IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

Jim Manico <jim@manicode.com> Fri, 09 September 2016 00:58 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03ED12B313 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 17:58:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RQXd58lVQ0Z9 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 17:58:06 -0700 (PDT)
Received: from mail-pa0-x22e.google.com (mail-pa0-x22e.google.com [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7110A12B312 for <oauth@ietf.org>; Thu, 8 Sep 2016 17:58:06 -0700 (PDT)
Received: by mail-pa0-x22e.google.com with SMTP id to9so22440503pac.1 for <oauth@ietf.org>; Thu, 08 Sep 2016 17:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=GoJCuI0+Pir2kO+Fc4RwFuWDUKbyGmHSMjtrTlXkpWg=; b=Ckv6dVYCeo7vDDwSvVKKoI38Ao1PM111E4cfApp20TykspEY1WN1k1eiSTOVMByGpG Vv5TaGdL5Fsl5x5k9nG3bO99maMzjNsHsDIDQ0sHuSEocNmg/ovOThHAb8olQtB3aTNP EGow33IFi07qW/yN0djJJYGOtkB2seq1P9gRsSgtYWslTYiRmlXe34ftsEO2AKA913UK EQrkXWUD40PADeSMmomwh9RKTt3wYu/q+RDn9N8eRW96zth5zexDVedeioh2rofbz0eO KKU4dwgsowT6rbT5dYdE5vYPJnnsjDoMN9XoUI3eJy+HOBp9CpAqpCcogBEKmmBQtYCN eQPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=GoJCuI0+Pir2kO+Fc4RwFuWDUKbyGmHSMjtrTlXkpWg=; b=O1C8PkK6V4s3lPJCZfOlkv+K+bksYd/HFuD0P4HyR0GVPKNGB0qNmqeiPe1okYFvFE BlVJB41AJFi1J/ZqdI6PG7n4I/DgAHVLHVOFdOfhiXmV//KJUEyk9Rh4ltDlX5lKydlf vIPw/LNUHXMnPZkIXonCaKrd/8rIvN97+UY+Ysxpw+0dEIYFHXCYa5e2tOH24GoQd1Zn JKgNaHAj4PkR5cRF1mBFKRVAj3+HKq/+zvMFZnusUcdzjXVRQZv4E6YJB7H5fXirnJnu oNmrb9YjUEPB1Fkz0+l1oHcX+7br887Dh00gT/GlwpOv+zJsWAugq+IPFoQsF/I0bjgR xsWg==
X-Gm-Message-State: AE9vXwOVD2BUXUSPPM8pwJnP07vQTfZIfn+6gcEdKq+CjknXdMcwPTk0ps5FeydNA8SPvFte
X-Received: by 10.66.85.196 with SMTP id j4mr1615570paz.40.1473382685779; Thu, 08 Sep 2016 17:58:05 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:3ccb:e369:74b0:50fc]) by smtp.googlemail.com with ESMTPSA id f62sm491111pfj.75.2016.09.08.17.58.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Sep 2016 17:58:03 -0700 (PDT)
To: Oleg Gryb <oleg@gryb.info>, John Bradley <ve7jtb@ve7jtb.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com> <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com> <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com> <3be430fb-afe7-ab94-1369-7fcdfdedec0b@manicode.com> <951244384.2140569.1473382448817@mail.yahoo.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <8dceec1a-8f32-7ab3-449f-0d2e5f303258@manicode.com>
Date: Thu, 08 Sep 2016 14:58:01 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <951244384.2140569.1473382448817@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="------------6896E3AD1FDC0DE7F1AED19F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jq3ijcVy7-TY8PIDShsHZgwi7Lg>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 00:58:08 -0000

> "keep away from implicit grants and do not store bearer tokens in the
browser" - that would be practically impossible for the envs that I was
writing about and "best practices"  that could not be enforced aren't
worth much. I can formulate it in stronger terms: if OAuth wouldn't
allow a JS client running in a browser its usability will be very low.

Are you sure you're not talking about OIDC or JWT's? The piece of advice
above is regarding using OAuth for delegation per the core spec. Advice
for Federation (OIDC) and advice for session management (putting JTW's
in cookies) would be different that recommending how to use OAuth for
delegation securely.

Fair?

