IETF Logo Mail Archive

Re: [OAUTH-WG] Suitable grant type for a Javascript use case

Justin Richer <jricher@mitre.org> Wed, 05 February 2014 19:29 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AFCC1A0138 for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2014 11:29:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.735
X-Spam-Level:
X-Spam-Status: No, score=-4.735 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEjgvnpbNTZC for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2014 11:29:30 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id BA8F51A00EB for <oauth@ietf.org>; Wed, 5 Feb 2014 11:29:29 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E85531F04DE; Wed, 5 Feb 2014 14:29:28 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id CFF672260053; Wed, 5 Feb 2014 14:29:28 -0500 (EST)
Received: from bvb-172-31-60-57.mitre.org (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 5 Feb 2014 14:29:28 -0500
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Justin Richer <jricher@mitre.org>
In-Reply-To: <52F283E4.50507@oracle.com>
Date: Wed, 05 Feb 2014 14:29:24 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <6BF381DC-791A-4220-9C95-F0ED0718190B@mitre.org>
References: <20140204161338.9A4007FC168@rfc-editor.org> <CAD9ie-tGtcBaXbJMkCDswMDhGHNbj+qbawaiXrHowPZFPxzUUQ@mail.gmail.com> <1391540170.23334.YahooMailNeo@web142801.mail.bf1.yahoo.com> <836226893590734FA88B31162359477F594D26C9@EXCHMBX01.fed.cclrc.ac.uk> <005701cf2265$b77bd120$26737360$@gmx.net> <52F283E4.50507@oracle.com>
To: Prateek Mishra <prateek.mishra@oracle.com>
X-Mailer: Apple Mail (2.1827)
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org list" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Suitable grant type for a Javascript use case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 19:29:36 -0000

While you should always factor in an analysis of the security properties of your client, you should also realize that by hosting the client completely inside the browser, most of the benefits of the code flow go away. You're no longer able to separate the knowledge of different parts of the protocol, and so much of what you're protecting with the auth code doesn't actually apply anymore. 

Also, if the user is using a user agent that is not conformant or up to date, there's no need to sniff OAuth because it can just steal the primary credentials from the auth server connection directly -- so the counter argument is a bit of a red herring. Yes, it's a requirement for this to work properly, but it's a requirement for many other things to work properly also. 

 -- Justin

On Feb 5, 2014, at 1:33 PM, Prateek Mishra <prateek.mishra@oracle.com> wrote:

> Well, this means you are completely dependent on a security model that is based on a very specific property of HTTP
> redirects. The User agent MUST NOT forward any component of a fragment URI in a redirect - you are depending on the user having
> a conformant and uptodate user agent.
> 
> I would say that the authorization code grant has more robust security properties. From my perspective depending
> on this type of subtle and complex requirement on other layers of the protocol stack is a considerable risk.
> 
> So you should factor that in your analysis of the security properties of your client.
> 
> - prateek
>> Hi Phil,
>> 
>> the server won't see the access-code, cause it is returned within the hash
>> that stays at the client-site:
>> 	http://.../returnUri#access_code=ABCDE.
>> 
>> By definition, the returnURI has to be the URI that was registered for the
>> client. IMHO, you are only allowed to add additional URL-Parameters.
>> 
>> In my opinion, your use-case suits _very_ well to the implicit flow.
>> 
>> Wishes,
>> Manfred
>> 
>> 
>> 
>> 
>> 
>> -----Ursprüngliche Nachricht-----
>> Von: OAuth [mailto:oauth-bounces@ietf.org] Im Auftrag von
>> philip.kershaw@stfc.ac.uk
>> Gesendet: Mittwoch, 5. Februar 2014 10:12
>> An: oauth@ietf.org
>> Betreff: [OAUTH-WG] Suitable grant type for a Javascript use case
>> 
>> Hi all,
>> 
>> I'm looking to apply OAuth for a particular use case with a Javascript
>> client and would like to get some guidance with this.  Bear with me as I'm
>> new to this list.
>> 
>> I have a Javascript client which needs to be deployed on a number of
>> different sites for which we don't have control over the server-side code.
>> The client needs to obtain an access token to submit data to another 3rd
>> party site on behalf of the user.
>> 
>> We've looked at the Implicit Grant type
>> (http://tools.ietf.org/html/rfc6749#section-4.2).  Our third party site
>> hosts an Authorisation server and Resource Server.  The client provides a
>> redirect URI to return the token to.  My understanding is that the redirect
>> URI is a security measure to ensure the token is returned to an endpoint
>> known to the Authorisation Server.
>> 
>> However, in my case it is only the Javascript client that needs the token.
>> I can see how the token can be passed to the Javascript via step E in figure
>> 4.  However, we have limited control over the site hosting the Javascript
>> ('Web-hosted Client Resource' in Figure 4).  We can host Javascript but we
>> can't easily alter any server-side code.  There's a danger that the
>> server-side code will choke when it receives the redirect the URI containing
>> the access token.  I'm wondering if there is a suitable workaround for this.
>> Can we dispense with the redirect URI or does this compromise security too
>> far?  Perhaps we should be looking at an implementing an alternative grant
>> type?
>> 
>> Any help much appreciated.
>> 
>> Cheers,
>> Phil--
>> Scanned by iCritical.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email