IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

William Denniss <wdenniss@google.com> Thu, 29 November 2018 18:49 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E953F130E96 for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 10:49:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.959
X-Spam-Level:
X-Spam-Status: No, score=-18.959 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuxVelqFiRD3 for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 10:49:42 -0800 (PST)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7484130E74 for <oauth@ietf.org>; Thu, 29 Nov 2018 10:49:41 -0800 (PST)
Received: by mail-it1-x12f.google.com with SMTP id i145so4373674ita.4 for <oauth@ietf.org>; Thu, 29 Nov 2018 10:49:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ouu4u2TEGOUSrJ2CODNv7pSBV/cM8ZO2XwFRqTk13u8=; b=e+wvinE4eWPZ0pcbYWy8px/O+hNmcoJitgKBtHsqSjWjV3X4Og7vQO5zrHRXeFcGCV OBCwb58AfvOEAN2hscYZRLPvg12EtpbO0dnZzGMXgaMRR+j8sjpFb8VtjSzJAzpO/ZPj vhWAJwRxFtMvCpsS/MBf/uciYmG7jKAtaHp2SAGMQdF67xfSm6I5gfjMQb7GAkdkSsHs rFfcXPUzDboOGzyK3TCzYIzXLEiWEGbA2aqS57kOzHFWldcPvMAea3KUiYw2bySw/eBQ 5OseqgG1zuStdev6gikCjZ+iIJ+dH/tT/H8u/S+D6Vys327eP+IQBI0XOFKFniSD4xOr K6jQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ouu4u2TEGOUSrJ2CODNv7pSBV/cM8ZO2XwFRqTk13u8=; b=l6c2c8v0F1QliQhDG6hrGcUSP+ZP/K7VyZox3DJeiyhX2irJmFmRPV06wfpvDuMzxu pfEQTuZJ/jGAPb/LdKq8qziS0HVsW74ENaff8jGGAnpLOCjkA2Y8omDpgG07FHsEXota G5QsHMDr4KjO49ZsPjDd15ZudTvo9fb82uiwG+ih3h8HvTSTfwMhTJAkQ9FMF9la5nMu o64hf9nJ4Lp1XV1DqoW6S7HhwxuR8zRQi535Mz1kKBsiMpnKjbFjp3wrGwkRADKma77H 4qsTY/NJBHfLRPxLVzjvaNR1VSHqkr1wkMbpDI22gTX9rPH26wLS82ujBgbLw3mKJdSb 7M7A==
X-Gm-Message-State: AA+aEWZB+vheJwTrsTTBgPpoYli87Bt5DfjdS8BQ1/HPGc5K5f9nA2+W oGfejPPdflKTPigzJopAaIDiQdKJogfdzbUe+XDYpSr2spQ=
X-Google-Smtp-Source: AFSGD/V/qmIbQNCKDcrnrbnyCR4mYN+/WCNjgQVzyVy59OmIvKtRfM0DAjOtYZNgSz82XR43IVDsV0Gs7GifwPfG1ak=
X-Received: by 2002:a24:97c3:: with SMTP id k186mr2756409ite.125.1543517380553; Thu, 29 Nov 2018 10:49:40 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAANoGhK-NM8TAJcWWEyJoKv_53D29Tk4zH7MB+oJvUZCP41BRA@mail.gmail.com> <OSBPR01MB28696549CFF704BFDEA6A6EFF9D20@OSBPR01MB2869.jpnprd01.prod.outlook.com>
In-Reply-To: <OSBPR01MB28696549CFF704BFDEA6A6EFF9D20@OSBPR01MB2869.jpnprd01.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 29 Nov 2018 10:49:27 -0800
Message-ID: <CAAP42hDhXoBN3T6-MR0Pde+eNUm8geCKfqq6=Xn8PEDqj4sr3A@mail.gmail.com>
To: Nat Sakimura <n-sakimura@nri.co.jp>
Cc: John Bradley <ve7jtb@ve7jtb.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, fett@danielfett.de, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c79a5057bd2258e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xRO3yd_03R_Pjys9l_jqst2jlsM>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2018 18:49:45 -0000

+1

On Thu, Nov 29, 2018 at 10:43 AM n-sakimura <n-sakimura@nri.co.jp> wrote:

> +1
>
> Nat Sakimura / n-sakimura@nri.co.jp / +81-90-6013-6276
>
>
> このメールには、本来の宛先の方のみに限定された機密情報が含まれている場合がございます。お心あたりのない場合は、誠に申し訳ございませんが、送信者までお知らせ頂き、また受信されたメールは削除してくださいますようお願い申し上げます。
>
> PLEASE READ :This e-mail is confidential and intended for the named
> recipient only.
