IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-10.txt

Brian Campbell <bcampbell@pingidentity.com> Thu, 29 November 2018 20:23 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58E64130ECA for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 12:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O37gCRXWlQEU for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 12:23:04 -0800 (PST)
Received: from mail-it1-x144.google.com (mail-it1-x144.google.com [IPv6:2607:f8b0:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BAB4130EA9 for <oauth@ietf.org>; Thu, 29 Nov 2018 12:23:04 -0800 (PST)
Received: by mail-it1-x144.google.com with SMTP id h65so5793285ith.3 for <oauth@ietf.org>; Thu, 29 Nov 2018 12:23:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PTCxGf+USMNkZFeOFY2xdGlFA23miH3Urw/nyQkd/I4=; b=EIsSuNtBx4zQ1crFIJ16POG1BORMlnhPc7Y3zWUXYNq9bVd4NlY1O/HYmgtNypekde nfgOX7oMpkwB7coYO3pxemkyrdxttik5kTGykE0TzudeBA58uX2oCQatgTvLOvNtegee JpxNu5ZABBO4c2uAiGMqMGN1cisB+LlSyABAI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PTCxGf+USMNkZFeOFY2xdGlFA23miH3Urw/nyQkd/I4=; b=WAgjwNjN8m1x9e7+CopqcZFAUGGHbHZ8oehV0AkoLyaykUXOHYNCzVaPVdt+Lk6mT1 nJPMN13ZWR/JY+Qs5ws1eElFDr6t/mH4E0DMFyNQ5g/AVYRSO9DdlwqfX9r087IweSML GtaKUQwsvggo5LuhibxgIElOmQ3TE0yCwnRSd/vHJEoQspTkCtbNYOg8LEGZaXVcvv/J xXIEbb1J+B29T6zJzM91D/qz0IHzY7QHrHyLlRUlY+KppfI15WorQYNO7ElNMA5JiSRq Zy74pJTITCQlKpGOR9EaS/ApQ75Jndr0sdO8pd5zjo5aHQO2K/ogE5DXHOrZdtbBQYst K+Fw==
X-Gm-Message-State: AA+aEWZbeaMpoTAxDHO4mXq8BhKbdqgLLjCoUM/g41gm0OHH/NeEKbEZ nE2cjklxiIxzmMdmIfQ9/22MFBBrO/WCHCil4l8WhfqEczulIUTKVoVpf7uOVvWqEkqDfZFNaTH jgpFbTq2Pv0pRLw==
X-Google-Smtp-Source: AFSGD/W5Wl7sQanwqNqVSaVOiKsCTGaE9uGBDpATkt9xiUuK9iI5iuBUhYqp/l7X/bkgVFZPgsXSM+5Lx/2+ZderhrI=
X-Received: by 2002:a24:85d4:: with SMTP id r203-v6mr2795482itd.124.1543522983271; Thu, 29 Nov 2018 12:23:03 -0800 (PST)
MIME-Version: 1.0
References: <154274201815.29841.1388851667499826707@ietfa.amsl.com> <AD58D64B-292A-4DD1-BF73-8A89CD775343@lodderstedt.net> <554faba4-77c1-4b7c-693e-6a67367e85bb@aol.com> <34366F0A-D361-4C1E-847A-0C812E8D627B@lodderstedt.net> <b6c3193c-527d-7d10-1854-0b7109a75171@aol.com> <1198DA32-4E63-4966-89CA-398478226209@lodderstedt.net> <A191818F-FA7D-426A-8072-DB50E4163236@amazon.com> <8C2C26DF-68E1-4D09-91A5-B0165C2F4997@forgerock.com>
In-Reply-To: <8C2C26DF-68E1-4D09-91A5-B0165C2F4997@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 29 Nov 2018 13:22:36 -0700
Message-ID: <CA+k3eCTBMuRhX4H1sgESnet9u2yuR6RPbX3buWbi2dnJkhNwog@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: richanna=40amazon.com@dmarc.ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001ef8ad057bd3730a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VGCx7j7M2OniMlQjKRriOc1qQxA>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-10.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 20:23:07 -0000

Big +1 here. I'd be in favor of the document discussing the potential
benefits of tying the refresh token to a session in some situations but
very much agree that the spectrum of desired behaviors is much too wide to
normatively recommend any particular option.

