>>> …
>>>> …
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>