IETF Logo Mail Archive

Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security Topics -- Recommend authorization code instead of implicit

John Bradley <ve7jtb@ve7jtb.com> Tue, 27 November 2018 19:54 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75D73124408 for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 11:54:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhLxROAXEEcr for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 11:54:30 -0800 (PST)
Received: from mail-wm1-x344.google.com (mail-wm1-x344.google.com [IPv6:2a00:1450:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF1451241F6 for <oauth@ietf.org>; Tue, 27 Nov 2018 11:54:29 -0800 (PST)
Received: by mail-wm1-x344.google.com with SMTP id s11so261047wmh.1 for <oauth@ietf.org>; Tue, 27 Nov 2018 11:54:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xDahITsc/6i0pzwJqXyu+++Esc+hxQkM8M+wetJmIt0=; b=iWKWlTumpNGcTes6rukRAFaAAnO0XNSPsQhzGl6laAg9+hFLIfF4WDL15bTSMr5HkA GM+cSblVab+m6fKfqeteq5Cu6fR01fhk1Tl0VA1947F++IuvtRALnpEtCr56TVvkA1n1 ipNM0EWvPq1kPe687eFrVAwdCxOGZ+SJ1/cvEbsObco3E3Slkrnmx1K0hmS6App6Sj7H KhPJhH6fwSAkGQ3lXFItDzauQmmi7hNuZrpWNg0GVsBjyjsN1oT7XFWCJJcexmDcyD54 z/s6fwzHZdYPzAxrAXaH1WBsE1Crtzem8OXxWedOr20qJ3odmC9Vyac2PJWftUld7ds2 DsHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xDahITsc/6i0pzwJqXyu+++Esc+hxQkM8M+wetJmIt0=; b=AzyHlozCotc/1JgztA7p0mLQqj0wxBCrSne8AavkCa+u3BqoQN+8SmICofMvSg7/t6 3N49DkeDBCBnpYl+iyyTI8D1FdIUmXqwl491CVHnEa9okuMHS7eU1q0L9rQ1W0DAXG1W vBS253z7pCYenhiWFFnky6ZQDHcrUMf22FyKT4u64NDXKjJK9Lws2GQyTb+X/XHzzgVl NNMqX5wdGuuZZp6fT4Hq8aDSnxHo6gqhrCpS/XKdBwSGs8K5ex3l6yhFrC4KF0yWH+th N+X/7WLJNcLotfKpBdlpNtkIleSTghCuK1yDdDN94ZLnfkUTbZtGyONBklknQBbs0hez 3WSA==
X-Gm-Message-State: AA+aEWaOGdt5GAzqaQHhBR51tMGWlM7FMYi/eSHBJLGocKZBFvD/4BdQ 1ul3bkC6gWAiHcofwI5NKTeGEGJpZvxg4YJf50InVA==
X-Google-Smtp-Source: AFSGD/XGHgKsFT0pbkcdlehPwme0Ubxe6fuSYm90BlGNf/GXzik53aLFhs1x/hvurRSuUMGXNxbyVVd9MqeoEA65KVA=
X-Received: by 2002:a7b:c1d6:: with SMTP id a22mr239237wmj.48.1543348467472; Tue, 27 Nov 2018 11:54:27 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com> <8935ff0f-aeab-c773-5e2d-6fedcc29119d@connect2id.com> <CABzCy2D0JAr-C1-jTcodpBdoUNx1We3JDg-PMcsOBL1Ga_m-Hw@mail.gmail.com> <2297d085-28f2-15dd-6dba-937dce9f2122@manicode.com> <CABzCy2AW0dvmEqfHgd=-ULdYSxnUXwrz6jiCBpKw7MQSu-YFbA@mail.gmail.com> <327B68FD-9449-4809-A3B8-BC79C5B1D42C@lodderstedt.net>
In-Reply-To: <327B68FD-9449-4809-A3B8-BC79C5B1D42C@lodderstedt.net>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Tue, 27 Nov 2018 16:54:15 -0300
Message-ID: <CAANoGhK9cYS8NFrpwczVsifz7pdraqOZpBoDHFZkg_qKdj4Vqg@mail.gmail.com>
To: "openid-specs-ab@lists.openid.net Ab" <openid-specs-ab@lists.openid.net>
Cc: Nat Sakimura <sakimura@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, oauth@ietf.org, Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary="0000000000002b37f9057baad17f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/duiC38RD7cxNyqpfab9ZqDIK-4w>
Subject: Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 19:54:33 -0000

I talked to Nat about this a bit today.