> If you are not an intended recipient, please notify the sender and delete
> this e-mail.
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of John Bradley <
> ve7jtb@ve7jtb.com>
> *Sent:* Thursday, November 29, 2018 7:33:57 PM
> *To:* Torsten Lodderstedt
> *Cc:* Daniel Fett; IETF oauth WG
> *Subject:* Re: [OAUTH-WG] OAuth Security Topics -- Recommend
> authorization code instead of implicit
>
> +1
>
> On Thu, Nov 29, 2018, 3:06 PM Torsten Lodderstedt <torsten@lodderstedt.net
> wrote:
>
>> Hi all,
>>
>> based on your feedback on the list and off list, Daniel and I polished
>> the text. That’s our proposal:
>>
>> —
>> In order to avoid these issues, clients MUST NOT use the implicit
>> grant (response type "token") or any other response type issuing access
>> tokens in the authorization response, such as "token id_token" and "code
>> token id_token“,
>> unless the issued access tokens are sender-constrained and access token
>> injection in
>> the authorization response is prevented.
>> —
>>
>> Explantation:
>> - we wanted to have the right balance between a generic definition of the
>> response types we do not recommend/allow to be used and a
>> concrete/actionable list of the affected response types.
>> - we changed from SHOULD NOT to MUST NOT as suggested by Nat and
>> supported by William
>>
>> We look forward to seeing your feedback.
>>
>> kind regards,
>> Torsten.
>>
>> > Am 29.11.2018 um 15:15 schrieb John Bradley <ve7jtb@ve7jtb.com>:
>> >
>> > I am ok with that.
>> >
>> > On Wed, Nov 28, 2018, 8:03 PM Torsten Lodderstedt <
>> torsten@lodderstedt.net wrote:
>> >
>> > > Am 28.11.2018 um 23:50 schrieb n-sakimura <n-sakimura@nri.co..jp
>> <n-sakimura@nri.co.jp>>:
>> > >
>> > > That works.
>> >
>> > Good!
>> >
>> > I just realized this text has an issue with „token“ (only). It would
>> allow „token“ to be used if the token would sender constrained. This
>> completely ignores the fact implicit also shall be abandoned because of its
>> vulnerability for access token injection.
>> >
>> > I therefore propose a modified text:
>> >
>> >    In order to avoid these issues, Clients SHOULD NOT use the implicit
>> >    grant. Furthermore, clients SHOULD only use other response types
>> causing the authorization server to
>> >    issue an access token in the authorization response, if the
>> particular response type detects access token
>> >    injection and the issued access tokens are sender-constrained.
>> >
>> > Or we just state:
>> >
>> >   In order to avoid these issues, Clients SHOULD NOT use the response
>> type „token". The response types
>> > „token id_token“ and „code token id_token“ SOULD NOT be used, if the
>> issued access tokens are not
>> > sender-constrained.
>> >
>> > >
>> > > In fact, I would further go and say MUST NOT but that probably is too
>> much for a security consideration.
>> > >
>> >
>> > Mike suggested to go with a SHOULD NOT to get the message out but give
>> implementors time to move/change.
>> >
>> > > Best,
>> > >
>> > > Nat
>> > >
>> > > Nat Sakimura / n-sakimura@nri.co.jp / +81-90-6013-6276
>> > >
>> > >
>> このメールには、本来の宛先の方のみに限定された機密情報が含まれている場合がございます。お心あたりのない場合は、誠に申し訳ございませんが、送信者までお知らせ頂き、また受信されたメールは削除してくださいますようお願い申し上げます。
>> > >
>> > > PLEASE READ :This e-mail is confidential and intended for the named
>> recipient only.
