IETF Logo Mail Archive

Re: [OAUTH-WG] Google's use of Implicit Grant Flow

Jim Manico <jim@manicode.com> Fri, 17 February 2017 18:07 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43D11129B19 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.101
X-Spam-Level:
X-Spam-Status: No, score=0.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1kUymyHPR5rH for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:07:36 -0800 (PST)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53DED129631 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:07:36 -0800 (PST)
Received: by mail-pg0-x234.google.com with SMTP id v184so17339121pgv.3 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:07:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=ZWOSfqL0UZzPGiXO8Bvc56M8UFuTCvQ/WSaXvA+wASw=; b=Ba6LbOGy7ok6pxmPBsScxByod+I2F+EZRevFPfJJmvmUTLdXTaZ8YIlTHCp1+xcMcn 4dH0UXG+JplGgJJm/N2yGU12a4fXFvdzgUXz42YdbYd1MoBuSe73zdtAu5ONjtvrlAh8 Z2UhtdLgJE7DtrJIyAueYrHsJ+2wh4SS21suJiZghi/oRHQS0p2O3Ly7KXI2cu6pDUGt HUpYxNccqqqCQYCxyegxVQnGrGsWhDGdzmHu2jJM7Hhz4PMK70KDy6/4FPSAvRd5i1KE 0YpKCTEfY6iscuZkTOYsyL1mP1YmM0z/REf76JD1pj8Jw4NvPhJaXE6Ox1qNJ1XjYcwF vFwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=ZWOSfqL0UZzPGiXO8Bvc56M8UFuTCvQ/WSaXvA+wASw=; b=C9GjJt7WF4He7SHM2GVoyTJ+yVhNubRbL2Tio92g71eGCEgH/3xBID3FB1CGNCKpYm IofJQUnr8X1fP/VRxEAqOf8jfq2afsJPOJ1ebYMntDQxHdoH7ASgoP5UjbD1rOV3HjJy uel9caEzxXsRTlJrkeMWKdWyQpV8ayqJ4RMEduKCHP+aq0JTJOqzAQTWSF48HVaf7IdB nvoWV6myeT1k5jWEfQ72EWh6xSqMKGFQWsConnCZ59oZd/122z8CJTKl57MORM/kjdnk /DOgnEg8lm4I0CNp/8ZD/vh725T1d0RfbktTKv58c7ozhh8M4sV7gxXqvVuZxYEXe0IB bKWQ==
X-Gm-Message-State: AMke39kamKL75vZkJwjKPUzCEJl7PJICWytPshH7xBTXn1euDl4fb9rvK8Az5GiaYZUwfUYv
X-Received: by 10.84.232.134 with SMTP id i6mr13005035plk.101.1487354855800; Fri, 17 Feb 2017 10:07:35 -0800 (PST)
Received: from heembo.local ([2605:e000:112b:c167:3519:b801:95b1:4955]) by smtp.googlemail.com with ESMTPSA id s3sm20996547pgn.55.2017.02.17.10.07.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 10:07:35 -0800 (PST)
To: Aaron Parecki <aaron@parecki.com>, Dominick Baier <dbaier@leastprivilege.com>
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com> <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com> <9f795a60-5345-61b6-356a-cc871164ba8d@manicode.com> <CAOahYUyR3pG_Ae7OH-XVevh-STSz5Z_7EvBv+NQ58Lw5cOLvEg@mail.gmail.com> <CAO7Ng+uDJ8CoxMN3XsgFCMpwvsN+_yBZ3GkDBquH6wcmtPs5Gw@mail.gmail.com> <CAGBSGjrfehZdAzWdEVLzBr+kMv83ZtCZzGD+BEZuHPnLrt2UGQ@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <94d7c3a8-af15-a454-4c05-341bbe92cd3d@manicode.com>
Date: Fri, 17 Feb 2017 08:07:33 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CAGBSGjrfehZdAzWdEVLzBr+kMv83ZtCZzGD+BEZuHPnLrt2UGQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D799B2DA72C85A021072A02B"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bu6W5iplMw5V7ZAQ8Cq6wK7v6lI>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 18:07:38 -0000

+1 I'm with you Aaron. I am not as well versed as other members of this
standard body in OAuth but I would be happy to help build this document
if folks with more experience would help.

