IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Browser-based Apps

Aaron Parecki <aaron@parecki.com> Thu, 10 August 2023 15:22 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD792C151094 for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 08:22:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ruWGFO_CypG for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 08:22:22 -0700 (PDT)
Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30AA8C14F736 for <oauth@ietf.org>; Thu, 10 Aug 2023 08:22:21 -0700 (PDT)
Received: by mail-ua1-x92b.google.com with SMTP id a1e0cc1a2514c-7996fe1c31bso353636241.3 for <oauth@ietf.org>; Thu, 10 Aug 2023 08:22:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1691680940; x=1692285740; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Jn7ei/ZFWSQjzIczIFGQFQwPk2hitYz256VSJDlvDxY=; b=E2nv77BTVPZ/2eqylc3IeRmVziwENP0eLnlP512iv8g2ZqPWfueIYojvpkz+EBI06E q4JS8XL+8SVe9hYgF28B+71Ij1yPybtSqmY5qTWcd+yhD26PlvNSjRHwDjzT0SU5Z8cp BglqwbX42Mo8OrVfK9by7NiRcjvQqDSffKXa7eP+KOGc1qdLwfP6dUD/PDFcxQx0ykK4 TjursrG9fE96hTKwK+cqcN8YmphrPbtn0hwHsQGKjQjyZUB5/E+qTTjmumgVt/CbaD8f OxSamUYNBRCb0B0H0ttb55aK52u4g3hBGI8SS5ZCzW6YBnqLtse+ZQdmaoqrXNSCtwYI 9LuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691680940; x=1692285740; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Jn7ei/ZFWSQjzIczIFGQFQwPk2hitYz256VSJDlvDxY=; b=EnMMGqAeLTUaWgQdAdcNcKgiQwBW92sdhuk0/5jyUcWpu7JALc0oj6wGuu5e4DN1L+ OOODLIaRQyEgsZuEuNDwGm9nRSlUYn3iuU5TJEIDtKFvXverSnxJY8eRj6C/SZYt6KaK neQrzTsldCCeyMqhQLxe4+pZm1Euf0uo2PnwUYRlLb4e5uLKzIkU8Vb5kHft7xymZXLD IK+DSVZn+KX9RIE5p6B8jp5S3F7BgVIs5oBdOI4ECFAb2nscJcngOTPcyKoEvhcwAq6O FRoSPI68dmKgQOXBJoSuihUnvuTsav2L3bQBUg6ez+XsKJT0fA+0v3eipzH58OvkJ0Mt m/hw==
X-Gm-Message-State: AOJu0Ywp5zdNvxzf1oFCjuH8WWnXf/xtLlhdwYVZFOs7zdZkiHOu4j+z Xf2SCnSGnLkAWX9UUBcJYENMDWRHpwNpIuHWSJ0=
X-Google-Smtp-Source: AGHT+IE2eow7CJT5Kg4nOehRmdDfoXeY6ws9fmGfb4BPoJ3sCmBw3MN4LU04pGunz54w3GINhbuIbQ==
X-Received: by 2002:a67:bb17:0:b0:443:5bec:a2fd with SMTP id m23-20020a67bb17000000b004435beca2fdmr2169603vsn.18.1691680940225; Thu, 10 Aug 2023 08:22:20 -0700 (PDT)
Received: from mail-vk1-f176.google.com (mail-vk1-f176.google.com. [209.85.221.176]) by smtp.gmail.com with ESMTPSA id j23-20020a9f3097000000b0079b1546c63fsm239122uab.34.2023.08.10.08.22.19 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 10 Aug 2023 08:22:19 -0700 (PDT)
Received: by mail-vk1-f176.google.com with SMTP id 71dfb90a1353d-48719fc6b18so414678e0c.1 for <oauth@ietf.org>; Thu, 10 Aug 2023 08:22:19 -0700 (PDT)
X-Received: by 2002:a05:6102:1d0:b0:447:55b0:bceb with SMTP id s16-20020a05610201d000b0044755b0bcebmr2040797vsq.0.1691680939451; Thu, 10 Aug 2023 08:22:19 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9gdt6NiaiMiqaM3mbjb44dRfECBnSgrkCg0DLa+w1fEg@mail.gmail.com> <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com> <Mailbird-5be7989f-8d0b-49d9-afb7-b5dbdc4085fa@gmail.com>
In-Reply-To: <Mailbird-5be7989f-8d0b-49d9-afb7-b5dbdc4085fa@gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 10 Aug 2023 08:22:08 -0700
X-Gmail-Original-Message-ID: <CAGBSGjqoD+FAnm2n+rng9fKRPxN-LgKoJJYFGjYnvrA7qLhU_Q@mail.gmail.com>
Message-ID: <CAGBSGjqoD+FAnm2n+rng9fKRPxN-LgKoJJYFGjYnvrA7qLhU_Q@mail.gmail.com>
To: Brock Allen <brockallen@gmail.com>
Cc: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000782e1706029329b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pIIRbVbiXQrFaULG2amdGzTCk_U>
Subject: Re: [OAUTH-WG] WGLC for Browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 15:22:27 -0000

