IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 for Browser-Based Apps

Phil Hunt <phil.hunt@oracle.com> Tue, 18 December 2018 22:15 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC1F1129BBF for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 14:15:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.365
X-Spam-Level:
X-Spam-Status: No, score=-4.365 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3dXkd1UoaAY for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 14:15:28 -0800 (PST)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE2DA12D84D for <oauth@ietf.org>; Tue, 18 Dec 2018 14:15:27 -0800 (PST)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wBIME15o024575; Tue, 18 Dec 2018 22:15:24 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=w4Cm8WhYk7Vr98bHKplG/7YFnG5HI0PljBnZfAGz/rU=; b=TIkQGDDy6StWzra1zMjn+8lbyatWeZp6phm6Tm3VFXOOjKK+gNxEwRaq3FMdcyJ2Fe99 VDeVwyLa09tdn3eII7U9/KUFLW8G6SefwIfcF+jKWDODCNFaXWAGhNJL1mKoL0T/aLnQ GEcqwm5rH0is32JWkZSLKUAyHx9dBKdfUm82P1jqAIfOSumOspbWRFioR6G+PGmXpC3S pTbkHZP7RgIqGaiI0O+3KFBNyD1uTO55RWibistUZVrlgA6w/W7OmBmJ3DqCLfs7XbJg e6vLiiEzsTVKuPyImKyQt+ZHHzUXFxWNRCPwvVqxJZDmbgHM+glcMFOc4ztjwuJxUOkp cQ==
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2130.oracle.com with ESMTP id 2pcs1tp57b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 18 Dec 2018 22:15:23 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wBIMFN9X007278 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 18 Dec 2018 22:15:23 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wBIMFMbS006996; Tue, 18 Dec 2018 22:15:22 GMT
Received: from [192.168.1.27] (/70.70.142.148) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 18 Dec 2018 14:15:22 -0800
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (16B92)
In-Reply-To: <DB715BEA-3C0D-4585-8FAB-B3D809430758@lodderstedt.net>
Date: Tue, 18 Dec 2018 14:15:21 -0800
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9DEFB4E-DF4E-4A31-9B83-04AC88CB61FE@oracle.com>
References: <VI1PR0801MB211211AA90A5B25505DDA9BAFABC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <DB715BEA-3C0D-4585-8FAB-B3D809430758@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9111 signatures=668680
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812180182
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fYIdyG_jQsPLRj-7YBIaeLmeQPk>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 for Browser-Based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 22:15:31 -0000

