Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
Phil Hunt <phil.hunt@oracle.com> Mon, 03 December 2018 01:16 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CF9130DE1 for <oauth@ietfa.amsl.com>; Sun, 2 Dec 2018 17:16:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.759
X-Spam-Level:
X-Spam-Status: No, score=-5.759 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnSNf31zV5P0 for <oauth@ietfa.amsl.com>; Sun, 2 Dec 2018 17:16:45 -0800 (PST)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFD11274D0 for <oauth@ietf.org>; Sun, 2 Dec 2018 17:16:44 -0800 (PST)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wB31ETqt179017; Mon, 3 Dec 2018 01:16:43 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=NlEXm6A2DGbKYPfT+16fvQlBLnxVeBdRaAiKsPx7FyM=; b=XEyTczq1gcmzSLMMRtppOKR0icXstCYMWIL8kwptbqYEjLaD/CjUAJnNClezlX5GbaDA 595QHfppRm2uTIX6x6S5jpx8iOXD2e2hAAA/dd6Jztw+IRQaahEaTOs+r53qJB7jcyPA 47VvEc2kVctQ6UBZt8jR9P3D01Y/noIF55pLQZTbsy+wH2yDKHhNUQbhqEjH9xyzUmR1 YO+dU3Q2Hovg3G+lHz3avKuP3SWt8O+YqSRDxETqqK77x4paoNpYaozpXrs0xi810GTd 4Dogbz0JxssPxQ6uJ7ilenwp4zf/ifIN09qfN51XvBCpkdZV/j4bfJ6SHcGheMzNv106 TA==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2120.oracle.com with ESMTP id 2p3j8q3ks6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 03 Dec 2018 01:16:43 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id wB31Ggj3019495 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 3 Dec 2018 01:16:42 GMT
Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wB31Gf8g007506; Mon, 3 Dec 2018 01:16:41 GMT
Received: from [10.0.1.20] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Dec 2018 01:16:41 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail-27C4B204-5E14-4D27-ACCE-BBA32ADDEF6F"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (16B92)
In-Reply-To: <CAGBSGjoVox6Ab274DbHfEBaXibk8OFeXy6g3SEXxRP1TauPBvQ@mail.gmail.com>
Date: Sun, 02 Dec 2018 17:16:39 -0800
Cc: torsten@lodderstedt.net, OAuth WG <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <450442E3-80FA-416D-9C25-DDFB95B11628@oracle.com>
References: <VI1PR0801MB211299BED6B61582DC33B873FACB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAGBSGjqHKVveZor-oKUWzsQ0Rg5Fk_d2dns_eQFqfvXJynyQaQ@mail.gmail.com> <9347fff8-f3b9-4ee9-84d3-5eebc8dd13f4@getmailbird.com> <309DAA7D-E9B9-4A89-B30E-5BE37DC6CC85@lodderstedt.net> <27627bee-aaab-44fd-9821-b58f7b33bc13@getmailbird.com> <7A852312-B129-4A0F-9914-8DC7E63FD12C@lodderstedt.net> <64a7f649-d2d8-4983-a564-5193adb4314a@getmailbird.com> <5B60008C-C6A7-44CC-B045-9A8C1248ED30@lodderstedt.net> <CA+k3eCTjRWo-OF+Q=KotOJzfBw1uSe7w_bHWDhDKi3WRjQsH9Q@mail.gmail.com> <VI1PR0801MB21121BCD21DE8ABAF055E603FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <E0F62B7E-9C58-493A-BEFD-91D7441BB5BF@lodderstedt.net> <0BD84A8F-0A71-45CC-BE20-89FBC8FF18D2@lodderstedt.net> <df7c80be-477e-bb4a-cc29-edb233571a2f@ve7jtb.com> <A6E974DC-59C2-43E2-9534-CAD2EE695941@lodderstedt.net> <CAGBSGjoVox6Ab274DbHfEBaXibk8OFeXy6g3SEXxRP1TauPBvQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9095 signatures=668686
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812030011
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vJtvvnaGtmhMqVRhduNKbl6eSpE>
Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 01:16:47 -0000
You may be placing undue confidence in that gateway acting as a confidential client but having no real security of its own and which could be easily duped. Phil > On Dec 2, 2018, at 3:43 PM, Aaron Parecki <aaron@parecki.com> wrote: > > In this type of deployment, as far as OAuth is concerned, isn't the backend web server a confidential client? Is there even anything unique to this situation as far as OAuth security goes? > > I wouldn't have expected an Angular app that talks to its own server backend that's managing OAuth credentials to fall under the umbrella of this BCP. > > ---- > Aaron Parecki > aaronparecki.com > > > >> On Sat, Dec 1, 2018 at 11:31 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote: >> the UI is rendered in the frontend, UI control flow is in the frontend. just a different cut through the web app’s layering >> >> All Angular apps I have seen so far work that way. And it makes a lot of sense to me. The backend can aggregate and optimize access to the underlying services without the need to fully expose them. >> >>> Am 02.12.2018 um 00:44 schrieb John Bradley <ve7jtb@ve7jtb.com>: >>> >>> How