IETF Logo Mail Archive

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

Filip Skokan <panva.ip@gmail.com> Thu, 11 January 2024 16:34 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495E6C14F707 for <oauth@ietfa.amsl.com>; Thu, 11 Jan 2024 08:34:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZczIdkCJa9d for <oauth@ietfa.amsl.com>; Thu, 11 Jan 2024 08:34:49 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09696C14EB17 for <oauth@ietf.org>; Thu, 11 Jan 2024 08:34:49 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-50e78f1f41fso5833479e87.2 for <oauth@ietf.org>; Thu, 11 Jan 2024 08:34:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704990887; x=1705595687; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4huLPly6g0PWEBa9Lkfyc1whQwsGUmbqIFb/m7CQ69g=; b=l2ZVZXxSL/MwbjWDzXz5M8lkFG+oc/oifrsk0KUEGKz3xGRK14z3ArikN5cHffvtDK vH8eNEQTpUOHK/jS/3y4OpAf9YBHfe6qxL4lRw9kDMaCv8reP7nXB7P197F+Zb7UDAkk KvGFRNC64ifbWEPpwGydqgXgn5AcVs8APh+y3uIlB6LaFhFQvdQe1o56BO5q5rwyQNEy t//Gde6TeIDNfocVKhJSZdMmMom1eOUs9CussRVbCRSFByGk4LlPw95FYXhyUGLSclFt GjChZSPc5il1JboHbIuCPlS+qdwPQCaTH9xk7IWlor3s7csE4owWYHxfi40jm0p/Qssm haLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704990887; x=1705595687; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4huLPly6g0PWEBa9Lkfyc1whQwsGUmbqIFb/m7CQ69g=; b=lCvxkMpcTF1Ks6v82bOX2gB+Kye0sZIGN/PlbyJhxplv7kbEH23IukJdp4C9XUc7M6 xO87H9uObll4855YYzGEjCUco3xjXEnUKkcy4+zl6T3wAWea1imDPts+8UyyS9BQsZxZ OyqQPxf80U9KGwkiMfZR4d0Bg4MipLw4c2NZR1mjw2qsB75vAOwgtjm7o8iZKKmL/cC/ QXb0bEctFX1mUfHCJy43mge0gwmp3g3yKfVnwDUOIaoSzV7yD3g9sIBrX7ibMv/Fna4/ Nv+O7SWl9AewqB/7HGKc0wYVL5hoHQ/z97LeoM6Sd/341oJmCpY5UcFANy3Z6tPzIeCD QEzQ==
X-Gm-Message-State: AOJu0YxaPg91STHymN+p9AqDNZU/QnQvBol4JTsnnWSAAwJ/z3qh57uT dxBtlezBvEtQF86SziwhljC/YZGAv8u91MwYWQ==
X-Google-Smtp-Source: AGHT+IGJK48vbgGrPzMEIF5NPBEN9F4paabwhWaAmaXp+JxtqRnFyoVU+QU4VRBZiMSkOsLGfewBp3LxB8yHhrGuIeU=
X-Received: by 2002:ac2:4f86:0:b0:50e:7fa9:650e with SMTP id z6-20020ac24f86000000b0050e7fa9650emr646728lfs.22.1704990886794; Thu, 11 Jan 2024 08:34:46 -0800 (PST)
MIME-Version: 1.0
References: <ea11f400-45b4-4ef2-a926-f3f89697bca9@hackmanit.de> <bc5ccf22-47b3-4ca0-996e-c1cebcbe9a36@hackmanit.de> <CALAqi__ACWaAX_CoDQQ3wa_59Gnqr5KFMfgmffw0Gh4v878cjg@mail.gmail.com> <b367c755-07ea-4c19-9fb1-b63bb108e512@hackmanit.de> <CALAqi__SLUg1VztZ8CAfZOhd-m=uqgz=WPDvhfDU9P6KP1gn9A@mail.gmail.com> <CALAqi_8sKKhf2FZqw-8JkcsfKzg+wWkY+SXC1V+RrBk7LWs86A@mail.gmail.com> <8f18ce6f-41f1-41bb-b076-2d20e3be1fed@hackmanit.de>
In-Reply-To: <8f18ce6f-41f1-41bb-b076-2d20e3be1fed@hackmanit.de>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 11 Jan 2024 17:34:10 +0100
Message-ID: <CALAqi_9cwo3ZFL4PeA09HJWsa+qJi62aVYmdD6s2WtPtTa-4OA@mail.gmail.com>
To: Karsten Meyer zu Selhausen | Hackmanit <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>, Louis Jannett <louis.jannett@rub.de>, Christian Mainka <christian.mainka@hackmanit.de>
Content-Type: multipart/alternative; boundary="000000000000271d27060eae200b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sPYcxs4CNB1Zd11OXyaTBxIuUr0>
Subject: Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2024 16:34:53 -0000

You may be right. I no longer have the setup for this at hand but I believe
it depended on relaxing the domain settings through the now deprecated (and
in some browsers already removed or otherwise void) document.domain
property.

