Re: [OAUTH-WG] Confusion on Implicit Grant flow
"Reddick, Anwar" <Anwar.Reddick@gtri.gatech.edu> Mon, 09 February 2015 22:42 UTC
From: "Reddick, Anwar" <Anwar.Reddick@gtri.gatech.edu>
To: Bill Burke <bburke@redhat.com>, John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 09 Feb 2015 22:42:08 +0000
Message-ID: <e293564ad29d42bfab7e521afbd20a83@APATLISDMAIL02.core.gtri.org>
References: <BLUPR04MB6918C7701D0DB90B0FA6B0D95380@BLUPR04MB691.namprd04.prod.outlook.com> <CANSMLKFMUQsBfOo=i0ki8PF_8PjRf7W3t=PiPo7qnftN9gUyWg@mail.gmail.com> <54D91317.9010101@redhat.com> <1E340378-2D34-4AC8-906C-415EF025068E@ve7jtb.com> <54D91D87.8040303@redhat.com> <FD337176-C292-4688-9CFA-A3C7DF40FCA2@ve7jtb.com> <54D92A3C.4060106@redhat.com> <32B26B45-FB75-47DF-8E34-42943B13F0E0@ve7jtb.com>, <54D93578.9050105@redhat.com>
In-Reply-To: <54D93578.9050105@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hEW0KLh5ALg3Y4eeNyg4t7mLedo>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confusion on Implicit Grant flow
Hi Bill,

I'm not sure if I have permission to post to the OAuth list. Anyway, if your page that does the OAuth processing includes third-party scripts, then those scripts will probably have access to the code, client secret, and access token. I believe this concern is addressed in the security section of RFC 6749.

E. Anwar Reddick
Research Scientist
Georgia Tech Research Institute

----- Reply message -----
From: "Bill Burke" <bburke@redhat.com>
To: "John Bradley" <ve7jtb@ve7jtb.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Confusion on Implicit Grant flow
Date: Mon, Feb 9, 2015 5:33 PM

On 2/9/2015 5:03 PM, John Bradley wrote:
> OK, I don't know if the WG has discussed the issue of fragments in browser history.
>
> So you are trading off several round trips against the possibility of a token leaking in browser history or bookmark?
>

Yes, bookmarking tokens is a little scary, IMO, as we've already run into users bookmarking URLs with codes in them. Also, weren't there additional security vulnerabilities surrounding implicit flow? Maybe these were just the product of incorrect implementations; I don't remember, it was a while ago.

> One extension that Connect introduced was a "code id_token" response type that is fragment encoded. That would let you pass the code directly to the JS, saving two legs.
>

It looks like OIDC added a "response_mode" parameter where you can specify "query" or "fragment". Thanks for pointing this out!

Thanks for all the help.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
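The thread turns on where the authorization server puts the response (fragment for the implicit grant, query for the code grant, selectable with OIDC's response_mode) and on the token then lingering in browser history or a bookmark. The following is an added example, not code from the thread or from any of the participants' projects: a small browser-side client helper that reads the response from either location, checks the state parameter, and computes the URL a client should restore with history.replaceState once the token has been consumed, so the token is no longer in the address bar. It uses only the WHATWG URL API, so it also runs under Node. The URLs and the TOKEN_PLACEHOLDER/CODE_PLACEHOLDER values are constructed sample data, and the function names are this example's own.

```javascript
// Added example (not from the thread): consume an OAuth 2.0 redirect URI the
// way a browser-based client would, for both response_mode=fragment (implicit
// grant, RFC 6749 section 4.2) and response_mode=query (authorization code),
// then compute the scrubbed URL to put back in the address bar.

// Parameters that must not survive in history or a bookmark.
const SENSITIVE_PARAMS = ['access_token', 'id_token', 'code', 'state'];

// Where the authorization server placed the response: '#' fragment or '?' query.
function responseModeOf(redirectUrl) {
  const url = new URL(redirectUrl);
  if (url.hash.length > 1) return 'fragment';
  if (url.search.length > 1) return 'query';
  return 'none';
}

// Extract the response parameters from whichever location holds them.
// For the fragment case nothing here was sent to the server hosting the
// redirect URI: browsers strip '#...' before issuing the request, which is
// why the implicit grant uses it. The query case does reach the server.
function parseAuthorizationResponse(redirectUrl) {
  const url = new URL(redirectUrl);
  const mode = responseModeOf(redirectUrl);
  const raw = mode === 'fragment' ? url.hash.slice(1) : url.search.slice(1);
  const out = { mode };
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Accept the response only if its state matches the value the client stored
// before redirecting (the CSRF check of RFC 6749 section 10.12).
function acceptResponse(redirectUrl, expectedState) {
  const resp = parseAuthorizationResponse(redirectUrl);
  if (resp.error) throw new Error(`authorization error: ${resp.error}`);
  if (!expectedState || resp.state !== expectedState) {
    throw new Error('state mismatch: rejecting authorization response');
  }
  if (!resp.access_token && !resp.code) {
    throw new Error('no access_token or code in authorization response');
  }
  return resp;
}

// The URL to restore with history.replaceState(null, '', scrubbedUrl(...))
// once the response has been consumed: same page, sensitive parameters
// removed from both the query and the fragment. The replaceState call itself
// is browser-only and is left to the caller.
function scrubbedUrl(redirectUrl) {
  const url = new URL(redirectUrl);
  for (const p of SENSITIVE_PARAMS) url.searchParams.delete(p);
  if (url.searchParams.toString() === '') url.search = '';
  if (url.hash.length > 1) {
    const frag = new URLSearchParams(url.hash.slice(1));
    for (const p of SENSITIVE_PARAMS) frag.delete(p);
    const rest = frag.toString();
    url.hash = rest ? '#' + rest : '';
  }
  return url.toString();
}

// Constructed sample redirects; the token and code values are placeholders.
const IMPLICIT_REDIRECT =
  'https://client.example/cb#access_token=TOKEN_PLACEHOLDER&token_type=bearer&expires_in=3600&state=abc123';
const CODE_QUERY_REDIRECT =
  'https://client.example/cb?code=CODE_PLACEHOLDER&state=abc123';

// Run both flows with the state the client is assumed to have stored ('abc123').
function demo() {
  const implicit = acceptResponse(IMPLICIT_REDIRECT, 'abc123');
  const code = acceptResponse(CODE_QUERY_REDIRECT, 'abc123');
  return {
    implicitMode: implicit.mode,
    codeMode: code.mode,
    cleanedImplicit: scrubbedUrl(IMPLICIT_REDIRECT),
    cleanedCode: scrubbedUrl(CODE_QUERY_REDIRECT),
  };
}

console.log(demo());
```

Scrubbing the address bar only addresses the history and bookmark leak that John Bradley raised; it does nothing about the point Anwar makes above, that any third-party script loaded into the same page can read the fragment before (or after) the client does, and whatever the client stores afterwards. That exposure is a property of the page, not of the response mode.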