IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

Jim Manico <jim@manicode.com> Thu, 08 September 2016 22:51 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0278012B274 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIF-wr-XJdYe for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:51:47 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57328128B44 for <oauth@ietf.org>; Thu, 8 Sep 2016 15:51:47 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id p64so22590677pfb.1 for <oauth@ietf.org>; Thu, 08 Sep 2016 15:51:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=+MAQrqC0lz/eWm0PAgY1P+crZe1xO3i7R0aQ37nbc1Q=; b=BAUwvTI7Zo/An7nMPBAMIyJYmMZkf4phKz7X4p/Yis6D2tjN4qEzKJkjmghsYoIadd ljkUb6ervi2ueErIyugiQKGKeQ5v+eRg24dfG/wbGQPWXvVEQNxscE2gd5V8/msWvZyA NOu0bEqmAuFxPtGf/hHIjOKKSM7gO/QIhlW/kW3UVEHD1r6izFEH3jIonXcP3HPa1UZu mKddI9ZCg14quqPJB61KKNf8AvRBKLk6rNCVa0E3hkOk69qoCXNGb4POJfQl9nU0JRHx EcKInLzCZUEaQOU3flAGCkFZ6N+/CrZ5wGDFIl63nQWh13G9K7ywCg1ichcAUSq2CVfy G3UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=+MAQrqC0lz/eWm0PAgY1P+crZe1xO3i7R0aQ37nbc1Q=; b=OdRsTLwFbkyv2BVmESbOSzwzKrdbWUoQwOQUJMI0FjmzzNcoLG9I77DSIaNEgxr+1p arDkUrMbiVB7z+saXulyyVVR8Gn1qMS8DQ+4Sg/Cu89U2wlCk/wguXs+OQq+0iB+ct4i yVg6eSLZdvDntuOXHoFRGEqrCIR3hL6BCIhhbZ50MA5Jme6HoDfNB2xhfNUlbMrxXDVu k6hVBHTcIEQ1OiIf5ZxoslEkcjEPqjPWnFMs7N64TX9kI6GQ/VGtEylxB20pA1QKHhnF epkYktRtirJZ2Kyh+iAm+PjxEht+nvYgbpgTDEejmnzJNZIFL2Jp9AUBZHROyIjxypoG 7Nmg==
X-Gm-Message-State: AE9vXwMGDtvp5pS/sPnImwf5Bl//oVvAoermNa1NrDWk5I2WiZfnm8yyYKy+Lz4GQhzcYg5Z
X-Received: by 10.98.29.8 with SMTP id d8mr730471pfd.142.1473375106544; Thu, 08 Sep 2016 15:51:46 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:3ccb:e369:74b0:50fc]) by smtp.googlemail.com with ESMTPSA id vy9sm221593pab.22.2016.09.08.15.51.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Sep 2016 15:51:44 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com> <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com> <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <3be430fb-afe7-ab94-1369-7fcdfdedec0b@manicode.com>
Date: Thu, 08 Sep 2016 12:51:41 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------CF5787419ED16CAF623550F6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u3zJ_SpJEY8Z8Z5YbgisrMFRsFc>
Cc: Oleg Gryb <oleg@gryb.info>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 22:51:50 -0000

+1000 on a OAuth Security Best Practices document. I'd be happy to
review or help some.

I think right now the answer is: keep away from implicit grants and do
not store bearer tokens in the browser. Instead, use the authorization
code grant which only exposes bearer tokens intra-server.

For /*web apps*/, I feel the only good place to store authentication,
session or token information is in a HTTPOnly flagged cookie to keep JS
away from sensitive information.

