[OAUTH-WG] Conclusion ... OAuth Security Topics -- Recommend authorization code instead of implicit
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 17 December 2018 20:59 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4CC129AB8 for <oauth@ietfa.amsl.com>; Mon, 17 Dec 2018 12:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uHHlpNHiZo4n for <oauth@ietfa.amsl.com>; Mon, 17 Dec 2018 12:59:07 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40048.outbound.protection.outlook.com [40.107.4.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55C81126F72 for <oauth@ietf.org>; Mon, 17 Dec 2018 12:59:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CI70eZFEW3rEyp3rvB6hWKzNidgy2PPvHnACvUYkmnY=; b=FQgB9zX9blxvL9+n6GrbIguS5a2nCkmU0h13wxAaS7jlkMDOKQm/xXnrBpPV3mUl+E57hEPz8iMV0gEWUPDqY7ATQrpPTarjQBFeYjAc0CyN88CiPiUHvAhCg4Nz28Ze2WUE0c2MtvdWDFTnVd+v4D5t6s5cobMBlnrfkzDNEas=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1728.eurprd08.prod.outlook.com (10.168.67.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1425.20; Mon, 17 Dec 2018 20:59:04 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::e8de:6a41:cbf4:89d8]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::e8de:6a41:cbf4:89d8%3]) with mapi id 15.20.1425.021; Mon, 17 Dec 2018 20:59:04 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: oauth <oauth@ietf.org>
Thread-Topic: Conclusion ... OAuth Security Topics -- Recommend authorization code instead of implicit
Thread-Index: AdSWSzJyGDZIjF5pR62PcCDRCOzeTA==
Date: Mon, 17 Dec 2018 20:59:04 +0000
Message-ID: <VI1PR0801MB2112029552C678D8D75C327AFABC0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.114.221]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1728; 6:FABxggHPeBmc34RNElShC32Y63D5Yq4PfI/ziVsrPGQDzTFL/oTbF8pXFLm8GFT6LarPYF6o4DxyMECcnLjxzpbQVGxoNO5G4YF+6p30SUHsmo9Swes8G31J6bEo3jCzXyy9qV+eRifeWMIAkOVCTsJ72QZnGEm9I1HyFBXmFw4w3w+IIF2SQyj56tjgpnp39YmcqIjJ7fngwxmkfa+KT7qZC2B1zO2sETy059un96fpDS1t4ek4szoqTBI68c2Tq2Z6GcESrbse0e4cYmlplGzNA2F+LkzKEj5NtlaK4ovZcwLv1hO/ArI2m2Xj5N4zT+mn/bm62no6kPsaulfMQ205PH03tR0NQ/wZOzfwdMIydcIw2jTnp75WhyMNM8rIFm+1xNUkOzyjUuY2MCIRQMQyTmuHu+I1d83F2cOszIzPDf6ObpXyZFqzdAcd5u0rPBiaokR12+BVIuCR0eMQ9w==; 5:QyjWcCTgkJQvOssGaVn03S5HWckpTcK7Kkqawccs2i/ssFAfgBBNv1dqznthGtgWYapewFdDyba8jYgAyiyf20mAb919La+GD08h0D7HdzxyqS9sX+CB7BL4GtVUDP7dT7NolxbFRTIidR8F5fkTxnajzrE+F03t6Hcwt/HN0PM=; 7:pxfZoRLucPh+X6Elrd9u9V3RrgrHtG2/qbr47DjSSzsFcAvz9/KeOoAEFnOnEN+HPa6E1FJSZDf+X8U/iHg+fhoHYsEMbbm7Ual144zTQuCngp2yu8qKiSa+VIXokN93BcC+3Wwhq+md0RveU0QPqQ==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 4a771e2d-db6c-4281-8b4e-08d664627a65
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1728;
x-ms-traffictypediagnostic: VI1PR0801MB1728:
x-microsoft-antispam-prvs: <VI1PR0801MB172869C1D336E6C016A83478FABC0@VI1PR0801MB1728.eurprd08.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(6040522)(2401047)(5005006)(8121501046)(3002001)(10201501046)(3231475)(944501520)(52105112)(93006095)(93001095)(6055026)(148016)(149066)(150057)(6041310)(20161123564045)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:VI1PR0801MB1728; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1728;
x-forefront-prvs: 08897B549D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(366004)(346002)(396003)(39860400002)(376002)(53754006)(40434004)(189003)(199004)(68736007)(10710500007)(7696005)(2906002)(71190400001)(790700001)(99286004)(3846002)(6116002)(6306002)(9686003)(74316002)(5024004)(236005)(486006)(14454004)(81156014)(7110500001)(53936002)(54896002)(8676002)(966005)(478600001)(5660300001)(97736004)(6436002)(606006)(8936002)(256004)(102836004)(316002)(561944003)(33656002)(81166006)(2420400007)(476003)(72206003)(15650500001)(55016002)(14444005)(7736002)(6916009)(6506007)(53546011)(71200400001)(26005)(66066001)(105586002)(186003)(86362001)(66574012)(25786009)(106356001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1728; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: tfwXbt+qBdMZ4aACvcZKnst4/kAYwJsAqmF0sL9Ng2BFJlDolJsuLO5fOq9HrsaTuqZXwaNCXU0Gk+pyxDjD6PRdAbslxR76/t4tEtWodyWjmeIE0bDqezGan+Kzc6AzFNCrtKuIRBHv8Q84cVsHVdPa7uHyprEokeTCUKLYNvFO0JppfBG3DT5sjRgSISREsb8aKqkm2ksWRnu8jh2BXOtvzTgJ71UqE8p5E7a9WropdAgcRpHZ5uXpQms7ANJxRsbQYIQUpaMHSCePNRohkhkYPD4QBq5UFP69CoZ3ePZnP0/M131B7W+EkC4AWRpx