If the flow is unrecoverable it makes no sense to spend effort on keeping
it around.

S pozdravem,
*Filip Skokan*


On Thu, 11 Jan 2024 at 16:07, Karsten Meyer zu Selhausen | Hackmanit <
karsten.meyerzuselhausen@hackmanit.de> wrote:

> That's an interesting use-case for relay mode and might be a reason to
> cover it.
>
> However, we believe the current code for the relay mode in
> draft-sakimura-oauth-wmrm-01 does not work. The same-origin policy should
> prevent this line from working:
>
> messageTargetWindowReference =
> e.source.document.getElementById(web_message_target);
>
> "e.source" references the main window (e.g., client.example.com). This
> means the (un)authenticated window (e.g., as.example.com) tries to access
> "document.getElementById" for the cross-origin main window.
> Due to the SOP the browser should throw a DOMException ("Failed to read a
> named property 'document' from 'Window': Blocked a frame with origin
> "https://as.example.com" <https://as.example.com> from accessing a
> cross-origin frame.")
>
> As I said in the other response, we would be really interested in taking a
> look at existing implementations of draft-sakimura-oauth-wmrm-01 to see
> how they solve this problem.
>
>
> Best regards,
> Karsten
>
>
> On 10.01.2024 10:15, Filip Skokan wrote:
>
> We do not consider the relay mode. The relay mode is motivated by the use
>> of the implicit grant which is discouraged nowadays.
>
>
> Motivation aside, if my memory serves right (and that's a big IF in this
> case), the relay mode was not limited to implicit responses and was useful
> regardless of the response type, e.g. in cases where the authorization
> request was triggered from an eTLD+1 top level window but the target was
> authenticating a service that ran on its subdomain, a landing page with a
> CTA to login sort of setup.
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Wed, 10 Jan 2024 at 09:47, Filip Skokan <panva.ip@gmail.com> wrote:
>
>> our draft covers and is compatible to what's called "simple mode" (both
>>> with and without prompt) in draft-sakimura-oauth-wmrm-00/-01.
>>
>>
>> So a client that's using a simple mode with web_message today could,
>> without change, utilize your draft as well? That doesn't seem likely given
>> the message structure is not the same as in draft-sakimura-oauth-wmrm. Is
>> that an omission or intentional?
>>
>> S pozdravem,
>> *Filip Skokan*
>>
>>
>> On Wed, 10 Jan 2024 at 09:37, Karsten Meyer zu Selhausen | Hackmanit <
>> karsten.meyerzuselhausen@hackmanit.de> wrote:
>>
>>> Hello Filip,
>>>
>>> our draft covers and is compatible to what's called "simple mode" (both
>>> with and without prompt) in draft-sakimura-oauth-wmrm-00/-01.
>>>
>>> We do not consider the relay mode. The relay mode is motivated by the
>>> use of the implicit grant which is discouraged nowadays.
>>>
>>> The main differences to draft-sakimura-oauth-wmrm-01 can be summarized
>>> as follows:
>>>
>>>    - In general we do not focus on "modes" but instead on the actual
>>>    communication using the postMessage API. Our draft contains examples for
>>>    the format/structure for the messages sent using the postMessage API.
>>>    - Our draft enables iframe flows with user interaction while draft-sakimura-oauth-wmrm-01
>>>    only covers iframe flows without user interaction.
>>>    - Our draft contains security considerations describing threats and
>>>    giving recommendations to address them.
>>>    - Our draft briefly discusses the implications of the 3rd party
>>>    cookie phaseout for iframes.
>>>
>>> Our main motivation is the belief that there is a need for a
>>> specification defining how to securely use the postMessage API for OAuth
>>> auth. responses. The research of my co-authors underlines this need [1].
>>>
>>> As I said, at the last OSW there was agreement that it would be a good
>>> idea to write an RFC for a postMessage-based response mode. draft-sakimura-oauth-wmrm-00
>>> was expired years ago and seemed to be inactive when we started to work on
>>> our own draft. In our opinion it is not a great option to rely on an
>>> expired draft. As for customers I work with this is not an option at all;
>>> they want to implement and use final RFCs whenever possible.
