IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Vittorio Bertocci <Vittorio@auth0.com> Thu, 06 December 2018 07:40 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 812CE1310FF for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 23:40:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JI9mAwWQn9xO for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 23:40:45 -0800 (PST)
Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F58131103 for <oauth@ietf.org>; Wed, 5 Dec 2018 23:40:44 -0800 (PST)
Received: by mail-lj1-x241.google.com with SMTP id g11-v6so20768091ljk.3 for <oauth@ietf.org>; Wed, 05 Dec 2018 23:40:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ciX1tl53g5iOgJaXnP8uH782Rculf/kWJ/DZyufSL8s=; b=VoTgRMV7R7pnjOqypoMc1Yf9BO9Zg8HwoFHi0IIWZiu5vYMWGbUepak77g1heegLTI 5Er5h5at6QGXhopnZUpZzj2dwxNGiPZG/8GxAzn3wkDrJYbm6qvA1qlIL0F95Dnm8l2h zqvZ2nwYJHI3YZUcH+p1Jhsbsi7O2RitTYXwEVr6pNGlN8lmKxlMe8niicJT7B79SVWR nrbpHk8a6ZYhJ6qOKvoeuGV+/R67Mz5t/Fmz+Fu1vwWKf6R5RiX2sYQUcuRozY+j4U1S puLsn39DKICANpLpkSoDaL3qs49ruEAV86rm6ze3hcrUDIbHf9dBLsytH7szfyacfO08 mSvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ciX1tl53g5iOgJaXnP8uH782Rculf/kWJ/DZyufSL8s=; b=pD1wBJ3NJMicKqGDY4u6f4Vv09EDDv7WDiKsgchCZsrH2m7Y7oEBp0Z7WRujcNWJOK QZPscLY/kM+xVzJb73sf/lfgVfNZEtWURFJcs9KgQef2NW/TvjabM50jJ5KdoVjSZWk7 lCVhT/gRyJWeI8TDKj8Yu+hjCHDqVH2VIAFer3qmpGwyi3wpFo7z8VIy0rDy2ll6DemI 3Uf7rtjJePuLLzDL/0fDzrIPmNu/u6M0mlcDL/0C4cIeTeaMkEielxXnJ8gK9JXlRxbS PMlcP3d7285QgKtcMW8qs4wDmUgyngAQ2YpYPeKQvZCJ4Y0XoL9Lkns1Fs0Zf4383Uog Tx7Q==
X-Gm-Message-State: AA+aEWYf8/K0u9yoymmTEa7L08VI7LtZu6C8KWMnKOw9jlOyAE9u/9P0 P4weIsIIt9VDZWkiOMWJ21VFT7QGyxFYYpEqQCfe2g==
X-Google-Smtp-Source: AFSGD/W6ONCErCBZPwtmzXbSp8FT3SsZX3xa+ga5VscJVSO8ezGvrwO1uB9PdsuylJynpxJVO0ItrqJsuji4ZK5AoN8=
X-Received: by 2002:a2e:21a9:: with SMTP id h41-v6mr17297893lji.103.1544082042336; Wed, 05 Dec 2018 23:40:42 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net> <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com> <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net>
In-Reply-To: <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Wed, 05 Dec 2018 23:40:31 -0800
Message-ID: <CAO_FVe7_CsqkTCRSPK5iT5dH5w_NmDuZ-g-2UJgHefUP2i3beQ@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Daniel Fett <fett@danielfett.de>, IETF oauth WG <oauth@ietf.org>, Tomek Stojecki <tstojecki@yahoo.com>
Content-Type: multipart/alternative; boundary="000000000000a34d5f057c559d5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gbCn43NODR8zsKaNFSaMa4x04_8>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 07:40:50 -0000

Thank you!
On the RT, more questions:

- where would you save the RT? Iam thinking of the no-backend case in
particular. There’s a lot of heartburn in the community on where to save
access tokens already, given the larger scope of refresh tokens I would
expect objections there would be exacerbated. The user experience bar
(number of prompts, full page redirects) should be the one afforded by
implicit leveraging AS sessions via persistent cookies.

- how would we advise developers about handling distributed sign out? If
the session cookie with the AS is no longer  the only artifact representing
the effective session, it looks like we should be prescriptive on what
signals an app should listen for (OIDC checkSession?) and what the expected
actions are (e.g. remove the cached RTs). I realize this isn’t strictly
OAuth2, but it remains an important difference in end to end scenarios
people use implicit for today

Thx
V.