>> > > If you are not an intended recipient, please notify the sender and
>> delete this e-mail.
>> > >
>> > > 差出人: Torsten Lodderstedt <torsten@lodderstedt.net>
>> > > 送信日時: 水曜日, 11月 28, 2018 11:38 午後
>> > > 宛先: n-sakimura
>> > > Cc: Dick Hardt; Hannes Tschofenig; oauth@ietf.org
>> > > 件名: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization
>> code instead of implicit
>> > >
>> > > Hi Nat,
>> > >
>> > >> Am 28.11.2018 um 21:10 schrieb n-sakimura <n-sakimura@nri.co.jp>:
>> > >>
>> > >> I would support
>> > >>
>> > >> 1) clearly defining Implicit as the flow that returns access token
>> from the authorization endpoint ( some people confuses implicit as the flow
>> that returns ID Token in the front channel)
>> > >
>> > > That’s the current text:
>> > >
>> > > In order to avoid these issues, Clients SHOULD NOT use the implicit
>> > >    grant or any other response type causing the authorization server
>> to
>> > >    issue an access token in the authorization response.
>> > >
>> > > What would you like to modify?
>> > >
>> > >>
>> > >> 2) Banning the returning of the access token that are not sender
>> constrained from the authorization endpoint
>> > >
>> > > In order to avoid these issues, Clients SHOULD NOT use the implicit
>> > >    grant or any other response type causing the authorization server
>> to
>> > >    issue an access token in the authorization response, if this
>> access tokens is not sender-constraint.
>> > >
>> > > What about this?
>> > >
>> > > kind regards,
>> > > Torsten.
>> > >
>> > >>
>> > >> Best,
>> > >>
>> > >> Nat
>> > >>
>> > >>
>> > >> Outlook for iOS を入手
>> > >>
>> > >> 差出人: OAuth <oauth-bounces@ietf..org <oauth-bounces@ietf.org>> (Dick
>> Hardt <dick.hardt@gmail.com> の代理)
>> > >> 送信日時: 水曜日, 11月 28, 2018 8:58 午後
>> > >> 宛先: Hannes Tschofenig
>> > >> Cc: oauth@ietf.org
>> > >> 件名: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization
>> code instead of implicit
>> > >>
>> > >> +1
>> > >>
>> > >> While there are various mechanisms to alleviate some of the issues
>> of implicit, I don't think we can recommend specifics, and there may be
>> future ones in the future. I think we all agree that implicit without any
>> mitigation is problematic.
>> > >>
>> > >> How about we recommend against using implicit alone?
>> > >>
>> > >>
>> > >> On Mon, Nov 19, 2018 at 2:34 AM Hannes Tschofenig <
>> Hannes.Tschofenig@arm.com> wrote:
>> > >> Hi all,
>> > >>
>> > >> The authors of the OAuth Security Topics draft came to the
>> conclusion that it is not possible to adequately secure the implicit flow
>> against token injection since potential solutions like token binding or
>> JARM are in an early stage of adoption. For this reason, and since CORS
>> allows browser-based apps to send requests to the token endpoint, Torsten
>> suggested to use the authorization code instead of the implicit grant in
>> call cases in his presentation (see
>> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01
>> ).
>> > >>
>> > >> A hum in the room at IETF#103 concluded strong support for his
>> recommendations. We would like to confirm the discussion on the list.
>> > >>
>> > >> Please provide a response by December 3rd.
>> > >>
>> > >> Ciao
>> > >>
>> > >> Hannes & Rifaat
>> > >>
>> > >>
>> > >>
>> > >> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> > >> _______________________________________________
>> > >> OAuth mailing list
>> > >> OAuth@ietf.org
>> > >> https://www.ietf.org/mailman/listinfo/oauth
>> > >> _______________________________________________
>> > >> OAuth mailing list
>> > >> OAuth@ietf.org
>> > >> https://www.ietf.org/mailman/listinfo/oauth
>> > >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email