The thing he is concerned about is mostly around the self issued IDP that
doesn't have a token endpoint(atleast not easaly).

The main use case for that is the id_token response type where claims are
retuned in the id_token.

Because it is fragment encoded some people call that implicit.   That is
not what we are trying to stop.

In some cases in that flow there may be distributed claims returned with
access Token inside the id_token.    I think most people would agree that
those should be pop or sender constrained tokens.

In the case of self issued the RP would be a server and could do sender
constrained via some mechinisim that is yet to be defined.

So if someone wanted to return a access token in a id_token to do
distributed claims I don't think we have a problem with that as long as the
token is protected by being sender constrained in some reasonable way.

This is a touch hypothetical from the basic OAuth perspective, so I don't
know how deep we want to go into it.

I think the point is not to accidently prohibit something that could be
done in future.

I also think we should not conflate confidential clients that can
authenticate to the token endpoint with sender constrained/PoP clients that
can deal with bound tokens.   Yes both have keys but it is better to
describe them separately.

John B.

On Tue, Nov 27, 2018, 4:30 PM Torsten Lodderstedt via Openid-specs-ab <
openid-specs-ab@lists.openid.net wrote:

> Hi Nat,
>
> I understand you are saying your draft could provide clients with an
> application level mechanism to sender constrain access tokens. That’s
> great!
>
> But I don’t see a binding to response type „token id_token“. Why do you
> want to expose the tokens via the URL to attackers?
>
> You could easily use your mechanism with code. That would also give you
> the chance to really authenticate the confidential client before you issue
> the token.
>
> kind regards,
> Torsten.
>
> > Am 27.11.2018 um 16:57 schrieb Nat Sakimura <sakimura@gmail.com>:
> >
> > I am not talking about SPA.
> > The client is a regular confidential client that is running on a server.
> >
> > Best,
> >
> > Nat Sakimura
> >
> >
> > 2018年11月27日(火) 16:55 Jim Manico <jim@manicode.com>:
> > Nat,
> >
> > How is proof of possession established in a modern web browser in the
> implicit flow?
> >
> > My understanding is that token binding was removed from Chrome recently
> effectively killing browser-based PoP tokens.
> >
> > https://identiverse.com/2018/10/31/chrome-puts-token-binding-in-a-bind/
> >
> > Am I missing something?
> >
> > Aloha, Jim
> >
> >
> >
> > On 11/27/18 9:00 PM, Nat Sakimura wrote:
> >> I am actually -1.
> >>
> >> +1 for public client and the tokens that are not sender/key
> constrained.
> >>
> >> Just not being used right now does not mean that it is not useful.. In
> fact, I see it coming.
> >> Implicit (well, Hybrid “token id_token” really) is very useful in
> certain cases.
> >> Specifically, when the client is confidential (based on public key
> pair), and uses sender constrained (key-constrained) token such as the one
> explained in
> https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04#section-5, it is
> very useful.
> >> (Key-constrained token is the remaining portion of this draft that did
> not get incorporated in the MTLS draft. )
> >> In fact it is the only viable method for Self-Issued OpenID Provider.
> >>
> >> So, the text is generally good but it needs to be constrained like
> “Unless the client is confidential and the access token issued is key
> constrained, ... “
> >>
> >> Best,
> >>
> >> Nat Sakimura
> >>
> >>
> >> 2018年11月27日(火) 16:01 Vladimir Dzhuvinov <vladimir@connect2id.com>:
> >> +1 to recommend the deprecation of implicit.
> >>
> >> I don't see a compelling reason to keep implicit when there is an
> >> established alternative that is more secure.
> >>
> >> Our duty as WG is to give developers the best and most sensible
> practice.
> >>
> >> CORS adoption is currently at 94% according to
> >> https://caniuse.com/#feat=cors
> >>
> >> Vladimir
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >> --
> >> Nat Sakimura (=nat)
> >> Chairman, OpenID Foundation
> >> http://nat..sakimura.org/
> >> @_nat_en
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >>
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> > --
> > Jim Manico
> > Manicode Security
> >
> > https://www.manicode.com
> > --
> > Nat Sakimura (=nat)
> > Chairman, OpenID Foundation
> > http://nat.sakimura.org/
> > @_nat_en
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab@lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>

v2.23.0 | Report a Bug | By Email