IETF Logo Mail Archive

Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00

Aaron Parecki <aaron@parecki.com> Thu, 30 July 2020 21:17 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574F53A0CEC for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 14:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5XL_uMzuyLz for <oauth@ietfa.amsl.com>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59DC23A0CEA for <oauth@ietf.org>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id t15so20792562iob.3 for <oauth@ietf.org>; Thu, 30 Jul 2020 14:17:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GvSZgreZQfNfRy1Ha1rX0bNauuZRkaSB6Hd2C2qPtcs=; b=LHXIrVodw6KO34dKs8r0qKfC4dP5ogjtf2BpNR/KPQh9EmIE9X6RQ+x8qXgA8s0C1q Dy6fV5Kc3g68DpBDgw1p+JJydNYyMljU1H5e7DhWtiwlbt4HGrCuQNXrEqkS98VImrPI oarGUc/51/JnALIgIcTmz++ZMXf1wlOaPhHxtv2xGb8fcbWzRgU9XtX3cFrKvoRJ7dc3 NbAKcoJdB/Q9sAQhTHkzmTeOJjqzH0V7F540KnlLD6z+Q8jR74vJDFYGdoVzu49vbfv8 x2XDFPNjGgr1F0+RkBpHJJM49ZMcx+3dUyPK1KuxMqYcSlOlV2jmIU3mICiedmkUtxWM qvwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GvSZgreZQfNfRy1Ha1rX0bNauuZRkaSB6Hd2C2qPtcs=; b=Ar6Pdtuz7iIDnfhHycTQFVUZBr26vWrpos/lEUQ3XLBgaaJpYPZQeW7RsC1Vy0coyZ 1F04yCgNzKJrjtTw7oyQWHJtJY5jflSPcC4kNIU7unthOI1qB/KaSfkzxAvciSpFLnmr YjTwV4l2unj7TorFXwtf+aH9lUtfsZhcN7MqXh4zCXQs7DAFDB9mVOshGfwXuahmfltu JjgJe9S1Y6N00130J44dFjm05rLshAEb2olUj9t0BDlaSormfqD3Jw84a4X0IunMY9gZ yDKVo+MKuAWYRSTjKHCBzOkpdGZ7cGYVU27Rvl7RB3MeLETaQcdf6FE3gsyouI/qR5RD iSVw==
X-Gm-Message-State: AOAM532Fpxo9+fexZdWSFDB0APy52uF08kEObK6CuTflPGnrhmukgC4K U6XvR5p6+AoNubuyjmnJW7afYlwnL1k=
X-Google-Smtp-Source: ABdhPJwETC3vfH9+53T7MW8O+9wl+bUEbtfG+6wP/QgjX892atCP2yKWf4qJssxqrOdpiYre+oHfuQ==
X-Received: by 2002:a05:6638:2401:: with SMTP id z1mr1308244jat.97.1596143818686; Thu, 30 Jul 2020 14:16:58 -0700 (PDT)
Received: from mail-il1-f179.google.com (mail-il1-f179.google.com. [209.85.166.179]) by smtp.gmail.com with ESMTPSA id t7sm2907110ili.2.2020.07.30.14.16.57 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
Received: by mail-il1-f179.google.com with SMTP id p16so12910174ile.0 for <oauth@ietf.org>; Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
X-Received: by 2002:a05:6e02:c21:: with SMTP id q1mr556189ilg.28.1596143817533; Thu, 30 Jul 2020 14:16:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uUeX2fKxz=Cn0ea2vcec-rEsGvjTRsYJgCcVrqQf8H3A@mail.gmail.com> <1842CB01-E0DE-4121-AFAF-B3BE749E55F0@manicode.com> <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com>
In-Reply-To: <CAD9ie-uYefVfBv_aNu2jnsu3q=uv8=Dir-nLKGEbaPH37hhnmw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 30 Jul 2020 14:16:46 -0700
X-Gmail-Original-Message-ID: <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
Message-ID: <CAGBSGjoXd-0WKCQoniwoRBBjOn-jfRBZMke=97B9LtNYu4wTjg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Jim Manico <jim@manicode.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000412f5d05abaf31d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pZwlmQ5uvK7nNJiMYHt0nH0R7Pc>
Subject: Re: [OAUTH-WG] Clarifying Bearer token usage OAuth 2.1 draft-ietf-oauth-v2-1-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 21:17:04 -0000

