Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

Neil Madden <neil.madden@forgerock.com> Wed, 17 March 2021 08:15 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863F23A0BFF for <oauth@ietfa.amsl.com>; Wed, 17 Mar 2021 01:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id esx4Vy_xHvg4 for <oauth@ietfa.amsl.com>; Wed, 17 Mar 2021 01:14:58 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 022E93A0BFD for <oauth@ietf.org>; Wed, 17 Mar 2021 01:14:57 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id dx17so1141153ejb.2 for <oauth@ietf.org>; Wed, 17 Mar 2021 01:14:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=jOU8u7d1omVAkTUrO6KS1GfoMG1jvFesJPgfVldxFD4=; b=CZGY5h6Ix7hNr0wcA2hQ/YnLElAR9oI8nfiXIM9yRaXbZ+fUMymHqZ6Lwy6/sEY+LR Qhv6TscgpAtjh/GZlftseCtAwBMU8xCEjfwCTcXI+5ghDoPRGrLARYdZpWdc4vITDIVL vIe4N/do1ZpqpEyuMAjAzg6bt0x0aqdH4+Dx0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=jOU8u7d1omVAkTUrO6KS1GfoMG1jvFesJPgfVldxFD4=; b=B6dJ0q4bKpcz0k8F6QuEOtM775hd75/GAzlUIxtjvQXmzLS57ny+o3fpInr6Tw6o8B 25yQDkbyIX/QsxPb2DJSVbzxKcPWcyhNYfMHsQKiE1PqWUsvAUgTSqIsjAvQEsM9KekI SL6ugdNGhOa/p9EHBoKuaEF3H1LJeDsba3puQXkr3weSk89eEJK0v4ja16d/RdeWHu/Z Gl1axAUXVmjfU4IW0TAXK8jWqBo8Q27bJsGNVZXQ3LHqWoXNLGJBb3CgvuJ/bEgNQNL2 pUtBozNQvUtmn2J8xOpOfpx//61by/PGmEoEsVeq2vl1X/T7lyFzEEHygXBY7dfqnWn4 o1aQ==
X-Gm-Message-State: AOAM533gJmhQFRaX0JZ+cilJQXDx2EgaAZWii3OvFzihf5wcV4X50zsD /mYHr+Ix7cqXYCGW+hA/Jyd/YMYruIuVs7MqBuhNVsYj9a7eof50o0+MV5OdKZksZPve3g8cYJX FLEfCzjNK64lVMhiRUAg/jdEkPdb9+zDMqUm7RQe3p9hNlPod6Tcw7mWk8P0IUKB7RqSl
X-Google-Smtp-Source: ABdhPJxAUAaidvtocGrZVoevpLiCb4ERAr+Xs/dLJqtvI7xhKuFTln+28cGzXXrL/D2AU3YwUIcvOg==
X-Received: by 2002:a17:906:a097:: with SMTP id q23mr28570337ejy.353.1615968891404; Wed, 17 Mar 2021 01:14:51 -0700 (PDT)
Received: from [10.0.0.2] (252.207.159.143.dyn.plus.net. [143.159.207.252]) by smtp.gmail.com with ESMTPSA id j14sm11718672edr.97.2021.03.17.01.14.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 17 Mar 2021 01:14:50 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 17 Mar 2021 08:14:49 +0000
Message-Id: <F079409D-8D3F-4FE8-A328-A8BE47275238@forgerock.com>
References: <AM0PR09MB2803BF0A50B14B1E2C5F22A4F36A9@AM0PR09MB2803.eurprd09.prod.outlook.com>
Cc: oauth@ietf.org
In-Reply-To: <AM0PR09MB2803BF0A50B14B1E2C5F22A4F36A9@AM0PR09MB2803.eurprd09.prod.outlook.com>
To: "SOMMER, DOMINIK" <dominik.sommer@milesandmore.com>
X-Mailer: iPhone Mail (18D52)
Content-Type: multipart/alternative; boundary="Apple-Mail-97A78C27-05F8-45F1-97C7-E02F0AB1FE59"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uStRaoWN4w6CoL6sSm2fnzvizU0>
Subject: Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 08:15:04 -0000

Right, but PKCE doesn’t stop an attack when the malicious app initiates the authorization flow. 

> On 17 Mar 2021, at 08:04, SOMMER, DOMINIK <dominik.sommer@milesandmore.com> wrote:
> 
> 
> I’d throw in PKCE as a means of assuring that the client who made the user follow the auth flow in the first place, is apparently the only one able to “redeem” the auth code returned to the redirect_uri.
>  
>  
> Von: OAuth <oauth-bounces@ietf.org> Im Auftrag von Om
> Gesendet: Mittwoch, 17. März 2021 06:17
> An: Neil Madden <neil.madden@forgerock.com>
> Cc: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>; oauth <oauth@ietf.org>; Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
> Betreff: Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]
>  
> If I read this correctly, https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-10 the 2.1 draft already addresses this under best practices.
>  
> On Mon, Mar 15, 2021 at 3:31 PM Neil Madden <neil.madden@forgerock.com> wrote:
> I want to come back to this topic as a new thread.
>  
> As I understand things, the difference on Android is that any app can claim to be a generic web browser and so claim to handle all URIs. Whereas on iOS only specifically vetted apps can claim to be web browsers. Is that correct?
>  
> If so, this does seem like a quite large hole in security of OAuth on Android. Should we be considering a new draft recommending alternative measures (such as attestation) on Android? Presumably the same issue is also true on most desktop OS?
>  
> — Neil
> 
> 
> On 23 Feb 2021, at 15:20, George Fletcher <gffletch@aol.com> wrote:
>  
> Unfortunately, in the mobile app world this isn't sufficient. On iOS using Universal Links will bind the https redirect_url to your app in a secure way but it doesn't work the same way on Android with App Links. There is still a problem with "mobile app impersonation". If you have an app that you want to ensure is "your" app then the most secure way is to look at "app attestation". This is however, way off topic for this thread :)
> 
> On 2/14/21 9:28 AM, Neil Madden wrote:
> Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This why it’s important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching. 
>  
> There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure. 
>  
> — Neil
>  
> On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.sleptsov@gmail.com> wrote:
>  
> 
> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS",
> with the objective to verify if they are valid.
>  
> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
> If we decide to implement our client as a frontend SPA , then we have no other option except through a BFF, as PKCE does not help for authentication.
>  
> Or is it considered a bad practice to do that?
>  
> Regards,
> Stoycho.
> 
> Sitz der Gesellschaft / Corporate Headquarters: Miles & More GmbH, Frankfurt am Main, Registereintragung / Registration: Amtsgericht Frankfurt am Main HRB 116409
> Geschaeftsfuehrung / Management Board: Sebastian Riedle, Dr. Oliver Schmitt
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  
>  
> 
> ForgeRock values your Privacy_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> --
> - Regards,
> Omkar Khair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>