Re: [OAUTH-WG] Recommendations for browser-based apps

Bill Burke <bburke@redhat.com> Thu, 21 September 2017 21:06 UTC

Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551BA132F2E for <oauth@ietfa.amsl.com>; Thu, 21 Sep 2017 14:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.42
X-Spam-Level:
X-Spam-Status: No, score=-1.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1mSicbmNXTG for <oauth@ietfa.amsl.com>; Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
Received: from mail-ua0-f174.google.com (mail-ua0-f174.google.com [209.85.217.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACF85133044 for <oauth@ietf.org>; Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
Received: by mail-ua0-f174.google.com with SMTP id k23so4391627uaf.4 for <oauth@ietf.org>; Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=JuGMtLGFUOIaryPsRCVOSfeOfbB9lRpG3GXwF+eI+xM=; b=SCwJ9x9De+T3+HzB8f3BRXoCA13F+9pJYmOpBfEU34rrqhULWVDsk7S2f/6cHA2szF 1RMD3wRHJKPDCyap4zhLuLMexxHhseRO2qKsslDS+rKvB7BR96Eq9D1SND064l/mQDN8 SS6BO4O/EUEBL9cMQuVPp84Q7MME9ENA9DLqAdB69fnOG0F0Ue1LpaOcgPN47iXtt2Vh ErQEqnHBGYWuuIlGgeT2HnA9cWWYxKDB9deEdG/IqOswcOmcc57b0L06mAqqiIbs9UQn /rpBPyzyUIG2SEPPRUgiptpn3D8Nk3bYgH9gObW23exSOjc5t3llqvxqsV9VI0HFJ3Bb AHfg==
X-Gm-Message-State: AHPjjUhoQoV/GdHJpjpusWq1a/LVrBEP/gTDV9tOb4YQ/WTLw0SzvZNY cp76CmCVgKcQpwLauLGEdPSE6aE6in6vUJoxe/HwGw==
X-Google-Smtp-Source: AOwi7QBA/TeKVvadGNVXktqmScmqpukywjtwAaT1kdOP3uHJpMJl2cFdjxlO89zwoicfDs5L7rvRyTw9m03QyPKpqN4=
X-Received: by 10.176.19.231 with SMTP id n36mr3100877uae.68.1506027968921; Thu, 21 Sep 2017 14:06:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.55.79 with HTTP; Thu, 21 Sep 2017 14:06:08 -0700 (PDT)
In-Reply-To: <FC971100-7DF7-404A-AE08-A3FA3D80B76B@manicode.com>
References: <CAKAMr-Dws2RVRLv+xTa7j2zk+yhpCpYN-jUgxFos+j--Abv4uQ@mail.gmail.com> <CABRXCmwKDOSQQrDdCVBkDWSi85A7FL_R9d9sNzgdBTE_HyKDMw@mail.gmail.com> <14E11D6D-3CA4-4945-93B5-96F40D17463E@oracle.com> <CAOahYUwYT-mFrdN-FvZArNCmVMn8G6X8504Z9EFY_rZ7A328qA@mail.gmail.com> <7630385B-8366-4B11-A5CA-BEE18F96AB8B@ve7jtb.com> <5C40C2B2-A673-4940-8376-55D448271A4C@gmail.com> <CABRXCmwDQ_uZXDaaX6gxn_J_FnaCDucA-5uZwF6K1uHMQs6nzw@mail.gmail.com> <1A823C26-FC05-48C1-A2E1-7B2B6A2607BB@manicode.com> <555F5261-7F4B-4BFD-8911-A8BFD675EE3F@forgerock.com> <FC971100-7DF7-404A-AE08-A3FA3D80B76B@manicode.com>
From: Bill Burke <bburke@redhat.com>
Date: Thu, 21 Sep 2017 17:06:08 -0400
Message-ID: <CABRXCmyYyWMOXKs0zfsjuoPfDXL63pw5aVe_jWQ8joO4AX2+hg@mail.gmail.com>
To: Jim Manico <jim@manicode.com>
Cc: Neil Madden <neil.madden@forgerock.com>, OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/faWgtxIuh-Zy-1MbLOY9ENVK3js>
Subject: Re: [OAUTH-WG] Recommendations for browser-based apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 21:06:13 -0000

Back to the OP...Why would browser Javascript implementing Authz Code
flow with public client be vulnerable?  Not understanding how an XSS
attack could work in such a scenario.