I have a draft from a coworker that defines a cookie response mode and
cookie bearer token usage. It's something we've considered bringing to the
working group but haven't actually proposed yet. Is this the kind of thing
you're talking about?

https://github.com/jaredhanson/draft-oauth-cookie-response-mode/blob/master/spec.txt

This looks like a good starting point and I am happy to work with Jared on
refining this.

---
Aaron Parecki
https://aaronparecki.com
https://oauth2simplified.com

On Thu, Jul 30, 2020 at 1:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I hear you Jim, but it is not so much rules, as expectations and
> expediency.
>
> There may be significant debate on how to do the feature. You would not
> want to hold up the OAuth 2.1 document for that would you? There are other
> documents already in flight -- which other ones should OAuth 2.1 wait for?
>
> Reducing the "20 standards" to one document was the goal of OAuth 2.1.
>
> Having said that, if members of the working group want to get working on
> this feature, and if it is completed quickly, it could be referenced or
> included in OAuth 2.1 depending on the relative timing.
>
> /Dick
>
>
>
>
> ᐧ
>
> On Thu, Jul 30, 2020 at 1:47 PM Jim Manico <jim@manicode.com> wrote:
>
>> I politely encourage the rules to be bent and to integrate this basic but
>> fundamental security control into the core standard.
>>
>> This is just basic security; we want as much basic security in the core
>> of any standard. Dev’s now need to read 20 standards to get OAuth2
>> basics... and that’s a barrier to entry.
>>
>> --
>> Jim Manico
>> @Manicode
>>
>> On Jul 30, 2020, at 3:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> 
>> One of the constraints of the OAuth 2.1 document that aligned the WG was
>> it would have no new features.
>>
>> I'd recommend a separate document for the cookie bearer token feature.
>>
>> ᐧ
>>
>> On Thu, Jul 30, 2020 at 12:15 PM Jim Manico <jim@manicode.com> wrote:
>>
>>> Yea to cookie configuration suggestions!
>>>
>>> I suggest SameSite=LAX at least, which is actually the default behavior
>>> in chrome if you do not set the samesite value. LAX will not break links
>>> that originate from emails, STRICT will.
>>>
>>> Point being is that CSRF defense is easy. XSS defense is brutally hard
>>> in apps with complex UI’s!
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>>
>>>
>>> On Jul 30, 2020, at 1:13 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>>
>>> 
>>>
>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>>> certainly a trade-off. But CSRF is much easier to defense against that XSS
>>>> and cookies are a better choice if the specific risk of having tokens
>>>> stolen via XSS matters to your threat model.
>>>
>>>
>>> I would assume if we included cookie language, it would explicitly
>>> specify *Secure; HttpOnly; SameSite=Strict* as the recommendation, and
>>> then neither XSS nor CSRF should be a problem (right?)
>>>
>>>
>>> OAuth 2.1 isn't supposed to add new features that don't already exist,
>>>> but this sounds like a good candidate to develop as an OAuth extension.
>>>
>>>
>>> Is this really a *new feature* though?
>>>
>>> Okay, I'll submit that RFC 6749 does state the cookie wouldn't be
>>> created by the AS.
>>>
>>>> 5.1.  Successful Response
>>>> <https://tools.ietf.org/html/rfc6749#section-5.1>
>>>> <https://tools.ietf.org/html/rfc6749#section-5.1>   The authorization
>>>> server issues an access token and optional refresh
>>>> <https://tools.ietf.org/html/rfc6749#section-5.1>   token, and
>>>> constructs the response by
>>>> *adding the following parameters*
>>>> <https://tools.ietf.org/html/rfc6749#section-5.1>*   to the
>>>> entity-body of the HTTP response* with a 200 (OK) status code:
>>>> <https://tools.ietf.org/html/rfc6749#section-5.1>
>>>
>>>
>>> However that wouldn't prevent a client using the password grant (I know
>>> I said a bad word) or authorization code flow from creating the cookie to
