IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

Oleg Gryb <oleg_gryb@yahoo.com> Thu, 08 September 2016 20:20 UTC

Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F17812B04C for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 13:20:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.227
X-Spam-Level:
X-Spam-Status: No, score=-4.227 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nw3jwVvomkVA for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 13:20:05 -0700 (PDT)
Received: from nm27-vm1.bullet.mail.bf1.yahoo.com (nm27-vm1.bullet.mail.bf1.yahoo.com [98.139.213.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49666128B38 for <oauth@ietf.org>; Thu, 8 Sep 2016 13:20:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1473366004; bh=5U/zWg3X+a8Gi8ij84mJd/G+qHUWvE7dc0le63X+1Y8=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=aKaJpOcOTO+9AbYyAnTgnJtLCl+GsQxXxjxAeJ7e/oe74ilb7cMT8QnTqp9IS0wuFJRQfsUS3sj18/LgXVikBnZT4Hn4hUEPG34SyIz5DKn2C7cVy1G8XVGiPM7g9Rb2Go6EsTVOUK9WFG1WJcgH+AgweCm9ECmaRzinfB2f7HzUII50tiLVrzU+aSrebBXaTJCxASiizcop6fWdzToZBFFDEpQfxGLII1Kbl7z0OmhqipxGnaznGT8DqAcCrAXWDVU9H2gtYfnrBK1Tni2J4w6mQ6kCriKyghAv/AQgDVTAnjpmma6bX6UlpC06xkLac8ahAZc77slTWXgpiBmobw==
Received: from [98.139.170.180] by nm27.bullet.mail.bf1.yahoo.com with NNFMP; 08 Sep 2016 20:20:04 -0000
Received: from [98.139.212.203] by tm23.bullet.mail.bf1.yahoo.com with NNFMP; 08 Sep 2016 20:20:04 -0000
Received: from [127.0.0.1] by omp1012.mail.bf1.yahoo.com with NNFMP; 08 Sep 2016 20:20:04 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 314710.95691.bm@omp1012.mail.bf1.yahoo.com
X-YMail-OSG: kA0hzYoVM1mWb8hd1J2evidxSRYf3.3PMzY4QIP8D4HsSeZGsTMQJIA5VlT1GP8 r4StA3FkAeIZw_yLAESwLVeohinucEu1CuV8SBC3Nl5A_Y3J16Hent16l_LpaoG9RJyGspC7Ahu_ b8SPa6UuchOuu06irtEdmNa5.eQ.CE9Z_Bw7QaYUy1dyxET0Ka0rfEjw.MKsOTqhCZxee3Sy9aBp CTj_o6BNhkkhFz3FDnDxH3Cq4ZQHQWc_PokhxRCxFeIpiZr.VY7QwgV0tUFZa1Jkd0P3Me14kp1H YNsosSP9eDAaHLqn4kgrwAK2Yvqyi29MF_bk4a8phlFWv1lAgKpknGZ5pj1KSSj_cbbdsYGlIkrM 1apLCN73qLECjLHcOR40Dfwj68OD4LEqmlncSMwxMq6aYqox_uVy5uFFvfDg4qWYxQMaWBAusUu1 KT7zGW9iALD2nnAtk9VDooofdnBQk436N9rgUHwyMUdSO1QUxeY.5Dh1dw6TinHf76hW1ddnmUCp Q64ct1tko6uRW6pNFYeQjqJ7uLESRM9Gh53Ij
Received: from jws106182.mail.bf1.yahoo.com by sendmailws136.mail.bf1.yahoo.com; Thu, 08 Sep 2016 20:20:03 +0000; 1473366003.853
Date: Thu, 08 Sep 2016 20:20:03 +0000
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Jim Manico <jim@manicode.com>, Oleg Gryb <oleg@gryb.info>, Adam Lewis <adam.lewis@motorolasolutions.com>
Message-ID: <1013244548.1998164.1473366003274@mail.yahoo.com>
In-Reply-To: <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1998163_353565142.1473366003260"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ULbZlVOsUksA5wLhVrbkaUBAptE>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 20:20:07 -0000

In SPA/REST env session ID is not very useful, so it's *an* auth token or tokens (not necessary OAuth one) that are stored in a cookie. It's used to get REST calls authenticated and yes, it usually runs in a multi-domain envs (think about micro services architecture). It makes me think that the value of HTTPOnly will continue diminishing, while the value of good cross-domain policies will increase. Just my opinion coming from my experience. I don't have big (or small) data available to confirm that.   


 
      From: Jim Manico <jim@manicode.com>
 To: Oleg Gryb <oleg@gryb.info>; Adam Lewis <adam.lewis@motorolasolutions.com> 
Cc: OAuth WG <oauth@ietf.org>
 Sent: Thursday, September 8, 2016 12:51 PM
 Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
   
 > Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in cookies. In a browser environment, this is only true when you need to make cross domain requests or are using cookie data for something other than session state. If your current page origin and the page you are requesting are the same, then your cookies can be HTTPOnly without impacting functionality. If you need additional cookies for other things that need to be accessed via JS, use a separate cookie. So sure, there are a few workflows in OAuth where you need to access "cookie data" from JS and HTTPOnly is not viable. But there are a few where it is viable. I don't think it's as simple as "we need to talk to cookie data via JS all the time.". Aloha, Jim
  On 9/8/16 8:15 AM, Oleg Gryb wrote:
  
  Jim, 
  It's outdated a bit. Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in cookies. 5-10 years ago I would always enforce HTTPOnly and now - I can't. 
 Thanks, Oleg.  
      From: Jim Manico <jim@manicode.com>
 To: Adam Lewis <adam.lewis@motorolasolutions.com> 
 Cc: OAuth WG <oauth@ietf.org>
 Sent: Thursday, September 8, 2016 10:45 AM
 Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
  
   In the web world, cookies for session identifiers are much safer - since we can use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say •keep sensitive data  out of localStorage• since one XSS and it's stolen. There is also a huge body of work underway to make secure cookies even more so. 
  I'm not sure how this translates to native apps.
 
 -- Jim Manico @Manicode   
 On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
 
  
  Hi, 
  The WG is currently putting together best practices for native apps.  I would like to better understand the best practices around ua-based-apps, especially as it  relates to token storage.  I've read various blog posts about the preference between storing tokens in cookies vs.  Web Storage (localStorage/sessionStorage).  The current set of specs are rather silent on the matter, as it is more of an  implementation issue (but that is where most mistakes are made). 
  What is the WG's guidance on this?   
  
 _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
  
   
 _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
  
 
    
   
 
 -- 
Jim Manico
Manicode Security
https://www.manicode.com 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email