On Wed, Dec 5, 2018 at 23:27 Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

>
>
> Am 06.12.2018 um 02:31 schrieb Vittorio Bertocci <
> vittorio.bertocci@auth0.com>:
>
> Hey Torsten/Tomek,
> Can I ask a clarification on the below?
> Torsten, you mentioned that an AS doesn't need to issue a RT- the browser
> code can just repeat an authorization request. Did I get it right?
> But in order to preserve the user experience, that cannot really happen as
> a full page redirect; right? That wouldn't fly for any kind of background
> update, or for retrieving new ATs for different resources based on the same
> session. So would we now use a hidden frame to retrieve a code in the same
> way in which we used fragments to get new ATs?
>
>
> That’s what I meant. I also think the RT-based approach is better suited
> in terms of UX and security.
>
> Thx
> V.
>
> On Wed, Dec 5, 2018 at 7:17 AM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Hi Tomek,
>>
>> > Am 05.12.2018 um 15:27 schrieb Tomek Stojecki <tstojecki@yahoo.com>:
>> >
>> > Hi Torsten,
>> >
>> > On Wednesday, December 5, 2018, 1:17:08 PM GMT+1, Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>> >
>> >
>> > >> So if I am putting myself in the shoes of somebody who sets out to
>> do that - switch an existing SPA client (no backend)
>> >
>> > > I would like to ask you a question: how many SPAs w/o a backend have
>> you seen in your projects?
>> >
>> > SPA (html+js) utilizing a 3rd party api that requires authorization?
>> > If you do have a backend, aren't you better of handling the token
>> request on the backend as pointed out here
>> >
>> https://github.com/aaronpk/oauth-browser-based-apps/blob/master/oauth-browser-based-apps.md#javascript-app-with-a-backend-component
>>
>> I agree.
>>
>> > My point of putting (no backend) in parenthesis was to not derail this
>> discussion and of course it had the opposite effect.
>> >
>>
>> You know, I you says „don’t look at the green car“ will cause everyone
>> looking for it :-) It asked just out of curiosity.
>>
>> > >> Is that fair or is that too much of a shortcut? I am familiar with
>> the specs you've referenced and have looked at them again, but dealing with
>> a SPA, some of the recommendations are not feasible (can't authenticate the
>> client,
>> >
>> > > You could using dynamic registration (see other thread). The
>> protection would only differ from refresh token rotation if you would use
>> public key crypto for client authentication.
>> >
>> > Good point. How well is dynamic registration supported across AS?
>>
>> I leave that to the vendors :-)
>>
>> >
>> > >> confidentiality in storage? - not sure how to read that in the
>> context of a browser)
>> >
>> > > How do you ensure confidentiality of session cookies?
>> >
>> > All I am trying to say is that I think context is important here. So
>> when you point out these best practices, some of them will get people
>> confused as far as what it means in the browser based app scenario.
>>
>> That’s why we have the more general Security BCP and client-specific
>> BCPs, like for native apps (https://tools.ietf.org/html/rfc8252) and the
>> new BCP for SPAs Aaron started to work on.
>>
>> > Maybe it is just me :)
>>
>> thanks for raising the question! We need this kind of input to govern the
>> development of our specs.
>>
>> kind regards,
>> Torsten.
>>
>> >
>> > >
>> > > On Tuesday, December 4, 2018, 2:08:55 PM GMT+1, Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>> > >
>> > >
>> > > Hi Tomek,
>> > >
>> > > > Am 04.12.2018 um 09:50 schrieb Tomek Stojecki <tstojecki=
>> 40yahoo.com@dmarc.ietf.org>:
>> > > >
>> > > > I agree with Vittorio, Dominick et al.
>> > > >
>> > > >> I disagree.
>> > > >
>> > > >> Existing deployments that have not mitigated against the concerns
>> with implicit should be ripped up and updated.
>> > > >
>> > > > Yes, just like future deployments that will not mitigate against
>> the concerns of code in the browser should be a concern.
>> > >
>> > > I agree. That’s why I pointed point yesterday that the Security BCP
>> also defines obligations for clients using code.
>> > >
>> > >
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1
>> > >
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1
>> > >
>> > > >
>> > > > Can somebody on the other side of the argument (and I hate to make
>> it sound like there are two sides, because we're on the same side as far as
>> Implicit's AT in front-channel is a real issue) address Dominic's comment:
>> > > >
>> > > >> Also - simply saying “implicit is evil - switch to code” means for