>>>
>>> We are looking for feedback from the WG and are open to collaborate with
>>> the authors of draft-sakimura-oauth-wmrm if they want to join the efforts.
>>>
>>>
>>> Best regards,
>>> Karsten
>>>
>>> [1] https://distinct-sso.com/
>>> On 04.01.2024 12:10, Filip Skokan wrote:
>>>
>>> Hello Karsten,
>>>
>>> Can you summarize in what ways is your draft compatible
>>> with draft-sakimura-oauth-wmrm-00? Which of the described modes in Nat's
>>> document does it cover?
>>>
>>> There are existing implementations (both partial and full)
>>> of draft-sakimura-oauth-wmrm-00 so if your draft is not compatible I would
>>> recommend not using the same response mode name/identifier in your proposal.
>>>
>>> What prompted you to start a new draft rather than
>>> using draft-sakimura-oauth-wmrm-00?
>>>
>>> S pozdravem,
>>> *Filip Skokan*
>>>
>>>
>>> On Thu, 4 Jan 2024 at 12:04, Karsten Meyer zu Selhausen | Hackmanit <
>>> karsten.meyerzuselhausen@hackmanit.de> wrote:
>>>
>>>> Hi all,
>>>>
>>>> we would like to ask again for feedback on our draft for the
>>>> "web_message" response mode:
>>>> *https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
>>>> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>
>>>> *
>>>>
>>>> We think it would be very helpful for implementers and developers to
>>>> specify a secure standard for a postMessage API-based response mode.
>>>>
>>>> Best regards,
>>>> Karsten
>>>> On 23.11.2023 10:11, Karsten Meyer zu Selhausen | Hackmanit wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> at the last OSW the topic of a response mode based on the postMessage
>>>> API came up. This approach is already used by multiple parties (e.g.,
>>>> Google) but lacks standardization.
>>>>
>>>> There was some sense of agreement that it would be a good idea to
>>>> create an RFC defining this response mode to counter security flaws in
>>>> individual implementations and improve interoperability.
>>>>
>>>> Because the efforts in the past were long expired (draft -00 of
>>>> https://datatracker.ietf.org/doc/draft-sakimura-oauth-wmrm/ expired in
>>>> 2016) we took the initiative and started to work on a new ID for the
>>>> "web_message" response mode.
>>>>
>>>> *We would like to to ask the members of the working group for feedback
>>>> on our draft:
>>>> https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
>>>> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>*
>>>>
>>>>
>>>> I see that "draft-sakimura-oauth-wmrm" has been recently updated.
>>>> However, there have not been any changes to its contents. What are the
>>>> plans of the authors for this draft?
>>>>
>>>> Best regards
>>>> Karsten
>>>>
>>>> --
>>>> Karsten Meyer zu Selhausen
>>>> Senior IT Security Consultant
>>>> Phone:	+49 (0)234 / 54456499
>>>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>>>
>>>> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
>>>> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>>>>
>>>> Hackmanit GmbH
>>>> Universitätsstraße 60 (Exzenterhaus)
>>>> 44789 Bochum
>>>>
>>>> Registergericht: Amtsgericht Bochum, HRB 14896
>>>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>>>>
>>>> --
>>>> Karsten Meyer zu Selhausen
>>>> Senior IT Security Consultant
>>>> Phone:	+49 (0)234 / 54456499
>>>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>>>
>>>> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
>>>> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>>>>
>>>> Hackmanit GmbH
>>>> Universitätsstraße 60 (Exzenterhaus)
>>>> 44789 Bochum
>>>>
>>>> Registergericht: Amtsgericht Bochum, HRB 14896
>>>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> --
>>> Karsten Meyer zu Selhausen
>>> Senior IT Security Consultant
>>> Phone:	+49 (0)234 / 54456499
>>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>>
>>> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
>>> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>>>
>>> Hackmanit GmbH
>>> Universitätsstraße 60 (Exzenterhaus)
>>> 44789 Bochum
>>>
>>> Registergericht: Amtsgericht Bochum, HRB 14896
>>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>>>
>>> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>
>

v2.23.0 | Report a Bug | By Email