Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

It's not a different threat profile. This is the same assumption people made when introducing HttpOnly cookies, which just led to attackers switching to proxy everything through the browser as per things like https://beefproject.com <https://beefproject.com/> . (This is actually nicer for the attacker as their requests then appear to come from the legitimate user, masking their true origin and allowing them to carry out attacks bypassing the corporate firewall). DPoP is not a protection against XSS and shouldn't be sold as such.

-- Neil

> On 22 Nov 2019, at 10:19, Aaron Parecki <aaron@parecki.com> wrote:
> 
> The main concern about token replay in a SPA is that the access token may be extracted from the app, such as via XSS. Using the Web Crypto API has the advantage of being able to generate a public private key pair where the JS code can't access the private key at all, it can only be used to sign things, making it impossible for an attacker to extract an access token and use it for anything. You might then say that if a JS app is vulnerable to XSS then the attacker could just call the signing API anyway, which is a concern, but that's a different threat profile. 
> 
> Aaron
> 
> 
> 
> 
> On Fri, Nov 22, 2019 at 6:08 PM Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> On 22 Nov 2019, at 07:53, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
> > 
> > 
> > 
> >> On 22. Nov 2019, at 15:24, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> >> 
> >> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
> >> 
> >> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 
> > 
> > as a co-author of the DPoP draft I state again what I said yesterday: DPoP is a mechanism for sender-constraining access tokens sent from SPAs only. The threat to be prevented is token replay.
> 
> I think the phrase "token replay" is ambiguous. Traditionally it refers to an attacker being able to capture a token (or whole requests) in use and then replay it against the same RS. This is already protected against by the use of normal TLS on the connection between the client and the RS. I think instead you are referring to a malicious/compromised RS replaying the token to a different RS - which has more of the flavour of a man in the middle attack (of the phishing kind).
> 
> But if that's the case then there are much simpler defences than those proposed in the current draft:
> 
> 1. Get separate access tokens for each RS with correct audience and scopes. The consensus appears to be that this is hard to do in some cases, hence the draft.
> 2. Make the DPoP token be a simple JWT with an "iat" and the origin of the RS. This stops the token being reused elsewhere but the client can reuse it (replay it) for many requests.
> 3. Issue a macaroon-based access token and the client can add a correct audience and scope restrictions at the point of use.
> 
> Protecting against the first kind of replay attacks only becomes an issue if we assume the protections in TLS have failed. But if DPoP is only intended for cases where mTLS can't be used, it shouldn't have to protect against a stronger threat model in which we assume that TLS security has been lost.
> 
> -- Neil
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> -- 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com/>
> @aaronpk <http://twitter.com/aaronpk>
> 