[OAUTH-WG] Re: Call for adoption - First Party Apps

Aaron Parecki <aaron@parecki.com> Tue, 10 September 2024 12:55 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F27ABC14F70F for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 05:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yayRTWwGC9kL for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 05:55:20 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8370C14F68F for <oauth@ietf.org>; Tue, 10 Sep 2024 05:55:20 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id ada2fe7eead31-49bcfbc78a6so1847714137.3 for <oauth@ietf.org>; Tue, 10 Sep 2024 05:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1725972919; x=1726577719; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MfjfAnn3dnG1fGsPyyUgqF9KHn+3OudJ5Rvf0tmTK6k=; b=itsMyMN4DNY96oDkSV14bRlwkkPGEGDg0uwb9iGFMAt3tdsQXMEUYk29nRGN45bdJ/ ccY0GEWnrnwFG3ZBmUIO7yTveBWCHB+5jZFWv+sXFuwaFbs445zPiwfuKY7UkfFNw81M lC27CVQVMrW96OUklRRt4SMsSoIXWvUBabF2vJ81ExKEd+ho4wX/2UOPkuZS/ge19qI4 RUM17/94okJF70vo/mFeOZ959Jd6EJ5tRUUurzeM5UEe6bZstdKPgOE5tntnh0Uz+3qr 96McCi5W4Q4h5WiO9TYe3nLYNzanc0UHSa8ANXS0dG0LwRk56Wpx4ZXXOTHS5BhKMDjL Xc8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725972919; x=1726577719; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MfjfAnn3dnG1fGsPyyUgqF9KHn+3OudJ5Rvf0tmTK6k=; b=JaC3WDOOPXo0JjEc7xul4Hwplmx1NMONhecMQyFHsk5XFciOhL4F5pcBIfHF6rwhJg hEHlKtyYNgJisSNoFMEEgnJmiWWs/M+y9cy4XY7Fo3y3pTJt5lHNzU76ChevhOCN9KnQ bUkRh2w2Riw6wGEw7ynIRjU9Enjl1hPZN9mAC2i8IjzS0j5IH2U8hHNPEKJFobMaL+jW dnZsj9JE+S0AXWnL8xpN6V1Pm7KxxkUPGewXNL+03J3dQzWpRvFvHcxTb1fEQDjhTGGf JKZRAU5toOoaoZ2F7Ieodf8cbPicahxkIk8OkI9LZw3QyQYmzNkskoXZW5bfeEIfwM95 e1bQ==
X-Gm-Message-State: AOJu0Yz0nLWisCSF4coX6kHwac1chzQmV0nrUJ6R7OEIzg4WfICbdr3X LqfXwchGzo7JXZS7cc2YwFq2xw67kZcFQ93dJe66luQs6CWorBpbh3mmY+p7x7IiMkx8wezXHEc =
X-Google-Smtp-Source: AGHT+IGfO6GlGRWU2mhlXdb5V5nYuPjATRVaUW1QaeC0P5pHpg0WQW9m/9WhJ4fcsT/xE0vyNc3yOw==
X-Received: by 2002:a05:6102:32cd:b0:492:aaae:835d with SMTP id ada2fe7eead31-49bddee0da7mr17268056137.0.1725972918892; Tue, 10 Sep 2024 05:55:18 -0700 (PDT)
Received: from mail-ua1-f44.google.com (mail-ua1-f44.google.com. [209.85.222.44]) by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-8489adacf5fsm674250241.39.2024.09.10.05.55.18 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 10 Sep 2024 05:55:18 -0700 (PDT)
Received: by mail-ua1-f44.google.com with SMTP id a1e0cc1a2514c-846c588fa63so1571104241.1 for <oauth@ietf.org>; Tue, 10 Sep 2024 05:55:18 -0700 (PDT)
X-Received: by 2002:a05:6102:2ac9:b0:492:aded:1914 with SMTP id ada2fe7eead31-49bde194993mr16219709137.10.1725972918021; Tue, 10 Sep 2024 05:55:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uur2NSN+BBMFfhv9UcfZtmQsByUhpyr1huvQiC+5PX8g@mail.gmail.com> <F68A8B14-8511-49E6-A06F-5BBE5EE549CC@gmail.com>
In-Reply-To: <F68A8B14-8511-49E6-A06F-5BBE5EE549CC@gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 10 Sep 2024 05:55:06 -0700
X-Gmail-Original-Message-ID: <CAGBSGjr8S+LixUpEMgNDbcvRgF0nef+01HLfa0yvxxjDaqKS1w@mail.gmail.com>
Message-ID: <CAGBSGjr8S+LixUpEMgNDbcvRgF0nef+01HLfa0yvxxjDaqKS1w@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000abbfe90621c362d4"
Message-ID-Hash: EUPQ6VRWOY47NWKRGYSBK5VYFSD7SYKV
X-Message-ID-Hash: EUPQ6VRWOY47NWKRGYSBK5VYFSD7SYKV
X-MailFrom: aaron@parecki.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YU3BpxtSOKKSAjQm0Q7cLfzAY7Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Neil, I don't know if you've seen the several presentations I did at the
last few IETF meetings about this work, but a large part of the motivation
of this work is because *currently* people are bending over backwards to
provide a native user experience for their first party apps and doing so in
a way that is not only not standard, but even worse than what could be done
with a standardized method. Please go review those recordings for more of
the background.

