[OAUTH-WG] Re: Call for adoption - First Party Apps

Neil Madden <neil.e.madden@gmail.com> Wed, 04 September 2024 22:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X8j4FOp27BsDmHoCwYu2yYdQqAo>

On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Wed, Sep 4, 2024 at 2:46 PM Neil Madden <neil.e.madden@gmail.com> wrote:
>> 
>> On 4 Sep 2024, at 21:31, Tim Cappalli <tim.cappalli@okta.com> wrote:
>> 
>>> Thanks, that’s good to know. Does it preserve phishing resistance? I.e. the app cannot spoof the rpId?
>> 
>> The WebAuthn client for native apps is the app platform. The app platform, aka the OS, handles origin binding using existing app to web domain association methods (Android Asset Links, Apple Associated Domains). This is used for both embedded WebViews and native app platform APIs. For System WebView, the WebAuthn client is the web platform, just like a browser (WebView details: Android, iOS, macOS).
>> 
>> I can see how that works for iOS and Android, where apps are sandboxed. But can’t a macOS/Windows/Linux app bypass the “official” WebAuthn API and just talk CTAP directly to a USB authenticator? (You used to even be able to do this from the browser: https://www.yubico.com/support/security-advisories/ysa-2018-02/)
>> 
>> Or is the intent to limit the spec to sandboxed apps? (If so, some kind of attestation to ensure the app actually is sandboxed seems a good idea.)
> 
> I can always grab the cookie jar off the user browser if I have that
> level of access.

USB access is not privileged, but that’s beside the point.

Put another way, the phishing-resistance of WebAuthn only really makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec that encourages the use of OAuth auth flows outside of such sandboxed environments, as this one potentially does, is going to make defending against phishing harder.

(I’d also question why first-party apps need a standardised API for this anyway: they can do whatever they like using proprietary APIs already).

— Neil
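As an added example (not part of this thread or of any project it mentions), the relying-party checks that the origin binding discussed above rests on: the RP compares the rpIdHash in authenticatorData against SHA-256 of its RP ID and checks the origin in clientDataJSON against an allow-list, both of which are values reported by the WebAuthn client, which is why a client that can bypass the platform API matters. RP_ID, ALLOWED_ORIGINS and the sample assertion are constructed; signature verification is omitted.

```python
# Added example: RP-side origin/rpId binding checks for a WebAuthn assertion.
# The client (browser or OS) supplies clientDataJSON and authenticatorData; the
# RP can only verify what that client reports. No signature check is done here.
import hashlib
import json
import struct

RP_ID = "example.com"                     # constructed sample relying party ID
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": rp_id_hash, "up": bool(flags & 0x01),
            "uv": bool(flags & 0x04), "signCount": sign_count}

def verify_assertion_binding(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: str) -> tuple:
    """Return (ok, reason) for the ceremony-type, challenge, origin and rpId checks."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % client_data.get("origin")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not parsed["up"]:
        return False, "user presence flag not set"
    return True, "ok"

def make_sample(origin: str, rp_id: str, challenge: str) -> tuple:
    """Construct a client-reported assertion (constructed test data, no signature)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 7)
    return cdj, auth

if __name__ == "__main__":
    chal = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    print(verify_assertion_binding(*make_sample("https://example.com", RP_ID, chal), chal))
    print(verify_assertion_binding(*make_sample("https://example.com", "evil.example", chal), chal))
```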