Re: [OAUTH-WG] Recommendations for browser-based apps
Bill Burke <bburke@redhat.com> Thu, 21 September 2017 21:06 UTC
Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 551BA132F2E
for <oauth@ietfa.amsl.com>; Thu, 21 Sep 2017 14:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.42
X-Spam-Level:
X-Spam-Status: No, score=-1.42 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id b1mSicbmNXTG for <oauth@ietfa.amsl.com>;
Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
Received: from mail-ua0-f174.google.com (mail-ua0-f174.google.com
[209.85.217.174])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id ACF85133044
for <oauth@ietf.org>; Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
Received: by mail-ua0-f174.google.com with SMTP id k23so4391627uaf.4
for <oauth@ietf.org>; Thu, 21 Sep 2017 14:06:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=JuGMtLGFUOIaryPsRCVOSfeOfbB9lRpG3GXwF+eI+xM=;
b=SCwJ9x9De+T3+HzB8f3BRXoCA13F+9pJYmOpBfEU34rrqhULWVDsk7S2f/6cHA2szF
1RMD3wRHJKPDCyap4zhLuLMexxHhseRO2qKsslDS+rKvB7BR96Eq9D1SND064l/mQDN8
SS6BO4O/EUEBL9cMQuVPp84Q7MME9ENA9DLqAdB69fnOG0F0Ue1LpaOcgPN47iXtt2Vh
ErQEqnHBGYWuuIlGgeT2HnA9cWWYxKDB9deEdG/IqOswcOmcc57b0L06mAqqiIbs9UQn
/rpBPyzyUIG2SEPPRUgiptpn3D8Nk3bYgH9gObW23exSOjc5t3llqvxqsV9VI0HFJ3Bb
AHfg==
X-Gm-Message-State: AHPjjUhoQoV/GdHJpjpusWq1a/LVrBEP/gTDV9tOb4YQ/WTLw0SzvZNY
cp76CmCVgKcQpwLauLGEdPSE6aE6in6vUJoxe/HwGw==
X-Google-Smtp-Source: AOwi7QBA/TeKVvadGNVXktqmScmqpukywjtwAaT1kdOP3uHJpMJl2cFdjxlO89zwoicfDs5L7rvRyTw9m03QyPKpqN4=
X-Received: by 10.176.19.231 with SMTP id n36mr3100877uae.68.1506027968921;
Thu, 21 Sep 2017 14:06:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.55.79 with HTTP; Thu, 21 Sep 2017 14:06:08 -0700 (PDT)
In-Reply-To: <FC971100-7DF7-404A-AE08-A3FA3D80B76B@manicode.com>
References: <CAKAMr-Dws2RVRLv+xTa7j2zk+yhpCpYN-jUgxFos+j--Abv4uQ@mail.gmail.com>
<CABRXCmwKDOSQQrDdCVBkDWSi85A7FL_R9d9sNzgdBTE_HyKDMw@mail.gmail.com>
<14E11D6D-3CA4-4945-93B5-96F40D17463E@oracle.com>
<CAOahYUwYT-mFrdN-FvZArNCmVMn8G6X8504Z9EFY_rZ7A328qA@mail.gmail.com>
<7630385B-8366-4B11-A5CA-BEE18F96AB8B@ve7jtb.com>
<5C40C2B2-A673-4940-8376-55D448271A4C@gmail.com>
<CABRXCmwDQ_uZXDaaX6gxn_J_FnaCDucA-5uZwF6K1uHMQs6nzw@mail.gmail.com>
<1A823C26-FC05-48C1-A2E1-7B2B6A2607BB@manicode.com>
<555F5261-7F4B-4BFD-8911-A8BFD675EE3F@forgerock.com>
<FC971100-7DF7-404A-AE08-A3FA3D80B76B@manicode.com>
From: Bill Burke <bburke@redhat.com>
Date: Thu, 21 Sep 2017 17:06:08 -0400
Message-ID: <CABRXCmyYyWMOXKs0zfsjuoPfDXL63pw5aVe_jWQ8joO4AX2+hg@mail.gmail.com>
To: Jim Manico <jim@manicode.com>
Cc: Neil Madden <neil.madden@forgerock.com>, OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/faWgtxIuh-Zy-1MbLOY9ENVK3js>
Subject: Re: [OAUTH-WG] Recommendations for browser-based apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
<mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
<mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 21:06:13 -0000
Back to the OP...Why would browser Javascript implementing Authz Code flow with public client be vulnerable? Not understanding how an XSS attack could work in such a scenario. On Wed, Sep 20, 2017 at 3:22 AM, Jim Manico <jim@manicode.com> wrote: > PS: The RFC for SameSite cookies has moved to here. > https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis > > It's an approved standard and was rolled into the new cookie RFC. > > Chrome support has a big impact on mobile and elsewhere. But I agree we need > to see FireFox and Safari support and expect to see it within a year. > > But that should not stop folks from using it today. It's backwards > compatible with existing cookie behavior and is quite beautiful in it's > simplicity and power to defend against CSRF. > > Aloha, > Jim > > On Sep 20, 2017, at 1:21 PM, Neil Madden <neil.madden@forgerock.com> wrote: > > Is this growing in support? It seems like a good idea, but when I reviewed > it recently the draft had expired almost a year ago and still only Chrome > and Opera had implemented it. From the outside it looks as if it has > (inexplicably) died. Do you know if there is some activity happening behind > the scenes? > > -- Neil > > On 20 Sep 2017, at 02:31, Jim Manico <jim@manicode.com> wrote: > > Not always, Bill. There is a new standard called "same site cookies" or > "first party cookies" that allows you to programmatically remove this risk > in some modern browsers, it's worth reviewing. > > https://tools.ietf.org/html/draft-west-first-party-cookies-07 > > It's live in Chrome and Opera and will only grow in support. > http://caniuse.com/#search=samesite > > Jim > > > On Sep 20, 