[OAUTH-WG] Browser-Based Applications - Document Shepherd Review

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Wed, 13 November 2024 14:27 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 821DFC14F5EA for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 06:27:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6LmlnEtynWO for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 06:27:43 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C416C14F5EB for <oauth@ietf.org>; Wed, 13 Nov 2024 06:27:43 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2fb4af0b6beso96817291fa.3 for <oauth@ietf.org>; Wed, 13 Nov 2024 06:27:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731508061; x=1732112861; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=j0zNvFdC3kAHw73OzLlMobNFhN2MzVxetvsjX3gUKa4=; b=HZIfJm9UddhfIGzwzsN23ZVeJoTVfY99yC3OW16fmAW15a6jIKZuc1VB3CuLdBshR4 lICJAOJXDgjy+NuonEjEOa98O+RklJA8VWBLBRaUwQMKdS28LsuraJ8CYVgCkqZOXzVS kSjtAuSx3v1AEUuD5HOEJCYC/m1X1mSwonh0NK7O40ydX+/vwBmZ9lD0bjOHP09EFR+K 5VRAqLnEoNaKUagClVr7MlDJqmD6z6YdgP9N/cMJq9Z9QsNDh59RVLeMvPaISUbEUCRN g7/eO4SkbA4qlPcGuO1xTP1sPFreKafRqeVvyKsklF+QU0CfqeTDAax+gLDHNk5sPAGN l8cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731508061; x=1732112861; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=j0zNvFdC3kAHw73OzLlMobNFhN2MzVxetvsjX3gUKa4=; b=p5O10HWN+T9V4q4fXrBkwP5v7eNXZ78vD7Pz5dD+RkaOe97iuKKEtxGvmwPemx7NUd Yi7dYPRbzHmNoxPG5nPlwc65jE3M9eyPTEhg8+GU2dGyyTRVbqMUjO1OjqxjQ4erIXDf HpwdmfIXCUNZFou2u5hlyYFG6gYfOYV5HIWYN4oxlXLmTCY1nJACoLDUnaBK9ZBb6hjp 6NLmwaLC5lQ/DQQtH/MeLgakZNiuGaXMD8md318dbu54iTu2g/o4yYAuiVZ8qNBaAaOI s4bUNmOBxa0zScCutvfQFnjSK1F/AukaA25tRPPQ80x0NJPGGMAvGX4YhJQoKprQ2Z+d mDLQ==
X-Gm-Message-State: AOJu0YzZRrF5IKVIC5a1IcI7FoyuF9OxPGalztfpey7XqRr/K+IaLx0b VX7U53Rhj2od80fzzo6hM78UNIL/NDm+rYGwXEUxVk4FxHg6RDdvkHXg8f+ejYrcj1zk84LX4B2 O0AsR6MvthmP6Ofn/s89yIryCW7OkfUWS
X-Google-Smtp-Source: AGHT+IEg1rO7rD5dlvEgn59cCZ1m0nSJyF0rfj55uhEGLdG1yZkKxuK1QnkfF0tiv9HIGwkq82GRGUi+PWAOPh164JY=
X-Received: by 2002:a05:651c:2112:b0:2fa:d84a:bda5 with SMTP id 38308e7fff4ca-2ff201638damr148431231fa.7.1731508059589; Wed, 13 Nov 2024 06:27:39 -0800 (PST)
MIME-Version: 1.0
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 13 Nov 2024 09:27:28 -0500
Message-ID: <CADNypP-jStnCi7n7MQ+EhVFwUOhDMmTcyh086FRVmY4hpWm1VA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d154350626cc2262"
Message-ID-Hash: ZGMMRFB25VJYMWX2SYKAPI5B2WCAXGCB
X-Message-ID-Hash: ZGMMRFB25VJYMWX2SYKAPI5B2WCAXGCB
X-MailFrom: rifaat.s.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Browser-Based Applications - Document Shepherd Review
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UdUEvAACFzlvliArtuv08xHA8m8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi,

As the shepherd for this document, I have reviewed the following version of
the Browser-based App draft:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-19.html

I have the following comments/questions:

Section 6.1.1
“This response to the browser will also trigger the reloading of the
JavaScript application (H).”
I am assuming that there is a reason for this reload, but that is not clear
to me. Can you elaborate on why a reload is needed?

