IETF Logo Mail Archive

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment

David Waite <david@alkaline-solutions.com> Sun, 09 December 2018 08:00 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61361130EF1 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 00:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8a9XQ8JJ87B for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 00:00:23 -0800 (PST)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [173.255.196.46]) by ietfa.amsl.com (Postfix) with ESMTP id 55B1813101E for <oauth@ietf.org>; Sun, 9 Dec 2018 00:00:23 -0800 (PST)
Received: from [IPv6:2601:282:202:b210:d129:b249:15c0:63a8] (unknown [IPv6:2601:282:202:b210:d129:b249:15c0:63a8]) by alkaline-solutions.com (Postfix) with ESMTPSA id 5CB1A31682; Sun, 9 Dec 2018 08:00:22 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <F9914ABE-3C3F-4BCE-B623-AECF18E737F9@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3624627A-ADFE-47A6-AAED-B80E59A428B8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sun, 09 Dec 2018 01:00:21 -0700
In-Reply-To: <d34d9d15-6b50-4b1e-8483-80f0ab709a98@getmailbird.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth@ietf.org
To: Brock Allen <brockallen@gmail.com>
References: <6d88c55a-a300-47ff-af77-8fdb7dcfbc25@getmailbird.com> <CAGBSGjrj95i97mVDJq7jDA0DsLH-NasiH+E0nqc+6XjL-mnt4Q@mail.gmail.com> <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com> <CAGBSGjqQPRUe+AhzoRcTGf5MTOATd-875JG90RcRQ+2Hoy2wyg@mail.gmail.com> <d34d9d15-6b50-4b1e-8483-80f0ab709a98@getmailbird.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/na7oO9LrKOVs7BSTf5R15AMOj9Y>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 08:00:26 -0000

I assume the original post meant response_mode, not response_type.

Fragments have their own data leakage problems, in particular they are preserved on 3xx redirects (per https://tools.ietf.org/html/rfc7231#section-7.1.2 <https://tools.ietf.org/html/rfc7231#section-7.1.2>). The form_post mode is the safest, but unfortunately was not defined in the original specifications so it doesn’t have as widespread support.

In the absence of a response_mode RFC, I would typically suggest both killing the code in the referrer as part of processing, and a server-wide Referrer Policy of never or origin (as those have reasonably broad support) as server-wide response headers are easier to operationally audit.

-DW

> On Dec 8, 2018, at 3:53 PM, Brock Allen <brockallen@gmail.com> wrote:
> 
> Not pure OAuth. This only came up as a question while I was implementing code flow/pkce for oidc-client-js.
> 
> I can appreciate not expanding the current OAuth2 behavior in the BCP, so that's fair. I only wanted to mention it in case it had not been considered.
> 
> Having said that, I think I will implement an optional response_type in my code flow/pkce to allow fragment, but default to query (as that's the default for pure code flow).
> 
> -Brock

v2.23.0 | Report a Bug | By Email