Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Mon, 15 February 2021 11:09 UTC

From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <8B710018-3605-483D-B4A8-191A5BBFFEBC@pragmaticwebsecurity.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_861401FD-A88C-4EDF-9995-5BB918AB1EEF"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Mon, 15 Feb 2021 12:09:10 +0100
In-Reply-To: <072DEFFF-134E-4946-9CAD-35EA12DEC802@forgerock.com>
Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>, oauth@ietf.org
To: Neil Madden <neil.madden@forgerock.com>
References: <2FBBB341-B8FB-4CAA-B1F1-5CC16AB47857@pragmaticwebsecurity.com> <072DEFFF-134E-4946-9CAD-35EA12DEC802@forgerock.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sb4irvVv5DJHD04oWq8mYUDGsFk>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

> 
> On 15 Feb 2021, at 11:50, Neil Madden <neil.madden@forgerock.com> wrote:
> 
>> On 15 Feb 2021, at 10:26, Philippe De Ryck <philippe@pragmaticwebsecurity.com> wrote:
>> 
>>> On 15 Feb 2021, at 11:14, Neil Madden <neil.madden@forgerock.com> wrote:
>>> 
>>>> On 15 Feb 2021, at 08:32, Philippe De Ryck <philippe@pragmaticwebsecurity.com> wrote:
>>>> 
>>>> [...]
>>>> 
>>>> Compared to using a worker for handling RTs, I believe the TMI-BFF only adds a single security benefit: an attacker is no longer able to run a silent flow to obtain a fresh set of tokens (since the client is now a confidential client). 
>>> 
>>> But they can just call the bff-token endpoint to do the same. If there is a security advantage, IMO it is as a defence in depth against open redirects, unicode normalisation attacks (ie not validating the redirect_uri correctly at the AS), etc. 
>> 
>> A Web Worker and the TMI-BFF both encapsulate the RT and only expose the (short-lived) AT.
> 
> I don’t think this distinction matters at all from a security point of view. It’s the AT that attackers are after - why bother with a RT if I can just call the bff-token endpoint to get a new AT every time?

Getting an AT from the BFF (or a worker) is an “online” attack, which only works as long as the application/malicious code is loaded in the browser of the user. 

Stealing a working refresh token (e.g., with a silent flow) is an “offline” attack, which gives long-term access (lifetime of the RT), independent of the state of the application in the user’s browser.

There is a clear distinction, but whether that matters is a different discussion. It depends on how the application is used, and how token lifetimes are configured. FWIW, the DPoP threat model makes the same distinction (“Stolen token (XSS)” vs “XSS (Victim is online)”) here: https://danielfett.de/2020/05/04/dpop-attacker-model/

Philippe
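The online/offline distinction discussed in this message, worked through as an added toy model (this is not code from the thread, from any TMI-BFF draft, or from any project). The model assumes a BFF that keeps the refresh token in a server-side session and only ever hands the browser a short-lived access token via a `bff_token` call; the authorization server, token lifetimes, the leaked refresh token and the session/logout mechanics are all constructed for the simulation. It shows that an attacker who can only call the BFF endpoint from inside the user's browser loses access once the session ends (plus the remaining lifetime of the last access token), while an attacker holding an exfiltrated refresh token keeps access until that token expires, regardless of what happens in the browser.

```python
"""Toy model of 'online' (call the BFF from the user's browser) versus
'offline' (hold a leaked refresh token) access. Constructed example; the
AS, BFF, lifetimes and leak are assumptions, not any project's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

AT_LIFETIME = 300              # seconds; assumed short-lived access token
RT_LIFETIME = 30 * 24 * 3600   # seconds; assumed 30-day refresh token


@dataclass
class Clock:
    """Simulated time so the example is deterministic and runs offline."""
    now: int = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds


@dataclass
class AuthorizationServer:
    clock: Clock
    refresh_tokens: Dict[str, int] = field(default_factory=dict)  # rt -> expiry
    access_tokens: Dict[str, int] = field(default_factory=dict)   # at -> expiry

    def issue_refresh_token(self) -> str:
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = self.clock.now + RT_LIFETIME
        return rt

    def refresh(self, rt: Optional[str]) -> Optional[str]:
        """Refresh grant: fresh AT, or None if the RT is unknown or expired."""
        expiry = self.refresh_tokens.get(rt) if rt else None
        if expiry is None or expiry <= self.clock.now:
            return None
        at = secrets.token_urlsafe(16)
        self.access_tokens[at] = self.clock.now + AT_LIFETIME
        return at

    def accepts(self, at: Optional[str]) -> bool:
        """Resource-server check: is this AT still within its lifetime?"""
        return at is not None and self.access_tokens.get(at, 0) > self.clock.now


@dataclass
class BFF:
    """Confidential client: the RT lives only in the server-side session."""
    clock: Clock
    auth_server: AuthorizationServer
    sessions: Dict[str, str] = field(default_factory=dict)  # cookie -> RT

    def login(self) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = self.auth_server.issue_refresh_token()
        return cookie

    def logout(self, cookie: str) -> None:
        # Session gone: nothing in the browser can reach the RT any more.
        self.sessions.pop(cookie, None)

    def bff_token(self, cookie: str) -> Optional[str]:
        """The bff-token endpoint: returns only an AT, never the RT."""
        return self.auth_server.refresh(self.sessions.get(cookie))


def simulate() -> Dict[str, bool]:
    clock = Clock()
    auth_server = AuthorizationServer(clock)
    bff = BFF(clock, auth_server)
    cookie = bff.login()

    # Online attacker: script in the user's browser calls bff-token.
    online_at = bff.bff_token(cookie)
    result = {"online_at_accepted_at_issue": auth_server.accepts(online_at)}

    # Offline attacker: assume the RT itself leaked (constructed leak; in the
    # thread's terms, the silent-flow case that a public client allows).
    leaked_rt = next(iter(auth_server.refresh_tokens))

    bff.logout(cookie)  # user leaves the app; browser-side access path closes
    result["online_can_refresh_after_logout"] = bff.bff_token(cookie) is not None
    result["offline_can_refresh_after_logout"] = auth_server.refresh(leaked_rt) is not None

    clock.advance(AT_LIFETIME + 1)  # last browser-obtained AT runs out
    result["online_at_accepted_after_lifetime"] = auth_server.accepts(online_at)
    result["offline_can_refresh_after_at_lifetime"] = auth_server.refresh(leaked_rt) is not None

    clock.advance(RT_LIFETIME)  # only RT expiry ends the offline attacker's access
    result["offline_can_refresh_after_rt_lifetime"] = auth_server.refresh(leaked_rt) is not None
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out refresh-token rotation and reuse detection; with those enabled at the AS, the offline window also shrinks, since the legitimate client's next refresh collides with the attacker's copy. That is one of the "token lifetime configuration" knobs the message refers to.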