IETF Logo Mail Archive

Re: [OAUTH-WG] Recommendations for browser-based apps

Jim Manico <jim@manicode.com> Wed, 20 September 2017 07:22 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151A513307B for <oauth@ietfa.amsl.com>; Wed, 20 Sep 2017 00:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4GYljeWh6pw for <oauth@ietfa.amsl.com>; Wed, 20 Sep 2017 00:22:33 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54A28132025 for <oauth@ietf.org>; Wed, 20 Sep 2017 00:22:33 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id x78so1121119pff.10 for <oauth@ietf.org>; Wed, 20 Sep 2017 00:22:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hJwkOcEzMC3TlANBENJQVN1ZZqe5RPPXN6HApiOUgIs=; b=sh8n9udYPSIPBcc3qNqMNiEpLpZKiQtI11CBe1ZlM+Lv91aLzoDA1C40UgKYGEweBa Ar8OidoEkQ5fFJBGc0U//YIZRGk/dbPLZqinwGW3hfYo6HXwXseZ56Wq3tuRiHKdj1+C crmJ6jtCPAaEirY1lv/H/B0fYvc1k3lIBvN0tLCpxIJr73ZGkk/wARTQvTUmlj9YznGh 6ITSaejQC/SgVXzcVg+3I8Y+bjAKsa6bALrhuxSui+HebEolvgFJKR9QxQ4s7AuJpXUa pKe14H0GLChUB9C/YjJsOKvRJ76u81jpcXpaEnYabWJqA4MFJomdsEx4un6GYW545xkK l8rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hJwkOcEzMC3TlANBENJQVN1ZZqe5RPPXN6HApiOUgIs=; b=NJqkkt2TYH/wyRSmztckk0KtS3hMqlcy6Q/lSSK+A5Y1LtPQopckLMtS6BDmaG9FzT hiF1cLjDW23xLHkbFAHcSJE2002X86Akem8wQwoXbHBi7hdfDE54queVscWdlUaZFco8 TzSJweEuU2UeLIawLZt3q9u5RPafFqoSn5pjmVTUgxaCq2q1Atkm+g1adrNdZzHznstm NeGbp16wNyh4QGNZRgnjMEMVt2fuW9MeHgQEYIq5DUvodMJ2rvUlGwhmA3zXznHtdp3R ITcRVBSilBpiEiZRbPqxllqPXBBx1WWP7ex3uPZRQ+16/v7OIS290nSkqI38XQWWTg4V Decg==
X-Gm-Message-State: AHPjjUi/1J0onvaXCPCgExoafJo+pTFsCeYK8iRDuHkIt1axPY0YgzeM BF3O2PNO6BUsQQMvnnpRbSSTuxdPd+M=
X-Google-Smtp-Source: AOwi7QBm6ywB2oqnR69/iixegmzvhX0tCPM47SBBEbS7ON+6UlWdFLxA37AOxHRCmVg68GhlkvF0Hg==
X-Received: by 10.84.160.204 with SMTP id v12mr1173210plg.382.1505892152370; Wed, 20 Sep 2017 00:22:32 -0700 (PDT)
Received: from [172.19.248.94] ([104.153.224.167]) by smtp.gmail.com with ESMTPSA id s62sm6361260pfe.91.2017.09.20.00.22.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Sep 2017 00:22:31 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-B7029988-AF8C-4907-BBA0-503920696552"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manicode.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <555F5261-7F4B-4BFD-8911-A8BFD675EE3F@forgerock.com>
Date: Wed, 20 Sep 2017 15:22:21 +0800
Cc: Bill Burke <bburke@redhat.com>, OAuth WG <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <FC971100-7DF7-404A-AE08-A3FA3D80B76B@manicode.com>
References: <CAKAMr-Dws2RVRLv+xTa7j2zk+yhpCpYN-jUgxFos+j--Abv4uQ@mail.gmail.com> <CABRXCmwKDOSQQrDdCVBkDWSi85A7FL_R9d9sNzgdBTE_HyKDMw@mail.gmail.com> <14E11D6D-3CA4-4945-93B5-96F40D17463E@oracle.com> <CAOahYUwYT-mFrdN-FvZArNCmVMn8G6X8504Z9EFY_rZ7A328qA@mail.gmail.com> <7630385B-8366-4B11-A5CA-BEE18F96AB8B@ve7jtb.com> <5C40C2B2-A673-4940-8376-55D448271A4C@gmail.com> <CABRXCmwDQ_uZXDaaX6gxn_J_FnaCDucA-5uZwF6K1uHMQs6nzw@mail.gmail.com> <1A823C26-FC05-48C1-A2E1-7B2B6A2607BB@manicode.com> <555F5261-7F4B-4BFD-8911-A8BFD675EE3F@forgerock.com>
To: Neil Madden <neil.madden@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zBQ8fntswB05YhgFI0Mk8SjDey0>
Subject: Re: [OAUTH-WG] Recommendations for browser-based apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 07:22:36 -0000

PS: The RFC for SameSite cookies has moved to here. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis

It's an approved standard and was rolled into the new cookie RFC.

Chrome support has a big impact on mobile and elsewhere. But I agree we need to see FireFox and Safari support and expect to see it within a year.

