IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Tomek Stojecki <tstojecki@yahoo.com> Tue, 04 December 2018 18:13 UTC

Return-Path: <tstojecki@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3264130E95 for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2018 10:13:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KPFrCakwDKrv for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2018 10:13:19 -0800 (PST)
Received: from sonic307-11.consmr.mail.ne1.yahoo.com (sonic307-11.consmr.mail.ne1.yahoo.com [66.163.190.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E49EA130E4D for <oauth@ietf.org>; Tue, 4 Dec 2018 10:13:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543947198; bh=P9X5T/iKbjie9ng4GtXVznPJ+zddOmVCs6HWBReK7p0=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=RzdpgTJKAxxDegAUZyQqn6QNApDwp3AleY8dEiT7Zf3AQT2ZQv4hrjPhpXVj4ZKD4BtZphPO/WjmTepcd9HAJBClV3f4FVTzWCnetHThMFynYK0/QkZ/XGyFm90mir9wCdgR8pjNLh0FHo9extknaVZ2KjKIg+ER5YEFXNaUSQgRRHDaoptfbwLkVMo0cSapfSlMuz3oQjgXAubziRboDfl23lqrtMK0TZwRcWruH2MM0fCg2juw6JhYl5ioFY7ceuSO5qO0KsbttNi/4pPpiXyV5s59jNxVkMPsTK52gb0MQ3sikAO7oz2hRGC6kb0BgoXkZUDEsi2yD8TjOA9ufw==
X-YMail-OSG: XNPNhlgVM1let5MPR0K7_H5iCvepimYDxFAn0ZiSfUhcmHZVwA_BwDXD9B3MlR0 Qtt6PiYtN12VvdkcbXw9WWsfxsgSc4otJkktRu9Mxlfx47Xj5Y82MRHeQB0QCoINQDT516nJ2O5b 2pvr0Wy32IHuRcuk98RH2qg0VIrM5HJaZpfkccOuGk.dWgjBgnYkm.NH5I0Aicqu0kbBev.8TMot ZFQMbFH_R5JiXSIyiqh7inF70ACIsADEHqlcG6SJgXhl9EAzQH3MsFxkyur8gtmD5G9DLGCWG1B8 ffm5JXWmKVHgsr3yM.uRgnaBdNkCbOwfumLj5BNk_B7eCTe1rawZ0fcu2bF8LNCs_qNs1ElRnPvC Y2rYYNvFalHxU0yjue2hd6lGlch47d6doG71mE8k1Yi31W6JxGqd14GbeCfDmqY8AdftcRgR7JSp gBxgzxxlHPo63LLrSLazUgfv76FNXIT5VawLekB0kV6dhugCe_0xuXjTklNd6VViaBlGu6e0UrAo FcLGpfiCkZXq3I4R3J4eDEJ2mfazIE5rv.3oC1AlZNRp75Oo4aQrBavVodTVwTzt5OvhazXbw9AO sA_OhSEHEYWCW95ZbTMCwXzGJuQez9NQ8TsmzZ9Gt_FOUbjreIprh7HuWLPBZrHs4gs4dXma8HNu RsP80l0l3KdfykKMj1i42rL_dZCKfi1yPRvq7vMw7gdVYx3UGMBpqcbjI4AeBTQAC.Zmon.TJVlv D2z1WQ1jZFb1aKyRJyEwE4QWu1BkBlquuhp3ARRXJUw9.xNEwmFBAoDmhE9UTugeKuRC9dOq5hTh hTVF1evrUkTeAl7lZ95wFpFUZOvalHABxxEMabSanT.wfOHEciUqJd_55Ar0PBpHMqg4rFglP5CR PBCVqazTy4ALn8SAauOkuipSy.zLoDjoSCNq7dDN_10xb3y8437W8CV_XZBeKCQCQLEslR_cEJRz Faqr_dHtKQv5ElBvpb_HE6d8jsv4Wdlzk0a1vsw9fKICP_2yq7_Hlz5jwSp1OkIl5SL9JED6t0fO dHObIpoZeeQ--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.ne1.yahoo.com with HTTP; Tue, 4 Dec 2018 18:13:18 +0000
Date: Tue, 04 Dec 2018 18:03:01 +0000
From: Tomek Stojecki <tstojecki@yahoo.com>
To: Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Daniel Fett <fett@danielfett.de>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth@ietf.org
Message-ID: <942315098.1664424.1543946581453@mail.yahoo.com>
In-Reply-To: <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <B857DECA-5457-4E62- A720-437832850680@lodderstedt.net> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1664423_1065979997.1543946581450"
X-Mailer: WebService/1.1.12827 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fkzS3AoBE1EXyJd3w9qDH1SYr3Q>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 18:13:21 -0000

