Re: [OAUTH-WG] best practices for implicit grant / token storage

Jim Manico <jim@manicode.com> Thu, 08 September 2016 17:45 UTC

Date: Thu, 08 Sep 2016 07:45:54 -1000
To: Adam Lewis <adam.lewis@motorolasolutions.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zB6aToDLFDfu28AZETQQctFDzi4>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage

In the web world, cookies for session identifiers are much safer - since we can use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say "keep sensitive data out of localStorage" since one XSS and it's stolen. There is also a huge body of work underway to make secure cookies even more so.

I'm not sure how this translates to native apps.

--
Jim Manico
@Manicode
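As an added illustration of the HttpOnly point above (example code, not from the thread or the WG): a small Node.js audit of Set-Cookie response headers that flags token-bearing cookies a page script could read through document.cookie, alongside a hardened header builder. The cookie-name pattern and the sample headers are constructed assumptions.

```javascript
// Added example, not from the mailing-list thread: audit Set-Cookie headers
// the way a reviewer would when a cookie is the alternative to localStorage.
// A cookie without HttpOnly is readable through document.cookie, so an XSS
// bug exposes it exactly like a localStorage value; HttpOnly removes that path.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Assumed name pattern for cookies that carry a credential (session id / token).
const SENSITIVE = /session|token|auth|sid/i;

// Return one finding per sensitive cookie that script can read, that can travel
// over cleartext, or that is not explicitly restricted to same-site requests.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE.test(c.name)) continue;
    const problems = [];
    if (!c.attrs.httponly) problems.push('readable via document.cookie (no HttpOnly)');
    if (!c.attrs.secure) problems.push('sent over plain HTTP (no Secure)');
    const ss = String(c.attrs.samesite || 'unset').toLowerCase();
    if (ss !== 'lax' && ss !== 'strict') problems.push('SameSite not Lax/Strict');
    if (problems.length) findings.push({ cookie: c.name, problems });
  }
  return findings;
}

// Build a session cookie header with the attributes the audit expects.
function hardenedSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample response headers (not real values).
const SAMPLE_HEADERS = [
  'access_token=abc123; Path=/',
  'sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/',
];
```

Running `auditSetCookies(SAMPLE_HEADERS)` reports only `access_token`, with all three problems, while the hardened `sid` cookie and the non-sensitive `theme` cookie produce no findings.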

> On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
> 
> Hi,
> 
> The WG is currently putting together best practices for native apps. I would like to better understand the best practices around ua-based-apps, especially as it relates to token storage. I've read various blog posts about the preference between storing tokens in cookies vs. Web Storage (localStorage/sessionStorage). The current set of specs are rather silent on the matter, as it is more of an implementation issue (but that is where most mistakes are made).
> 
> What is the WG's guidance on this?