But that should not stop folks from using it today. It's backwards compatible with existing cookie behavior and is quite beautiful in it's
simplicity and power to defend against CSRF.

Aloha,
Jim

> On Sep 20, 2017, at 1:21 PM, Neil Madden <neil.madden@forgerock.com> wrote:
> 
> Is this growing in support? It seems like a good idea, but when I reviewed it recently the draft had expired almost a year ago and still only Chrome and Opera had implemented it. From the outside it looks as if it has (inexplicably) died. Do you know if there is some activity happening behind the scenes?
> 
> -- Neil
> 
>> On 20 Sep 2017, at 02:31, Jim Manico <jim@manicode.com> wrote:
>> 
>> Not always, Bill. There is a new standard called "same site cookies" or "first party cookies" that allows you to programmatically remove this risk in some modern browsers, it's worth reviewing. 
>> 
>> https://tools.ietf.org/html/draft-west-first-party-cookies-07
>> 
>> It's live in Chrome and Opera and will only grow in support. http://caniuse.com/#search=samesite
>> 
>> Jim
>> 
>> 
>>> On Sep 20, 2017, at 8:44 AM, Bill Burke <bburke@redhat.com> wrote:
>>> 
>>> Cookies are vulnerable to CXRF.
>>> 
>>>> On Tue, Sep 19, 2017 at 7:48 PM, nov matake <matake@gmail.com> wrote:
>>>> Why not using http-only cookies instead of refresh tokens?
>>>> If the app can interact with AuthZ server through a hidden iframe with
>>>> prompt=none param, you shouldn’t need refresh tokens.
>>>> 
>>>> If your SAP is running on a different domain with the backend server,
>>>> Safari’s Intelligent Tracking Prevention will break the hidden iframe way
>>>> though.
>>>> 
>>>> On Sep 20, 2017, at 7:32, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>> 
>>>> Right,  Refresh token is bearer for native apps, that is why we came up with
>>>> PKCE to protect code.
>>>> 
>>>> For Angular the code flow with PKCE is probably better than the token
>>>> response type.
>>>> 
>>>> However with bearer tokens it is still riskier than code with a confidential
>>>> client so the AS should take that into account and not allow refresh tokens
>>>> to live forever.
>>>> 
>>>> One future way to protect refresh tokens and perhaps Access tokens is to use
>>>> token binding to bind the tokens to the user agent.   You could do that now
>>>> for refresh tokens in Edge (Chrome has TB off by default still).
>>>> 
>>>> I think more work needs to be done to come up with a best practice for SPA.
>>>> 
>>>> John B.
>>>> 
>>>> On Sep 19, 2017, at 7:02 PM, Adam Lewis <adam.lewis@motorolasolutions.com>
>>>> wrote:
>>>> 
>>>> Only for confidential clients.  No authentication is required for public
>>>> clients.
>>>> 
>>>> On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
>>>> wrote:
>>>>> 
>>>>> Except a refresh token is not purely bearer. The client is required to
>>>>> authenticate to use it.
>>>>> 
>>>>> Phil
>>>>> 
>>>>>> On Sep 19, 2017, at 2:33 PM, Bill Burke <bburke@redhat.com> wrote:
>>>>>> 
>>>>>> I'd be curious to the response to this too.
>>>>>> 
>>>>>> Seems to me that refresh token has the same possible security risks in
>>>>>> an Angular app as an access token, except the refresh token is valid
>>>>>> longer....Still, if you did the implicit flow, you'd have to have
>>>>>> longer access token timeouts as it would be really annoying for the
>>>>>> user to have to login again and again in a long session with your
>>>>>> Angular app.
>>>>>> 
>>>>>> We have a javascript adapter that does Authz Code Flow with PKCE for
>>>>>> our Angular app.  It also does CORS checks on the code to token XHR
>>>>>> request just in case on the IDP side.
>>>>>> 
>>>>>>> On Tue, Sep 19, 2017 at 9:27 AM, Stefan Büringer <sbueringer@gmail.com>
>>>>>>> wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> there were some discussions in January regarding recommendations for
>>>>>>> browser-based apps
>>>>>>> (https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html).
>>>>>>> 
>>>>>>> I'd just like to ask if the Authorization Code Flow with PKCE is a
>>>>>>> valid
>>>>>>> option for Single-Page-Applications (in our case Angular), because
>>>>>>> Implicit
>>>>>>> Flow cannot be used in our scenario.
>>>>>>> 
>>>>>>> Authorization Code Flow with PKCE eliminates the necessity for client
>>>>>>> secrets, but our concern is that exposing the refresh token to the SPA
>>>>>>> might
>>>>>>> be a security risk, compared to the Implicit Flow were no refresh token
>>>>>>> is
>>>>>>> exposed.
>>>>>>> 
>>>>>>> What's your take on this?
>>>>>>> 
>>>>>>> Kind regards,
>>>>>>> Stefan Büringer
>>>>>>> 
>>>>>>> P.S. I couldn't find that much on the internet regarding Authorization
>>>>>>> Code
>>>>>>> Flow with PKCE in SPAs, if you have some recommendations for good blog
>>>>>>> posts
>>>>>>> I would be grateful.
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Bill Burke
>>>>>> Red Hat
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Bill Burke
>>> Red Hat
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email