Re: [OAUTH-WG] Re-creation of Access Token on Single Page Application
Tatsuya Karino <kokuban.kumasan@gmail.com> Mon, 15 March 2021 02:36 UTC
Return-Path: <kokuban.kumasan@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC053A109A for <oauth@ietfa.amsl.com>; Sun, 14 Mar 2021 19:36:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.087
X-Spam-Level:
X-Spam-Status: No, score=-7.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3OzKMtQCn4MM for <oauth@ietfa.amsl.com>; Sun, 14 Mar 2021 19:36:57 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 851D43A1094 for <oauth@ietf.org>; Sun, 14 Mar 2021 19:36:57 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id d2so287823vke.5 for <oauth@ietf.org>; Sun, 14 Mar 2021 19:36:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kUB2080K0DmfmSVmdL+KATK/Ppvg5L34D0s6cJ9dowo=; b=G/Wn9VwlmZlvp56h5IiZ7CH0sUDr2UrVEscspZcz0XsCPq1PBwGRuW8jqqRjRshxkQ IoiDb+BkputwTs2DF3B/vzwd0cN2S7QWzeqy13Z+he70JeqoUsqIhiRPYyC5OA8Wfsg+ tm3td9qqHw9vNX9TzX+0PwmlWktULtKgrWyNpzeiQ2fpV4fw0IhyQm9T52AeNSDsMsgP S1jVcNc7veTIok54uynXkv5SJKDZ90Pk9BQb+/birucsqE/uEl6NygJ8eXcLooTWRjpN mEtRA1cGuhPA8QfTtZPIBnqnhKISFmFDmS00McFPMWFlCoRUNBB87AF2eYorfIlLjIj0 7K+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kUB2080K0DmfmSVmdL+KATK/Ppvg5L34D0s6cJ9dowo=; b=DzgCWv1wlFehrUoyDRBcI/NfWgeUrIXnHhggzK9PoOkFZqT0Q9frZIzZLJbOoMH1pp IbZBMK7LtsDZGd8L8M5e9uIT+2MIlT+cPVpGkQrLr4Nj6yX8vofNpZMtWQZBgSLVESCJ 1Y7FiTJG/gBDWlUrpY6RFhC/409aCpdRoKGNm/hJDk7f1fXKiNGVSfwkiPeHoMY6+rL4 kEazMhyObhUmCFYSZvURf8tN5lSJBhKCnLfbmMFlc+awxtUKXDdOuoPUXEit5/6FSs5U mUpNVlR7pwjerKCsv3Dy5HlqOH0FQBP43uz0Z4ToUTIUM2NL1RocB7O+kutAiWxNaqdy slyA==
X-Gm-Message-State: AOAM530ycczbK2nOvMYwXl+JUkmcOhCSKcrCe5unoB04GY30S9NSX4OI I5HJ+l15Tg3BP/36YT7SbREQMttUysEbQIS0pL8=
X-Google-Smtp-Source: ABdhPJzc8U0U7sM1QygEeG7RWPtBMFfsJKLI87KKVYRl9QtP99ledslu2KopndI3D6ZgQ3gqkitR055B/jKZKT3BHkE=
X-Received: by 2002:a1f:aa43:: with SMTP id t64mr2385829vke.22.1615775815153; Sun, 14 Mar 2021 19:36:55 -0700 (PDT)
MIME-Version: 1.0
References: <CABOQBfsDpwFHbd5U+1YHDnRQUNZ7Mqqk6w+BA0cLrW7OqkuPvg@mail.gmail.com> <8A3477B3-7D17-4B66-9DEA-FF93974E6DBD@pragmaticwebsecurity.com>
In-Reply-To: <8A3477B3-7D17-4B66-9DEA-FF93974E6DBD@pragmaticwebsecurity.com>
From: Tatsuya Karino <kokuban.kumasan@gmail.com>
Date: Mon, 15 Mar 2021 11:36:44 +0900
Message-ID: <CABOQBftNpvMrCrzwzkCYr_KMwpTY6f1r6B63FXSSq6SOpe8tOw@mail.gmail.com>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Cc: Nov Matake <matake@gmail.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007fbb7005bd8a1f11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/T1kbM_tVCbr6M4z9L0dU8qj4LsE>
Subject: Re: [OAUTH-WG] Re-creation of Access Token on Single Page Application
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 02:36:59 -0000
> > On Safari, you have no workaround. > 3rd-party cookie is dead, and all JS-writable data is removed in 7 days > there. As you stated, option 1 does not work in cross-site scenarios in Safari & > Brave at the moment. Other browsers are likely to follow the same pattern > in the future. > Option 2 only works if there are already tokens available, which is > typically not the case at first load. Also, keeping long-lived refresh > tokens in a browser is not always the best idea. I see... Thank you. I understood that it is difficult to re-creation Access Token silently. As reading your workarounds, I felt handling AccessToken inside SPA is a little difficult. Generally speaking, preparing Backend Server looks better from a security and UIUX point of view. If there is a Backend Server for the SPA, we can use the Backend as a Confidential Client, and create a session and save it on http only cookie for the SPA. If we have a human resource to do so... Thank you for your help! 2021年3月13日(土) 17:21 Philippe De Ryck <philippe@pragmaticwebsecurity.com>: > On 13 Mar 2021, at 07:52, Tatsuya Karino <kokuban.kumasan@gmail.com> > wrote: > > By the way, I also wonder what is the better option to use OAuth2.0 on SPA > Client (3rd party) with good UIUX. > > In my understanding, there are two options to achieve it. > > 1. Using response_momde=web_message or 2.Using Refresh Token with fixed > maximum lifetime. > > But I have a concern on a practical use. > > For 1, Some browser could be restricted to send credential cookie to the > authorization server from iframe. > > For 2, The Refresh Token must be saved on the browser, but it could be > deleted on 7days in safari. > > Is there any workaround? or Is there any misunderstanding on my concerns? > > > As you stated, option 1 does not work in cross-site scenarios in Safari & > Brave at the moment. Other browsers are likely to follow the same pattern > in the future. > > Option 2 only works if there are already tokens available, which is > typically not the case at first load. Also, keeping long-lived refresh > tokens in a browser is not always the best idea. > > One workaround goes as follows: > 1. When the SPA loads the first time, check if it has token material. If > yes, done, if not, go to step 2. > 2. Redirect the browser to the authorization server to run a new > authorization code flow with PKCE, by setting prompt=none. This will > prevent any user interaction and immediately returns either an authz code > or an error. > 3. The SPA loads again with the autz code/error. If it is a code, it > exchanges it for tokens and all is good. If it is an error, the SPA simply > shows the unauthenticated state (here, the user can start a new flow with > interaction by clicking the login button) > > Note that step 2 will include cookies, so it can resume an existing > session between the browser and the authorization server. This cookie is > always present since a top-level redirect is not a third-party scenario, so > third-party cookie blocking does not apply. > > Hope this helps > > Philippe > > > -- Tatsuya Karino
- [OAUTH-WG] Re-creation of Access Token on Single … Tatsuya Karino
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… Nov Matake
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… Tatsuya Karino
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… Nov Matake
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… Philippe De Ryck
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… Tatsuya Karino
- Re: [OAUTH-WG] Re-creation of Access Token on Sin… David Waite