Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

[Aaron Parecki <aaron@parecki.com>]

The main concern about token replay in a SPA is that the access token may
be extracted from the app, such as via XSS. Using the Web Crypto API has
the advantage of being able to generate a public private key pair where the
JS code can't access the private key at all, it can only be used to sign
things, making it impossible for an attacker to extract an access token and
use it for anything. You might then say that if a JS app is vulnerable to
XSS then the attacker could just call the signing API anyway, which is a
concern, but that's a different threat profile.

Aaron




On Fri, Nov 22, 2019 at 6:08 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> On 22 Nov 2019, at 07:53, Torsten Lodderstedt <torsten=
> 40lodderstedt.net@dmarc.ietf.org> wrote:
> >
> >
> >
> >> On 22. Nov 2019, at 15:24, Justin Richer <jricher@mit.edu> wrote:
> >>
> >> I’m going to +1 Dick and Annabelle’s question about the scope here.
> That was the one major thing that struck me during the DPoP discussions in
> Singapore yesterday: we don’t seem to agree on what DPoP is for. Some
> (including the authors, it seems) see it as a quick point-solution to a
> specific use case. Others see it as a general PoP mechanism.
> >>
> >> If it’s the former, then it should be explicitly tied to one specific
> set of things. If it’s the latter, then it needs to be expanded.
> >
> > as a co-author of the DPoP draft I state again what I said yesterday:
> DPoP is a mechanism for sender-constraining access tokens sent from SPAs
> only. The threat to be prevented is token replay.
>
> I think the phrase "token replay" is ambiguous. Traditionally it refers to
> an attacker being able to capture a token (or whole requests) in use and
> then replay it against the same RS. This is already protected against by
> the use of normal TLS on the connection between the client and the RS. I
> think instead you are referring to a malicious/compromised RS replaying the
> token to a different RS - which has more of the flavour of a man in the
> middle attack (of the phishing kind).
>
> But if that's the case then there are much simpler defences than those
> proposed in the current draft:
>
> 1. Get separate access tokens for each RS with correct audience and
> scopes. The consensus appears to be that this is hard to do in some cases,
> hence the draft.
> 2. Make the DPoP token be a simple JWT with an "iat" and the origin of the
> RS. This stops the token being reused elsewhere but the client can reuse it
> (replay it) for many requests.
> 3. Issue a macaroon-based access token and the client can add a correct
> audience and scope restrictions at the point of use.
>
> Protecting against the first kind of replay attacks only becomes an issue
> if we assume the protections in TLS have failed. But if DPoP is only
> intended for cases where mTLS can't be used, it shouldn't have to protect
> against a stronger threat model in which we assume that TLS security has
> been lost.
>
> -- Neil
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>