2017, at 8:44 AM, Bill Burke <bburke@redhat.com> wrote: > > Cookies are vulnerable to CXRF. > > On Tue, Sep 19, 2017 at 7:48 PM, nov matake <matake@gmail.com> wrote: > > Why not using http-only cookies instead of refresh tokens? > > If the app can interact with AuthZ server through a hidden iframe with > > prompt=none param, you shouldn’t need refresh tokens. > > > If your SAP is running on a different domain with the backend server, > > Safari’s Intelligent Tracking Prevention will break the hidden iframe way > > though. > > > On Sep 20, 2017, at 7:32, John Bradley <ve7jtb@ve7jtb.com> wrote: > > > Right, Refresh token is bearer for native apps, that is why we came up with > > PKCE to protect code. > > > For Angular the code flow with PKCE is probably better than the token > > response type. > > > However with bearer tokens it is still riskier than code with a confidential > > client so the AS should take that into account and not allow refresh tokens > > to live forever. > > > One future way to protect refresh tokens and perhaps Access tokens is to use > > token binding to bind the tokens to the user agent. You could do that now > > for refresh tokens in Edge (Chrome has TB off by default still). > > > I think more work needs to be done to come up with a best practice for SPA. > > > John B. > > > On Sep 19, 2017, at 7:02 PM, Adam Lewis <adam.lewis@motorolasolutions.com> > > wrote: > > > Only for confidential clients. No authentication is required for public > > clients. > > > On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) <phil.hunt@oracle.com> > > wrote: > > > Except a refresh token is not purely bearer. The client is required to > > authenticate to use it. > > > Phil > > > On Sep 19, 2017, at 2:33 PM, Bill Burke <bburke@redhat.com> wrote: > > > I'd be curious to the response to this too. > > > Seems to me that refresh token has the same possible security risks in > > an Angular app as an access token, except the refresh token is valid > > longer....Still, if you did the implicit flow, you'd have to have > > longer access token timeouts as it would be really annoying for the > > user to have to login again and again in a long session with your > > Angular app. > > > We have a javascript adapter that does Authz Code Flow with PKCE for > > our Angular app. It also does CORS checks on the code to token XHR > > request just in case on the IDP side. > > > On Tue, Sep 19, 2017 at 9:27 AM, Stefan Büringer <sbueringer@gmail.com> > > wrote: > > Hi, > > > there were some discussions in January regarding recommendations for > > browser-based apps > > (https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html). > > > I'd just like to ask if the Authorization Code Flow with PKCE is a > > valid > > option for Single-Page-Applications (in our case Angular), because > > Implicit > > Flow cannot be used in our scenario. > > > Authorization Code Flow with PKCE eliminates the necessity for client > > secrets, but our concern is that exposing the refresh token to the SPA > > might > > be a security risk, compared to the Implicit Flow were no refresh token > > is > > exposed. > > > What's your take on this? > > > Kind regards, > > Stefan Büringer > > > P.S. I couldn't find that much on the internet regarding Authorization > > Code > > Flow with PKCE in SPAs, if you have some recommendations for good blog > > posts > > I would be grateful. > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > -- > > Bill Burke > > Red Hat > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > -- > Bill Burke > Red Hat > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Bill Burke Red Hat
- [OAUTH-WG] Recommendations for browser-based apps Stefan Büringer
- Re: [OAUTH-WG] Recommendations for browser-based … Bill Burke
- Re: [OAUTH-WG] Recommendations for browser-based … Phil Hunt (IDM)
- Re: [OAUTH-WG] Recommendations for browser-based … Jim Manico
- Re: [OAUTH-WG] Recommendations for browser-based … Adam Lewis
- Re: [OAUTH-WG] Recommendations for browser-based … John Bradley
- Re: [OAUTH-WG] Recommendations for browser-based … nov matake
- Re: [OAUTH-WG] Recommendations for browser-based … Bill Burke
- Re: [OAUTH-WG] Recommendations for browser-based … Jim Manico
- Re: [OAUTH-WG] Recommendations for browser-based … Nov Matake
- Re: [OAUTH-WG] Recommendations for browser-based … Josh Mandel
- Re: [OAUTH-WG] Recommendations for browser-based … Neil Madden
- Re: [OAUTH-WG] Recommendations for browser-based … Jim Manico
- Re: [OAUTH-WG] Recommendations for browser-based … Jim Manico
- Re: [OAUTH-WG] Recommendations for browser-based … Bill Burke