IETF Logo Mail Archive

Re: [OAUTH-WG] best practices for implicit grant / token storage

Oleg Gryb <oleg_gryb@yahoo.com> Fri, 09 September 2016 00:54 UTC

Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1CA412B2F2 for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 17:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.227
X-Spam-Level:
X-Spam-Status: No, score=-4.227 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uzLefX4dmuCf for <oauth@ietfa.amsl.com>; Thu, 8 Sep 2016 17:54:11 -0700 (PDT)
Received: from nm8-vm0.bullet.mail.bf1.yahoo.com (nm8-vm0.bullet.mail.bf1.yahoo.com [98.139.213.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B627C12B1BC for <oauth@ietf.org>; Thu, 8 Sep 2016 17:54:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1473382449; bh=mWwE18qs4MmBmLS3qbYxpCf+WnnA0D+tbcItE+hwHo0=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=Bsc3o2Y8ugl5+stQLzwj6BVHy5MUKzCUqsFrApgQ3PrPYgSzPEHjCjHGEA3q8SBl6EweFF+CQf8D5wfXGlnK5jTeK3FqjhmAhDfwXcvJ9y65qOFEWgpqp3keX7av90EJ6sWC46A1Yvd7LYiPTZ4iF+QXp93DD5v3tQDtROAsCDbRQLf1XTJ7V9InZiACtfGtfkUqVgpZnjE3KQU3kIxHmulTIOIq7i5tcWRWelEH6aZhI1Bgb6+uyLKi92nYGnSfLmMTXXGURGprIT9bysEK5VDzb/TetyEPpR2aD7aIiqDXDMs52ub60KM24fNXrYdvgCTNMS2ntioUkiJzUJEwsg==
Received: from [66.196.81.173] by nm8.bullet.mail.bf1.yahoo.com with NNFMP; 09 Sep 2016 00:54:09 -0000
Received: from [98.139.212.218] by tm19.bullet.mail.bf1.yahoo.com with NNFMP; 09 Sep 2016 00:54:09 -0000
Received: from [127.0.0.1] by omp1027.mail.bf1.yahoo.com with NNFMP; 09 Sep 2016 00:54:09 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 753974.9648.bm@omp1027.mail.bf1.yahoo.com
X-YMail-OSG: q_Wh6U8VM1mhngxFc31IsbcHrxrMW0uHWU5LUNQzbqnBwf222hIMi466kCZclXn ciAXX6UTAr.c9mLgP1Klx.zF6sTQy_MopdiDNpWNtMVbh5gkRNc.MpZ6J5c0vhDXw1hpZ_EiRnz4 7ShMQS5m36LqAHKK8A9eKbyYXpyV66.6tKWF3hE_nYAp.dxNgUiDvtUr404H1AvKazu4XzPJ2LQx wOsixkJKD.U5kcqdXOzX_pyA8yYu2VctdzYR_k49XHmneb75pBX53uFqSpCX.JhTVmaS3QxEleap G3dIwGkoeAR3Dl8JiNCbK2tDc.DEKuyk39Q_I3vQoGaX0YjITBki6.TCRG8ENX9PKrrrDy3mfHpQ a.Zu06cnCRljv.esDBB9mOp2TC1HkTmmA4EFaLLgmAACYBxJPa2x9frj4xwBm5b1bVT92.46lRx6 iJ9v.i9cEbMtfWsgdPK52ctn5plsr3GKxXGilZj_jWTV55eciFaCqwJ5N6CaZbjty8PZkLxm0z1E 5LSvH6DGGD3LzVw_OeqrcT8GoGrr660NZgyBC
Received: from jws106189.mail.bf1.yahoo.com by sendmailws146.mail.bf1.yahoo.com; Fri, 09 Sep 2016 00:54:09 +0000; 1473382449.356
Date: Fri, 09 Sep 2016 00:54:08 +0000
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Jim Manico <jim@manicode.com>, John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <951244384.2140569.1473382448817@mail.yahoo.com>
In-Reply-To: <3be430fb-afe7-ab94-1369-7fcdfdedec0b@manicode.com>
References: <CAOahYUzu3zH3ZR2HTUmN6Jp6W5Oo1XvR7G=k=FRN7RAHda8m-g@mail.gmail.com> <FB0A62F2-AD7E-4257-B993-C9E8D3BD989D@manicode.com> <632483756.1929562.1473358500330@mail.yahoo.com> <49c750b1-83e4-cdd3-1bab-3ae005810e66@manicode.com> <1013244548.1998164.1473366003274@mail.yahoo.com> <9265cef3-7859-cb09-ffe1-5d73a72af03e@manicode.com> <F9F2BE44-3977-4B37-857A-C9B4A2987FE1@ve7jtb.com> <3be430fb-afe7-ab94-1369-7fcdfdedec0b@manicode.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2140568_1188358003.1473382448798"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z58Jbri-qpT95oWPv6mtAfBCCQY>
Cc: Oleg Gryb <oleg@gryb.info>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 00:54:12 -0000

"keep away from implicit grants and do not store bearer tokens in the browser" - that would be practically impossible for the envs that I was writing about and "best practices"  that could not be enforced aren't worth much. I can formulate it in stronger terms: if OAuth wouldn't allow a JS client running in a browser its usability will be very low.