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB2112029552C678D8D75C327AFABC0VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4a771e2d-db6c-4281-8b4e-08d664627a65
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2018 20:59:04.1770 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1728
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/11SzRT70WqBbdqsR1ymdePcOG5w>
Subject: [OAUTH-WG] Conclusion ... OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 20:59:11 -0000
Hi all, Rifaat and I went through the discussion in an effort to judge the outcome. First, we would like to thank you all for your input. Torsten, as the editor of the OAuth Security BCP, got lots of good feedback. Second, there is strong support recommending against the implicit grant and the response types "token id_token" and "code token id_token" for all future applications. For already deployed applications please do your threat analysis and make your own judgement. Here is a proposal for the new text in Section 2.1.2 of the Security BCP: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10 ---- 2.1.2. Implicit Grant The implicit grant (response type "token") and other response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage and access token replay as described in Section 3.1, Section 3.2, Section 3.3, and Section 3.6. Moreover, no viable mechanism exists to cryptographically bind access tokens issued in the authorization response to a certain client as it is recommended in Section 2.2. This makes replay detection for such access tokens at resource servers impossible. In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or any other response type issuing access tokens in the authorization response, such as "token id_token" and "code token id_token", unless the issued access tokens are sender-constrained and access token injection in the authorization response is prevented. A sender constrained access token scopes the applicability of an access token to a certain sender. This sender is obliged to demonstrate knowledge of a certain secret as prerequisite for the acceptance of that token at the recipient (e.g., a resource server). Clients SHOULD instead use the response type "code" (aka authorization code grant type) as specified in Section 2.1.1 or any other response type that causes the authorization server to issue access tokens in the token response. This allows the authorization server to detect replay attempts and generally reduces the attack surface since access tokens are not exposed in URLs. It also allows the authorization server to sender-constrain the issued tokens. ---- There was a lot of feedback for advice on how to implement OAuth with single-page applications. Aaron has been working on a draft and we are planning to start a call for adoption. This document will be a natural home for describing solutions. Here is the link to the draft: https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02 Ciao Hannes & Rifaat PS: We would like to remind you about the upcoming OAuth Security Workshop in Stuttgart/Germany (March 20-22, 2019) where we will speak about the above-mentioned topics and much more. Here is the link: https://sec.uni-stuttgart.de/events/osw2019 From: Hannes Tschofenig Sent: Montag, 19. November 2018 11:34 To: oauth <oauth@ietf.org> Subject: OAuth Security Topics -- Recommend authorization code instead of implicit Hi all, The authors of the OAuth Security Topics draft came to the conclusion that it is not possible to adequately secure the implicit flow against token injection since potential solutions like token binding or JARM are in an early stage of adoption. For this reason, and since CORS allows browser-based apps to send requests to the token endpoint, Torsten suggested to use the authorization code instead of the implicit grant in call cases in his presentation (see https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01). A hum in the room at IETF#103 concluded strong support for his recommendations. We would like to confirm the discussion on the list. Please provide a response by December 3rd. Ciao Hannes & Rifaat IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [OAUTH-WG] Conclusion ... OAuth Security Topics -… Hannes Tschofenig