Re: [OAUTH-WG] Google's use of Implicit Grant Flow
Jim Manico <jim@manicode.com> Fri, 17 February 2017 18:06 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3168E129B19 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yc36LFCGtaM9 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2017 10:06:23 -0800 (PST)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D342A129B17 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:06:23 -0800 (PST)
Received: by mail-pf0-x235.google.com with SMTP id 189so15145007pfu.3 for <oauth@ietf.org>; Fri, 17 Feb 2017 10:06:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=b1j+Ef3OSbdizmjMLFpX/bnvS4Z6RR8GFGSIaOzvxX4=; b=VLxr56brHezU5+VZE0FBVn4AlLLikp9QBJsWVg8MUX6nBd5BPsO7c67oEJ6yCCtCOg OODWMQ1FNMlYaoKF/oP1rMW9GniqRQxyQafmDaLHw3N228LkpQ7S3crh87lSxjHQxl6q 6Ri4IVQwRKHVmccnC4YyiPoi1YFMYGyDM8VdE8rnMSsr3fLyCu235088Db/zxdX4iCcy EkojAxKEgBl6AAHH1iYbesIxJykLadBOT5uGEc49yyLiq9bwgu4YNtjsmga6dYlV9drL MOWa1ATXq9qGkKzOXl+1rAP33Rodpm9M+VFfsKuM+LYqVElzNW6tGhVIKSps7rPBnQjg sRSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=b1j+Ef3OSbdizmjMLFpX/bnvS4Z6RR8GFGSIaOzvxX4=; b=n/3n4vMU4y7BopPvk06doEl/JChbU59S1h/YvaB5vpuM5KtabxcrV7MSYQmw+CxMn2 sdKEs5BNKQK6gh7h/J5dMyJPU0s1r7zCUhIGCLfQ8i5QgyK9jgviLBsLcCl7YI1JAeez CABPuJSHmwktIswGokGgE2rnkXdLGqep/xd72ewDwz7waBafxiVon9UsJRyJ9rZcw7Yy gwCwJjpSVGOs9RaI/XMYnlst/ae55XE+hXyR/9eq0KinV430Z8QtxZU0VE6wU3xl0isr Zgjwc9cpggbPsaW2RNHPukglQXsyH4iJBqhtxho+qxECflgCFB2X9OIg7S4q+v+OLz2P D8VA==
X-Gm-Message-State: AMke39nX11ViYg4e7alYV71pzwOF+Ew4vFjrgLL0ofin8AP6waenviEEnvmNjJthK/yURzsa
X-Received: by 10.84.160.197 with SMTP id v5mr13023556plg.161.1487354783219; Fri, 17 Feb 2017 10:06:23 -0800 (PST)
Received: from heembo.local ([2605:e000:112b:c167:3519:b801:95b1:4955]) by smtp.googlemail.com with ESMTPSA id a24sm20887175pfh.33.2017.02.17.10.06.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 10:06:22 -0800 (PST)
To: Dominick Baier <dbaier@leastprivilege.com>, Adam Lewis <adam.lewis@motorolasolutions.com>
References: <1e63222f-1d3b-59cc-a7c3-f9f3aa14e9df@manicode.com> <5d69eb72-b99a-1605-b58b-b7f33bb5db60@redhat.com> <600a2fe3fbc147588baedb557e6e5938@HE105717.emea1.cds.t-internal.com> <9f795a60-5345-61b6-356a-cc871164ba8d@manicode.com> <CAOahYUyR3pG_Ae7OH-XVevh-STSz5Z_7EvBv+NQ58Lw5cOLvEg@mail.gmail.com> <CAO7Ng+uDJ8CoxMN3XsgFCMpwvsN+_yBZ3GkDBquH6wcmtPs5Gw@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <1beba8d4-2979-03e1-44a3-da5ee2f00b93@manicode.com>
Date: Fri, 17 Feb 2017 08:06:20 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CAO7Ng+uDJ8CoxMN3XsgFCMpwvsN+_yBZ3GkDBquH6wcmtPs5Gw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------C961F416ED28AF25DB1F5EBA"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eVUae2m_iGnFvqWdB1OOHZ5iZkg>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's use of Implicit Grant Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 18:06:26 -0000
> Given a solid client library for JS, I think implicit flow is OK to use. If you can, can you dig deeper here? What is it about this particular library that makes its use of the OAuth 2 implicit flow secure? Signed messages? Only supports registered clients? Something else? Aloha, Jim On 2/17/17 8:02 AM, Dominick Baier wrote: > Given a solid client library for JS, I think implicit flow is OK to use. > > But I agree that there are many “home grown” implementation out there > that are not secure - and the necessary JS code to write a good client > is not necessarily the “pit of success”. > > You should give this lib a go (it’s also a certified RP): > > https://github.com/IdentityModel/oidc-client-js > > Many people argue that handling the protocol and crypto pieces in JS > is problematic (and I agree if no proper lib is used for that) - but > at then end of the day the access token will end up in the browser - > and a sloppy developer (e.g. not using CSP) will always write bad code > that might lead to leaking a token. > > ------- > Dominick Baier > > On 17 February 2017 at 18:43:25, Adam Lewis > (adam.lewis@motorolasolutions.com > <mailto:adam.lewis@motorolasolutions.com>) wrote: > >> +1000 >> >> We are currently going through internal turmoil over the usage of >> implicit grant