On Wed, Nov 28, 2018 at 11:19 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> Agreed. Consider also service account flows such as the JWT-bearer
> approach used by Google:
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
>
> It’s not clear there is any session at all in these cases. (Although I
> don’t think there is a refresh token in this specific case).
>
> I think spectrum of desired behaviours is too wide to recommend any
> particular option. Perhaps tying the refresh token to a session could be
> included as a MAY just to document it as something to consider?
>
> — Neil
>
> On 29 Nov 2018, at 00:20, Richard Backman, Annabelle <
> richanna=40amazon.com@dmarc.ietf.org> wrote:
>
> I think we need to be very careful about prescribing behavior around
> refresh token lifetime, and setting expectations for what degree of
> consistency is attainable. Considering the terms "session", "authenticated
> session", "offline", "expiration", "termination", and "log out" can mean
> different things to different services (and those tiny nuances matter!) I
> am against text that makes binding refresh tokens to the authenticated
> session a "SHOULD." Rather, we should recommend that the AS provide the end
> user with a mechanism by which they may terminate refresh tokens. We can
> also describe session-bound refresh tokens as one such method that may or
> may not be appropriate depending on the use case.
>
> To back up my claim that consistency is Hard, here are a few scenarios to
> consider:
>
> 1)
> A mobile app loads the authorization request in an in-app browser tab that
> has an app-scoped cookie jar and is never presented by the app again after
> the flow is complete. How does the user sign out of that session? Should
> the AS kill the session due to inactivity? Won't that confuse the user when
> suddenly the integration between app and service stops working for no
> discernable reason? If this scenario sounds unlikely, it's not. This is the
> behavior of every app that integrated with the Safari in-app browser tab in
> iOS 9 and never updated to the authentication-oriented replacements
> introduced later, as well as that of every app that opens the authorization
> request in a web view (ugh).
>
> 2)
> A mobile app loads the authorization request in the external browser, but
> the user always uses the AS's app on their device instead of visiting their
> website (e.g., using the Gmail app instead of going to gmail.com in the
> browser), so their browser session quickly times out due to inactivity.
> Again, won't that confuse the user when the client mobile app stops working?
>
> 3)
> A set-top box uses the device flow, and the tokens it receives are bound
> to the user's session in the web browser on their laptop, where they
> completed the device flow. The user buys a new laptop, their session on
> their old laptop times out due to inactivity, and their set-top box can't
> stream videos anymore. ¯\_(ツ)_/¯
>
> --
> Annabelle Richard Backman
> AWS Identity
>
>
> On 11/28/18, 9:20 AM, "OAuth on behalf of Torsten Lodderstedt" <
> oauth-bounces@ietf.org on behalf of torsten@lodderstedt.net> wrote:
>
>
>
> Am 28.11.2018 um 16:53 schrieb George Fletcher <gffletch@aol.com>:
>
>
> On 11/28/18 5:11 AM, Torsten Lodderstedt wrote:
>
> Hi George,
>
>
> Am 20.11.2018 um 23:38 schrieb George Fletcher <gffletch@aol.com>:
>
>
> Thanks for the additional section on refresh_tokens. Some additional
> recommendations...
>
>
> 1. By default refresh_tokens are bound to the user's authenticated
> session. When the authenticated session expires or is terminated (whether
> by the user or for some other reason) the refresh_tokenis implicitly
> revoked.
>
> SHOULD or MUST? I would suggest to go with a SHOULD.
