IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

Jim Manico <jim@manicode.com> Thu, 08 September 2016 21:07 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD0112B157 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 14:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvECeCt2-Y3l for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 14:07:40 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBFEF12B0B2 for <oauth@ietf.org>; Thu, 8 Sep 2016 14:07:39 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id w87so21788317pfk.2 for <oauth@ietf.org>; Thu, 08 Sep 2016 14:07:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=DRjL1pD2QwVAtzQxhHmQvvOenxvmt2366JKs23LaDKQ=; b=p53anCpWrNQhmHC1168sYlJ2wtOqve+6h9L0l1Ib+ucIu4BlZ81EYRvVxk34IQW2ab xgJum8PfKH4d9rBsm50QbUQ22S27ZCcn/wjUbzYnlpCRUiquBNiwUUnOCFLe7dltVbRA fnG6aGjO3cxqIDx21fUQKXhN7S9Lu/rFAi3aHDs9gCxYElao/1jpAv3btTToYwmrXC2M +ucECK4uQovb49FUcf4IkE1j3qpt0CS4f+4JrDzbIbmobPDKVY1aOKgKLBkJ6E6VeB1i CyXF506N6rTOVCp120Igz4IBKX5v5wG/xOPn9hnWZl8y5OydYFhgqvr2e/HZWYAqzOY+ bv0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=DRjL1pD2QwVAtzQxhHmQvvOenxvmt2366JKs23LaDKQ=; b=HY6KtY4orZ5SIQ+njaqdhCvQar3q75YVD/RZDYLjIGhEGG3OmspZ7bVaJNVlhPPpur S7onPlDsQLhkIkYSOeg0gNFjXCEaTOZJkWAIZPgFAQkpwRDgm6fG/Fpr9aupF82sVHSD 1wNaR0QQFgr9SVPZbEqNkziVD97U51zaLzjBVwk8qFTBEeVN2mqaFx6UyS+/vri8fwYu 2xv+52QLaEMExFXJVNHHGntJkI6sML0E0qlczF8djlRXn4Z8tBQ7y2Pg5M0hBz75Vj/8 pjnprTdYDqttGEDox1RuMWaeGsw+7Ej53brlEEbwlqnGr4PlgNSqLT4rOjUW8lxcQao7 MDIQ==
X-Gm-Message-State: AE9vXwNT11EcXTXQU+d2CT2i8sUlhiKWdBnuFakb9SCHbtkuJHOCJe1nuOwJUl9xsIyMob6m
X-Received: by 10.98.11.156 with SMTP id 28mr2974763pfl.165.1473368859167; Thu, 08 Sep 2016 14:07:39 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:3ccb:e369:74b0:50fc]) by smtp.googlemail.com with ESMTPSA id d200sm13258pfd.3.2016.09.08.14.07.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Sep 2016 14:07:38 -0700 (PDT)
To: Oleg Gryb <oleg@gryb.info>, Adam Lewis <adam.lewis@motorolasolutions.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com>
Date: Thu, 08 Sep 2016 11:07:36 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1013244548.1998164.1473366003274@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="------------82156CB9E1BF9C41EE261B0E"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UG8FlntATwyzSikWfiyuWaPOZhs>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 21:07:42 -0000

+1 I think that's a very fair perspective.

Putting sensitive data in LocalStorage is still a very bad idea. :) One
XSS and gone. Maybe XSS is not a big deal in a native app, but it's
death to Web apps.

Aloha, Jim


On 9/8/16 10:20 AM, Oleg Gryb wrote:
> In SPA/REST env session ID is not very useful, so it's *an* auth token
> or tokens (not necessary OAuth one) that are stored in a cookie. It's
> used to get REST calls authenticated and yes, it usually runs in a
> multi-domain envs (think about micro services architecture). It makes
> me think that the value of HTTPOnly will continue diminishing, while
> the value of good cross-domain policies will increase. Just my opinion
> coming from my experience. I don't have big (or small) data available
> to confirm that.  
>
>
>     ------------------------------------------------------------------------
>     *From:* Jim Manico <jim@manicode.com>
>     *To:* Oleg Gryb <oleg@gryb.info>; Adam Lewis
>     <adam.lewis@motorolasolutions.com>
>     *Cc:* OAuth WG <oauth@ietf.org>
>     *Sent:* Thursday, September 8, 2016 12:51 PM
>     *Subject:* Re: [OAUTH-WG] best practices for implicit grant /
>     token storage
>
>     > Since SPA is a new normal now, it becomes extremely difficult to
>     enforce HTTPOnly flag, because JS needs access to secrets
>     including those stored in cookies.
>     In a browser environment, this is only true when you need to make
>     cross domain requests or are using cookie data for something other
>     than session state.
>     If your current page origin and the page you are requesting are
>     the same, then your cookies can be HTTPOnly without impacting
>     functionality. If you need additional cookies for other things
>     that need to be accessed via JS, use a separate cookie.
>     So sure, there are a few workflows in OAuth where you need to
>     access "cookie data" from JS and HTTPOnly is not viable. But there
>     are a few where it is viable. I don't think it's as simple as "we
>     need to talk to cookie data via JS all the time.".
>     Aloha, Jim
>     On 9/8/16 8:15 AM, Oleg Gryb wrote:
>>     Jim,
>>
>>     It's outdated a bit. Since SPA is a new normal now, it becomes
>>     extremely difficult to enforce HTTPOnly flag, because JS needs
>>     access to secrets including those stored in cookies. 5-10 years
>>     ago I would always enforce HTTPOnly and now - I can't.
>>
>>     Thanks,
>>     Oleg.
>>
>>         ------------------------------------------------------------------------
>>         *From:* Jim Manico <jim@manicode.com> <mailto:jim@manicode.com>
>>         *To:* Adam Lewis <adam.lewis@motorolasolutions.com>
>>         <mailto:adam.lewis@motorolasolutions.com>
>>         *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>>         *Sent:* Thursday, September 8, 2016 10:45 AM
>>         *Subject:* Re: [OAUTH-WG] best practices for implicit grant /
>>         token storage
>>
>>         In the web world, cookies for session identifiers are much
>>         safer - since we can use HTTPOnly cookies to protect them
>>         from theft via XSS. The same mechanism is not possible for
>>         localStorage. Overall, security folk say •keep sensitive data
>>         out of localStorage• since one XSS and it's stolen. There is
>>         also a huge body of work underway to make secure cookies even
>>         more so.
>>
>>         I'm not sure how this translates to native apps.
>>
>>         --
>>         Jim Manico
>>         @Manicode
>>
>>         On Sep 8, 2016, at 3:02 AM, Adam Lewis
>>         <adam.lewis@motorolasolutions.com
>>         <mailto:adam.lewis@motorolasolutions.com>> wrote:
>>
>>>         Hi,
>>>
>>>         The WG is currently putting together best practices for
>>>         native apps.  I would like to better understand the best
>>>         practices around ua-based-apps, especially as it relates to
>>>         token storage.  I've read various blog posts about the
>>>         preference between storing tokens in cookies vs.  Web
>>>         Storage (localStorage/sessionStorage).  The current set of
>>>         specs are rather silent on the matter, as it is more of an
>>>         implementation issue (but that is where most mistakes are made).
>>>
>>>         What is the WG's guidance on this?
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>     -- 
>     Jim Manico
>     Manicode Security
>     https://www.manicode.com <https://www.manicode.com/>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email