IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for Browser-based Apps

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Fri, 11 August 2023 05:11 UTC

Return-Path: <philippe@pragmaticwebsecurity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72841C13AE41 for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 22:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pragmaticwebsecurity.com header.b="HTnemHnf"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="G6B1B/Nr"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80JlQfpSIL3T for <oauth@ietfa.amsl.com>; Thu, 10 Aug 2023 22:11:01 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1880BC140675 for <oauth@ietf.org>; Thu, 10 Aug 2023 22:11:00 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id F2D7A5C014D; Fri, 11 Aug 2023 01:10:59 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Fri, 11 Aug 2023 01:10:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= pragmaticwebsecurity.com; h=cc:cc:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm3; t= 1691730659; x=1691817059; bh=8MUdpQgk9AWnnC4NBGk0YcnV1Ylf/SameO1 lnn80OkE=; b=HTnemHnf6cnTeiBHg6lbT8Kpl+m6+V+P5NKAESt+xgCa6D0zYpR ip+QE7qVG8EIAMBCXC/7v+m9vE99TYK6cvb2SHFn/pA6d/AQE3GioQPq+mFI1tnS HabBTcjhJyX9n5hwKln+C2QfBnqedpKGOLV6dV5ZSncjXE02IrKzL+tlsPTTt/iG d1bE5p+jpmSiVR7cWIrA1i5Bvq6nuIuSWH6axAJMClaxTzaqk9STeY941JJA9kLh n5IDKVHLcKdqITPZhwNJUFfXq+uOdJIK3DCKwijDS/qK4VB/YYHN5SuVi6kUeDb+ 2L0X45IHYvlLhK5QjxfU9TO4YK7PcoH+hdg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1691730659; x=1691817059; bh=8MUdpQgk9AWnn C4NBGk0YcnV1Ylf/SameO1lnn80OkE=; b=G6B1B/NrzG52/Zab1vHwm/uqh7xtK 6SGHu32+SgLd12GDXQGD+OKuU6MlHBVI7Wny07mRYe7XK0JG+hpMw3G++U9EbpOU 86V+WENBQexmqFuIRaMi84NhBiGSyVvvhXvO4vQ42HjQLXWefxBeUm9pVSC9trz3 RXc618iZI8do75Elt2Z1X5NikiMGtiL+i0M3Y4AoYvpUsSNP//t8ERSS35X7Pujg QGkFeQELR3Uw5gvnzX86M1v+PTbZZQkOsFh4Kk184Jm4lQZmKATvq/II+K0KQBgk OXsZbBPK781ysgByyTxXwJLOgN7dpNGk+pSxkdZCK+qy/o6UVC7RQqbuw==
X-ME-Sender: <xms:48LVZBw2TpOoYZPkw0XcK7OgGpKgSDGdOFYovHl687U2rWzdSfSIwg> <xme:48LVZBROsG4Z8LN2lpbxIszTu4vRv-791fCMSN4JMJpHa_2akcX9vvkgDjKwwUze9 rpKTlnFxv7PpLc4VQ>
X-ME-Received: <xmr:48LVZLWOB9EsvdKi39LWsL7TRKM56VXdXVOAUoEUOpB1llw1fzc-NLdO19LNY--tS-SEzDQj-01Nx2o-MAH7jVdGtGSfL90>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrleejgdeklecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhephffktgggufffjgevvfhfofesrgdtmh erhhdtjeenucfhrhhomheprfhhihhlihhpphgvucffvgcutfihtghkuceophhhihhlihhp phgvsehprhgrghhmrghtihgtfigvsghsvggtuhhrihhthidrtghomheqnecuggftrfgrth htvghrnhepuefhteejleeuiedvieegtdegudektddtteeuudevgfduffduteefkeduiedt hfelnecuffhomhgrihhnpehgihhthhhusgdrtghomhdpshgvrhhvihgtvgifohhrkhgvrh hsrdhmugdpmhgvughiuhhmrdgtohhmpdhithhnvgigthdrihhopdhgrhgrsgihohdrtgho mhdpshgvtgifohhrkhhshhhophdrvghvvghnthhspdihohhuthhusggvrdgtohhmpddtgi dtfedquhhsihhnghdqrghsvhhsrdhmugdpphhrrghgmhgrthhitgifvggsshgvtghurhhi thihrdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrh grmhepmhgrihhlfhhrohhmpehphhhilhhiphhpvgesphhrrghgmhgrthhitgifvggsshgv tghurhhithihrdgtohhm
X-ME-Proxy: <xmx:48LVZDjNLZRAx-lKlN6TAUeQrB-NwoWYe4vRizClAWkS1oR0qawNLg> <xmx:48LVZDB1xDkoUYGrDDPgAMZHb2VRXaRQcPG2f84l1O3EdzrsJ64Eyw> <xmx:48LVZMKhFUMNeJ_7nhV843Thq9lWsls0oW6BRMxMZRTDGC4s3Y8K2A> <xmx:48LVZGrtEdcsVcJA9gO8eiQBp4aLduDoCok-0F25USqManoVyErFOA>
Feedback-ID: i21e1449f:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 11 Aug 2023 01:10:59 -0400 (EDT)
From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <5570D43B-B477-44B6-B135-0F0C069129D1@pragmaticwebsecurity.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FBEC2F7B-A1CA-43D6-90DA-74A4EC2C3EB1"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Fri, 11 Aug 2023 07:10:56 +0200
In-Reply-To: <CAD9ie-sWpmHRVC_4BvhH4qHKfcLSh3VvhRSwR_FOOPEA4RQLnA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Dick.Hardt@gmail.com
References: <CADNypP9gdt6NiaiMiqaM3mbjb44dRfECBnSgrkCg0DLa+w1fEg@mail.gmail.com> <899023C1-659D-47DB-808E-307F5B5F8FD5@pragmaticwebsecurity.com> <CAD9ie-sWpmHRVC_4BvhH4qHKfcLSh3VvhRSwR_FOOPEA4RQLnA@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zcz5MjOD87C8QUI3w3a5Q45Nkt4>
Subject: Re: [OAUTH-WG] WGLC for Browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2023 05:11:06 -0000

