[OAUTH-WG] Re: Call for adoption - First Party Apps

Kristina Yasuda <yasudakristina@gmail.com> Wed, 11 September 2024 09:53 UTC

Return-Path: <yasudakristina@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155B2C151080 for <oauth@ietfa.amsl.com>; Wed, 11 Sep 2024 02:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rLZ08FWiQc2 for <oauth@ietfa.amsl.com>; Wed, 11 Sep 2024 02:53:20 -0700 (PDT)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21615C14F683 for <oauth@ietf.org>; Wed, 11 Sep 2024 02:53:20 -0700 (PDT)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-6db449f274fso49211877b3.2 for <oauth@ietf.org>; Wed, 11 Sep 2024 02:53:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726048399; x=1726653199; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uhIl3kPRFr0i5lBIO1wIDWPdvXtLX4Fjoaf9h/LKYLc=; b=glezbP7LHWt2tgBVYBBQpiWzWmwG5ihxWc58Q8BKFtjojeuRbDc93NnBt23Gtl4b6O Oy96M19aHjhqxYQPWoHrUQuZCDphX9X9Wo6EEZKcLUmBvces1dYF/BBiFjDCjFlnVWn8 1qx5xbnd6vYQfrGLb/5p7HrqHnYjsXm3Q2W2MfOrQ7LWiMbAnDFoEq8/esZY1/scqA90 HA5ROvPutoMtzDvdU+x8kIcEGzz0PVbG9tL+10UuII4WEbzfx7q4IQJ+ssbfQCi9vhOJ Hq+LQr8kcc/veAtixDdsurotn8fz07v+gp/vvCLAGY43aBwgWnjcqlPRcfxAZYT3RlMS CEsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726048399; x=1726653199; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uhIl3kPRFr0i5lBIO1wIDWPdvXtLX4Fjoaf9h/LKYLc=; b=V8Hb7Geh93q9nHZzLmhnNPfJ6As71oxAqIA1w+40ptCfv1nTbVvTq4RVnWvl4g2siD 0bubWiSjGhjQpGHcnAgEwAL40n6wud7m/yBqVyh43WIJ6QwP9C4SZVbtIFKZUgsM7kyM CFlK8OwS9tJy2xXdD/CJtiabuPKcdD+XIaWJlg7ZZY7iMcVixSYyUEtevx+xrDccmqn6 G7c1kk/GHTWmEYnZ4VfKJZ2rEYY924Li+5f8VEsdmRXE78ZOQaz5Dm0o/4MkCW/E/8+j wBvOMA8PabPG8ozey3CYVy1GXL6iW80waPbbU2S+h5oy0GwFqdnAOQCeW+2TvZ7jz4Qz Ka0g==
X-Forwarded-Encrypted: i=1; AJvYcCXO1c+XYgUUpguUsqVuIeeRBAMwa4FrI4JFK0sIMxd6RUZXENT+goQPTkg0wA93at2A6N5dNg==@ietf.org
X-Gm-Message-State: AOJu0YzJUHQoC5+LT8SPoAItZT9zR7PLk2MKn6C89Ou1O97gKTHRPmrp 99oFM2b/YCbC6T9CfAjpDip+gxK4PY8d41Qgagevcfab0sUxdAFsEo2Vv+Jij5XcVSOSlNkftgG E12zcNtZLX9J6mPyVZ9dxiWCyZmY=
X-Google-Smtp-Source: AGHT+IFQ4RlpRu3Bd9V+znCk4UIHJZwhbawBa4ZuZRuBWkK5z2serCoAD9LJknb6CEgsV7a7wV1LHMZz7lUqr42yHhY=
X-Received: by 2002:a05:690c:290d:b0:6d3:9129:575f with SMTP id 00721157ae682-6db45272fe4mr137754947b3.38.1726048398899; Wed, 11 Sep 2024 02:53:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uur2NSN+BBMFfhv9UcfZtmQsByUhpyr1huvQiC+5PX8g@mail.gmail.com> <F68A8B14-8511-49E6-A06F-5BBE5EE549CC@gmail.com> <CAGBSGjr8S+LixUpEMgNDbcvRgF0nef+01HLfa0yvxxjDaqKS1w@mail.gmail.com> <F7ECC695-67FF-4EFE-8ACB-731292028282@gmail.com> <CAGBSGjrEUBa7jT1XrCcq9p8u_jV9n=87gEwq1OSyLow0V_P2-w@mail.gmail.com>
In-Reply-To: <CAGBSGjrEUBa7jT1XrCcq9p8u_jV9n=87gEwq1OSyLow0V_P2-w@mail.gmail.com>
From: Kristina Yasuda <yasudakristina@gmail.com>
Date: Wed, 11 Sep 2024 11:53:07 +0200
Message-ID: <CAFje9Pg5vi012R4TwxcRkwKvDLYHhmFDE5mM7+Nh6yTPF74TyA@mail.gmail.com>
To: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae83c70621d4f588"
Message-ID-Hash: RSFMYJ3JPGAWCTD67KVJEJ3OYYKZZ4M2
X-Message-ID-Hash: RSFMYJ3JPGAWCTD67KVJEJ3OYYKZZ4M2
X-MailFrom: yasudakristina@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VpfNdIUreu6C0FNI0i_yIrd1U1o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I support adoption of this draft.