Section 6.1.2.1
• There are few places where the word “initialize” is used, but I guess you
meant to say “initiate”?
• “Initialization URI” should that be “authorization URI”?

Section 6.1.2.2
• “These steps are not shown in the diagram, but would occur between step J
and K. ”
Should the BFF mint a new access token as soon as the existing access token
has expired to allow for faster response to the request in step J?

• “Therefore, it is recommended to configure the lifetime of the
cookie-based session managed by the BFF to be equal to the maximum lifetime
of the refresh token. Additionally, when the BFF learns that a refresh
token for an active session is no longer valid, it is recommended to
invalidate the session.”
“recommended” -> “RECOMMENDED”?
Since this is a “recommended”, should there be some text to explain to the
implementers when this recommendation might be ignored?

Section 6.1.3.2
“
• The BFF SHOULD enable the SameSite=Strict flag for its cookies
• The BFF SHOULD set its cookie path to /
• The BFF SHOULD NOT set the Domain attribute for cookies
• The BFF SHOULD start the name of its cookies with the __Host- prefix
([CookiePrefixes])
”
The above statements use “SHOULD”, which implies that in some cases these
can be ignored. Section 6.1.3.3.1 then elaborates on the “sameSite” flag.
Should there be some text to elaborate on the others?

Section 6.1.3.3.2
I might be missing something here:
“For such requests, named "CORS-safelisted Requests", the browser will
simply send the request and prevent access to the response if the server
did not send the proper CORS headers.”
The above statement indicates that for these requests, the browser ignores
the response if it did not get a proper CORS from the server.

“The consequence of this behavior is that certain endpoints of the resource
server could become vulnerable to CSRF, even with CORS enabled as a
defense. For example, if the resource server is an API that exposes an
endpoint to a body-less POST request, there will be no preflight request
and no CSRF defense.”
This implies that just because there is no preflight request, that the
server is vulnerable; would not the browser just ignore the response as
indicated in the previous statement?

Section 6.2.1
“Note that an early draft ([tmi-bff]) already documented this concept,
although the draft is is currently expired and has not been proposed for
adoption to the OAuth Working Group.”
Is this paragraph really needed? How would that help the implementer?

Section 6.2.2.1
“The endpoint that initializes the Authorization Code flow (step C) is …”
“initializes” -> “initiates”?

Section 6.2.2.2
“Therefore, it is recommended to configure the lifetime of the cookie-based
session to be equal to the maximum lifetime of the refresh token if such
information is known upfront. Additionally, when the token-mediating
backend learns that a refresh token for an active session is no longer
valid, it is recommended to invalidate the session.”
“recommended” -> “RECOMMENDED”?
Since this is a “recommended”, should there be some text to explain to the
implementers when this recommendation might be ignored?

Section 6.3.2.2
• “using PKCE, and confirming that the authorization server supports PKCE”
How would the browser-based app “confirm” that the authorization server
supports PKCE?

Section 6.3.2.3
• “At this point, when the application attempts to use the refresh token
after 8 hours, the request will fail and the application will have to
re-initialize an Authorization Code flow that relies on the user's
authentication or previously established session”
“re-initialize” -> “re-initiate”?

Section 6.3.3.1

“For this reason, and those stated in Section 5.3.1 of [RFC6819], it is NOT
RECOMMENDED for authorization servers to require client authentication of
browser-based applications using a shared secret, as this serves no value
beyond client identification which is already provided by the client_id
parameter.”
Since this is considered a bad practice, should we be more forceful here
and try to change “NOT RECOMMENDED” to “MUST NOT”?

Section 6.3.4.2.3
“even when it is associated with a flow that was initialized by the
attacker.”
“initialized” -> “initiated”?

Section 7.2.4
“Performing OpenID Connect using the Authorization Code grant type provides
the benefit of the client not needing to verify the JWT signature, …”
With all kinds of middle boxes being used these days, should we encourage
people to verify the JWT signature even if it was obtained over an HTTPS
channel?


Regards,
 Rifaat