Hi Dick,

The solutions you list here focus on using a service worker to intercept an outgoing call to a resource server. During interception, the service worker attaches the access token. This pattern is mainly used to avoid inserting access token logic into the application code. The SW attaches the access token, and if it has a refresh token, it can even run the RT flow to get a new access token.

Note that the SW is used for convenience here, not for security. The Browser-Based Apps draft recently added a SW pattern as a security mechanism (section 6.4.2). The idea is that the SW not only augments calls to the RS, but also handles the communication with the authorization server. 

Based on my understanding, this pattern was specifically added to address an attack scenario I have described a while ago on this mailing list (and also demonstrate in the video linked in my previous mail). In this scenario, the attacker has the ability to run malicious JS code in the application’s origin. The attacker uses that ability to run a silent Authorization Code flow in an iframe, extracts the code, and exchanges it for a new set of tokens. 

The SW pattern in the spec aims to prevent the application from calling the AS directly, since all calls would be intercepted by the SW. This approach is ineffective, since an attacker can always unregister an existing service worker. The spec states that an unregistered worker remains active until the browsing context reloads (after which it would re-register the worker before the attacker’s code runs). However, after unregistering a worker, new contexts will no longer use this worker. As demonstrated in the video I linked to before, an attacker can unregister a worker and then run a flow in a frame without involving the worker. 

In essence, it boils down to Brock’s statement of “a false sense of security”. While someone may view this as sufficiently secure for their specific use cases, I really object to having this as one of the “recommended approaches” in an RFC.

Hope this helps

Philippe


> On 11 Aug 2023, at 02:56, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> 
> Philippe: would you expand on your comment:
> 
> On Wed, Aug 9, 2023 at 11:51 PM Philippe De Ryck <philippe@pragmaticwebsecurity.com <mailto:philippe@pragmaticwebsecurity.com>> wrote:
> - Remove unproven and overly complicated solutions (i.e., the service worker approach)
> 
> A quick Google on oauth service workers returned a number of articles and descriptions of using service workers:
> 
> https://github.com/ForgeRock/appAuthHelper/blob/master/service_workers.md
> 
> https://gaurav-techgeek.medium.com/re-architecting-authentication-with-service-workers-ff8fbbbfbdeb
> 
> https://itnext.io/using-service-worker-as-an-auth-relay-5abc402878dd
> 
> https://about.grabyo.com/service-workers-jwt-tokens/
> 
> 
> 
> On Wed, Aug 9, 2023 at 11:51 PM Philippe De Ryck <philippe@pragmaticwebsecurity.com <mailto:philippe@pragmaticwebsecurity.com>> wrote:
>> In my opinion, this document is not ready to be published as an RFC. 
>> 
>> In fact, I will be at the OAuth Security Workshop in two weeks to discuss exactly this (See "The insecurity of OAuth 2.0 in frontends" here: https://oauth.secworkshop.events/osw2023/agenda-thursday). My hope is that my presentation can spark the necessary discussion to identify a path forward to make the RFC useful for practitioners building browser-based apps.
>> 
>> I don't have the resources available to write a lengthy email detailing my objections. I just want to point out that I've raised these points on the mailing list in the past, and there have been a couple of threads on this very list suggesting how to move this document forward (e.g., identify concrete threat models). I've also given a talk at NDC Security earlier this year (https://www.youtube.com/watch?v=OpFN6gmct8c) about how the security mechanisms proposed in this document fall short. This video has been posted to this list before as well.
>> 
>> Here are a couple of suggestions that I believe would improve this document:
>> 
>> - Clearly identify the danger of malicious JS (exfiltrating existing tokens is only one threat, and the most trivial one at that)
>> - State the baseline achievable level of security in light of existing XSS vulnerabilities (i.e., session riding, where the attacker controls the frontend)
>> - Identify different desired levels of security for a client application (e.g., a "public recipe app" vs "eHealth"). Existing work can help, such as the OWASP ASVS levels (https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)
>> - Define which levels of security certain mechanisms can offer (e.g., RTR for level 1, TMI-BFF for level 2, BFF for level 3)
>> - Remove unproven and overly complicated solutions (i.e., the service worker approach)
>> 
>> As stated before, I'll be at OSW in London in 2 weeks and would be happy to discuss this further.
>> 
>> Kind regards
>> 
>> Philippe
>> 
>> —
>> Pragmatic Web Security
>> Security for developers
>> https://pragmaticwebsecurity.com <https://pragmaticwebsecurity.com/>
>> 
>>> On 30 Jul 2023, at 17:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>>> 
>>> All,
>>> 
>>> This is a WG Last Call for the Browser-based Apps draft.
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html
>>> 
>>> Please, review this document and reply on the mailing list if you have any comments or concerns, by August 11th.
>>> 
>>> Regards,
>>>  Rifaat & Hannes
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email