IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

William Denniss <wdenniss@google.com> Wed, 28 November 2018 23:16 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E326131056 for <oauth@ietfa.amsl.com>; Wed, 28 Nov 2018 15:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.958
X-Spam-Level:
X-Spam-Status: No, score=-18.958 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLA-KO-9RqrH for <oauth@ietfa.amsl.com>; Wed, 28 Nov 2018 15:16:26 -0800 (PST)
Received: from mail-it1-x12a.google.com (mail-it1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D3971277C8 for <oauth@ietf.org>; Wed, 28 Nov 2018 15:16:26 -0800 (PST)
Received: by mail-it1-x12a.google.com with SMTP id p197so717004itp.0 for <oauth@ietf.org>; Wed, 28 Nov 2018 15:16:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SwPYxmeb9EY8U8K6iXHcmeyjYcqHRPk/YW5TWzdR/c0=; b=B+Uc6GQmgs4zf1F9Aen/d3MjlHEzVaAFd3hYn2woFjMTHvH9eDURVWvEW4Z3rjwrtV rIB55oAl5yrBteGQsz/Gi9KjQsWRToEwjsy1/jGiAJFHpMe9H2iAyTQ4leDl4DYkz0Zu bBux+KXKEgJyv23cqa7K36s3MzCJgRD7X4SeF+gMTpvVV2efzz4C5i2fG6hCQy9AlI0x dLAqkdMj37weZj28Tj86UptryCEmtoJlrSICPGSPNu5aIlwRhdEen3wiXtj48seTQCkF aSTetQD2krWiG+snLuKxqWheekamkpB5Dde/CxEcJLhJYr+2VbE79sscL3SShe0Plpf4 PLZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SwPYxmeb9EY8U8K6iXHcmeyjYcqHRPk/YW5TWzdR/c0=; b=Ah7awkdpLvhU0CRCLYNw4v8tWjkbXiNRghyyYHh/J7zu+lQtaiB//RFrPRSnOiFKjG RhO2C+uS+/FawRZA2kcFuM2B0ewPqQYZjWxZcGDDmSo5F/6S7l7TES7dW2NkThqgt8aS /5tf8QgEHAiVhKisApTDw7WUFQ5I88Dw7Bv5CXGdFcbCG8hYF0YWm2URjSioIpFdwobp sWzsDhDNlMegBPv93sLqfpZLynQAkMvO14VJIWRalYq8gi7z24dyl3rw29AG+LH0BbtN Dm4CWW/HnvHrFHzZnlp78TRzv2dFPLM/mNh5ux594gMaD3lfL4JkCUmXmgKKvDa4em3v YtJQ==
X-Gm-Message-State: AA+aEWZnA+9mHj4kNQSEChkpGmIy1BU6bll7wVJsqKifMeJIrpoZ7xVt GRYnE0M1GdIKNEz32wJnJd0Q+4j5Hug/51hd8Hz6XvR0W8Lysw==
X-Google-Smtp-Source: AFSGD/XAcLF5cozZfuTYkQBXbbmYxUaDbQYCbJnXQAiizggS+aHZRiEbujFbk8F0nCfOHneOnehwsz0eJYUTGLIwdHk=
X-Received: by 2002:a24:97c3:: with SMTP id k186mr5169820ite.125.1543446985324; Wed, 28 Nov 2018 15:16:25 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com>
In-Reply-To: <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 28 Nov 2018 15:16:13 -0800
Message-ID: <CAAP42hCApAP1zig1fV0fm0J9e-s+y1esiYpO7RJ3E7qaCww5Mg@mail.gmail.com>
To: Nat Sakimura <n-sakimura@nri.co.jp>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004ac31a057bc1c1f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p_LmXiUbBNd_SsAf005dPYbIBqU>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2018 23:16:30 -0000

On Wed, Nov 28, 2018 at 2:51 PM n-sakimura <n-sakimura@nri.co.jp> wrote:

> That works.
>
> In fact, I would further go and say MUST NOT but that probably is too much
> for a security consideration.
>
>
Personally I think it's fine for a MUST NOT to appear in a security
consideration section of a BCP. If you break it, then you're not following
the BCP.

We did exactly this in BCP 212:

"This best current
   practice requires that native apps MUST NOT use embedded user-agents
   to perform authorization requests
"

William

Nat Sakimura / n-sakimura@nri.co.jp / +81-90-6013-6276
>
>
> このメールには、本来の宛先の方のみに限定された機密情報が含まれている場合がございます。お心あたりのない場合は、誠に申し訳ございませんが、送信者までお知らせ頂き、また受信されたメールは削除してくださいますようお願い申し上げます。
>
> PLEASE READ :This e-mail is confidential and intended for the named
> recipient only.
> If you are not an intended recipient, please notify the sender and delete
> this e-mail.
>
> ------------------------------
> *差出人:* Torsten Lodderstedt <torsten@lodderstedt.net>
> *送信日時:* 水曜日, 11月 28, 2018 11:38 午後
> *宛先:* n-sakimura
> *Cc:* Dick Hardt; Hannes Tschofenig; oauth@ietf.org
> *件名:* Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization
> code instead of implicit
>
> Hi Nat,
>
> Am 28.11.2018 um 21:10 schrieb n-sakimura <n-sakimura@nri.co.jp>:
>
> I would support
>
> 1) clearly defining Implicit as the flow that returns access token from
> the authorization endpoint ( some people confuses implicit as the flow that
> returns ID Token in the front channel)
>
>
> That’s the current text:
>
> In order to avoid these issues, Clients SHOULD NOT use the implicit
>    grant or any other response type causing the authorization server to
>    issue an access token in the authorization response.
>
> What would you like to modify?
>
>
> 2) Banning the returning of the access token that are not sender
> constrained from the authorization endpoint
>
>
> In order to avoid these issues, Clients SHOULD NOT use the implicit
>    grant or any other response type causing the authorization server to
>    issue an access token in the authorization response*, if this access
> tokens is not sender-constraint.*
>
> What about this?
>
> kind regards,
> Torsten.
>
>
> Best,
>
> Nat
>
>
> Outlook for iOS を入手
>
> 差出人: OAuth <oauth-bounces@ietf.org> (Dick Hardt <dick.hardt@gmail.com>
> の代理)
> 送信日時: 水曜日, 11月 28, 2018 8:58 午後
> 宛先: Hannes Tschofenig
> Cc: oauth@ietf.org
> 件名: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code
> instead of implicit
>
> +1
>
> While there are various mechanisms to alleviate some of the issues of
> implicit, I don't think we can recommend specifics, and there may be future
> ones in the future. I think we all agree that implicit without any
> mitigation is problematic.
>
> How about we recommend against using implicit alone?
>
>
> On Mon, Nov 19, 2018 at 2:34 AM Hannes Tschofenig <
> Hannes.Tschofenig@arm.com> wrote:
> Hi all,
>
> The authors of the OAuth Security Topics draft came to the conclusion that
> it is not possible to adequately secure the implicit flow against token
> injection since potential solutions like token binding or JARM are in an
> early stage of adoption. For this reason, and since CORS allows
> browser-based apps to send requests to the token endpoint, Torsten
> suggested to use the authorization code instead of the implicit grant in
> call cases in his presentation (see
> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01
> ).
>
> A hum in the room at IETF#103 concluded strong support for his
> recommendations. We would like to confirm the discussion on the list.
>
> Please provide a response by December 3rd.
>
> Ciao
>
> Hannes & Rifaat
>
>
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email