Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

David Waite <> Fri, 18 May 2018 17:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D61F712DA25 for <>; Fri, 18 May 2018 10:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uKR_IU8oToiL for <>; Fri, 18 May 2018 10:42:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A78E512DA06 for <>; Fri, 18 May 2018 10:42:38 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:b1c1:9dc5:ed80:9403] (unknown [IPv6:2601:282:202:b210:b1c1:9dc5:ed80:9403]) by (Postfix) with ESMTPSA id C1F2131544; Fri, 18 May 2018 17:42:37 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail=_DBDAF004-E118-4D0F-B1AF-17EF94248013"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: David Waite <>
X-Priority: 3
In-Reply-To: <>
Date: Fri, 18 May 2018 11:42:36 -0600
Cc: Brock Allen <>, Hannes Tschofenig <>, "" <>
Message-Id: <>
References: <> <> <> <,> <> <> <>
To: John Bradley <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 May 2018 17:42:42 -0000

I don’t believe code flow today with an equivalent token policy as you have with implicit causes any new security issues, and it does correct _some_ problems. The problem is that you immediately want to change token policy to get around hidden iframes and special parameters.

Once you start trying to alter token policy (such as adding refresh tokens), you start to have new security considerations because of the execution environment of javascript in the browser. Specifically token exfiltration from the browser origin, which can be mitigated via token binding or service workers.

You don’t need to exfiltrate a token for a third party to use a the associated access; they can inject behavior onto the page via XSS or a browser extension. This is not related to token lifetime policy, or the use of implicit vs code. This is the more immediate area where I see guidance being important - especially considering that token exfiltration becomes closer to a theoretical attack if the behavior of my app is controlled.


On May 18, 2018, at 10:47 AM, John Bradley <> wrote:
> There are lots of issues with the current implicit flow around fragment encoding as well.
> However moving the token used for refresh from being a HTTP only cookie to a refresh token available in the DOM makes me uncomfortable without having sufficient mitigations against XSS.
> The current flow is vulnerable to  XSS for the AT, however if that is short lived it restricts the damage.
> The better solution is token binding the AT and perhaps a RT. 
> We need to start talking about it.  There are issues around potentially using service workers etc as well.
> So we should start but I am not sure of what the correct answer is yet.
> John B.
> Sent from Mail <> for Windows 10
> From: Brock Allen <>
> Sent: Friday, May 18, 2018 6:36 PM
> To: John Bradley <>; David Waite <>; Hannes Tschofenig <>
> Cc: <>
> Subject: Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?
> It sounds to me as if you're hesitant to recommend code flow (at least for now) then for browser-based JS apps.
> -Brock