On Wed, Sep 20, 2017 at 3:22 AM, Jim Manico <jim@manicode.com> wrote:
> PS: The RFC for SameSite cookies has moved to here.
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis
>
> It's an approved standard and was rolled into the new cookie RFC.
>
> Chrome support has a big impact on mobile and elsewhere. But I agree we need
> to see FireFox and Safari support and expect to see it within a year.
>
> But that should not stop folks from using it today. It's backwards
> compatible with existing cookie behavior and is quite beautiful in it's
> simplicity and power to defend against CSRF.
>
> Aloha,
> Jim
>
> On Sep 20, 2017, at 1:21 PM, Neil Madden <neil.madden@forgerock.com> wrote:
>
> Is this growing in support? It seems like a good idea, but when I reviewed
> it recently the draft had expired almost a year ago and still only Chrome
> and Opera had implemented it. From the outside it looks as if it has
> (inexplicably) died. Do you know if there is some activity happening behind
> the scenes?
>
> -- Neil
>
> On 20 Sep 2017, at 02:31, Jim Manico <jim@manicode.com> wrote:
>
> Not always, Bill. There is a new standard called "same site cookies" or
> "first party cookies" that allows you to programmatically remove this risk
> in some modern browsers, it's worth reviewing.
>
> https://tools.ietf.org/html/draft-west-first-party-cookies-07
>
> It's live in Chrome and Opera and will only grow in support.
> http://caniuse.com/#search=samesite
>
> Jim
>
>
> On Sep 20, 2017, at 8:44 AM, Bill Burke <bburke@redhat.com> wrote:
>
> Cookies are vulnerable to CXRF.
>
> On Tue, Sep 19, 2017 at 7:48 PM, nov matake <matake@gmail.com> wrote:
>
> Why not using http-only cookies instead of refresh tokens?
>
> If the app can interact with AuthZ server through a hidden iframe with
>
> prompt=none param, you shouldn’t need refresh tokens.
>
>
> If your SAP is running on a different domain with the backend server,
>
> Safari’s Intelligent Tracking Prevention will break the hidden iframe way
>
> though.
>
>
> On Sep 20, 2017, at 7:32, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>
> Right,  Refresh token is bearer for native apps, that is why we came up with
>
> PKCE to protect code.
>
>
> For Angular the code flow with PKCE is probably better than the token
>
> response type.
>
>
> However with bearer tokens it is still riskier than code with a confidential
>
> client so the AS should take that into account and not allow refresh tokens
>
> to live forever.
>
>
> One future way to protect refresh tokens and perhaps Access tokens is to use
>
> token binding to bind the tokens to the user agent.   You could do that now
>
> for refresh tokens in Edge (Chrome has TB off by default still).
>
>
> I think more work needs to be done to come up with a best practice for SPA.
>
>
> John B.
>
>
> On Sep 19, 2017, at 7:02 PM, Adam Lewis <adam.lewis@motorolasolutions.com>
>
> wrote:
>
>
> Only for confidential clients.  No authentication is required for public
>
> clients.
>
>
> On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
>
> wrote:
>
>
> Except a refresh token is not purely bearer. The client is required to
>
> authenticate to use it.
>
>
> Phil
>
>
> On Sep 19, 2017, at 2:33 PM, Bill Burke <bburke@redhat.com> wrote:
>
>
> I'd be curious to the response to this too.
>
>
> Seems to me that refresh token has the same possible security risks in
>
> an Angular app as an access token, except the refresh token is valid
>
> longer....Still, if you did the implicit flow, you'd have to have
>
> longer access token timeouts as it would be really annoying for the
>
> user to have to login again and again in a long session with your
>
> Angular app.
>
>
> We have a javascript adapter that does Authz Code Flow with PKCE for
>
> our Angular app.  It also does CORS checks on the code to token XHR
>
> request just in case on the IDP side.
>
>
> On Tue, Sep 19, 2017 at 9:27 AM, Stefan Büringer <sbueringer@gmail.com>
>
> wrote:
>
> Hi,
>
>
> there were some discussions in January regarding recommendations for
>
> browser-based apps
>
> (https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html).
>
>
> I'd just like to ask if the Authorization Code Flow with PKCE is a
>
> valid
>
> option for Single-Page-Applications (in our case Angular), because
>
> Implicit
>
> Flow cannot be used in our scenario.
>
>
> Authorization Code Flow with PKCE eliminates the necessity for client
>
> secrets, but our concern is that exposing the refresh token to the SPA
>
> might
>
> be a security risk, compared to the Implicit Flow were no refresh token
>
> is
>
> exposed.
>
>
> What's your take on this?
>
>
> Kind regards,
>
> Stefan Büringer
>
>
> P.S. I couldn't find that much on the internet regarding Authorization
>
> Code
>
> Flow with PKCE in SPAs, if you have some recommendations for good blog
>
> posts
>
> I would be grateful.
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
>
> Bill Burke
>
> Red Hat
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
> Bill Burke
> Red Hat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



-- 
Bill Burke
Red Hat