In the EU, this draft is expected to help with authenticating the user
using PID during EAA issuance, too.
Best,
Kristina

On Tue, Sep 10, 2024 at 5:44 PM Aaron Parecki <aaron=
40parecki.com@dmarc.ietf.org> wrote:

> Please remember that not having this draft will not stop people from
> building native login experiences into apps.
>
> This is particularly a problem for companies that build authorization
> server products that are used by people building apps, since the result is
> then that they end up building proprietary APIs for building native login
> experiences, and if these companies are large enough it turns in to a
> de-facto standard anyway.
>
> > I’m yet to hear a genuine argument in favour of the “native experience”
> that doesn’t boil down to aesthetic preferences.
>
> "aesthetic preferences", also known as "user experience", is absolutely a
> valid concern for many people.
>
> > locking down the API to first-party apps only sets a precedent that eg
> the official BlueSky/Twitter/Facebook app will always have a
> different/privileged login experience compared to third-party apps
>
> This has very much been in line with the goals of OAuth from the
> beginning, giving third-party apps a different experience from first-party
> apps. I don't see this as a problem. This is also becoming more relevant
> with the prevalence of the pattern of using a first-party native app *as*
> the authorization server for other native apps on the device. (e.g. a
> health tracker app wants to get access to your Strava data, it starts an
> OAuth flow to the Strava native app, where the user has to log in and
> approve the request. It would be very weird for the Strava app to then do a
> web OAuth flow to the Strava website. Instead, I have seen a number of apps
> that build out the authorization approval screen in the native app, so
> there is never even a browser involved in the third party OAuth flow at
> all.)
>
> Also please note that the current draft never mentions passwords as an
> authentication mechanism. The first example given is passkey login, which
> as Tim mentioned earlier in this thread is phishing-resistant on mobile
> devices since it's handled by the operating system rather than the app.
>
> Aaron
>
> On Tue, Sep 10, 2024 at 6:47 AM Neil Madden <neil.e.madden@gmail.com>
> wrote:
>
>> Yes, I’ve watched the recordings. I have sat through many client meetings
>> where UI designers insist that a “native experience” is absolutely
>> essential, despite the clear security problems with it. But that native
>> experience is normally actually worse for users, despite appearing to look
>> better (eg no automatic SSO from existing web browser cookies etc). I’m yet
>> to hear a genuine argument in favour of the “native experience” that
>> doesn’t boil down to aesthetic preferences.
>>
>> Limiting the endpoints to first party apps, via some strong client
>> authentication method (attestation) helps with some of the security
>> concerns, but it doesn’t really address the root issues. If we encourage
>> users to enter credentials directly into apps, then phishing apps become a
>> danger, exactly as RFC 8252 says (regarding in-app user-agents, but the
>> same principles apply):
>>
>> "When all good actors are using external user-agents, the advantage is
>>
>>    that it is possible for security experts to detect bad actors, as
>>    anyone faking an external user-agent is provably bad.  On the other
>>    hand, if good and bad actors alike are using embedded user-agents,
>>    bad actors don't need to fake anything, making them harder to detect.”
>>
>>
>> s/embedded user-agent/native UI/ and I think this argument very much applies to the current draft.
>>
>>
>> Even if you lock down the API so those other apps cannot login directly
>> with those credentials, it is too late if the user has already entered
>> their username and password. Use of a native UI, which is easily spoofed,
>> bypasses all of the phishing protections that browsers have added over the
>> years (eg warning about malicious sites, highlighting the origin, password
>> manager origin checking before auto-filling, etc).
>>
>> Secondly, locking down the API to first-party apps only sets a precedent
>> that eg the official BlueSky/Twitter/Facebook app will always have a
>> different/privileged login experience compared to third-party apps. This
>> seems to run contrary to AIB statements like
>> https://datatracker.ietf.org/doc/statement-iab-statement-on-the-risks-of-attestation-of-software-and-hardware-on-the-open-internet/ (a
>> draft, admittedly).
>>
>> — Neil
>>
>> On 10 Sep 2024, at 13:55, Aaron Parecki <aaron@parecki.com> wrote:
>>
>> Neil, I don't know if you've seen the several presentations I did at the
>> last few IETF meetings about this work, but a large part of the motivation
>> of this work is because *currently* people are bending over backwards to
>> provide a native user experience for their first party apps and doing so in
>> a way that is not only not standard, but even worse than what could be done
>> with a standardized method. Please go review those recordings for more of
>> the background.
>>
>> I am open to the discussion of how best to limit this to first party
>> apps, maybe that part needs to be stricter than what is currently in the
>> draft. But at the very least, the draft says in no unclear terms that this
>> is not for use by third party apps.