I am open to the discussion of how best to limit this to first party apps,
maybe that part needs to be stricter than what is currently in the draft.
But at the very least, the draft says in no unclear terms that this is not
for use by third party apps.

Aaron


On Tue, Sep 10, 2024 at 3:59 AM Neil Madden <neil.e.madden@gmail.com> wrote:

> I know that apps that accept credentials directly are common place. But
> the direction of travel has so far been to discourage that: eg deprecating
> ROPC, requiring use of an external vs embedded user-agent etc. (Sorry, I
> misremembered: it’s BCP 212 that requires this, not the security BCP — and
> it has a lot of good rationale for that decision).
>
> 3rd party apps follow where first-party apps lead.
>
> — Neil
>
> On 10 Sep 2024, at 11:14, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> 
>
> Neil
>
> Users input credentials directly into apps all the time in OAuth -- it is
> at the AS.
>
> There are many deployments that use OAuth where the AS and RS are the same
> party. The objective of this draft (as I understand it) is to provide a
> simplified OAuth flow for this use case. The BCP does not address this use
> case.
>
> Why would we not want to provide a best practice for deployments where the
> AS and RS are the same party? We will likely improve the security of those
> deployments over them making up their own protocol, won't we?
>
> /Dick
>
>
>
> On Tue, Sep 10, 2024 at 10:20 AM Neil Madden <neil.e.madden@gmail.com>
> wrote:
>
>> The draft is motivated by allowing native apps to provide a login journey
>> for OAuth rather than using the browser. This encourages people to input
>> credentials directly into apps, which (a) directly contradicts the advice
>> in the security BCP, and (b) opens up users to significantly more attack
>> vectors (including that the phishing-resistance of FIDO is significantly
>> weakened). We shouldn’t be encouraging this.
>>
>> — Neil
>>
>> On 5 Sep 2024, at 15:48, Tim Cappalli <tim.cappalli@okta.com> wrote:
>>
>> 
>> IMO, we're getting very off topic here. The WebAuthn text is not part of
>> the draft being called for adoption.
>>
>> On Thu, Sep 5, 2024 at 2:15 AM Neil Madden <neil.e.madden@gmail.com>
>> wrote:
>>
>>> On 5 Sep 2024, at 05:45, David Waite <david@alkaline-solutions.com>
>>> wrote:
>>> >
>>> > 
>>> >
>>> >> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com>
>>> wrote:
>>> >>
>>> >>> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
>>> >>>
>>> >>> I can always grab the cookie jar off the user browser if I have that
>>> >>> level of access.
>>> >>
>>> >> USB access is not privileged, but that’s beside the point.
>>> >
>>> >>
>>> >> Put another way, the phishing-resistance of WebAuthn only really
>>> makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec
>>> that encourages the use of OAuth auth flows outside of such sandboxed
>>> environments, as this one potentially does, is going to make defending
>>> against phishing harder.
>>> >
>>> > The client is not an identified/authenticated component in the
>>> architecture, so there is a user trust required in using a client - that
>>> the client actually is an agent acting in the user’s interest rather than
>>> acting maliciously.
>>> >
>>> > Platforms have the ability to provide specific API for these
>>> interactions to become a trustworthy client, and to block privileged access
>>> (including access to speak directly to hardware) behind audited
>>> entitlements to prevent from installed software acting as a malicious
>>> client.
>>>
>>> Right, this is what I mean by sandboxed.
>>>
>>> >
>>> > Note that some platforms also provide entitlements and heuristics for
>>> password manager access - however, as a knowledge-based system the platform
>>> cannot really prevent malicious applications from still attempting to
>>> manipulate their way to credential phishing.
>>> >
>>> >>
>>> >> (I’d also question why first-party apps need a standardised API for
>>> this anyway: they can do whatever they like using proprietary APIs already).
>>> >
>>> > I would struggle to come up with standards-track RFCs which would not
>>> be able to instead be accomplished with proprietary APIs. The editors and
>>> working groups found value in peer review and in interoperability.
>>>
>>> Standards are for promoting interoperability, not for getting free peer
>>> review of private APIs.
>>>
>>> >
>>> > I have seen the pitfalls of a proprietary approach to this and would
>>> say peer review is important. My primary concern is whether we can have a
>>> clients that authenticate against multiple implementing ASes based solely
>>> on this work. Profiling authentication methods like passkey-based
>>> authentication would go a long way toward alleviating that concern.
>>> >
>>> > -DW
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>