IETF Logo Mail Archive

Re: [OAUTH-WG] Security concern for URI fragment as Implicit grant

John Bradley <ve7jtb@ve7jtb.com> Wed, 29 June 2016 15:10 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF9212DEF0 for <oauth@ietfa.amsl.com>; Wed, 29 Jun 2016 08:10:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y1fi2qszr1jl for <oauth@ietfa.amsl.com>; Wed, 29 Jun 2016 08:10:42 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D598C12DF21 for <oauth@ietf.org>; Wed, 29 Jun 2016 08:10:38 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id j2so37488458qkf.3 for <oauth@ietf.org>; Wed, 29 Jun 2016 08:10:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=taZWkaeW/N1bIhzIiUziRtVEIikg7iMVw3S3tPTwq4M=; b=iLrg5xxT/VQuKCI8dO6vdGmf01DPssaCHYnjAKAeyFne/msFl8UJRx2xOu27ptq2Lv p6JpZaOTEr75jx9DMhnr80wIZPYRQhh0ObSIH2tT9pdAH0SuMQZxe2sfwMVYDffc3QC1 jyrahlGPigAVOBiXbEXc1kpqVyUHv9TGb7ReROMAxsNRRICROUOBszlaAGheZombIiOf B0prhccgaCWlThcm0GSMTH4OthyQSzyCY9Viv4FPuKZXnECWKluPkRUqZNVKhEbYpVP7 YKJ9dFjTi5yQd5tXFRVb42o6cHlqcNRUvfrnVAuFsAU7oM6cd4mnGfoXVOujmeCvwNRT JSbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=taZWkaeW/N1bIhzIiUziRtVEIikg7iMVw3S3tPTwq4M=; b=aJTFVQ0XtNZxG/S4o1eh33eheRg6bQx6VigQqOtfdf1pbDl61Z1GbY9TMIt3S+27sU NrQldBUFHdMBTqbeDSBFEoeIMWKpRogZ1+AeX9nYz7eTOZhzHVvg+2zXcwrT4EL1xbJn F8kZKrqoLcP5d48Unk4EPM3AIfIJFmNQ3D9Is4Q5cYtc8lWzs62YAX6dov5sm7Uea9L5 9OskQlSWBTClwK5cdZPAnbDd+L7zv6u//HLT4eWQfcFSM+1mMYuptZd2aM1H1JfM0Tlx ZumSZhp/2Qivj1cMMjyLvg1Uo0ErTmU9XXxrzx/JcA+ajdZQBa/8d3yT1BTBSJnYs1BV uf0g==
X-Gm-Message-State: ALyK8tJdwIxIb273BU2rMvZbp9X1EzJm0rgp3ZJAdldKofJExYD8AKsC7QveGDDmCUp0Eg==
X-Received: by 10.55.168.137 with SMTP id r131mr11535754qke.24.1467213037833; Wed, 29 Jun 2016 08:10:37 -0700 (PDT)
Received: from [192.168.8.101] ([181.202.212.65]) by smtp.gmail.com with ESMTPSA id z65sm2082837qkd.36.2016.06.29.08.10.35 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 29 Jun 2016 08:10:37 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_B2BB5C95-BE89-42D1-B7C0-B52C437218F5"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B05EC2C3-536F-4C9E-BFF9-09E83D863771@mit.edu>
Date: Wed, 29 Jun 2016 11:10:33 -0400
Message-Id: <7281CBDE-5D9A-43A3-944C-DF5FDAC70505@ve7jtb.com>
References: <CAN7udULAerS=YDSjMamZ3pu-oVZr683LsjT5Q5Zzwm=bwEZAQA@mail.gmail.com> <B05EC2C3-536F-4C9E-BFF9-09E83D863771@mit.edu>
To: Justin Richer <jricher@MIT.EDU>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WQI86tDTSSrM_rNQsbjf4KQucP4>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, Liyu Yi <liyuyi@gmail.com>
Subject: Re: [OAUTH-WG] Security concern for URI fragment as Implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 15:10:56 -0000

I agree with Justin.

You should be using the code flow if it is a server based client.

The OAuth WG is considering better alternatives to using fragment encoding for in browser JS clients as well.  
For the moment the only standard for the in browser client is fragment encoding.  In the future we hope to have more modern methods based on post message.

For people using openID Connect who want a id_token in the front channel (Hybrid flow) they should use the form post response mode
 https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>

Browsers now re-append  fragments across 302 redirects unless they are explicitly cleared this makes fragment encoding less safe than it was when originally specified.

John B.

> On Jun 29, 2016, at 10:30 AM, Justin Richer <jricher@MIT.EDU> wrote:
> 
> The implicit flow was designed for in-browser clients that don’t have a server back-end. In these cases, keeping the data inside the browser entirely is exactly the goal: you don’t want to use query or form parameters because those get sent by the browser back to the server. That was the idea anyway, except that now new versions of Chrome also send the fragment back (as I understand things) so we’re in a bit of a lurch with our assumed security model. 
> 
> Even so, you’re absolutely right that the fragment can leak all over the browser. There are a few tricks you can do to mitigate this, like messing about with the history, but they’re patches at best. This is why the implicit flow is considered fairly insecure by most people in the community, and it really needs to be used only in the very limited context of an in-browser application, with limited lifetime access tokens (perhaps even tied to a live session at the AS). What you’re doing with the implicit flow, when used properly, is really more like a cross-domain session sharing.
> 
>  — Justin
> 
>> On Jun 27, 2016, at 3:30 PM, Liyu Yi <liyuyi@gmail.com <mailto:liyuyi@gmail.com>> wrote:
>> 
>> While we are working on a project with OAuth2 implementation, one question arises from our engineers.
>> 
>> We noticed at https://tools.ietf.org/html/draft-ietf-oauth-v2-31#page-30 <https://tools.ietf.org/html/draft-ietf-oauth-v2-31#page-30>, it is specified that
>> 
>>   
>> (C)  Assuming the resource owner grants access, the authorization
>> 
>>         server redirects the user-agent back to the client using the
>> 
>>         redirection URI provided earlier.  The redirection URI includes
>> 
>>         the access token in the URI fragment.
>> 
>>  
>> For my understanding, the browser keeps the URI fragment in the history, and this introduces unexpected exposure of the access token. A user without authorization for the resource can get the access token as long as he has the access to the browser. This can happen in a shared computer in library, or for an IT staff who works on other employee’s computer.
>> 
>>  
>> Shouldn’t it be more secure if we change to use a post method for access token, similar to the SAML does?
>> 
>> I feel there might be something I missed here. Any advices will be appreciated.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.46.0 | Report a Bug | By Email | System Status