Re: [OAUTH-WG] best practices for implicit grant / token storage

Oleg Gryb <oleg_gryb@yahoo.com> Thu, 08 September 2016 18:15 UTC

Date: Thu, 08 Sep 2016 18:15:00 +0000
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Jim Manico <jim@manicode.com>, Adam Lewis <adam.lewis@motorolasolutions.com>
Message-ID: <632483756.1929562.1473358500330@mail.yahoo.com>
In-Reply-To: <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xi6PoMWEHzjDj0OYm-l2WUFCsTc>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage

Jim,
It's a bit outdated. Since SPA is the new normal now, it becomes extremely difficult to enforce the HTTPOnly flag, because JS needs access to secrets, including those stored in cookies. 5-10 years ago I would always enforce HTTPOnly, and now I can't.
Thanks,
Oleg.
From: Jim Manico <jim@manicode.com>
To: Adam Lewis <adam.lewis@motorolasolutions.com>
Cc: OAuth WG <oauth@ietf.org>
Sent: Thursday, September 8, 2016 10:45 AM
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage

In the web world, cookies for session identifiers are much safer, since we can use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say "keep sensitive data out of localStorage" since one XSS and it's stolen. There is also a huge body of work underway to make secure cookies even more so.
I'm not sure how this translates to native apps.

--Jim Manico@Manicode
On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:

Hi,
The WG is currently putting together best practices for native apps. I would like to better understand the best practices around ua-based apps, especially as they relate to token storage. I've read various blog posts about the preference between storing tokens in cookies vs. Web Storage (localStorage/sessionStorage). The current set of specs is rather silent on the matter, as it is more of an implementation issue (but that is where most mistakes are made).
What is the WG's guidance on this?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
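A check a practitioner could run against the cookie side of this discussion, as an added example that is not part of the thread: it parses `Set-Cookie` headers from a response and reports which cookies a page script could read because they lack the `HttpOnly` flag Jim refers to (the same exposure to XSS theft as localStorage), plus whether `Secure` is set. The header values are constructed samples, and the function names are my own.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for the
// HttpOnly protection discussed above. Sample header values are constructed.

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; flags without a value become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify a single cookie. Without HttpOnly it is readable through
// document.cookie, so an XSS payload can exfiltrate it just like a
// localStorage entry; without Secure it can also travel over plain HTTP.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.attrs.secure) findings.push('missing Secure: may be sent over plain HTTP');
  return { name: c.name, scriptReadable: !c.attrs.httponly, findings };
}

// Audit every Set-Cookie header of one response.
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(auditCookie);
}

// Constructed sample response headers: a hardened session cookie, an access
// token cookie an SPA reads from JS (so it cannot be HttpOnly), and a
// preference cookie with no flags at all.
const SAMPLE_SET_COOKIE = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'access_token=eyJ...; Path=/; Secure',
  'theme=dark; Path=/',
];

for (const r of auditResponse(SAMPLE_SET_COOKIE)) {
  console.log(r.name, r.scriptReadable ? 'SCRIPT-READABLE' : 'ok', r.findings.join('; '));
}
```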