 Thanks Torsten!So if I am putting myself in the shoes of somebody who sets out to do that - switch an existing SPA client (no backend) from Implicit to Code, the options to think through can be summed up more or less as following:
1. Do not use RTs2. If you're using RTs, rotate on every refresh AND implement RT token binding (is that stable enough?). Also consider binding RT to AS session.
Is that fair or is that too much of a shortcut? I am familiar with the specs you've referenced and have looked at them again, but dealing with a SPA, some of the recommendations are not feasible (can't authenticate the client, confidentiality in storage? - not sure how to read that in the context of a browser)
    On Tuesday, December 4, 2018, 2:08:55 PM GMT+1, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:  
 
 Hi Tomek,

> Am 04.12.2018 um 09:50 schrieb Tomek Stojecki <tstojecki=40yahoo.com@dmarc.ietf.org>:
> 
> I agree with Vittorio, Dominick et al. 
> 
>> I disagree. 
> 
>> Existing deployments that have not mitigated against the concerns with implicit should be ripped up and updated.
> 
> Yes, just like future deployments that will not mitigate against the concerns of code in the browser should be a concern.

I agree. That’s why I pointed point yesterday that the Security BCP also defines obligations for clients using code. 

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1

> 
> Can somebody on the other side of the argument (and I hate to make it sound like there are two sides, because we're on the same side as far as Implicit's AT in front-channel is a real issue) address Dominic's comment: 
> 
>> Also - simply saying “implicit is evil - switch to code” means for most people also using refresh token - so we are treating access tokens in the URL with refresh tokens in session storage (over simplified - but you get the idea).
> 
> Does the group agree|disagree that a recommendation to switch to code should be made as long as it is followed by an explanation and guidance on what to do with RTs? The ideas that were floated around 
> - Token bound RTs (even though it was pointed out that token binding is still considered an emerging standard). So should the recommendation than say "switch to code and MUST use token bound RTs"?
> - Have AS not release RTs. "Switch to code and DO NOT request RTs"? Or switch to code and configure AT to not release RTs for this type of client (not sure what that even looks like in a form of a 3rd party clients)?
> - RTs short lived and bound to a session - "Switch to code as long as AT can bind and revoke RTs when you log out“

Basically, the AS does not need to issue refresh tokens. If the AS does not issue refresh tokens, the integration pattern for SPAs does not change (beside the code exchange). If the client needs a new access token, it will perform another authorization request.  

If it does, this adds another layer of security because it allows the client to frequently obtain new access tokens, which can be short-lived and scope restricted. 

The refresh tokens should be replay protected by issuing new refresh tokens with every refresh and detect replay for refresh tokens belonging to the same grant. 

The AS may additionally bind refresh tokens to AS sessions, but as it was pointed out by Annabelle and others, there are some implications to be understood and managed in that context.

You may find more text about refresh tokens in the Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-3.12

kind regards,
Torsten. 

> 
> Sorry if I have missed an important detail from the list above, people who have proposed these ideas, feel free to clarify. 

> 
> On Monday, December 3, 2018, 10:51:00 PM GMT+1, Dick Hardt <dick.hardt@gmail.com> wrote: 
> 
> I disagree. 
> 
> Existing deployments that have not mitigated against the concerns with implicit should be ripped up and updated.
> 
> For example, at one time, I think it was Instagram that had deployed implicit because it was easier to do. Once the understood the security implications, they changed the implementation. 
> 
> BCPs are rarely a response to a new threat, their are capturing Best Current Practices so that they become widely deployed.
> 
> 
> 
> 
> On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are saying here. And that was kind of behind the comment I made, or tired to make, about this in Bangkok, which was (more or less) that I don't think the WG should be killing implicit outright but rather that it should begin to recommend against it. 
>> 
>> I'm not exactly sure what that looks like in this document but maybe toning down some of the scarier language a bit, favoring SHOULDs vs. MUSTs, and including language that helps a reader understand the recommendations as being more considerations for new applications/deployments than as a mandate to rip up existing ones. 
>> 
>> 
>> 
>> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> 
>>> We just need to be sensitive to the spin on this.  
>>> 
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited...  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email