>> most people also using refresh token - so we are treating access tokens in
>> the URL with refresh tokens in session storage (over simplified - but you
>> get the idea).
>> > > >
>> > > > Does the group agree|disagree that a recommendation to switch to
>> code should be made as long as it is followed by an explanation and
>> guidance on what to do with RTs? The ideas that were floated around
>> > > > - Token bound RTs (even though it was pointed out that token
>> binding is still considered an emerging standard). So should the
>> recommendation than say "switch to code and MUST use token bound RTs"?
>> > > > - Have AS not release RTs. "Switch to code and DO NOT request RTs"?
>> Or switch to code and configure AT to not release RTs for this type of
>> client (not sure what that even looks like in a form of a 3rd party
>> clients)?
>> > > > - RTs short lived and bound to a session - "Switch to code as long
>> as AT can bind and revoke RTs when you log out“
>> > >
>> > > Basically, the AS does not need to issue refresh tokens. If the AS
>> does not issue refresh tokens, the integration pattern for SPAs does not
>> change (beside the code exchange). If the client needs a new access token,
>> it will perform another authorization request.
>> > >
>> > > If it does, this adds another layer of security because it allows the
>> client to frequently obtain new access tokens, which can be short-lived and
>> scope restricted.
>> > >
>> > > The refresh tokens should be replay protected by issuing new refresh
>> tokens with every refresh and detect replay for refresh tokens belonging to
>> the same grant.
>> > >
>> > > The AS may additionally bind refresh tokens to AS sessions, but as it
>> was pointed out by Annabelle and others, there are some implications to be
>> understood and managed in that context.
>> > >
>> > > You may find more text about refresh tokens in the Security BCP
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-3.12
>> > >
>> > > kind regards,
>> > > Torsten.
>> > >
>> > >
>> > > >
>> > > > Sorry if I have missed an important detail from the list above,
>> people who have proposed these ideas, feel free to clarify.
>> > >
>> > > >
>> > > > On Monday, December 3, 2018, 10:51:00 PM GMT+1, Dick Hardt <
>> dick.hardt@gmail.com> wrote:
>> > > >
>> > > > I disagree.
>> > > >
>> > > > Existing deployments that have not mitigated against the concerns
>> with implicit should be ripped up and updated.
>> > > >
>> > > > For example, at one time, I think it was Instagram that had
>> deployed implicit because it was easier to do. Once the understood the
>> security implications, they changed the implementation.
>> > > >
>> > > > BCPs are rarely a response to a new threat, their are capturing
>> Best Current Practices so that they become widely deployed.
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=
>> 40pingidentity.com@dmarc.ietf.org> wrote:
>> > > >> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are
>> saying here. And that was kind of behind the comment I made, or tired to
>> make, about this in Bangkok, which was (more or less) that I don't think
>> the WG should be killing implicit outright but rather that it should begin
>> to recommend against it.
>> > > >>
>> > > >> I'm not exactly sure what that looks like in this document but
>> maybe toning down some of the scarier language a bit, favoring SHOULDs vs.
>> MUSTs, and including language that helps a reader understand the
>> recommendations as being more considerations for new
>> applications/deployments than as a mandate to rip up existing ones.
>> > > >>
>> > > >>
>> > > >>
>> > > >> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com>
>> wrote:
>> > > >>>
>> > > >>> We just need to be sensitive to the spin on this.
>> > > >>>
>> > > >>
>> > > >> CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited...  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any file
>> attachments from your computer. Thank
>> you._______________________________________________
>> > > >> OAuth mailing list
>> > > >> OAuth@ietf.org
>> > > >> https://www.ietf.org/mailman/listinfo/oauth
>> > > >>
>> > > > _______________________________________________
>> > > > OAuth mailing list
>> > > > OAuth@ietf.org
>> > > > https://www.ietf.org/mailman/listinfo/oauth
>> > > >
>> > > > _______________________________________________
>> > > > OAuth mailing list
>> > > > OAuth@ietf.org
>> > > > https://www.ietf.org/mailman/listinfo/oauth
>> > > _______________________________________________
>> > > OAuth mailing list
>> > > OAuth@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/oauth
>>
>>

v2.23.0 | Report a Bug | By Email