Re: [OAUTH-WG] best practices for implicit grant / token storage
Jim Manico <jim@manicode.com> Thu, 08 September 2016 22:51 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0278012B274 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIF-wr-XJdYe for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 15:51:47 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57328128B44 for <oauth@ietf.org>; Thu, 8 Sep 2016 15:51:47 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id p64so22590677pfb.1 for <oauth@ietf.org>; Thu, 08 Sep 2016 15:51:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=+MAQrqC0lz/eWm0PAgY1P+crZe1xO3i7R0aQ37nbc1Q=; b=BAUwvTI7Zo/An7nMPBAMIyJYmMZkf4phKz7X4p/Yis6D2tjN4qEzKJkjmghsYoIadd ljkUb6ervi2ueErIyugiQKGKeQ5v+eRg24dfG/wbGQPWXvVEQNxscE2gd5V8/msWvZyA NOu0bEqmAuFxPtGf/hHIjOKKSM7gO/QIhlW/kW3UVEHD1r6izFEH3jIonXcP3HPa1UZu mKddI9ZCg14quqPJB61KKNf8AvRBKLk6rNCVa0E3hkOk69qoCXNGb4POJfQl9nU0JRHx EcKInLzCZUEaQOU3flAGCkFZ6N+/CrZ5wGDFIl63nQWh13G9K7ywCg1ichcAUSq2CVfy G3UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=+MAQrqC0lz/eWm0PAgY1P+crZe1xO3i7R0aQ37nbc1Q=; b=OdRsTLwFbkyv2BVmESbOSzwzKrdbWUoQwOQUJMI0FjmzzNcoLG9I77DSIaNEgxr+1p arDkUrMbiVB7z+saXulyyVVR8Gn1qMS8DQ+4Sg/Cu89U2wlCk/wguXs+OQq+0iB+ct4i yVg6eSLZdvDntuOXHoFRGEqrCIR3hL6BCIhhbZ50MA5Jme6HoDfNB2xhfNUlbMrxXDVu k6hVBHTcIEQ1OiIf5ZxoslEkcjEPqjPWnFMs7N64TX9kI6GQ/VGtEylxB20pA1QKHhnF epkYktRtirJZ2Kyh+iAm+PjxEht+nvYgbpgTDEejmnzJNZIFL2Jp9AUBZHROyIjxypoG 7Nmg==
X-Gm-Message-State: AE9vXwMGDtvp5pS/sPnImwf5Bl//oVvAoermNa1NrDWk5I2WiZfnm8yyYKy+Lz4GQhzcYg5Z
X-Received: by 10.98.29.8 with SMTP id d8mr730471pfd.142.1473375106544; Thu, 08 Sep 2016 15:51:46 -0700 (PDT)
Received: from heembo.local ([2605:e000:112b:c167:3ccb:e369:74b0:50fc]) by smtp.googlemail.com with ESMTPSA id vy9sm221593pab.22.2016.09.08.15.51.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Sep 2016 15:51:44 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com> <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com> <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <3be430fb-afe7-ab94-1369-7fcdfdedec0b@manicode.com>
Date: Thu, 08 Sep 2016 12:51:41 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------CF5787419ED16CAF623550F6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u3zJ_SpJEY8Z8Z5YbgisrMFRsFc>
Cc: Oleg Gryb <oleg@gryb.info>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 22:51:50 -0000
+1000 on a OAuth Security Best Practices document. I'd be happy to review or help some. I think right now the answer is: keep away from implicit grants and do not store bearer tokens in the browser. Instead, use the authorization code grant which only exposes bearer tokens intra-server. For /*web apps*/, I feel the only good place to store authentication, session or token information is in a HTTPOnly flagged cookie to keep JS away from sensitive information. Aloha, Jim On 9/8/16 12:38 PM, John Bradley wrote: > It is an interesting discussion, indicating that perhaps a best > practices document is in order. > > I have had several people ask me about SPA using OAuth recently. > > Until we get the W3C to finish fetch and extend it for token binding, > we are going to have ongoing issues with bearer tokens in the browser > and where to store them. > > I don’t know that there is a perfect solution for bearer tokens, but > documenting the tradeoffs may be useful. > > John B. > >> On Sep 8, 2016, at 6:07 PM, Jim Manico <jim@manicode.com >> <mailto:jim@manicode.com>> wrote: >> >> +1 I think that's a very fair perspective. >> >> Putting sensitive data in LocalStorage is still a very bad idea. :) >> One XSS and gone. Maybe XSS is not a big deal in a native app, but >> it's death to Web apps. >> >> Aloha, Jim >> >> >> On 9/8/16 10:20 AM, Oleg Gryb wrote: >>> In SPA/REST env session ID is not very useful, so it's *an* auth >>> token or tokens (not necessary OAuth one) that are stored in a >>> cookie. It's used to get REST calls authenticated and yes, it >>> usually runs in a multi-domain envs (think about micro services >>> architecture). It makes me think that the value of HTTPOnly will >>> continue diminishing, while