>>
>> Aaron
>>
>>
>> On Tue, Sep 10, 2024 at 3:59 AM Neil Madden <neil.e.madden@gmail.com>
>> wrote:
>>
>>> I know that apps that accept credentials directly are common place. But
>>> the direction of travel has so far been to discourage that: eg deprecating
>>> ROPC, requiring use of an external vs embedded user-agent etc. (Sorry, I
>>> misremembered: it’s BCP 212 that requires this, not the security BCP — and
>>> it has a lot of good rationale for that decision).
>>>
>>> 3rd party apps follow where first-party apps lead.
>>>
>>> — Neil
>>>
>>> On 10 Sep 2024, at 11:14, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> 
>>>
>>> Neil
>>>
>>> Users input credentials directly into apps all the time in OAuth -- it
>>> is at the AS.
>>>
>>> There are many deployments that use OAuth where the AS and RS are the
>>> same party. The objective of this draft (as I understand it) is to provide
>>> a simplified OAuth flow for this use case. The BCP does not address this
>>> use case.
>>>
>>> Why would we not want to provide a best practice for deployments where
>>> the AS and RS are the same party? We will likely improve the security of
>>> those deployments over them making up their own protocol, won't we?
>>>
>>> /Dick
>>>
>>>
>>>
>>> On Tue, Sep 10, 2024 at 10:20 AM Neil Madden <neil.e.madden@gmail.com>
>>> wrote:
>>>
>>>> The draft is motivated by allowing native apps to provide a login
>>>> journey for OAuth rather than using the browser. This encourages people to
>>>> input credentials directly into apps, which (a) directly contradicts the
>>>> advice in the security BCP, and (b) opens up users to significantly more
>>>> attack vectors (including that the phishing-resistance of FIDO is
>>>> significantly weakened). We shouldn’t be encouraging this.
>>>>
>>>> — Neil
>>>>
>>>> On 5 Sep 2024, at 15:48, Tim Cappalli <tim.cappalli@okta.com> wrote:
>>>>
>>>> 
>>>> IMO, we're getting very off topic here. The WebAuthn text is not part
>>>> of the draft being called for adoption.
>>>>
>>>> On Thu, Sep 5, 2024 at 2:15 AM Neil Madden <neil.e.madden@gmail.com>
>>>> wrote:
>>>>
>>>>> On 5 Sep 2024, at 05:45, David Waite <david@alkaline-solutions.com>
>>>>> wrote:
>>>>> >
>>>>> > 
>>>>> >
>>>>> >> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com>
>>>>> wrote:
>>>>> >>
>>>>> >>> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com>
>>>>> wrote:
>>>>> >>>
>>>>> >>> I can always grab the cookie jar off the user browser if I have
>>>>> that
>>>>> >>> level of access.
>>>>> >>
>>>>> >> USB access is not privileged, but that’s beside the point.
>>>>> >
>>>>> >>
>>>>> >> Put another way, the phishing-resistance of WebAuthn only really
>>>>> makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec
>>>>> that encourages the use of OAuth auth flows outside of such sandboxed
>>>>> environments, as this one potentially does, is going to make defending
>>>>> against phishing harder.
>>>>> >
>>>>> > The client is not an identified/authenticated component in the
>>>>> architecture, so there is a user trust required in using a client - that
>>>>> the client actually is an agent acting in the user’s interest rather than
>>>>> acting maliciously.
>>>>> >
>>>>> > Platforms have the ability to provide specific API for these
>>>>> interactions to become a trustworthy client, and to block privileged access
>>>>> (including access to speak directly to hardware) behind audited
>>>>> entitlements to prevent from installed software acting as a malicious
>>>>> client.
>>>>>
>>>>> Right, this is what I mean by sandboxed.
>>>>>
>>>>> >
>>>>> > Note that some platforms also provide entitlements and heuristics
>>>>> for password manager access - however, as a knowledge-based system the
>>>>> platform cannot really prevent malicious applications from still attempting
>>>>> to manipulate their way to credential phishing.
>>>>> >
>>>>> >>
>>>>> >> (I’d also question why first-party apps need a standardised API for
>>>>> this anyway: they can do whatever they like using proprietary APIs already).
>>>>> >
>>>>> > I would struggle to come up with standards-track RFCs which would
>>>>> not be able to instead be accomplished with proprietary APIs. The editors
>>>>> and working groups found value in peer review and in interoperability.
>>>>>
>>>>> Standards are for promoting interoperability, not for getting free
>>>>> peer review of private APIs.
>>>>>
>>>>> >
>>>>> > I have seen the pitfalls of a proprietary approach to this and would
>>>>> say peer review is important. My primary concern is whether we can have a
>>>>> clients that authenticate against multiple implementing ASes based solely
>>>>> on this work. Profiling authentication methods like passkey-based
>>>>> authentication would go a long way toward alleviating that concern.
>>>>> >
>>>>> > -DW
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list -- oauth@ietf.org
>>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>
>> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>