>
> I would say that the AS SHOULD bind the refresh_token to the user's
> authentication. However, I'd lean more to MUST for session bound
> refresh_tokens being revoked when the session is terminated.
>
>
>    wfm
>
>    Anyone on the list wanting to object?
>
>
> 2. Clients that need to obtain a refresh_token that exists beyond the
> lifetime of the user's authentication session MUST indicate this need by
> requesting the "offline_access" scope (
> https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)..
> This provides for a user consent event making it clear to the user that the
> client is requesting access even when the user's authentication session
> expires. This then becomes the default for mobile apps as the refresh_token
> should not be tied to the web session used to authorize the app.
>
> Sounds reasonable, just the scope „offline_access“ is OIDC specific. Is it
> time to move it down the stack to OAuth?
>
> It may be if we want more consistency in the implementation of
> refresh_token policy across authorization servers.
>
>
>    Who has an opinion on that topic?
>
>
> 3. The AS MAY consider putting an upper bound on the lifetime of a
> refresh_token (e.g. 1 year). There is no real need to issue a refresh_token
> that is good indefinitely.
>
> I thought I had covered that in the last section. It’s now:
>
>
> Refresh tokens SHOULD expire if the client has been inactive for some time,
>
>        i.e. the refresh token has not been used to obtain fresh access
> tokens for
>
>        some time. The expiration time is at the discretion of the
> authorization server.
>
>        It might be a global value or determined based on the client policy
> or
>
>        the grant associated with the refresh token (and its sensitivity).
>
> This is slightly different but sufficient so +1 for the text :)
>
>
>    Ok, thanks.
>
>
> Proposals are welcome!
>
>
> kind regards,
>
> Torsten.
>
>
>
> This is in addition to the other best practices described.
>
>
> Thanks,
>
> George
>
>
> On 11/20/18 2:32 PM, Torsten Lodderstedt wrote:
>
> Hi all,
>
>
> the new revision contains the following changes:
>
>
> * added section on refresh tokens
>
> * additional justifications for recommendation for code
>
> * refactored 2.1 in order to distinguish CSRF, authz response replay and
> mix-up (based on feedback by Joseph Heenan)
>
> * added requirement to authenticate clients during code exchange (PKCE or
> client credential) to 2.1.1.
>
> * changed occurrences of SHALL to MUST
>
>
> As always: looking forward for your feedback.
>
>
> kind regards,
>
> Torsten.
>
>
>
> Am 20.11.2018 um 20:26 schrieb internet-drafts@ietf.org
>
> :
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>
>       Title           : OAuth 2.0 Security Best Current Practice
>
>       Authors         : Torsten Lodderstedt
>
>                         John Bradley
>
>                         Andrey Labunets
>
>                         Daniel Fett
>
>    Filename        : draft-ietf-oauth-security-topics-10.txt
>
>    Pages           : 38
>
>    Date            : 2018-11-20
>
>
> Abstract:
>
>  This document describes best current security practice for OAuth 2.0..
>
>  It updates and extends the OAuth 2.0 Security Threat Model to
>
>  incorporate practical experiences gathered since OAuth 2.0 was
>
>  published and covers new threats relevant due to the broader
>
>  application of OAuth 2.0.
>
>
>
> The IETF datatracker status page for this draft is:
>
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
>
>
> There are also htmlized versions available at:
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10
>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-10
>
>
>
> A diff from the previous version is available at:
>
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-10
> <https://www..ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-10>
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
>
> until the htmlized version and diff are available at tools.ietf.org.
>
>
> Internet-Drafts are also available by anonymous FTP at:
>
>
> ftp://ftp.ietf.org/internet-drafts/
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
>
> OAuth@ietf.org
>
> https://www..ietf.org/mailman/listinfo/oauth
> <https://www.ietf.org/mailman/listinfo/oauth>
>
>
> _______________________________________________
>
> OAuth mailing list
>
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email