+1

Phil

> On Dec 18, 2018, at 10:14 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi Hannes, 
> 
> while I think the current text needs some substantial work, I support the adoption of this draft as a working group document. I also think we need to carefully define the boundaries between the Security BCP and the SPA BCP in order to prevent unnecessary duplications and inconsistencies.
> 
> Here are my review comments:
> 
> "OAuth 2.0 authorization requests from apps running entirely in a
>   browser are unable to use a Client Secret during the process, since
>   they have no way to keep a secret confidential.“
> 
> Although I think that’s an important aspect I’m wondering why the draft starts with it? I don’t think this is the most important message. If the intend is to align with https://tools.ietf.org/html/rfc8252, I would propose something like
> 
> „OAuth 2.0 authorization requests from browser based apps should only be made
>   using the code flow. …"
> 
> Section 3
> 
> "Browser-based application":  An application that runs entirely in a
>      web browser, usually written in JavaScript, where the source code
>      is downloaded from a domain prior to execution.  Also sometimes
>      referred to as a "single-page application", or "SPA“.
> 
> I think this definition is too narrow, which also limits applicability of this draft. I would argue a browser based application runs portions of its logic in the browser but not necessarily the entire app. Most browser based apps have a backend in the same way as mobile apps have a backend. I think for the purpose of this draft the fact that the UI is controlled from within the browser, uses browser APIs and underlies browser security mechanisms & restrictions is much more important. Moreover, the source code not even needs to be downloaded for every execution due to browser caching. 
> 
> My proposal:
> 
> "Browser-based application":  An application that is dynamically 
>      downloaded and executed in a web browser, usually written in 
>     JavaScript. Also sometimes referred to as a "single-page application", or "SPA“.
> 
> Section 4
> 
> "Require the OAuth 2.0 state parameter" -> "Use the the state parameter to carry one-time use CSRF tokens"
> 
> "...require the
>      hostname of the redirect URI match the hostname of the URL the app
>      was served from“ 
> 
> Are we sure there are no legit reasons to receive the redirect at another host? Is the AS supposed to determine the app's origin from the referrer header?
> 
> "Previously it was recommended that browser-based applications use the
>   OAuth 2.0 Implicit flow. …“
> 
> I suggest to mention broad adoption of CORS after publication of RFC 6749 as reason why the shift towards code is possible now.
> 
> Section 5
> 
> „To conform to this best practice, first-party applications using
>   OAuth or OpenID Connect MUST use an OAuth Authorization Code flow as
>   described later in this document or use the OAuth Password grant."
> 
> It does not feel well for me to read „MUST" and "Password grant“ in the same sentence. I'm in favor to just recommend 1st party apps to use code for reasons x, y, z and not mention password.
> 
> I also think the arguments are more dominante when formatted as bullet list.
> 
> Section 6
> 
> "In some cases, it may make sense to avoid the use of a strictly
>   browser-based OAuth application entirely, instead using an
>   architecture that can provide better security.“
> 
> Reads like OAuth implies degraded app security?
> 
> 6.1.
> 
> „For simple system architectures, such as when the JavaScript
>   application is served from the same domain as the API (resource
>   server) being accessed, it is likely a better decision to avoid using
>   OAuth entirely, and just use session authentication to communicate
>   with the API.“
> 
> What do you mean by same domain? same second level domain? same host? I'm not sure what this text want to convey.
> 
> Section 6.2.
> 
> 2nd paragraph „….The backend component essentially becomes a new authorization server“
> 
> I get the message, but the term "authorization server" misled me when I read the text for the first time. I was under the impression, your are proposing OAuth as communication protocol between an app's front and backend. This is possible but just one option. I suggest to remove the term. It does not really help.
> 
> 3rd paragraph „In this scenario, the backend component may be a confidential client
>   which is issued its own client secret. „
> 
> Confidential clients can use various authentication methods, „secret" misleads reader towards traditional client secrets. private_key_jwt and mTLS are possible (and better options). 
> 
> „Despite this, there are still
>   some ways in which this application is effectively a public client,
>   as the end result is the application's code is still running in the
>   browser and visible to the user.“
> 
> Why does this make the SPA a public client? I see the risk of a browser based app (and every kind of attacker) to access protected APIs through the backend. That's the reason why I think the backend should never directly expose (== just proxy) the underlying RS APIs. The interface between front and backend must be narrowed down to the specific use case AND the current state of the app. For example, if the app is in "check out" state it makes sense to initiate a payment but in no other state.  
> 
> General remark: I would suggest to restructure section 6 to describe the potential architectures this BCP has in mind. From my perspective these are:
> - "pure" SPA
> - SPA w/ backend
> - SPA w/o OAuth (as fallback)
> 
> Section 7.1
> 
> „Public browser-based apps MUST implement the Proof Key for Code extension to OAuth, and authorization
>   servers MUST support PKCE for such clients."
> 
> Any client MUST use PKCE (see Security BCP) - PKCE is used beyond interception prevention to detect injection. Please refer to section 2.1 of the security BCP it has all the details.
> 
> Section 7.2
> 
> „Authorization servers SHOULD require an exact match of a registered
>   redirect URI."
> 
> Please make it a MUST as stated in the Security BCP, Section 2.1
> 
> „  If an authorization server wishes to provide some flexibility in
>   redirect URI usage to clients, it MAY require that only the hostname
>   component of the redirect URI match the hostname of the URL the
>   application is served from.“
> 
> Why do you soften the Security BCP requirements? That's the road to open redirection!
> 
> Section 8
> 
> This section lacks a motivation for RT usage. In my opinion, there are two reasons: 
> (1) use RTs instead of refresh via authorization code flow (to cope with ITP2). 
> (2) be able to issue short lived and privilege restricted access tokens in order to limit the impact of access token leakage at resource servers.
> 
> Both are good reasons that deserve dedicated discussions. I therefore suggest to split & change Section 8 into two sections, „Access Token Refresh" and „Access Token Replay Mitigation".
> 
> The section on access token mitigation should discuss potential options, including 
> - Token Binding 
> - mTLS
> - RT rotation
> …
> 
> Section 9.1
> 
> This BCP describes different SPA design where such apps can be either public or confidential. So I would not preclude confidential clients.
> 
> Section 9.4
> 
> You might want to refer to the Security BCP as it has more details on this topic. 
> 
> I would also suggest to add use of CORS for CSRF protection in the browser (see https://www.ietf.org/mail-archive/web/oauth/current/msg18591.html) since it is SPA specific. 
> 
> Section 9.6. 
> 
> I would argue enabling CORS is not a security consideration but a functional requirement towards the AS.
> 
> 2nd paragraph
> 
> CORS and authorization of GET&POST requests plays a vital role in CSRF prevention if the access tokens are conveyed in a cookie as well as for any automatic way to add authorization headers to outbound requests (see above). So I think it must be managed properly.
> 
> Section 9.7
> 
> Why do you bind CSP to RTs or long living access tokens. Isn’t this anyway a good idea to prevent XSS?
> 
> Section 9.8.6
> 
> injection is neglected - I think you could just refer to the Security BCP for the discussion of the risks associated with implicit. If any threat is missing there, we can add it there. 
> 
> „In OpenID Connect, …“ 
> 
> Not clear to me what this text shall convey. Is it a statement in favor of issuing id tokens in the back channel in OIDC?
> 
> Section 9.8.7
> 
> I would put this text in a motivation section along with the explanation why CORS adoption allows code adoption for SPAs in the introduction of the BCP.
> 
> kind regards,
> Torsten. 
> 
> 
>> Am 17.12.2018 um 22:01 schrieb Hannes Tschofenig <Hannes.Tschofenig@arm.com>:
>> 
>> Hi all,
>> 
>> We would like to get a confirmation on the mailing list for the adoption of https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02 as a starting point for a BCP document about *OAuth 2.0 for Browser-Based Apps*.
>> 
>> Please, let us know if you support or object to the adoption of this document by Jan. 7th 2019.
>> 
>> Ciao
>> Hannes & Rifaat
>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email