[OAUTH-WG] Additional WGLC review of OAuth 2.0 Security Best Current Practice by an AAD developer
Mike Jones <Michael.Jones@microsoft.com> Thu, 28 November 2019 00:13 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2877120BD9 for <oauth@ietfa.amsl.com>; Wed, 27 Nov 2019 16:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wui6Zq8fOQ8w for <oauth@ietfa.amsl.com>; Wed, 27 Nov 2019 16:13:00 -0800 (PST)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640115.outbound.protection.outlook.com [40.107.64.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57FC2120B8F for <oauth@ietf.org>; Wed, 27 Nov 2019 16:13:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dKJuk4XQeCxsV3lk1THoe9WUyfDdqnmijfZPDgaSwjQIxtNkbGt6gI0VdRu2RxRC3hHToDUv8xjV6TIn06fVOY3weP0NnJCSpGd/+38lzDQCUfnUhu5tJYfy1eUpSvO4srt3Pk7CFQBISjg83OtmYplV1UWooVjwdyySmjDWxppmulqPiNzlnGbsH70NQDjGdbXQ98tAY+j9FFIagfq4glyCpIhKmVcuMNTzjyz4Gu0SnO9BYj8rqIZuPCBo5LaFRnO+uSW60PvT5gw8xFhxmDuZsdUl+QkqwWyFr5y7DH2LCD/8psvUflJzymMzTBEWYNMLA2hu2o57KfoihoMIfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BP0Upl353FQ3pm7hjyY09yOcLzQrk9ETLySq8FQt0/4=; b=TzjMzHFXPKtNxvqjmJDdgj36rsKq2OhfoOmQSu97f3NRLJVxs/JmL+tosJQrnPODR5HhTay/c48sUwT6Z5/UoqRs6AP+ZahQYZse99jQ1qIG8Ysd4VrIuEKxeLisPWZPfWDoGnN91OiJDflJfwg+6waFMIhfqFB/XSWnhc2WV7pVljn5GdIHcorp7jX4+xT5Qtg4D8sYTcjPxbKvlwvVK0/dZPp2hpe3DIwINGaM510qaYV/fKh2McNa263xKqRH2Za5CVeRU8AApSXFV3w/owGy+3Un3PhzEyGdSI9vuF9NNj1mriibriDvz7cVgUxTHnC93/gXwma0pAB5BQ/trA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BP0Upl353FQ3pm7hjyY09yOcLzQrk9ETLySq8FQt0/4=; b=dBFznUCb5YuKHy7T2oh2+oowJitPFAUJRiHI1grW4qiw7XmQdUioSpnzisIsMdZQPk+FnAtwBTSilctS0ZlFVn08z5uNldQOUwKyGi8HWUm7wL0NPuqGWT8mNhSrFra+JRSVIqaU8prZ/0uDXKL6zjxDU2P1dPFMA1XrkSnPLSM=
Received: from DM6PR00MB0572.namprd00.prod.outlook.com (20.179.51.15) by DM6PR00MB0749.namprd00.prod.outlook.com (20.179.166.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2535.0; Thu, 28 Nov 2019 00:12:54 +0000
Received: from DM6PR00MB0572.namprd00.prod.outlook.com ([fe80::41c8:1ecf:fa37:fe35]) by DM6PR00MB0572.namprd00.prod.outlook.com ([fe80::41c8:1ecf:fa37:fe35%7]) with mapi id 15.20.2536.000; Thu, 28 Nov 2019 00:12:54 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
CC: "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "ve7jtb@gmail.com" <ve7jtb@gmail.com>, Daniel Fett <fett@danielfett.de>, "isciurus@fb.com" <isciurus@fb.com>
Thread-Topic: Additional WGLC review of OAuth 2.0 Security Best Current Practice by an AAD developer
Thread-Index: AdWlgBjdExGYkpgnSi2uSxDOxh5hfg==
Date: Thu, 28 Nov 2019 00:12:54 +0000
Message-ID: <DM6PR00MB0572EE0273CC912EC73BEA05F5470@DM6PR00MB0572.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=e122abea-70aa-45d8-83f4-00009a28abf0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-28T00:07:36Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.84.162]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: f5a21a04-1adf-4ee5-d463-08d77397b74f
x-ms-traffictypediagnostic: DM6PR00MB0749:
x-microsoft-antispam-prvs: <DM6PR00MB074978ED0FDF61D0480E9278F5470@DM6PR00MB0749.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0235CBE7D0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(136003)(346002)(376002)(396003)(366004)(199004)(189003)(15650500001)(76116006)(2420400007)(2906002)(52536014)(5640700003)(7736002)(790700001)(6116002)(3846002)(66446008)(256004)(14444005)(66476007)(25786009)(64756008)(66556008)(66946007)(86362001)(6306002)(9686003)(71200400001)(71190400001)(8990500004)(55016002)(14454004)(4326008)(7110500001)(54896002)(7696005)(74316002)(316002)(22452003)(54906003)(8936002)(81166006)(81156014)(1730700003)(8676002)(26005)(99286004)(6506007)(6916009)(2351001)(186003)(102836004)(10090500001)(66066001)(66574012)(6436002)(10290500003)(2501003)(478600001)(5660300002)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR00MB0749; H:DM6PR00MB0572.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2Demrb181nXlrj4p25RLg815AdN43PTeScCaVE0JpomFYRPiB7cX36D9UTYl9/MIEbmjuxOSuq82tfvaiFTOFO4Fv8mMaECh0BNttb+YeZlx4oJSrVkys0GrRHWHkPOVktDqdOJNymHas2X9EkUcv0A+rjlaW+ytpQPGm0WQw9t4KlDaysexYebH0yAL0NKaeBpbMlce7px5uX98GYkgw0iJUj1NWm4UgKrCwYmc6f22Q3k2vXRudJHVH50ODSHVhDZRHqH9dopsOyPNGHXRToniImacGtnHCWfJLkda5uL6m2BGBKpE/5XGyET6iT3DQjr/nyq7CGE6BQCFkJygPJorNZFjVvyJv0RqoB42XEjnJya9FaaStgKgCOXHpdAtZFL90mjg86mRXXDJZAOWzGatvLZlXorrq1YLw4F2eS3t/HuqZKyhyIp76tpbkQ1K
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB0572EE0273CC912EC73BEA05F5470DM6PR00MB0572namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5a21a04-1adf-4ee5-d463-08d77397b74f
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Nov 2019 00:12:54.7093 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: h7VTJHp2rnT17/M2x0Wtd8gHlxg5pWg8LvPeNGkpS4pbpnNMpwXLT/xcH3grRrcKUdra8DJkGuZqy3mvYoYMSg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0749
