[OAUTH-WG] Re: Call for adoption - First Party Apps

Neil Madden <neil.e.madden@gmail.com> Tue, 10 September 2024 10:59 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DEC0C14F6FF for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 03:59:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.216
X-Spam-Level:
X-Spam-Status: No, score=-1.216 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bezQWbl3ir2f for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 03:59:11 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91DA2C14F6E9 for <oauth@ietf.org>; Tue, 10 Sep 2024 03:59:11 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id a640c23a62f3a-a8a7929fd64so695093266b.0 for <oauth@ietf.org>; Tue, 10 Sep 2024 03:59:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725965950; x=1726570750; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=f6qbl3mP8jvV/hxGVuZOg/SDi4nBaZd1pdkLHBUjIc8=; b=nLOAUV6UYIUzEEegiJn9MEtw4bUnCAaRSkMzkEk2xufYAEr9uxKjpHOFGfzv+2PuvK kZLcH34f1QsK57vojuC69V423B9w2srfCZsqFW5pcSbipvFukUI2aoBWxskdAlH25KL1 d54Mgr11Sb6LTNAr716dYBl3pclz0goTD/82nV2R3+xQr6Zf6xLOvE/JDYXE3tp7OCep Z3MyrXVlNYW+JPL1D8bUsW9yZ5EDqxZN6nUiKBmTDhIPDV6JQQ5FzLWmFgvfAGRcsblA fkBHi8vtkVbN9wfHxG2u/UddZM5tblZhr6CEqsxLk3xPC/q78z3kTtY+WcP9cB5kVXLk xwkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725965950; x=1726570750; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=f6qbl3mP8jvV/hxGVuZOg/SDi4nBaZd1pdkLHBUjIc8=; b=Xw0XibAJ7QjDx7hsKBvpL9Svjw21GFCiuWXDmd1xMCSeeU0mkC2KBDydcVhiX90GQZ 0aL9hDFiozSfJmL/3ptKfJVXPDSqBrrQVOLSBfZHlSA8GrN93TUw0VnusDzspprXkroX NU7sp8jkUBtJQYQMGaLMwA/9zZ+TABl4/bPivGRXv8h/+ZJPp3VSz+0YmjvTfnVdxwTr NbIB0g7F/TGqPfZgNI44Lju1OTplhhbrn6/hGTw6tMNkU7viDHLzqRrqeVafpCMaWWjE AfxTFpkBEVp2VlyMD5tqiF/LJJCSKwk+ebhlZc6ewS5Mqo04yRDW0TKfKBkzj1WFbzim 8ddg==
X-Forwarded-Encrypted: i=1; AJvYcCVKcrYEdFAozcNNSWVDY718SnNNMRRq+q1Qjm/xwBSFgWeuaMsZSlwSqU6Sk6y4p7oj2JYDTQ==@ietf.org
X-Gm-Message-State: AOJu0YzzHHaAvBnuaxyXQeGt2+Ek/hvkpMJHLBmxjLEq+bgawB0EQ1cX XcZO8uOMJfpMIem8sXqeqTQS/NCmRLBtv9QNkL9cBqAHzbhMS+vg
X-Google-Smtp-Source: AGHT+IE06N7Le3K4NhzyzcBnOnST9H2r1miSmKrdzmPCLfg52/iblin2j9nS5FvxGWg9AdpCm7ndYw==
X-Received: by 2002:a17:907:97ce:b0:a8a:9054:8392 with SMTP id a640c23a62f3a-a8ffa8651d4mr32896966b.0.1725965949100; Tue, 10 Sep 2024 03:59:09 -0700 (PDT)
Received: from smtpclient.apple ([2a00:23ee:10b8:922:f56e:917f:5776:426a]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a8d25c61240sm464547566b.133.2024.09.10.03.59.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 10 Sep 2024 03:59:08 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-399208DA-A7EA-438C-9C89-30EBC7C0D68E"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Tue, 10 Sep 2024 11:58:57 +0100
Message-Id: <F68A8B14-8511-49E6-A06F-5BBE5EE549CC@gmail.com>
References: <CAD9ie-uur2NSN+BBMFfhv9UcfZtmQsByUhpyr1huvQiC+5PX8g@mail.gmail.com>
In-Reply-To: <CAD9ie-uur2NSN+BBMFfhv9UcfZtmQsByUhpyr1huvQiC+5PX8g@mail.gmail.com>
To: Dick.Hardt@gmail.com
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: 7E4ADITN2T3MPFBLVXT4OLV3JSWZPDLY
X-Message-ID-Hash: 7E4ADITN2T3MPFBLVXT4OLV3JSWZPDLY
X-MailFrom: neil.e.madden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ya5sUYyVLljZ4szD-TmraGRfTvQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I know that apps that accept credentials directly are common place. But the direction of travel has so far been to discourage that: eg deprecating ROPC, requiring use of an external vs embedded user-agent etc. (Sorry, I misremembered: it’s BCP 212 that requires this, not the security BCP — and it has a lot of good rationale for that decision). 