for ua-based apps. The webapp case is well understood >> and the WG has work in progress to define best practices for native >> apps. Having one for ua-based apps would be HUGELY beneficial >> >> >> >> On Fri, Feb 17, 2017 at 11:40 AM, Jim Manico <jim@manicode.com >> <mailto:jim@manicode.com>> wrote: >> >> Thank you to those answering my question on implicit for JS clients. >> >> The responses so far seem to represent what the security world is >> saying about the implicit grant - keep away from it other than >> for a few OIDC use cases. >> >> Does anyone think it would be valuable to author a brief RFC to >> give clear OAuth 2 recommendations for JavaScript client developers? >> >> I mean - the OAuth 2 body of work just needs a few more RFC's, >> right? :) >> >> Aloha, Jim >> >> >> >> On 2/17/17 6:03 AM, Sebastian.Ebling@telekom.de >> <mailto:Sebastian.Ebling@telekom.de> wrote: >>> >>> Same for Deutsche Telekom. Our javascript clients also use code >>> flow with CORS processing and of course redirect_uri validation. >>> >>> >>> >>> Best regards >>> >>> >>> >>> Sebastian >>> >>> >>> >>> *Von:* OAuth [mailto:oauth-bounces@ietf.org] *Im Auftrag von* >>> Bill Burke >>> *Gesendet:* Freitag, 17. Februar 2017 00:14 >>> *An:* oauth@ietf.org <mailto:oauth@ietf.org> >>> *Betreff:* Re: [OAUTH-WG] Google's use of Implicit Grant Flow >>> >>> >>> >>> For our IDP [1], our javascript library uses the auth code flow, >>> but requires a public client, redirect_uri validation, and also >>> does CORS checks and processing. We did not like Implicit Flow >>> because >>> >>> 1) access tokens would be in the browser history >>> >>> 2) short lived access tokens (seconds or minutes) would require >>> a browser redirect >>> >>> I'd be really curious to hear other's thoughts though. >>> >>> [1] http://keycloak.org >>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__keycloak.org&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=YExyuyZO5YNpSvS3mEUG5pjKAjRXXVT8Xvk8hIb-Efw&e=> >>> >>> >>> >>> >>> >>> >>> >>> On 2/16/17 5:44 PM, Jim Manico wrote: >>> >>> Hello Folks, >>> >>> I noticed that Google supports the OAuth 2 Implicit flow for >>> third-party JavaScript applications. >>> >>> https://developers.google.com/identity/protocols/OAuth2UserAgent >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__developers.google.com_identity_protocols_OAuth2UserAgent&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=_Mig-zmCt1y9dZpCece1dqby3VmcZVOu2JPcmAwzwKU&e=> >>> >>> Isn't this generally discouraged from a security POV? *Is >>> there a better OAuth 2 flow for third party SPA applications?* >>> >>> Aloha, >>> >>> -- >>> >>> Jim Manico >>> >>> Manicode Security >>> >>> https://www.manicode.com >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=> >>> >>> >>> >>> >>> _______________________________________________ >>> >>> OAuth mailing list >>> >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> >>> https://www.ietf.org/mailman/listinfo/oauth >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=jAjifWdP3vqnDgWricLE62R9_d0BQReWRUitqM5S1JU&e=> >> -- >> Jim Manico >> Manicode Security >> https://www.manicode.com >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.manicode.com&d=DwMD-g&c=q3cDpHe1hF8lXU5EFjNM_A&r=hS3A5qzQnW1hxYBhPrxNW10ESeDiiiRwR8H84JHIXTI&m=IfM1P0zp986kOQNk7-NwlgfRZMq5MppK0kISXhIOF_s&s=H8pXLA4TE27vW-gz5Sbr9VOUP-KZMmd-gQ-okH4ohMU&e=> >> >> _______________________________________________ OAuth mailing >> list OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> <https://www.ietf.org/mailman/listinfo/oauth> >> >> _______________________________________________ OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth -- Jim Manico Manicode Security https://www.manicode.com
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Bill Burke
- [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Josh Mandel
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Sebastian.Ebling
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Adam Lewis
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Aaron Parecki
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Jim Manico
- Re: [OAUTH-WG] Google's use of Implicit Grant Flow Dominick Baier