is that different from a regular server client with a web interface if the backed is doing the API calls to the RS? >>> >>> >>> >>>> On 12/1/2018 12:25 PM, Torsten Lodderstedt wrote: >>>> I forgot to mention another (architectural) option: split an application into frontend provided by JS in the browser and a backend, which takes care of the business logic and handles tokens and API access. Replay detection at the interface between SPA and backend can utilize standard web techniques (see OWASP). The backend in turn can use mTLS for sender constraining. >>>> >>>> Am 01.12.2018 um 15:34 schrieb Torsten Lodderstedt <torsten@lodderstedt.net>: >>>> >>>>> IMHO the best mechanism at hand currently to cope with token leakage/replay in SPAs is to use refresh tokens (rotating w/ replay detection) and issue short living and privilege restricted access tokens. >>>>> >>>>> Sender constrained access tokens in SPAs need adoption of token binding or alternative mechanism. mtls could potentially work in deployments with automated cert rollout but browser UX and interplay with fetch needs some work. We potentially must consider to warm up application level PoP mechanisms in conjunction with web crypto. Another path to be evaluated could be web auth. >>>>> >>>>> Am 01.12.2018 um 10:15 schrieb Hannes Tschofenig <Hannes.Tschofenig@arm.com>: >>>>> >>>>>> I share the concern Brian has, which is also the conclusion I came up with in my other email sent a few minutes ago. >>>>>> >>>>>> >>>>>> >>>>>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell >>>>>> Sent: Friday, November 30, 2018 11:43 PM >>>>>> To: Torsten Lodderstedt <torsten@lodderstedt.net> >>>>>> Cc: oauth <oauth@ietf.org> >>>>>> Subject: Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Sat, Nov 17, 2018 at 4:07 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote: >>>>>> >>>>>> > Am 15.11.2018 um 23:01 schrieb Brock Allen <brockallen@gmail.com>: >>>>>> > >>>>>> > So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)? >>>>>> >>>>>> Sure. That’s why the Security BCP recommends use of TLS-based methods for sender constraining access tokens (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2..2) Token Binding for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08) as well as Mutual TLS for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) are the options available. >>>>>> >>>>>> >>>>>> >>>>>> Unfortunately even when using the token endpoint, for SPA / in-browser client applications, the potential mechanisms for sender/key-constraining access tokens don't work very well or maybe don't work at all. So I don't know that the recommendation is very realistic. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you. >>>>>> >>>>>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] draft-parecki-oauth-browser-based-apps… Hannes Tschofenig
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Joseph Heenan
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Simon Moffatt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Tomek Stojecki
- [OAUTH-WG] draft-parecki-oauth-browser-based-apps… Daniel Fett
- [OAUTH-WG] draft-parecki-oauth-browser-based-apps… Daniel Fett
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Daniel Fett
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… n-sakimura
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Tomek Stojecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brock Allen
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brian Campbell
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Hans Zandbelt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Jim Manico
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… George Fletcher
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Hans Zandbelt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brian Campbell
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… John Bradley
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Rob Otto
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Phil Hunt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Hans Zandbelt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… David Waite
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… John Bradley
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Brian Campbell
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-parecki-oauth-browser-based-… Aaron Parecki