IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 27 November 2018 19:30 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254C2124D68 for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 11:30:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cS2Ihu5Jh7y6 for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 11:30:53 -0800 (PST)
Received: from smtprelay07.ispgateway.de (smtprelay07.ispgateway.de [134.119.228.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FFE128DFD for <oauth@ietf.org>; Tue, 27 Nov 2018 11:30:52 -0800 (PST)
Received: from [91.13.153.47] (helo=[192.168.71.123]) by smtprelay07.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1gRj4K-0001ha-Re; Tue, 27 Nov 2018 20:30:48 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <327B68FD-9449-4809-A3B8-BC79C5B1D42C@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_D7ED3932-6335-4DB7-8AEF-A83EDB1DD124"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Tue, 27 Nov 2018 20:30:45 +0100
In-Reply-To: <CABzCy2AW0dvmEqfHgd=-ULdYSxnUXwrz6jiCBpKw7MQSu-YFbA@mail.gmail.com>
Cc: Jim Manico <jim@manicode.com>, "openid-specs-ab@lists.openid.net Ab" <openid-specs-ab@lists.openid.net>, oauth@ietf.org
To: Nat Sakimura <sakimura@gmail.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com> <8935ff0f-aeab-c773-5e2d-6fedcc29119d@connect2id.com> <CABzCy2D0JAr-C1-jTcodpBdoUNx1We3JDg-PMcsOBL1Ga_m-Hw@mail.gmail.com> <2297d085-28f2-15dd-6dba-937dce9f2122@manicode.com> <CABzCy2AW0dvmEqfHgd=-ULdYSxnUXwrz6jiCBpKw7MQSu-YFbA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.101.1)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tbb5vPI25PYnHnPLLgLeVYbJWwU>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 19:30:57 -0000

Hi Nat, 

I understand you are saying your draft could provide clients with an application level mechanism to sender constrain access tokens. That’s great! 

But I don’t see a binding to response type „token id_token“. Why do you want to expose the tokens via the URL to attackers? 

You could easily use your mechanism with code. That would also give you the chance to really authenticate the confidential client before you issue the token.

kind regards,
Torsten.

> Am 27.11.2018 um 16:57 schrieb Nat Sakimura <sakimura@gmail.com>:
> 
> I am not talking about SPA. 
> The client is a regular confidential client that is running on a server. 
> 
> Best, 
> 
> Nat Sakimura
> 
> 
> 2018年11月27日(火) 16:55 Jim Manico <jim@manicode.com>:
> Nat,
> 
> How is proof of possession established in a modern web browser in the implicit flow?
> 
> My understanding is that token binding was removed from Chrome recently effectively killing browser-based PoP tokens.
> 
> https://identiverse.com/2018/10/31/chrome-puts-token-binding-in-a-bind/
> 
> Am I missing something?
> 
> Aloha, Jim
> 
> 
> 
> On 11/27/18 9:00 PM, Nat Sakimura wrote:
>> I am actually -1. 
>> 
>> +1 for public client and the tokens that are not sender/key constrained. 
>> 
>> Just not being used right now does not mean that it is not useful.. In fact, I see it coming. 
>> Implicit (well, Hybrid “token id_token” really) is very useful in certain cases. 
>> Specifically, when the client is confidential (based on public key pair), and uses sender constrained (key-constrained) token such as the one explained in https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04#section-5, it is very useful. 
>> (Key-constrained token is the remaining portion of this draft that did not get incorporated in the MTLS draft. )
>> In fact it is the only viable method for Self-Issued OpenID Provider. 
>> 
>> So, the text is generally good but it needs to be constrained like “Unless the client is confidential and the access token issued is key constrained, ... “
>> 
>> Best, 
>> 
>> Nat Sakimura
>> 
>> 
>> 2018年11月27日(火) 16:01 Vladimir Dzhuvinov <vladimir@connect2id.com>:
>> +1 to recommend the deprecation of implicit.
>> 
>> I don't see a compelling reason to keep implicit when there is an
>> established alternative that is more secure.
>> 
>> Our duty as WG is to give developers the best and most sensible practice.
>> 
>> CORS adoption is currently at 94% according to
>> https://caniuse.com/#feat=cors
>> 
>> Vladimir
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat..sakimura.org/
>> @_nat_en
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> 
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> -- 
> Jim Manico
> Manicode Security
> 
> https://www.manicode.com
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email