Re: [OAUTH-WG] Confusion on Implicit Grant flow

Bill Burke <bburke@redhat.com> Mon, 09 February 2015 22:32 UTC

Message-ID: <54D93578.9050105@redhat.com>
Date: Mon, 09 Feb 2015 17:32:24 -0500
From: Bill Burke <bburke@redhat.com>
To: John Bradley <ve7jtb@ve7jtb.com>
References: <BLUPR04MB6918C7701D0DB90B0FA6B0D95380@BLUPR04MB691.namprd04.prod.outlook.com> <CANSMLKFMUQsBfOo=i0ki8PF_8PjRf7W3t=PiPo7qnftN9gUyWg@mail.gmail.com> <54D91317.9010101@redhat.com> <1E340378-2D34-4AC8-906C-415EF025068E@ve7jtb.com> <54D91D87.8040303@redhat.com> <FD337176-C292-4688-9CFA-A3C7DF40FCA2@ve7jtb.com> <54D92A3C.4060106@redhat.com> <32B26B45-FB75-47DF-8E34-42943B13F0E0@ve7jtb.com>
In-Reply-To: <32B26B45-FB75-47DF-8E34-42943B13F0E0@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yMAJwkJA9n0h6O4Q0QR34ubqZXc>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Confusion on Implicit Grant flow


On 2/9/2015 5:03 PM, John Bradley wrote:
> OK, I don't know if the WG has discussed the issue of fragments in browser history.
>
> So you are trading off several round trips against the possibility of a token leaking in browser history or bookmark?
>

Yes, bookmarking tokens is a little scary, IMO, as we've already run 
into users bookmarking URLs with codes in them.

Also, weren't there additional security vulnerabilities surrounding 
implicit flow?  Maybe these were just the product of incorrect 
implementations; I don't remember, it was a while ago.

> One extension that Connect introduced was a "code id_token" response type that is fragment encoded.  That would let you pass the code directly to the JS saving two legs.
>

It looks like OIDC added a "response_mode" parameter where you can 
specify "query" or "fragment".  Thanks for pointing this out!


Thanks for all the help.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
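The thread above is about where the authorization response lands (query vs. fragment, selected with the OIDC response_mode parameter) and about tokens or codes surviving in browser history and bookmarks. The following is an added example, not code from this post, from Keycloak, or from any implementation discussed in the thread. It shows a browser client that parses a fragment- or query-encoded response (e.g. the "code id_token" response type, which OpenID Connect delivers in the fragment by default), checks the returned state against the value the client stored before redirecting, and rewrites the current history entry so the code or token is not what gets bookmarked. The sample redirect URL and the parameter values in it are constructed; handleRedirect is a hypothetical browser-side wrapper and the parameter list scrubbed from the query is an assumption about what a response may carry.

```javascript
// Added example (not from the original mailing-list post). Handles an OAuth 2.0 /
// OpenID Connect authorization response that arrives in the URL fragment
// (response_mode=fragment, the default for implicit and for "code id_token") or
// in the query string (response_mode=query), then scrubs it from the URL.

// Parse the authorization response out of a redirect URL according to response_mode.
// Returns a plain object of parameter name -> value (URL-decoded).
function parseAuthorizationResponse(redirectUrl, responseMode = 'fragment') {
  const url = new URL(redirectUrl);
  const raw = responseMode === 'query'
    ? url.search.replace(/^\?/, '')   // query-encoded: "?code=...&state=..."
    : url.hash.replace(/^#/, '');     // fragment-encoded: "#code=...&id_token=...&state=..."
  const result = {};
  for (const [name, value] of new URLSearchParams(raw)) result[name] = value;
  return result;
}

// Compare the state echoed back by the authorization server with the state the
// client generated and stored before redirecting. A mismatch means the response
// does not belong to a request this client made and must be rejected.
// The comparison is length-checked and XOR-accumulated so it does not short-circuit.
function checkState(response, expectedState) {
  if (typeof response.state !== 'string' || typeof expectedState !== 'string') return false;
  if (response.state.length !== expectedState.length) return false;
  let diff = 0;
  for (let i = 0; i < expectedState.length; i++) {
    diff |= response.state.charCodeAt(i) ^ expectedState.charCodeAt(i);
  }
  return diff === 0;
}

// Return the redirect URL with the authorization response removed: the whole
// fragment is dropped, and the response parameters are deleted from the query
// while unrelated query parameters are kept. This is the URL to hand to
// history.replaceState() so the entry the browser just recorded no longer
// contains a code or token.
// The parameter list is an assumption covering the response types discussed here.
const RESPONSE_PARAMS = ['code', 'access_token', 'id_token', 'token_type',
                         'expires_in', 'scope', 'state', 'session_state'];
function scrubbedUrl(redirectUrl) {
  const url = new URL(redirectUrl);
  url.hash = '';
  for (const name of RESPONSE_PARAMS) url.searchParams.delete(name);
  return url.toString();
}

// Hypothetical browser-side wrapper: only runs where window exists.
// Scrubbing happens before any asynchronous work (e.g. redeeming the code), so
// a user who bookmarks or navigates away mid-flight does not keep the response.
function handleRedirect(expectedState, responseMode = 'fragment') {
  if (typeof window === 'undefined') return null;
  const href = window.location.href;
  const response = parseAuthorizationResponse(href, responseMode);
  window.history.replaceState(null, '', scrubbedUrl(href));
  if (!checkState(response, expectedState)) throw new Error('state mismatch');
  return response;
}

// Constructed sample: a "code id_token" response delivered in the fragment.
// The id_token value is a placeholder, not a real token.
const SAMPLE_FRAGMENT_RESPONSE =
  'https://client.example.org/cb#code=SplxlOBeZQQYbYS6WxSbIA' +
  '&id_token=eyJhbGciOiJub25lIn0.e30.&state=af0ifjsldkj';

// Constructed sample: a plain "code" response delivered in the query string,
// alongside an unrelated query parameter that should survive scrubbing.
const SAMPLE_QUERY_RESPONSE =
  'https://client.example.org/cb?code=abc123&state=s1&view=home';
```

Usage in a page that is the redirect_uri: call handleRedirect(storedState, 'fragment') as early as possible during load, then exchange response.code with the token endpoint. Dropping the fragment before that exchange is what keeps the code or token out of the history entry; the state check is what stops a response crafted for another session from being accepted.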