Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps
David Waite <david@alkaline-solutions.com> Wed, 08 May 2019 20:55 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2CC1200F8 for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 13:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.436
X-Spam-Level: *
X-Spam-Status: No, score=1.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DkiYLIucWaSc for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 13:55:50 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id E6E0B1200EC for <oauth@ietf.org>; Wed, 8 May 2019 13:55:49 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:68de:4106:d669:7824] (unknown [IPv6:2601:282:202:b210:68de:4106:d669:7824]) by alkaline-solutions.com (Postfix) with ESMTPSA id 1F02531764; Wed, 8 May 2019 20:55:48 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <28AF8EF5-9CCF-44EB-B028-1FCFA892ECEB@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_196CF112-771E-4FE3-8398-7674474B01A1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 08 May 2019 14:55:47 -0600
In-Reply-To: <2125064.3GpWMRz4CO@papegaaij>
Cc: oauth@ietf.org
To: Emond Papegaaij <emond.papegaaij@gmail.com>
References: <11125817.AKI43N3Yza@papegaaij> <C0E40840-26FE-4BC9-8D13-B06D399E4A52@alkaline-solutions.com> <2125064.3GpWMRz4CO@papegaaij>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eS--_rE9-lnEjsXa0DV7gZVDDcM>
Subject: Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 20:55:52 -0000
> On May 8, 2019, at 1:37 AM, Emond Papegaaij <emond.papegaaij@gmail.com> wrote: > > On maandag 6 mei 2019 22:42:09 CEST David Waite wrote: >> On May 6, 2019, at 1:42 PM, Emond Papegaaij <emond.papegaaij@gmail.com> > >> You could also trigger re-authorization with a user click, thus allowing >> opening the AS in a new window or tab. Once back on the site via callback, >> the temporary/pop-up window can do things like exchange the code for an >> access token, persist it, postMessage the original window, do window.close, >> etc. > > This would work, but would really be a nuisance to the user. Especially with a > token timeout of just one hour. Also, most of the times there would be no > interaction, the user would just have to click a button. As a user I wouldn't > understand why I have to do that all the time. You do have this for native apps as well, however: app-auth-sso-ios-11-blog.png <https://www.pingidentity.com/content/dam/pic/images/managed/app-auth-sso-ios-11-blog.png> > >> On the other hand, refresh tokens IMHO are given quite a bit more fear in >> browser apps than warranted. It really depends on the AS - whether it can >> tie refresh tokens to the user’s authentication, or if they are tied to a >> long-term / persisted / "offline” authorization independent of an active >> user authentication. Currently, the latter is more common in >> implementations, and doesn’t make sense for browser applications. This >> doesn’t mean refresh tokens are automatically discounted for all >> environments. > > How would you tie a refresh token to a user session on the AS? This would > depend on the user visiting the AS on a regular basis and using a logout > button when done. Most people simply close their browser when they're done, > leaving the session open. Also, when making a call to the token endpoint to > refresh the access token, there is no way of knowing that this call is > actually initiated by the user, because it's done on a back channel. Perhaps > this can be solved with DPOP with a keypair per browser, but this would really > complicate the whole solution. Yes, there are still no standard solutions for session keep-alive. There’s also not AFAIK a clear solution by the browsers on how to do an implicit logout on browser closed, now that browsers may persist sessions cookies. I did pitch something about session keep-alive two years ago around this as part of DTVA (see https://bitbucket.org/openid/connect/src/f76ffe99c47d4698bc2995c32dc7a402dd6e8c47/distributed-token-validity-api.txt <https://bitbucket.org/openid/connect/src/f76ffe99c47d4698bc2995c32dc7a402dd6e8c47/distributed-token-validity-api.txt> ), which unfortunately didn’t go anyplace. For pure API apps participating in a session keep-alive system, a separate “user activity present” API to periodically poke is probably the best way to go. For managed devices running enterprise applications, you can just have a screen lock rather than tracking session activity at all. For handling browsers in shared user environments which lack non-persistent cookies, you typically have to rely on session keep-alive/inactivity timeout and logout (which in OAuth would map to a token revocation) >> Given the choice between an 8 hour access token, or a 10 minute access token >> and a refresh token that will expire at a maximum of 8 hours, the second >> provides quite a few more options to be more secure. (eg. checking backing >> user session and revocation, checking for updates to client blacklist, the >> rotation of the access token, rotating refresh tokens to prevent use by >> more than one client, expiring access on inactivity based on lag in >> refreshing, and so on). > > I agree with you on this, but the spec currently states clearly that the AS > should not issue refresh tokens to an SPA. Do you think this should be changed > to something like: Authorization servers SHOULD NOT issue *offline* refresh > tokens to browser-based applications. A refresh token should be tied to a user > session on the AS. I would like this language changed as well. It is complex due to so little existing token lifetime/policy guidance to reference. Previous conversations went a bit circular IMHO because of a lack of ground rules. -DW
- [OAUTH-WG] Recommendations for OAuth 2.0 with Bro… Emond Papegaaij
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… David Waite
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Emond Papegaaij
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Thomas Broyer
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… David Waite
- Re: [OAUTH-WG] Recommendations for OAuth 2.0 with… Emond Papegaaij