IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Phil Hunt <phil.hunt@oracle.com> Thu, 06 December 2018 20:54 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F5AC130E68 for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 12:54:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.759
X-Spam-Level:
X-Spam-Status: No, score=-5.759 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcjJbxq69A6j for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 12:54:06 -0800 (PST)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 214E8130EDA for <oauth@ietf.org>; Thu, 6 Dec 2018 12:54:06 -0800 (PST)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB6Ks4bG161200; Thu, 6 Dec 2018 20:54:04 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=corp-2018-07-02; bh=7nLLVKixEtSJq7eaSx11/V3TUU3gR22DUY9TbMd0zRE=; b=O2LZ586p88FafESIsDGyHKaZo2bygeuiq/sQoOQ5S36rcYgGY7pKK3zkBP12izrNOPlG RxRfqDTAJC0s5DCN50xU4O6z5lQMMvafUzlhHEB8Rd3RS/32BLLwM3/8qVQG1vaHSqyA 8S+ajR15SNRjhHy6Qa2WbsH0PeOMxeiYgdfufo7tmqLGzy3ssL9b+Iv5s3VQeHFlzFjR 9RF0vwDsktzwgiBS1yEnVfKkg6cSi+R8pHtptYOZDrzp65zI9eXF2/CCcJ+294AZ3my2 EE+dImzmoGU2bdUgkgfmbUmdfLIGbEcafSwei89rkiQ6lYd63QNRhf79fakbkeQxHXO+ ag==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2p3hquaj8h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 06 Dec 2018 20:54:03 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wB6Ks09b031456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 6 Dec 2018 20:54:00 GMT
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id wB6Ks0Uf023776; Thu, 6 Dec 2018 20:54:00 GMT
Received: from [192.168.1.19] (/70.70.142.148) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 06 Dec 2018 20:53:59 +0000
From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <8A2BC516-69AA-4CDB-A31E-5AF59FBA9CF0@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7FA2A710-3CA6-483E-AAAF-747524F409A3"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Thu, 06 Dec 2018 12:53:57 -0800
In-Reply-To: <9E0E2FD0-ECE7-4A71-870B-21938B8C267F@alkaline-solutions.com>
Cc: IETF oauth WG <oauth@ietf.org>
To: David Waite <david@alkaline-solutions.com>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1w! Rzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net> <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com> <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net> <CAO_FVe7_CsqkTCRSPK5iT5dH5w_NmDuZ-g-2UJgHefUP2i3beQ@mail.gmail.com> <194886B0-D8C8-4489-B66B-7993C7FA0F63@lodderstedt.net> <CAO_FVe7QhqZEcqeSurPU5QxTN3Z1Lp9zY6XpVQxk1VdCGLMUhA@mail.gmail.com> <1D4D8636-9C50-4AA0-BF33-3427FCD0E938@oracle.com> <9E0E2FD0-ECE7-4A71-870B-21938B8C267F@alkaline-solutions.com>
X-Mailer: Apple Mail (2.3445.101.1)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9099 signatures=668679
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812060175
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pfNMBKK2E1gdIrBfIpOKQMdg_jw>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 20:54:09 -0000

How would the token endpoint detect login status of the user?

Phil

Oracle Corporation, Cloud Security and Identity Architect
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>

> On Dec 6, 2018, at 12:24 PM, David Waite <david@alkaline-solutions.com> wrote:
> 
> One benefit of moving to code flow is that the refresh token can be used to check the validity of the user session (or rather, it allows the AS another avenue to force authentication events if the AS considers the user session to be expired (or has a drop in confidence).
> 
> There are indeed several ASs which, possibly because of an interpretation of OIDC, assume refresh tokens mean offline access and are mutually exclusive with public clients.
> 
> The ability to have refresh tokens track a user session is an AS implementation detail, and something that these ASs could choose to change to over time. In the meantime, there shouldn’t be anything preventing a client from doing the iframe and prompt=none step that they are doing today with implicit. Even if the AS is implemented in terms of stateless sessions, such functionality can be implemented by encoding user session information into the “code token".
> 
> -DW
> 
>> On Dec 6, 2018, at 11:51 AM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>> 
>> While I generally agree with justin that moving everything to the back channel is good, I worry that checking user login state may be more important. 
>> 
>> What if upon refresh of a javascript client the AS would like to check the validity of the current user session?
>> 
>> Many implementers solve the user experience issue by using prompt none in the oidc authentication case. I seem to remember some oauth providers never implemented refresh and they were able to create a good experience. 
>> 
>> Phil
> 
> 
>> On Dec 6, 2018, at 7:47 AM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>> 
>> I support the move away from the implicit flow toward using the authorization code flow (with PKCE and CORS)  for JavaScript applications. The limitations and assumptions that surrounded the design of the implicit flow back when we started no longer apply today. It was an optimization for a different time. Technology and platforms have moved forward, and our advice should move them forward as well. Furthermore, the ease of using the implicit flow incorrectly, and the damage that doing so can cause, has driven me to telling people to stop using it. 
>> 
>> There are a number of hacks that can patch the implicit flow to be slightly better in various ways — if you tack on the “hybrid” flow from OIDC or JARM plus post messages and a bunch of other stuff, then it can be better. But if you’re doing all of that, I think you really need to ask yourself: why? What do you gain from jumping through all of those hoops when a viable alternative sits there? Is it pride? I don’t see why we cling to it. To me, it’s like saying “hey sure my leg gets cut off when I do this, but I can stitch it back on!”, when you could simply avoid cutting your leg off in the first place. The best cure is prevention, and what’s being argued here is prevention.
>> 
>> So many of OAuth’s problems in the wild come from over-use of the front channel, and any place we can move away from that is a good move. 
>> 
>> — Justin

v2.23.0 | Report a Bug | By Email