Hi Philippe, I look forward to discussing this with you at the OAuth
Security Workshop later this month. Like I mentioned to you last year, I
want to make sure your concerns are adequately captured in the document.

The goal for this draft is not to present the one "best" architecture for
browser-based apps, since as you mentioned, there are many different ways
attacks can happen and different trade-offs with the different patterns.

As to Brock's comment, the point of this draft is to document the existing
established patterns *as well as their limitations* so that someone
implementing OAuth in browser-based apps knows the limits of the pattern
they are choosing. We are not saying that any given recommendation in this
draft has no possible attack vectors, since that's not the reality of the
world in browsers.

Aaron

On Thu, Aug 10, 2023 at 7:16 AM Brock Allen <brockallen@gmail.com> wrote:

> I agree with Philippe here.
>
> If there are already documented attack vectors working around the
> techniques presented in this document, then I worry it will give people a
> false sense of security if they follow the guidance contained therein.
>
> -Brock
>
> On 8/10/2023 2:51:35 AM, Philippe De Ryck <
> philippe@pragmaticwebsecurity.com> wrote:
> In my opinion, *this document is not ready to be published as an RFC*.
>
> In fact, I will be at the OAuth Security Workshop in two weeks to discuss
> exactly this (See "The insecurity of OAuth 2.0 in frontends" here:
> https://oauth.secworkshop.events/osw2023/agenda-thursday). My hope is
> that my presentation can spark the necessary discussion to identify a path
> forward to make the RFC useful for practitioners building browser-based
> apps.
>
> I don't have the resources available to write a lengthy email detailing my
> objections. I just want to point out that I've raised these points on the
> mailing list in the past, and there have been a couple of threads on this
> very list suggesting how to move this document forward (e.g., identify
> concrete threat models). I've also given a talk at NDC Security earlier
> this year (https://www.youtube.com/watch?v=OpFN6gmct8c) about how the
> security mechanisms proposed in this document fall short. This video has
> been posted to this list before as well.
>
> Here are a couple of suggestions that I believe would improve this
> document:
>
> - Clearly identify the danger of malicious JS (exfiltrating existing
> tokens is only one threat, and the most trivial one at that)
> - State the baseline achievable level of security in light of existing XSS
> vulnerabilities (i.e., session riding, where the attacker controls the
> frontend)
> - Identify different desired levels of security for a client application
> (e.g., a "public recipe app" vs "eHealth"). Existing work can help, such as
> the OWASP ASVS levels (
> https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)
> - Define which levels of security certain mechanisms can offer (e.g., RTR
> for level 1, TMI-BFF for level 2, BFF for level 3)
> - Remove unproven and overly complicated solutions (i.e., the service
> worker approach)
>
> As stated before, I'll be at OSW in London in 2 weeks and would be happy
> to discuss this further.
>
> Kind regards
>
> Philippe
>
> —
> *Pragmatic Web Security*
> *Security for developers*
> https://pragmaticwebsecurity.com
>
> On 30 Jul 2023, at 17:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> All,
>
> This is a *WG Last Call *for the* Browser-based Apps* draft.
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html
>
> Please, review this document and reply on the mailing list if you have any
> comments or concerns, by *August 11th*.
>
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email