- Jim


On 9/8/16 2:54 PM, Oleg Gryb wrote:
> "keep away from implicit grants and do not store bearer tokens in the
> browser" - that would be practically impossible for the envs that I
> was writing about and "best practices"  that could not be enforced
> aren't worth much. I can formulate it in stronger terms: if OAuth
> wouldn't allow a JS client running in a browser its usability will be
> very low.
>
> What could and should be improved in implicit grants is removing
> secrets from URL (fragment). That could be done as I've shown in the
> previous discussions.
>
>
>     ------------------------------------------------------------------------
>     *From:* Jim Manico <jim@manicode.com>
>     *To:* John Bradley <ve7jtb@ve7jtb.com>
>     *Cc:* Oleg Gryb <oleg@gryb.info>; Adam Lewis
>     <adam.lewis@motorolasolutions.com>; OAuth WG <oauth@ietf.org>
>     *Sent:* Thursday, September 8, 2016 3:51 PM
>     *Subject:* Re: [OAUTH-WG] best practices for implicit grant /
>     token storage
>
>     +1000 on a OAuth Security Best Practices document. I'd be happy to
>     review or help some.
>     I think right now the answer is: keep away from implicit grants
>     and do not store bearer tokens in the browser. Instead, use the
>     authorization code grant which only exposes bearer tokens
>     intra-server.
>     For /*web apps*/, I feel the only good place to store
>     authentication, session or token information is in a HTTPOnly
>     flagged cookie to keep JS away from sensitive information.
>
>     Aloha, Jim
>
>
>     On 9/8/16 12:38 PM, John Bradley wrote:
>     It is an interesting discussion, indicating that perhaps a best
>     practices document is in order.
>
>     I have had several people ask me about SPA using OAuth recently.
>
>     Until we get the W3C to finish fetch and extend it for token
>     binding, we are going to have ongoing issues with bearer tokens in
>     the browser and where to store them.
>
>     I don’t know that there is a perfect solution for bearer tokens,
>     but documenting the tradeoffs may be useful.
>
>     John B.
>
>>     On Sep 8, 2016, at 6:07 PM, Jim Manico <jim@manicode.com
>>     <mailto:jim@manicode.com>> wrote:
>>
>     +1 I think that's a very fair perspective.
>     Putting sensitive data in LocalStorage is still a very bad idea.
>     :) One XSS and gone. Maybe XSS is not a big deal in a native app,
>     but it's death to Web apps.
>     Aloha, Jim
>
>     On 9/8/16 10:20 AM, Oleg Gryb wrote:
>>     In SPA/REST env session ID is not very useful, so it's *an* auth
>>     token or tokens (not necessary OAuth one) that are stored in a
>>     cookie. It's used to get REST calls authenticated and yes, it
>>     usually runs in a multi-domain envs (think about micro services
>>     architecture). It makes me think that the value of HTTPOnly will
>>     continue diminishing, while the value of good cross-domain
>>     policies will increase. Just my opinion coming from my
>>     experience. I don't have big (or small) data available to confirm
>>     that.  
>>
>>
>>         ------------------------------------------------------------------------
>>         *From:* Jim Manico <jim@manicode.com> <mailto:jim@manicode.com>
>>         *To:* Oleg Gryb <oleg@gryb.info> <mailto:oleg@gryb.info>;
>>         Adam Lewis <adam.lewis@motorolasolutions.com>
>>         <mailto:adam.lewis@motorolasolutions.com>
>>         *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>>         *Sent:* Thursday, September 8, 2016 12:51 PM
>>         *Subject:* Re: [OAUTH-WG] best practices for implicit grant /
>>         token storage
>>
>>         > Since SPA is a new normal now, it becomes extremely
>>         difficult to enforce HTTPOnly flag, because JS needs access
>>         to secrets including those stored in cookies.
>>         In a browser environment, this is only true when you need to
>>         make cross domain requests or are using cookie data for
>>         something other than session state.
>>         If your current page origin and the page you are requesting
>>         are the same, then your cookies can be HTTPOnly without
>>         impacting functionality. If you need additional cookies for
>>         other things that need to be accessed via JS, use a separate
>>         cookie.
>>         So sure, there are a few workflows in OAuth where you need to
>>         access "cookie data" from JS and HTTPOnly is not viable. But
>>         there are a few where it is viable. I don't think it's as
>>         simple as "we need to talk to cookie data via JS all the time.".
>>         Aloha, Jim
>>         On 9/8/16 8:15 AM, Oleg Gryb wrote:
>>>         Jim,
>>>
>>>         It's outdated a bit. Since SPA is a new normal now, it
>>>         becomes extremely difficult to enforce HTTPOnly flag,
>>>         because JS needs access to secrets including those stored in
>>>         cookies. 5-10 years ago I would always enforce HTTPOnly and
>>>         now - I can't.
>>>
>>>         Thanks,
>>>         Oleg.
>>>
>>>             ------------------------------------------------------------------------
>>>             *From:* Jim Manico <jim@manicode.com>
>>>             <mailto:jim@manicode.com>
>>>             *To:* Adam Lewis <adam.lewis@motorolasolutions.com>
>>>             <mailto:adam.lewis@motorolasolutions.com>
>>>             *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>>>             *Sent:* Thursday, September 8, 2016 10:45 AM
>>>             *Subject:* Re: [OAUTH-WG] best practices for implicit
>>>             grant / token storage
>>>
>>>             In the web world, cookies for session identifiers are
>>>             much safer - since we can use HTTPOnly cookies to
>>>             protect them from theft via XSS. The same mechanism is
>>>             not possible for localStorage. Overall, security folk
>>>             say •keep sensitive data out of localStorage• since one
>>>             XSS and it's stolen. There is also a huge body of work
>>>             underway to make secure cookies even more so.
>>>
>>>             I'm not sure how this translates to native apps.
>>>
>>>             --
>>>             Jim Manico
>>>             @Manicode
>>>
>>>             On Sep 8, 2016, at 3:02 AM, Adam Lewis
>>>             <adam.lewis@motorolasolutions.com
>>>             <mailto:adam.lewis@motorolasolutions.com>> wrote:
>>>
>>>>             Hi,
>>>>
>>>>             The WG is currently putting together best practices for
>>>>             native apps.  I would like to better understand the
>>>>             best practices around ua-based-apps, especially as it
>>>>             relates to token storage.  I've read various blog posts
>>>>             about the preference between storing tokens in cookies
>>>>             vs.  Web Storage (localStorage/sessionStorage).  The
>>>>             current set of specs are rather silent on the matter,
>>>>             as it is more of an implementation issue (but that is
>>>>             where most mistakes are made).
>>>>
>>>>             What is the WG's guidance on this?
>>>>             _______________________________________________
>>>>             OAuth mailing list
>>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>             _______________________________________________
>>>             OAuth mailing list
>>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>>         -- 
>>         Jim Manico
>>         Manicode Security
>>         https://www.manicode.com <https://www.manicode.com/>
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>     -- 
>     Jim Manico
>     Manicode Security
>     https://www.manicode.com <https://www.manicode.com/>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>     -- 
>     Jim Manico
>     Manicode Security
>     https://www.manicode.com <https://www.manicode.com/>
>
>
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email