What could and should be improved in implicit grants is removing secrets from URL (fragment). That could be done as I've shown in the previous discussions.


 
      From: Jim Manico <jim@manicode.com>
 To: John Bradley <ve7jtb@ve7jtb.com> 
Cc: Oleg Gryb <oleg@gryb.info>; Adam Lewis <adam.lewis@motorolasolutions.com>; OAuth WG <oauth@ietf.org>
 Sent: Thursday, September 8, 2016 3:51 PM
 Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
   
 +1000 on a OAuth Security Best Practices document. I'd be happy to review or help some. 
  I think right now the answer is: keep away from implicit grants and do not store bearer tokens in the browser. Instead, use the authorization code grant which only exposes bearer tokens intra-server. For web apps, I feel the only good place to store authentication, session or token information is in a HTTPOnly flagged cookie to keep JS away from sensitive information.
 
 Aloha, Jim
 
 
 On 9/8/16 12:38 PM, John Bradley wrote:
  
 
 It is an interesting discussion, indicating that perhaps a best practices document is in order. 
  I have had several people ask me about SPA using OAuth recently. 
  Until we get the W3C to finish fetch and extend it for token binding, we are going to have ongoing issues with bearer tokens in the browser and where to store them. 
  I don’t know that there is a perfect solution for bearer tokens, but documenting the tradeoffs may be useful. 
  John B. 
  
 On Sep 8, 2016, at 6:07 PM, Jim Manico <jim@manicode.com> wrote: 
  
 +1 I think that's a very fair perspective. Putting sensitive data in LocalStorage is still a very bad idea. :) One XSS and gone. Maybe XSS is not a big deal in a native app, but it's death to Web apps.
  Aloha, Jim
  
 On 9/8/16 10:20 AM, Oleg Gryb wrote:
  
 In SPA/REST env session ID is not very useful, so it's *an* auth token or tokens (not necessary OAuth one) that are stored in a cookie. It's used to get REST calls authenticated and yes, it usually runs in a multi-domain envs (think about micro services architecture). It makes me think that the value of HTTPOnly will continue diminishing, while the value of good cross-domain policies will increase. Just my opinion coming from my experience. I don't have big (or small) data available to confirm that.   
 
 
   
      From: Jim Manico <jim@manicode.com>
 To: Oleg Gryb <oleg@gryb.info>; Adam Lewis <adam.lewis@motorolasolutions.com> 
 Cc: OAuth WG <oauth@ietf.org>
 Sent: Thursday, September 8, 2016 12:51 PM
 Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
  
   > Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in cookies. In a browser environment, this is only true when you need to make cross domain requests or are using cookie data for something other than session state. If your current page origin and the page you are requesting are the same, then your cookies can be HTTPOnly without impacting functionality. If you need additional cookies for other things  that need to be accessed via JS, use a separate cookie. So sure, there are a few workflows in OAuth where you need to access "cookie data" from JS and HTTPOnly is not viable. But there are a few where it is viable. I don't think it's as simple as "we  need to talk to cookie data via JS all the time.". Aloha, Jim
   On 9/8/16 8:15 AM, Oleg Gryb wrote:
  
  Jim, 
  It's outdated a bit. Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored  in cookies. 5-10 years ago I would always enforce HTTPOnly and now - I can't. 
 Thanks, Oleg.  
       From: Jim Manico <jim@manicode.com>
 To: Adam Lewis <adam.lewis@motorolasolutions.com> 
 Cc: OAuth WG <oauth@ietf.org>
 Sent: Thursday, September 8, 2016 10:45 AM
 Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
  
   In the web world, cookies for session identifiers are much safer -  since we can use HTTPOnly cookies to protect them from theft via XSS. The same  mechanism is not possible for localStorage. Overall, security folk say •keep  sensitive data out of localStorage• since one XSS and it's stolen.  There is also a huge body of work underway to make secure cookies even more so. 
  I'm not sure how this translates to native apps.
 
 -- Jim Manico @Manicode   
 On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
 
  
  Hi, 
  The WG is currently putting together best practices for  native apps.  I would like to better understand the best practices around  ua-based-apps, especially as it relates totoken storage.  I've read various blog posts about the preference between storing tokens in cookies vs.  Web Storage (localStorage/sessionStorage).  The current set of specs are rather silent on the matter, as it  is more of an implementation issue (but that is where most mistakes  are made). 
  What is the WG's guidance on this?   
  
 _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
  
   
 _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
  
 
    
   
  
 -- 
Jim Manico
Manicode Security
https://www.manicode.com   
 _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
  
 
    
   
 
 -- 
Jim Manico
Manicode Security
https://www.manicode.com  _______________________________________________
 OAuth mailing list
 OAuth@ietf.org
 https://www.ietf.org/mailman/listinfo/oauth
 
 
 -- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email