3rd party apps follow where first-party apps lead. 

— Neil

On 10 Sep 2024, at 11:14, Dick Hardt <dick.hardt@gmail.com> wrote:


Neil

Users input credentials directly into apps all the time in OAuth -- it is at the AS. 

There are many deployments that use OAuth where the AS and RS are the same party. The objective of this draft (as I understand it) is to provide a simplified OAuth flow for this use case. The BCP does not address this use case.

Why would we not want to provide a best practice for deployments where the AS and RS are the same party? We will likely improve the security of those deployments over them making up their own protocol, won't we?

/Dick



On Tue, Sep 10, 2024 at 10:20 AM Neil Madden <neil.e.madden@gmail.com> wrote:
The draft is motivated by allowing native apps to provide a login journey for OAuth rather than using the browser. This encourages people to input credentials directly into apps, which (a) directly contradicts the advice in the security BCP, and (b) opens up users to significantly more attack vectors (including that the phishing-resistance of FIDO is significantly weakened). We shouldn’t be encouraging this. 

— Neil

On 5 Sep 2024, at 15:48, Tim Cappalli <tim.cappalli@okta.com> wrote:


IMO, we're getting very off topic here. The WebAuthn text is not part of the draft being called for adoption.

On Thu, Sep 5, 2024 at 2:15 AM Neil Madden <neil.e.madden@gmail.com> wrote:
On 5 Sep 2024, at 05:45, David Waite <david@alkaline-solutions.com> wrote:
>
> 
>
>> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com> wrote:
>>
>>> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
>>>
>>> I can always grab the cookie jar off the user browser if I have that
>>> level of access.
>>
>> USB access is not privileged, but that’s beside the point.
>
>>
>> Put another way, the phishing-resistance of WebAuthn only really makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec that encourages the use of OAuth auth flows outside of such sandboxed environments, as this one potentially does, is going to make defending against phishing harder.
>
> The client is not an identified/authenticated component in the architecture, so there is a user trust required in using a client - that the client actually is an agent acting in the user’s interest rather than acting maliciously.
>
> Platforms have the ability to provide specific API for these interactions to become a trustworthy client, and to block privileged access (including access to speak directly to hardware) behind audited entitlements to prevent from installed software acting as a malicious client.

Right, this is what I mean by sandboxed.

>
> Note that some platforms also provide entitlements and heuristics for password manager access - however, as a knowledge-based system the platform cannot really prevent malicious applications from still attempting to manipulate their way to credential phishing.
>
>>
>> (I’d also question why first-party apps need a standardised API for this anyway: they can do whatever they like using proprietary APIs already).
>
> I would struggle to come up with standards-track RFCs which would not be able to instead be accomplished with proprietary APIs. The editors and working groups found value in peer review and in interoperability.

Standards are for promoting interoperability, not for getting free peer review of private APIs.

>
> I have seen the pitfalls of a proprietary approach to this and would say peer review is important. My primary concern is whether we can have a clients that authenticate against multiple implementing ASes based solely on this work. Profiling authentication methods like passkey-based authentication would go a long way toward alleviating that concern.
>
> -DW

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org