- Jim


On 2/17/17 8:05 AM, Aaron Parecki wrote:
> Can you describe the aspects that make a JS client library "solid"?
> This is what I think would be useful to see written up in a document
> like the Native Apps one.
>
> It's interesting to me that so many of you have independently opted to
> use the auth code flow for Javascript apps. I think that's a sign that
> it's a better recommendation than the implicit flow for JS apps.
>
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com>
> @aaronpk <http://twitter.com/aaronpk>
>
>
> On Fri, Feb 17, 2017 at 10:02 AM, Dominick Baier
> <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>> wrote:
>
>     Given a solid client library for JS, I think implicit flow is OK
>     to use. 
>
>     But I agree that there are many “home grown” implementation out
>     there that are not secure - and the necessary JS code to write a
>     good client is not necessarily the “pit of success”.
>
>     You should give this lib a go (it’s also a certified RP):
>
>     https://github.com/IdentityModel/oidc-client-js
>     <https://github.com/IdentityModel/oidc-client-js>
>
>     Many people argue that handling the protocol and crypto pieces in
>     JS is problematic (and I agree if no proper lib is used for that)
>     - but at then end of the day the access token will end up in the
>     browser - and a sloppy developer (e.g. not using CSP) will always
>     write bad code that might lead to leaking a token.
>
>     -------
>     Dominick Baier
>
>     On 17 February 2017 at 18:43:25, Adam Lewis
>     (adam.lewis@motorolasolutions.com
>     <mailto:adam.lewis@motorolasolutions.com>) wrote:
>
>>     +1000
>>
>>     We are currently going through internal turmoil over the usage of
>>     implicit grant for ua-based apps.  The webapp case is well
>>     understood and the WG has work in progress to define best
>>     practices for native apps.  Having one for ua-based apps would be
>>     HUGELY beneficial
>>
>>
>>
>>     On Fri, Feb 17, 2017 at 11:40 AM, Jim Manico <jim@manicode.com
>>     <mailto:jim@manicode.com>> wrote:
>>
>>         Thank you to those answering my question on implicit for JS
>>         clients.
>>
>>         The responses so far seem to represent what the security
>>         world is saying  about the implicit grant - keep away from it
>>         other than for a few OIDC use cases.
>>
>>         Does anyone think it would be valuable to author a brief RFC
>>         to give clear OAuth 2 recommendations for JavaScript client
>>         developers?
>>
>>         I mean - the OAuth 2 body of work just needs a few more
>>         RFC's, right? :)
>>
>>         Aloha, Jim
>>
>>
>>
>>         On 2/17/17 6:03 AM, Sebastian.Ebling@telekom.de
>>         <mailto:Sebastian.Ebling@telekom.de> wrote:
>>>
>>>         Same for Deutsche Telekom. Our javascript clients also use
>>>         code flow with CORS processing and of course redirect_uri
>>>         validation.
>>>
>>>          
>>>
>>>         Best regards
>>>
>>>          
>>>
>>>         Sebastian
>>>
>>>          
>>>
>>>         *Von:* OAuth [mailto:oauth-bounces@ietf.org] *Im Auftrag
>>>         von* Bill Burke
>>>         *Gesendet:* Freitag, 17. Februar 2017 00:14
>>>         *An:* oauth@ietf.org <mailto:oauth@ietf.org>
>>>         *Betreff:* Re: [OAUTH-WG] Google's use of Implicit Grant Flow
>>>
>>>          
>>>
>>>         For our IDP [1], our javascript library uses the auth code
>>>         flow, but requires a public client, redirect_uri validation,
>>>         and also does CORS checks and processing.  We did not like
>>>         Implicit Flow because
>>>
>>>         1) access tokens would be in the browser history
>>>
>>>         2) short lived access tokens (seconds or minutes) would
>>>         require a browser redirect
>>>
>>>         I'd be really curious to hear other's thoughts though.
>>>
>>>         [1] http://keycloak.org
>>>         <https://urldefense.proofpoint.com/v2/url?u=http-3A__keycloak.org&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=YExyuyZO5YNpSvS3mEUG5pjKAjRXXVT8Xvk8hIb-Efw&e=>
>>>
>>>          
>>>
>>>          
>>>
>>>          
>>>
>>>         On 2/16/17 5:44 PM, Jim Manico wrote:
>>>
>>>             Hello Folks,
>>>
>>>             I noticed that Google supports the OAuth 2 Implicit flow
>>>             for third-party JavaScript applications.
>>>
>>>             https://developers.google.com/identity/protocols/OAuth2UserAgent
>>>             <https://urldefense.proofpoint.com/v2/url?u=https-3A__developers.google.com_identity_protocols_OAuth2UserAgent&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=_Mig-zmCt1y9dZpCece1dqby3VmcZVOu2JPcmAwzwKU&e=>
>>>
>>>             Isn't this generally discouraged from a security POV?
>>>             *Is there a better OAuth 2 flow for third party SPA
>>>             applications?*
>>>
>>>             Aloha,
>>>
>>>             -- 
>>>
>>>             Jim Manico
>>>
>>>             Manicode Security
>>>
>>>             https://www.manicode.com
>>>             <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=>
>>>
>>>
>>>
>>>
>>>             _______________________________________________
>>>
>>>             OAuth mailing list
>>>
>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>             <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=>
>>>
>>>          
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>         <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=>
>>         --  
>>         Jim Manico
>>         Manicode Security
>>         https://www.manicode.com
>>         <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=>
>>
>>         _______________________________________________ OAuth mailing
>>         list OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>         <https://www.ietf.org/mailman/listinfo/oauth> 
>>
>>     _______________________________________________ OAuth mailing
>>     list OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>     <https://www.ietf.org/mailman/listinfo/oauth> 
>     _______________________________________________ OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth> 
>
-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email