>>> contain that. Specifically
>>>
>>>> 7.  Accessing Protected Resources
>>>>    The client accesses protected resources by presenting the access
>>>>    token to the resource server.  The resource server MUST validate the
>>>>    access token and ensure that it has not expired and that its scope
>>>>    covers the requested resource.
>>>>
>>>>
>>>>
>>>> *The methods used by the resource   server to validate the access token
>>>> (as well as any error responses)   are beyond the scope of this
>>>> specification but generally involve an   interaction or coordination
>>>> between the resource server and the   authorization server*.
>>>>    The method in which the client utilizes the access token to
>>>>    authenticate with the resource server depends on the type of access
>>>>    token issued by the authorization server.
>>>> * Typically, it involves   using the HTTP "Authorization" request
>>>> header* field [RFC2617] with an
>>>>    authentication scheme defined by the specification of the access
>>>>    token type used, such as [RFC6750].
>>>
>>>
>>> So that's definitely some gray area. Although perhaps I'm missing a
>>> relevant section. If we are going to go so far to detail a list of possible
>>> RS bearer token possible locations (i.e. Header and Body), to what I assume
>>> is to implicitly say *Don't use a query parameter*. It also suggests *Don't
>>> use a cookie at all*, even with* SameSite=Strict*. Although maybe that
>>> is the point.
>>>
>>> For my reference, what makes a *new feature* and what makes *an OAuth
>>> extension?*
>>>
>>> Warren Parad
>>>
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>
>>>
>>> On Thu, Jul 30, 2020 at 6:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> I haven't seen any OAuth drafts that talk about sending OAuth access
>>>> tokens in HTTP cookies. OAuth 2.1 isn't supposed to add new features that
>>>> don't already exist, but this sounds like a good candidate to develop as an
>>>> OAuth extension.
>>>>
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>> https://oauth2simplified.com
>>>>
>>>> On Thu, Jul 30, 2020 at 9:35 AM Jim Manico <jim@manicode.com
>>>> <jim@manicode..com>> wrote:
>>>>
>>>>> In a browser, HTTPOnly cookies are the *only* location where an
>>>>> access (or other) token can be stored in a way where it *cannot be
>>>>> stolen from XSS*.
>>>>>
>>>>> It's a very strong place to store tokens from a security point of view.
>>>>>
>>>>> Cookie storage of tokens does leave one open to CSRF attacks so it's
>>>>> certainly a trade-off. But CSRF is much easier to defense against that XSS
>>>>> and cookies are a better choice if the specific risk of having tokens
>>>>> stolen via XSS matters to your threat model.
>>>>>
>>>>> - Jim
>>>>> On 7/30/20 11:43 AM, Warren Parad wrote:
>>>>>
>>>>>
>>>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-bearer-tokens
>>>>>
>>>>> It seems recently more and more common to pass the access_token to
>>>>> some RS via a cookie, yet 7.2.1 says it defines two methods. I think we
>>>>> need some RFC2119
>>>>> <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords
>>>>> here, to suggest that either SHOULD use one of these two, or MUST. And then
>>>>> optionally state whether or not we recommend or reject the use of cookies
>>>>> as a place for access tokens. It's also possible that the language threw me
>>>>> off, because would an access token in a cookie be a bearer token, but no
>>>>> matter, if I'm having this thought, then surely others have it as well,
>>>>> right?
>>>>>
>>>>> <image.png>
>>>>>
>>>>>
>>>>> Warren Parad
>>>>>
>>>>> Founder, CTO
>>>>> Secure your user data and complete your authorization architecture.
>>>>> Implement Authress <https://bit.ly/37SSO1p>.
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> Manicode Securityhttps://www.manicode..com <https://www.manicode.com>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email