the value of good cross-domain policies >>> will increase. Just my opinion coming from my experience. I don't >>> have big (or small) data available to confirm that. >>> >>> >>> ------------------------------------------------------------------------ >>> *From:* Jim Manico <jim@manicode.com> >>> *To:* Oleg Gryb <oleg@gryb.info>; Adam Lewis >>> <adam.lewis@motorolasolutions.com> >>> *Cc:* OAuth WG <oauth@ietf.org> >>> *Sent:* Thursday, September 8, 2016 12:51 PM >>> *Subject:* Re: [OAUTH-WG] best practices for implicit grant / >>> token storage >>> >>> > Since SPA is a new normal now, it becomes extremely difficult >>> to enforce HTTPOnly flag, because JS needs access to secrets >>> including those stored in cookies. >>> In a browser environment, this is only true when you need to >>> make cross domain requests or are using cookie data for >>> something other than session state. >>> If your current page origin and the page you are requesting are >>> the same, then your cookies can be HTTPOnly without impacting >>> functionality. If you need additional cookies for other things >>> that need to be accessed via JS, use a separate cookie. >>> So sure, there are a few workflows in OAuth where you need to >>> access "cookie data" from JS and HTTPOnly is not viable. But >>> there are a few where it is viable. I don't think it's as simple >>> as "we need to talk to cookie data via JS all the time.". >>> Aloha, Jim >>> On 9/8/16 8:15 AM, Oleg Gryb wrote: >>>> Jim, >>>> >>>> It's outdated a bit. Since SPA is a new normal now, it becomes >>>> extremely difficult to enforce HTTPOnly flag, because JS needs >>>> access to secrets including those stored in cookies. 5-10 years >>>> ago I would always enforce HTTPOnly and now - I can't. >>>> >>>> Thanks, >>>> Oleg. >>>> >>>> ------------------------------------------------------------------------ >>>> *From:* Jim Manico <jim@manicode.com> <mailto:jim@manicode.com> >>>> *To:* Adam Lewis <adam.lewis@motorolasolutions.com> >>>> <mailto:adam.lewis@motorolasolutions.com> >>>> *Cc:* OAuth WG <oauth@ietf.org> <mailto:oauth@ietf.org> >>>> *Sent:* Thursday, September 8, 2016 10:45 AM >>>> *Subject:* Re: [OAUTH-WG] best practices for implicit grant >>>> / token storage >>>> >>>> In the web world, cookies for session identifiers are much >>>> safer - since we can use HTTPOnly cookies to protect them >>>> from theft via XSS. The same mechanism is not possible for >>>> localStorage. Overall, security folk say •keep sensitive >>>> data out of localStorage• since one XSS and it's stolen. >>>> There is also a huge body of work underway to make secure >>>> cookies even more so. >>>> >>>> I'm not sure how this translates to native apps. >>>> >>>> -- >>>> Jim Manico >>>> @Manicode >>>> >>>> On Sep 8, 2016, at 3:02 AM, Adam Lewis >>>> <adam.lewis@motorolasolutions.com >>>> <mailto:adam.lewis@motorolasolutions.com>> wrote: >>>> >>>>> Hi, >>>>> >>>>> The WG is currently putting together best practices for >>>>> native apps. I would like to better understand the best >>>>> practices around ua-based-apps, especially as it relates >>>>> to token storage. I've read various blog posts about the >>>>> preference between storing tokens in cookies vs. Web >>>>> Storage (localStorage/sessionStorage). The current set of >>>>> specs are rather silent on the matter, as it is more of an >>>>> implementation issue (but that is where most mistakes are >>>>> made). >>>>> >>>>> What is the WG's guidance on this? >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>> >>> -- >>> Jim Manico >>> Manicode Security >>> https://www.manicode.com <https://www.manicode.com/> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >> >> -- >> Jim Manico >> Manicode Security >> https://www.manicode.com >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] best practices for implicit grant / to… Adam Lewis
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … John Bradley
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico
- Re: [OAUTH-WG] best practices for implicit grant … Oleg Gryb
- Re: [OAUTH-WG] best practices for implicit grant … Jim Manico