Re: [OAUTH-WG] WebApp BCP thoughts
Yannick Majoros <yannick@valuya.be> Fri, 23 September 2022 20:43 UTC
Return-Path: <yannick@valuya.be>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECECC1526E6 for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2022 13:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=valuya.be
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJEMTNwXzxtP for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2022 13:43:55 -0700 (PDT)
Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 817F1C14F728 for <oauth@ietf.org>; Fri, 23 Sep 2022 13:43:54 -0700 (PDT)
Received: by mail-pj1-x1030.google.com with SMTP id q35-20020a17090a752600b002038d8a68fbso7016291pjk.0 for <oauth@ietf.org>; Fri, 23 Sep 2022 13:43:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valuya.be; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=1w0ohQE/D/L5JDowJTomuTc4dT0JpHNsgbjtqmQ58Lc=; b=RybHvS3NGeNb5FFzF5vrRdj3JirqnNlQf2CH2PeFMjQzj2/UIPYg46PK9Sc3TlbuF1 r17MskAE0w97hviJYT2dvpb8QBD4B0LyUTQ9DcUos6pmo+pxvEPVS9Qk6vkeFsaGzRWR wH3OkPr8u4Gi0UBFGxIOIvRzMiFHpg75F3EMI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=1w0ohQE/D/L5JDowJTomuTc4dT0JpHNsgbjtqmQ58Lc=; b=l4wYg+2ENIsu+XrvlMUKt6qdEMPV8n1ZBLQ5PJUpjFb0aJgDqNRS2IjZd0OnnGf1JJ KCWIsFVskEnKDlfFgKdvn1EEwgq1/IhhKxeW6Ira9q/C9HLtSasBbx7cAG4KyS4XD02j smom3b0xr2reQ4AOW98iaWcZMdgi5Zupjmp60RcxvhYUFtiZXkpMOVxz27P8u6jzUCvm hUAFbCBsAORhMxp9RiqChrXkM/Z5uUpLCa3clxe2ap+QWVs4ofcT10BYM1LRgcfcJ2WM 1sSlvZ8pbfTm2hC31ykqvvokXEM3ptlzMOnOESw3FbFe8bLjRf0bcmxmlW7KoB2ug+Z4 rLYw==
X-Gm-Message-State: ACrzQf2A2EN7cTTqqrg6BcfBQpYdIl5PKGGJPxJXqqOum09iyKQ+LsUs o0cReFGl6JAkgpsGIc23M4PWfVo28QNsTmyfv+2J9g==
X-Google-Smtp-Source: AMsMyM4xjDO1zed7lG9rek0kW5Rv908iQ4kv5xY9ksOed41Pjtuotx+EWFMO9bCBkHA7WYvTdk57yG2dRrvaiIufltM=
X-Received: by 2002:a17:902:6542:b0:172:95d8:a777 with SMTP id d2-20020a170902654200b0017295d8a777mr10373200pln.61.1663965834042; Fri, 23 Sep 2022 13:43:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAO7Ng+v16tfeNJCw-K2OPE0fmFQgnejEo38_urNiTmi3pUUTAA@mail.gmail.com>
In-Reply-To: <CAO7Ng+v16tfeNJCw-K2OPE0fmFQgnejEo38_urNiTmi3pUUTAA@mail.gmail.com>
From: Yannick Majoros <yannick@valuya.be>
Date: Fri, 23 Sep 2022 22:43:41 +0200
Message-ID: <CALNQ_j+bNHX-RjeSKOKP7dKb2PtVTHHAYwkNzubMVGh+u1Zu1g@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000074f96b05e95e3cf8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vEv8hVDtyHFPMZiywQDaqIReEqc>
Subject: Re: [OAUTH-WG] WebApp BCP thoughts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2022 20:44:00 -0000
Hello Dominick and everyone, I contributed to the latest drafts. I do share some concerns about the organization of the document, which can be improved. OTOH, some care has been put in the latest drafts about consistency (naming patterns and parts of systems in a similar way through all parts of the documents), and documenting security considerations per architectural pattern, including some pros and cons. I do think that further documenting attacks, vulnerable architectures and their mitigations, would indeed help. Another opportunity for improvement could be to extract some reusable patterns, and adding some kind of overview, i.e. with a combination matrix. For example, off the top of my head, we have some aspects that could be mixed-and-matched into different architectural patterns: - client: A.backend/B.service worker/C.dom js - token storage/calling resource server: 1.backend 2.service worker 3.dom js (multiple subcases, e.g. local/session storage, web worker, closure) - refresh (token & flow): I. backend II. service worker III. no refresh token, prompt=none iframe at navigation A1I = BFF proxy A3I = Token Mediating Backend B2II or B2III = Service Worker client C3III = JS client none = single-domain app without oauth Each aspect brings its bunch of PROs and CONS which could be documented there (e.g. backends will typically open some CSS attack vector while local/session storage will open some token exfiltration in case of XSS). There are some other weird combinations, and they should also be explored (at least to document why they aren't recommended). I do think that whatever we do, this kind of document is difficult to read for someone with less experience in oauth. We can partly solve it, but we could also add some learning materials (cookbooks, security matrixes, ...). Do you have some examples of "jumping straight to conclusions without giving a good pro/con breakdown" which we could improve? Best regards, Yannick Le mar. 20 sept. 2022, 19:15, Dominick Baier <dbaier@leastprivilege.com> a écrit : > Hi Aaron et al, > > I re-read the latest version of the web app BCP. For me it has become > increasingly hard to follow, and so I’m concerned that it’s even harder for > the target audience this document is intended for. > > It seems that over time more and more content got accumulated which IMO > jumps straight to conclusions without giving a good pro/con breakdown. I > worry that it will be hard for someone with less experience to make the > right choices (or easy to do the wrong ones). > > Given we both (and others here on that list) attended Philippe de Rycks > presentations at the OSW, I wonder if it wouldn’t make sense to start this > document with the browser attacker model. This would make it very clear > what an attacker is potentially able to do in the browser. > > From there this would lead to various risks/attacks like > > • Session hijacking > • Access token exfiltration > • Refresh token exfiltration > • … > > ..and based on that there are different implementation/architecture > choices to make. Each implementation style helps in mitigating one or more > of the above attacks. None of them will solve them all of course. > > I think this approach would make this document more useful and maybe you > can consider such a re-design. > > Thanks > Dominick > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] WebApp BCP thoughts Dominick Baier
- Re: [OAUTH-WG] WebApp BCP thoughts Yannick Majoros