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Yzw0Mk4Ke3yyCH0Oo7MmatXA_tg>
Subject: [OAUTH-WG] Additional WGLC review of OAuth 2.0 Security Best Current Practice by an AAD developer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 00:13:03 -0000
Please also add these WGLC comments that a Microsoft Azure Active Directory (AAD) developer asked me to convey:
1. In 4.12, "Authorization servers MUST determine based on their risk assessment whether to issue refresh tokens to a certain client [...]" I'm not sure what this requirement requires in practice. AAD issues refresh_tokens to all clients upon request and user consent and applies different lifetime policies to different clients. We also routinely make risk assessments about all manner of things. Does AAD thereby comply with this guideline? Reading the whole paragraph, I think the paragraph is trying to encourage OAuth clients which use a RT when the RT is returned but use auth codes when the RT is not returned. That's fine, but the current text comes off as imposing a vague requirement on authorization servers. Edits inline - "Authorization servers MUST MAY dynamically determine based on their risk assessment whether to issue refresh tokens to a certain client. If the authorization server decides not to issue refresh tokens, the client may SHOULD refresh access tokens by utilizing other grant types, such as the authorization code grant type. In such a case, the authorization server may utilize cookies and persistent grants to optimize the user experience."
1. In 4.12, the heading says "Authorization server MUST utilize one of these methods to detect refresh token replay for public clients" - however, it doesn't quite specify why refresh token replay is bad. The second paragraph described the goal more precisely ("If an attacker is able to exfiltrate and successfully replay [RTs]") - it's refresh token exfiltration that we MUST mitigate, not refresh token replay. Browser based apps that desire multiple access token should be able to use sender-constrained refresh tokens on multiple simultaneous HTTP requests - and some AAD apps do exactly this today. In practice, it's also difficult and undesirable to lock access to MSAL's RT cache - individual reads and writes are serialized, but { read, http request, write } events are not serialized. Here, just replace "to detect refresh token replay" with "to mitigate refresh token exfiltration" and then under "refresh token rotation," explain that such ASes using RT rotation to mitigate refresh token exfiltration MUST also forbid / prevent RT replay.
1. In 4.12, *Sender-constrained refresh tokens:* - sender-constrained tokens are absolutely valuable from a security perspective. However, without authenticating the sender, it's not necessarily an adequate protection for XSS. Some sender-constrained implementations (such as AAD's WIP spec for RTs) use un-attested keys and permit silent rebinding. Indeed, I think this will be common in browser based apps - attested keys have privacy implications leading to undesirable UX and rebinding prompts also lead to undesirable UX. An XSS attacker in those scenarios could likely silently rebind to an attacker-controlled key. It'd be good for the spec to acknowledge these aspects of sender-constrained tokens and make recommendations.
* It's these things that make us wary of moving from the implicit flow to RTs. The damage from exfiltrated RTs is much more severe, but the mitigations are less-specified by the BCPs, and thus seem less well-understood. Frankly, I think each method of mitigation is worth of its own subsection with more discussion - 4.12.1, 4.12.2, etc.
1. In 4.12, *Refresh token rotation:* - in addition to Mike Jones' review comment. "The authorization server cannot determine which party submitted the invalid refresh token, but it can revoke the active refresh token" is the guidance given around revoking stolen RTs. I think this guidance should use an RFC2119 word in place of "can" - and that the guidance should be stronger, e.g. "SHOULD" or "MUST", w.r.t revoking the active refresh token. Rotating RTs doesn't do much any good as mitigation if the stolen RT remains valid.
1. In 4.12, we'd like to see fixed-expiry RTs of ~1 day added as "one of the methods to mitigate RT exfiltration for public clients" that ASes MUST utilize one of. This is what we're implementing; we think it's sound; and we'd like to see the draft say so, to remove all doubt.
-- Mike
- [OAUTH-WG] Additional WGLC review of OAuth 2.0 Se… Mike Jones
- Re: [OAUTH-WG] Additional WGLC review of OAuth 2.… Benjamin Kaduk