Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Nov Matake <matake@gmail.com> Sat, 08 December 2018 15:55 UTC

From: Nov Matake <matake@gmail.com>
In-Reply-To: <9A3744F9-B3D0-4AB3-95AB-7033A40BD51E@lodderstedt.net>
Date: Sun, 09 Dec 2018 00:55:26 +0900
Cc: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Daniel Fett <fett@danielfett.de>, IETF oauth WG <oauth@ietf.org>
Message-Id: <9AD1602D-9825-4970-B4DB-C0EECEF5442D@gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v0NZ5TzdHyTChYEL9FTffO8HYJU>

Hi Torsten,

> On Dec 8, 2018, at 22:20, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi Nov,
> 
>> Am 08.12.2018 um 00:20 schrieb Nov Matake <matake@gmail.com>:
>> 
>> For me, it seems very hard to issue a TB-bound token for a JS app and an MTLS-bound token for its backend server at the same time.
> 
> Issuing TB tokens in case of implicit is anyway hard. You need to issue an HTTP redirect to the RS and the RS must respond by HTTP redirecting the user agent to the AS (including the referred TBID). This is a new flow requiring an additional security analysis. Obviously, the RS would see the state value and could modify the request. And the RS endpoint must be protected against open redirection.

I understood.

But even using the code flow, issuing a TB-bound access token has the same difficulty, doesn't it?
I don't think this issue is related to the implicit flow.

>> Does someone have a workable recommendation for such a case?
> 
> Why do you need to issue access tokens to both parties, the frontend and the backend? I would assume a clear layering would either let the SPA or the backend perform the calls towards Resource EP.

My client wanted to access the Facebook API both from the SPA (for a real-time use case) and from its backend (for batch processing).
This is a normal motivation for developers using "response_type=code+token" today.

Using the backend server as the API gateway for all API calls causes a performance issue.

> kind regards,
> Torsten. 
>