IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Vittorio Bertocci <Vittorio@auth0.com> Thu, 06 December 2018 20:42 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FF73131195 for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 12:42:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdWmAr5Ow8tX for <oauth@ietfa.amsl.com>; Thu, 6 Dec 2018 12:42:35 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 900A3130F90 for <oauth@ietf.org>; Thu, 6 Dec 2018 12:42:34 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id s5-v6so1604513ljd.12 for <oauth@ietf.org>; Thu, 06 Dec 2018 12:42:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aQR8jynsYW7DJsTRHCT/yg1/sClZyPyGK1kTvgpDHjo=; b=hyqB6K5W2KYDQzSPc+9Jw/hZMtMNxhYMOf7T10T1nlgkwI7Pi1GwH0IED52m8AFrRw eV6vw2fq/q36i9KefgB2n+QS9VksnWMXDVGfpFG73OYFcvih0aivqZKoaL/rh1V01Ah6 hySeBleJSWWPVAzFrgRrPkj4N4216a7JK06wIze+sNlRx8nYQholuuntkBnMA4PlUhip /PJEvmD1n2K1uQVOMKG+R1siQFAR/jg8rP22Kok5+Yy1LF1k9ncVR4wjQAmPvLETg7kJ kniv0HP0BsH4A20ZcsTkM90RTDsUfFBSGu0xqxuNTbRpHEFV3AQbCNno+8eH3BZBr3Nh h8ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aQR8jynsYW7DJsTRHCT/yg1/sClZyPyGK1kTvgpDHjo=; b=V9VtV+ubFAFJjvhWLUbvRHeK+PwT0UMVaFJsRXW687F9L72t78r5hWzJ5rxCFwBad/ 5zM1BdvK6W4IKgDynbeW84xrOaEZKiFaIFl0S2RS7/mQIx58JcxE8DNud5z5zSeXvBhu fo5jllmpDXKH+GdgAmMFAeB1l6aXbdgFldbAYC+2tGjZsNyGnpWqJ5cH3y6j1hUnW1Eq WPxTke/Ge4R8zAr82tp/8RV4arcmqWnxpYp2jpZlCzILlWoBJZCRaR5zLYEVfP6aNs/q 872NTdexPjLumkiK9Nrvc2ppoi/XpNtL/LgcCdHOZyA0NlqnXK5UIdxQM/m/Mv547K41 6HWg==
X-Gm-Message-State: AA+aEWbvR5uby8OhWLpPzgB0bhyzVclT0xVH+3RSDeB6mxD679Cxwrgu FR7/3Jj1bPJOV0JeeSlv8XwPpquEk/BZKrZb2mlGsQ==
X-Google-Smtp-Source: AFSGD/VK8TPXr32usqfsTzuaF7O4wobQoRbT6UQgtl21ElYttONxQrwQIKv/QCb/qf6n30bWCuanXMUV45m+LCduOPc=
X-Received: by 2002:a2e:568b:: with SMTP id k11-v6mr19850169lje.105.1544128952558; Thu, 06 Dec 2018 12:42:32 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net> <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com> <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net> <CAO_FVe7_CsqkTCRSPK5iT5dH5w_NmDuZ-g-2UJgHefUP2i3beQ@mail.gmail.com> <194886B0-D8C8-4489-B66B-7993C7FA0F63@lodderstedt.net> <CAO_FVe7QhqZEcqeSurPU5QxTN3Z1Lp9zY6XpVQxk1VdCGLMUhA@mail.gmail.com> <1D4D8636-9C50-4AA0-BF33-3427FCD0E938@oracle.com> <9E0E2FD0-ECE7-4A71-870B-21938B8C267F@alkaline-solutions.com>
In-Reply-To: <9E0E2FD0-ECE7-4A71-870B-21938B8C267F@alkaline-solutions.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Thu, 06 Dec 2018 12:42:21 -0800
Message-ID: <CAO_FVe4eFcFhEp2ETZsMcKH9o9b4h5hhFcY9MLzDjrJeoPDJ8Q@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: phil.hunt@oracle.com, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b487ca057c608909"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tyLJXa84H5JlpZCH99g5AFwSBHI>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 20:42:38 -0000

> There are indeed several ASs which, possibly because of an interpretation
of OIDC, assume refresh tokens mean offline access and are mutually
exclusive with public clients.
AFAIK both Microsoft and Google do support RTs with public clients, but
their lifecycle is independent from the session with the AS (which is
represented by an artifact that is only indirectly accessible from
traditions public clients such as mobile and desktop apps).

As you say, the hidden iframe for retrieving a code via prompt=none remain
viable - and if at this time that is the only approach universally
available (forgetting ITP2 for a moment) that should be emphasized
accordingly in the document.

On Thu, Dec 6, 2018 at 12:24 PM David Waite <david@alkaline-solutions.com>
wrote:

> One benefit of moving to code flow is that the refresh token can be used
> to check the validity of the user session (or rather, it allows the AS
> another avenue to force authentication events if the AS considers the user
> session to be expired (or has a drop in confidence).
>
> There are indeed several ASs which, possibly because of an interpretation
> of OIDC, assume refresh tokens mean offline access and are mutually
> exclusive with public clients.
>
> The ability to have refresh tokens track a user session is an AS
> implementation detail, and something that these ASs could choose to change
> to over time. In the meantime, there shouldn’t be anything preventing a
> client from doing the iframe and prompt=none step that they are doing today
> with implicit. Even if the AS is implemented in terms of stateless
> sessions, such functionality can be implemented by encoding user session
> information into the “code token".
>
> -DW
>
> On Dec 6, 2018, at 11:51 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> While I generally agree with justin that moving everything to the back
> channel is good, I worry that checking user login state may be more
> important.
>
> What if upon refresh of a javascript client the AS would like to check the
> validity of the current user session?
>
> Many implementers solve the user experience issue by using prompt none in
> the oidc authentication case. I seem to remember some oauth providers never
> implemented refresh and they were able to create a good experience.
>
> Phil
>
>
> On Dec 6, 2018, at 7:47 AM, Justin Richer <jricher@mit.edu> wrote:
>
> I support the move away from the implicit flow toward using the
> authorization code flow (with PKCE and CORS)  for JavaScript applications.
> The limitations and assumptions that surrounded the design of the implicit
> flow back when we started no longer apply today. It was an optimization for
> a different time. Technology and platforms have moved forward, and our
> advice should move them forward as well. Furthermore, the ease of using the
> implicit flow incorrectly, and the damage that doing so can cause, has
> driven me to telling people to stop using it.
>
> There are a number of hacks that can patch the implicit flow to be
> slightly better in various ways — if you tack on the “hybrid” flow from
> OIDC or JARM plus post messages and a bunch of other stuff, then it can be
> better. But if you’re doing all of that, I think you really need to ask
> yourself: why? What do you gain from jumping through all of those hoops
> when a viable alternative sits there? Is it pride? I don’t see why we cling
> to it. To me, it’s like saying “hey sure my leg gets cut off when I do
> this, but I can stitch it back on!”, when you could simply avoid cutting
> your leg off in the first place. The best cure is prevention, and what’s
> being argued here is prevention.
>
> So many of OAuth’s problems in the wild come from over-use of the front
> channel, and any place we can move away from that is a good move.
>
> — Justin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email