Re: [OAUTH-WG] best practices for implicit grant / token storage
Jim Manico <jim@manicode.com> Thu, 08 September 2016 21:07 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD0112B157 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 14:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvECeCt2-Y3l for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 14:07:40 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBFEF12B0B2 for <oauth@ietf.org>; Thu, 8 Sep 2016 14:07:39 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id w87so21788317pfk.2 for <oauth@ietf.org>; Thu, 08 Sep 2016 14:07:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=DRjL1pD2QwVAtzQxhHmQvvOenxvmt2366JKs23LaDKQ=; b=p53anCpWrNQhmHC1168sYlJ2wtOqve+6h9L0l1Ib+ucIu4BlZ81EYRvVxk34IQW2ab xgJum8PfKH4d9rBsm50QbUQ22S27ZCcn/wjUbzYnlpCRUiquBNiwUUnOCFLe7dltVbRA fnG6aGjO3cxqIDx21fUQKXhN7S9Lu/rFAi3aHDs9gCxYElao/1jpAv3btTToYwmrXC2M +ucECK4uQovb49FUcf4IkE1j3qpt0CS4f+4JrDzbIbmobPDKVY1aOKgKLBkJ6E6VeB1i CyXF506N6rTOVCp120Igz4IBKX5v5wG/xOPn9hnWZl8y5OydYFhgqvr2e/HZWYAqzOY+ bv0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=DRjL1pD2QwVAtzQxhHmQvvOenxvmt2366JKs23LaDKQ=; b=HY6KtY4orZ5SIQ+njaqdhCvQar3q75YVD/RZDYLjIGhEGG3OmspZ7bVaJNVlhPPpur S7onPlDsQLhkIkYSOeg0gNFjXCEaTOZJkWAIZPgFAQkpwRDgm6fG/Fpr9aupF82sVHSD 1wNaR0QQFgr9SVPZbEqNkziVD97U51zaLzjBVwk8qFTBEeVN2mqaFx6UyS+/vri8fwYu 2xv+52QLaEMExFXJVNHHGntJkI6sML0E0qlczF8djlRXn4Z8tBQ7y2Pg5M0hBz75Vj/8 pjnprTdYDqttGEDox1RuMWaeGsw+7Ej53brlEEbwlqnGr4PlgNSqLT4rOjUW8lxcQao7 MDIQ==
X-Gm-Message-State: AE9vXwNT11EcXTXQU+d2CT2i8sUlhiKWdBnuFakb9SCHbtkuJHOCJe1nuOwJUl9xsIyMob6m
X-Received: by 10.98.11.156 with SMTP id 28mr2974763pfl.165.1473368859167; Thu, 08 Sep 2016 14:07:39 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:3ccb:e369:74b0:50fc]) by smtp.googlemail.com with ESMTPSA id d200sm13258pfd.3.2016.09.08.14.07.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Sep 2016 14:07:38 -0700 (PDT)
To: Oleg Gryb <oleg@gryb.info>, Adam Lewis <adam.lewis@motorolasolutions.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com>
Date: Thu, 08 Sep 2016 11:07:36 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1013244548.1998164.1473366003274@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="------------82156CB9E1BF9C41EE261B0E"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UG8FlntATwyzSikWfiyuWaPOZhs>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 21:07:42 -0000
+1 I think that's a very fair perspective. Putting sensitive data in LocalStorage is still a very bad idea. :) One XSS and gone. Maybe XSS is not a big deal in a native app, but it's death to Web apps. Aloha, Jim On 9/8/16 10:20 AM, Oleg Gryb wrote: > In SPA/REST env session ID is not very useful, so it's *an* auth token > or tokens (not necessary OAuth one) that are stored in a cookie. It's > used to get REST calls authenticated and yes, it usually runs in a > multi-domain envs (think about micro services architecture). It makes > me think that the value of HTTPOnly will continue diminishing, while > the value of good cross-domain policies will increase. Just my opinion > coming from my experience. I don't have big (or small) data available > to confirm that. > > > ------------------------------------------------------------------------ > *From:* Jim Manico <jim@manicode.com> > *To:* Oleg Gryb <oleg@gryb.info>; Adam Lewis > <adam.lewis@motorolasolutions.com> > *Cc:* OAuth WG <oauth@ietf.org> > *Sent:* Thursday, September 8, 2016 12:51 PM > *Subject:* Re: [OAUTH-WG] best practices for implicit grant / > token storage > > > Since SPA is a new normal now, it becomes extremely difficult to > enforce HTTPOnly flag, because JS needs access to secrets > including those stored in cookies. > In a browser environment, this is only true when you need to make > cross domain requests or are using cookie data for something other > than session state. > If your current page origin and the page you are requesting are > the same, then your cookies can be HTTPOnly without impacting > functionality. If you need additional cookies for other things > that need to be accessed via JS, use a separate cookie. > So sure, there are a few workflows in OAuth where you need to > access "cookie data" from JS and HTTPOnly is not viable. But there > are a few where it is viable. I don't think it's as simple as "we > need to talk to cookie data via JS all the time.". > Aloha, Jim > On 9/8/16 8:15 AM, Oleg Gryb wrote: >> Jim, >> >> It's outdated a bit. Since SPA is a new normal now, it becomes >> extremely difficult to enforce HTTPOnly flag, because JS needs >> access to secrets including those stored in cookies. 5-10 years >> ago I would always enforce HTTPOnly and now - I can't. >> >> Thanks, >> Oleg. >> >> ------------------------------------------------------------------------ >> *From:* Jim Manico <jim@manicode.com> <mailto:jim@manicode.com> >> *To:* Adam Lewis <adam.lewis@motorolasolutions.com> >> <mailto:adam.lewis@motorolasolutions.com> >> *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org> >> *Sent:* Thursday, September 8, 2016 10:45 AM >> *Subject:* Re: [OAUTH-WG] best practices for implicit grant / >> token storage >> >> In the web world, cookies for session identifiers are much >> safer - since we can use HTTPOnly cookies to protect them >> from theft via XSS. The same mechanism is not possible for >> localStorage. Overall, security folk say •keep sensitive data >> out of localStorage• since one XSS and it's stolen. There is >> also a huge body of work underway to make secure cookies even >> more so. >> >> I'm not sure how this translates to native apps. >> >> -- >> Jim Manico >> @Manicode >> >> On Sep 8, 2016, at 3:02 AM, Adam Lewis >> <adam.lewis@motorolasolutions.com >> <mailto:adam.lewis@motorolasolutions.com>> wrote: >> >>> Hi, >>> >>> The WG is currently putting together best practices for >>> native apps. I would like to better understand the best >>> practices around ua-based-apps, especially as it relates to >>> token storage. I've read various blog posts about the >>> preference between storing tokens in cookies vs. Web >>> Storage (localStorage/sessionStorage). The current set of >>> specs are rather silent on the matter, as it is more of an >>> implementation issue (but that is where most mistakes are made). >>> >>> What is the WG's guidance on this? >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > -- > Jim Manico > Manicode Security > https://www.manicode.com <https://www.manicode.com/> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] best practices for implicit grant / to… Adam Lewis
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … John Bradley
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico