Re: [OAUTH-WG] Recommendations for browser-based apps

John Bradley <ve7jtb@ve7jtb.com> Tue, 19 September 2017 22:32 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 19 Sep 2017 19:32:42 -0300
References: <CAKAMr-Dws2RVRLv+xTa7j2zk+yhpCpYN-jUgxFos+j--Abv4uQ@mail.gmail.com> <CABRXCmwKDOSQQrDdCVBkDWSi85A7FL_R9d9sNzgdBTE_HyKDMw@mail.gmail.com> <14E11D6D-3CA4-4945-93B5-96F40D17463E@oracle.com> <CAOahYUwYT-mFrdN-FvZArNCmVMn8G6X8504Z9EFY_rZ7A328qA@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
In-Reply-To: <CAOahYUwYT-mFrdN-FvZArNCmVMn8G6X8504Z9EFY_rZ7A328qA@mail.gmail.com>
Message-Id: <7630385B-8366-4B11-A5CA-BEE18F96AB8B@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W11tTIRmfejzpoqOTYKptZcxy-c>
Subject: Re: [OAUTH-WG] Recommendations for browser-based apps

Right, refresh token is bearer for native apps; that is why we came up with PKCE to protect code.

For Angular the code flow with PKCE is probably better than the token response type.

However, with bearer tokens it is still riskier than code with a confidential client, so the AS should take that into account and not allow refresh tokens to live forever.

One future way to protect refresh tokens and perhaps access tokens is to use token binding to bind the tokens to the user agent. You could do that now for refresh tokens in Edge (Chrome has TB off by default still).

I think more work needs to be done to come up with a best practice for SPAs.

John B.

> On Sep 19, 2017, at 7:02 PM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
> 
> Only for confidential clients.  No authentication is required for public clients.
> 
> On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
> Except a refresh token is not purely bearer. The client is required to authenticate to use it.
> 
> Phil
> 
> > On Sep 19, 2017, at 2:33 PM, Bill Burke <bburke@redhat.com> wrote:
> >
> > I'd be curious to the response to this too.
> >
> > Seems to me that refresh token has the same possible security risks in
> > an Angular app as an access token, except the refresh token is valid
> > longer. Still, if you did the implicit flow, you'd have to have
> > longer access token timeouts as it would be really annoying for the
> > user to have to login again and again in a long session with your
> > Angular app.
> >
> > We have a javascript adapter that does Authz Code Flow with PKCE for
> > our Angular app.  It also does CORS checks on the code to token XHR
> > request just in case on the IDP side.
> >
> >> On Tue, Sep 19, 2017 at 9:27 AM, Stefan Büringer <sbueringer@gmail.com> wrote:
> >> Hi,
> >>
> >> there were some discussions in January regarding recommendations for
> >> browser-based apps
> >> (https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html).
> >>
> >> I'd just like to ask if the Authorization Code Flow with PKCE is a valid
> >> option for Single-Page-Applications (in our case Angular), because Implicit
> >> Flow cannot be used in our scenario.
> >>
> >> Authorization Code Flow with PKCE eliminates the necessity for client
> >> secrets, but our concern is that exposing the refresh token to the SPA might
> >> be a security risk, compared to the Implicit Flow where no refresh token is
> >> exposed.
> >>
> >> What's your take on this?
> >>
> >> Kind regards,
> >> Stefan Büringer
> >>
> >> P.S. I couldn't find that much on the internet regarding Authorization Code
> >> Flow with PKCE in SPAs, if you have some recommendations for good blog posts
> >> I would be grateful.
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> >
> >
> > --
> > Bill Burke
> > Red Hat
> >