IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Aaron Parecki <aaron@parecki.com> Mon, 25 November 2019 16:06 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF4B1208B0 for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 08:06:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP7iCIsB6s8A for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 08:06:57 -0800 (PST)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 295E212013D for <oauth@ietf.org>; Mon, 25 Nov 2019 08:06:57 -0800 (PST)
Received: by mail-io1-xd32.google.com with SMTP id j13so16882068ioe.0 for <oauth@ietf.org>; Mon, 25 Nov 2019 08:06:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ME3xTuEVM+7uyDBYkEZepThBmDKNyBBDaD1tMsPhk4s=; b=mA93SyVwDYVeYmHYJHUU3IHFo4N7MsY1oyKgviqBrVmy0cVhZRsuA/jB9H51IZ/pjq eojtyENbxvhQ8KdAkiWwxoVeGhWncDGceMzi61JOWsxUg2fQ2G01em5LDzj3BwUr6SXL Nf/X0L/fP2HP7qYRtloE41EHaV2yI2FwA6/+IuJcN32H2aWXShNHDXKEc2KB6FkuEH7o j9t/jRm94t2lS+TUPQ21mAeaGdP2jadubR/04jfz6gSDmhYPYdZQkd6nOmc8c0UH8xP9 vTO8uKjV+0n5OKdUokh9ej8h2FRUdEtzwIf4w/8lpoPrSspC8uoqrykb6ntcWOMFHPJa ytZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ME3xTuEVM+7uyDBYkEZepThBmDKNyBBDaD1tMsPhk4s=; b=ogb/FaO5RtaUWFlOOzqLNoSJWk9pudK9WbyRYDjRPlq3l8pj6nPa8/OQfpx59JIR3h esDxCuhJOSLH5LkbBqLJB+EtQNjCnwDth0ItmEEe88KDdw4rAm8K2WPo2m7H6o+2o37+ 0wno/T7tjUIoguiO3IaXGoUK9mloSzsZ8M8XNSXgOiC2UIm6Y9fmKbXsdtuS/eU0toJ9 5SbMSmm/wnjrK3Isz5ld8y91SM09ykRTCFT16wJX8CXge0pdfAMibarQFSzNOWByLAbb fIIhG4/0FD+3rGqnO8biqk0iyLVAG/MXYsZkOKss+vL747B4oj90WUOEfhX5fHv84qXP pyCQ==
X-Gm-Message-State: APjAAAWc4ZV/3Cbiz63TphLvxwo/EhbDGb3tuYsfsLOrrirt3MZVlOQQ bD2cjKfFPC9kFjcY1ssAIeCjTEA9uP0=
X-Google-Smtp-Source: APXvYqznv8z7lONW95pklmMXbgbY6l/gKum9rx+XCyxhfjPDfONLqAbhNYwajsDrt8S/jt8NDbHn9A==
X-Received: by 2002:a02:aa14:: with SMTP id r20mr27768632jam.19.1574698016158; Mon, 25 Nov 2019 08:06:56 -0800 (PST)
Received: from mail-io1-f51.google.com (mail-io1-f51.google.com. [209.85.166.51]) by smtp.gmail.com with ESMTPSA id m4sm2314345ilf.18.2019.11.25.08.06.54 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Nov 2019 08:06:54 -0800 (PST)
Received: by mail-io1-f51.google.com with SMTP id j13so16881964ioe.0 for <oauth@ietf.org>; Mon, 25 Nov 2019 08:06:54 -0800 (PST)
X-Received: by 2002:a02:a995:: with SMTP id q21mr29353283jam.27.1574698014594; Mon, 25 Nov 2019 08:06:54 -0800 (PST)
MIME-Version: 1.0
References: <1561F036-BE65-45B7-B206-5702774B3DBF@lodderstedt.net> <E192E3A8-55BB-48AC-BCC3-F40EA9B04ABF@forgerock.com> <CAP-T6TR3xqZ+u_MRboz6XG5wxGAv3R8nUsgv4vXhzNVAr+=sqA@mail.gmail.com> <D3DF992C-88BB-428E-A539-140F7481F2EA@forgerock.com> <73A2D736-93F3-4DF2-975A-072729F0166F@lodderstedt.net> <C9F896F4-29A0-484B-BCFF-C569F74955BA@forgerock.com>
In-Reply-To: <C9F896F4-29A0-484B-BCFF-C569F74955BA@forgerock.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 25 Nov 2019 08:06:42 -0800
X-Gmail-Original-Message-ID: <CAGBSGjroZ0WXC3vthFwzzAdU4anLyySsXvP5cVjoyi4yrb1AXQ@mail.gmail.com>
Message-ID: <CAGBSGjroZ0WXC3vthFwzzAdU4anLyySsXvP5cVjoyi4yrb1AXQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9dd6b05982df30e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XsPuzXbPKHnh9qOIfTaIX0E391E>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 16:06:59 -0000

I agree, the Facebook issue had nothing to do with extracting access tokens
via a hack, it was entirely facebook’s fault for issuing access tokens
improperly in the first place. They posted some amazing details on what
happened on their website.

https://about.fb.com/news/2018/09/security-update/

If they couldn’t even get this right, it’s unlikely a sender constrained
token would have helped here, and may have been bypassed just like the
other three issues that led to the breach.

> I tend to agree with your assessment. The simplest way with current OAuth
is use of code+pkce+refresh tokens, narrowly scoped access tokens, and
resource indicators to mint RS-specific, privilege restricted, short lived
access tokens.
>
> Do you think we should spell this out in the SPA BCP?

I agree that this is probably the best advice we can give. Ultimately
people will still make mistakes like the ones that led to the Facebook
issue, so all we can do is point people in the right direction.

Aaron



On Mon, Nov 25, 2019 at 6:08 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> On 25 Nov 2019, at 12:09, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
> >
> > Hi Neil,
> >
> >> On 25. Nov 2019, at 12:38, Neil Madden <neil.madden@forgerock.com>
> wrote:
> >>
> >> But for web-based SPAs and so on, I'm not sure the cost/benefit trade
> off is really that good. The biggest threat for tokens being stolen/misused
> is still XSS, and DPoP does nothing to protect against that. It also
> doesn't protect against many other ways that tokens leak in browsers - e.g.
> if a token leaks in your browser history then the threat is that the
> attacker is physically using your device, in which case they also have
> access to your DPoP keys. In the cases like the Facebook breach, where
> highly automated mass compromise was achieved, I think we're lacking
> evidence that PoP would help there either.
> >>
> >> The single most important thing we can do to protect web-based apps is
> to encourage the principle of least privilege. Every access token should be
> as tightly constrained as possible - in scope, in audience, and in expiry
> time. Ideally at the point of being issued ...
> >
> > I tend to agree with your assessment. The simplest way with current
> OAuth is use of code+pkce+refresh tokens, narrowly scoped access tokens,
> and resource indicators to mint RS-specific, privilege restricted, short
> lived access tokens.
> >
> > Do you think we should spell this out in the SPA BCP?
>
> I think that would certainly be a great start.
>
> -- Neil
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

v2.23.0 | Report a Bug | By Email