Aloha, Jim


On 9/8/16 12:38 PM, John Bradley wrote:
> It is an interesting discussion, indicating that perhaps a best
> practices document is in order.
>
> I have had several people ask me about SPA using OAuth recently.
>
> Until we get the W3C to finish fetch and extend it for token binding,
> we are going to have ongoing issues with bearer tokens in the browser
> and where to store them.
>
> I don’t know that there is a perfect solution for bearer tokens, but
> documenting the tradeoffs may be useful.
>
> John B.
>
>> On Sep 8, 2016, at 6:07 PM, Jim Manico <jim@manicode.com
>> <mailto:jim@manicode.com>> wrote:
>>
>> +1 I think that's a very fair perspective.
>>
>> Putting sensitive data in LocalStorage is still a very bad idea. :)
>> One XSS and gone. Maybe XSS is not a big deal in a native app, but
>> it's death to Web apps.
>>
>> Aloha, Jim
>>
>>
>> On 9/8/16 10:20 AM, Oleg Gryb wrote:
>>> In SPA/REST env session ID is not very useful, so it's *an* auth
>>> token or tokens (not necessary OAuth one) that are stored in a
>>> cookie. It's used to get REST calls authenticated and yes, it
>>> usually runs in a multi-domain envs (think about micro services
>>> architecture). It makes me think that the value of HTTPOnly will
>>> continue diminishing, while the value of good cross-domain policies
>>> will increase. Just my opinion coming from my experience. I don't
>>> have big (or small) data available to confirm that.  
>>>
>>>
>>>     ------------------------------------------------------------------------
>>>     *From:* Jim Manico <jim@manicode.com>
>>>     *To:* Oleg Gryb <oleg@gryb.info>; Adam Lewis
>>>     <adam.lewis@motorolasolutions.com>
>>>     *Cc:* OAuth WG <oauth@ietf.org>
>>>     *Sent:* Thursday, September 8, 2016 12:51 PM
>>>     *Subject:* Re: [OAUTH-WG] best practices for implicit grant /
>>>     token storage
>>>
>>>     > Since SPA is a new normal now, it becomes extremely difficult
>>>     to enforce HTTPOnly flag, because JS needs access to secrets
>>>     including those stored in cookies.
>>>     In a browser environment, this is only true when you need to
>>>     make cross domain requests or are using cookie data for
>>>     something other than session state.
>>>     If your current page origin and the page you are requesting are
>>>     the same, then your cookies can be HTTPOnly without impacting
>>>     functionality. If you need additional cookies for other things
>>>     that need to be accessed via JS, use a separate cookie.
>>>     So sure, there are a few workflows in OAuth where you need to
>>>     access "cookie data" from JS and HTTPOnly is not viable. But
>>>     there are a few where it is viable. I don't think it's as simple
>>>     as "we need to talk to cookie data via JS all the time.".
>>>     Aloha, Jim
>>>     On 9/8/16 8:15 AM, Oleg Gryb wrote:
>>>>     Jim,
>>>>
>>>>     It's outdated a bit. Since SPA is a new normal now, it becomes
>>>>     extremely difficult to enforce HTTPOnly flag, because JS needs
>>>>     access to secrets including those stored in cookies. 5-10 years
>>>>     ago I would always enforce HTTPOnly and now - I can't.
>>>>
>>>>     Thanks,
>>>>     Oleg.
>>>>
>>>>         ------------------------------------------------------------------------
>>>>         *From:* Jim Manico <jim@manicode.com> <mailto:jim@manicode.com>
>>>>         *To:* Adam Lewis <adam.lewis@motorolasolutions.com>
>>>>         <mailto:adam.lewis@motorolasolutions.com>
>>>>         *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org>
>>>>         *Sent:* Thursday, September 8, 2016 10:45 AM
>>>>         *Subject:* Re: [OAUTH-WG] best practices for implicit grant
>>>>         / token storage
>>>>
>>>>         In the web world, cookies for session identifiers are much
>>>>         safer - since we can use HTTPOnly cookies to protect them
>>>>         from theft via XSS. The same mechanism is not possible for
>>>>         localStorage. Overall, security folk say •keep sensitive
>>>>         data out of localStorage• since one XSS and it's stolen.
>>>>         There is also a huge body of work underway to make secure
>>>>         cookies even more so.
>>>>
>>>>         I'm not sure how this translates to native apps.
>>>>
>>>>         --
>>>>         Jim Manico
>>>>         @Manicode
>>>>
>>>>         On Sep 8, 2016, at 3:02 AM, Adam Lewis
>>>>         <adam.lewis@motorolasolutions.com
>>>>         <mailto:adam.lewis@motorolasolutions.com>> wrote:
>>>>
>>>>>         Hi,
>>>>>
>>>>>         The WG is currently putting together best practices for
>>>>>         native apps.  I would like to better understand the best
>>>>>         practices around ua-based-apps, especially as it relates
>>>>>         to token storage.  I've read various blog posts about the
>>>>>         preference between storing tokens in cookies vs.  Web
>>>>>         Storage (localStorage/sessionStorage).  The current set of
>>>>>         specs are rather silent on the matter, as it is more of an
>>>>>         implementation issue (but that is where most mistakes are
>>>>>         made).
>>>>>
>>>>>         What is the WG's guidance on this?
>>>>>         _______________________________________________
>>>>>         OAuth mailing list
>>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>         _______________________________________________
>>>>         OAuth mailing list
>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>
>>>     -- 
>>>     Jim Manico
>>>     Manicode Security
>>>     https://www.manicode.com <https://www.manicode.com/>
>>>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>> -- 
>> Jim Manico
>> Manicode Security
>> https://www.manicode.com
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email