Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-21 Thread Bill Burke
Back to the OP...Why would browser Javascript implementing Authz Code flow with public client be vulnerable? Not understanding how an XSS attack could work in such a scenario. On Wed, Sep 20, 2017 at 3:22 AM, Jim Manico wrote: > PS: The RFC for SameSite cookies has moved to here. > https://tools

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-20 Thread Jim Manico
PS: The RFC for SameSite cookies has moved to here. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis It's an approved standard and was rolled into the new cookie RFC. Chrome support has a big impact on mobile and elsewhere. But I agree we need to see Firefox and Safari support and expe

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Jim Manico
While we did see android support in January 2017, Chrome and Opera only offered support a few months ago. Firefox has a bug on this with notes suggesting it will be rolled out in a year or so. And while the original RFC expired, it's being rolled into the cookie RFC per my understanding. I also

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Neil Madden
Is this growing in support? It seems like a good idea, but when I reviewed it recently the draft had expired almost a year ago and still only Chrome and Opera had implemented it. From the outside it looks as if it has (inexplicably) died. Do you know if there is some activity happening behind th

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Josh Mandel
Can anyone provide insight about what protection PKCE adds for browser based apps using the authorization code flow? The PKCE intro says that the specification is designed to mitigate an attack where: > the attacker intercepts the authorization code returned from the authorization endpoint within

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Nov Matake
you have redirect uri restriction there. nov > On Sep 20, 2017, at 9:44, Bill Burke wrote: > > Cookies are vulnerable to CSRF. > >> On Tue, Sep 19, 2017 at 7:48 PM, nov matake wrote: >> Why not using http-only cookies instead of refresh tokens? >> If the app can interact with AuthZ server thr

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Jim Manico
Not always, Bill. There is a new standard called "same site cookies" or "first party cookies" that allows you to programmatically remove this risk in some modern browsers, it's worth reviewing. https://tools.ietf.org/html/draft-west-first-party-cookies-07 It's live in Chrome and Opera and will

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Bill Burke
Cookies are vulnerable to CSRF. On Tue, Sep 19, 2017 at 7:48 PM, nov matake wrote: > Why not using http-only cookies instead of refresh tokens? > If the app can interact with AuthZ server through a hidden iframe with > prompt=none param, you shouldn’t need refresh tokens. > > If your SPA is runni

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread nov matake
Why not using http-only cookies instead of refresh tokens? If the app can interact with AuthZ server through a hidden iframe with prompt=none param, you shouldn’t need refresh tokens. If your SPA is running on a different domain with the backend server, Safari’s Intelligent Tracking Prevention

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread John Bradley
Right, Refresh token is bearer for native apps, that is why we came up with PKCE to protect code. For Angular the code flow with PKCE is probably better than the token response type. However with bearer tokens it is still riskier than code with a confidential client so the AS should take t

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Adam Lewis
Only for confidential clients. No authentication is required for public clients. On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) wrote: > Except a refresh token is not purely bearer. The client is required to > authenticate to use it. > > Phil > > > On Sep 19, 2017, at 2:33 PM, Bill Burke wro

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Jim Manico
One of the reasons I see so many security folk discouraging implicit in web applications (like your Angular scenario) is because even though refresh tokens and similar require authentication, how do you store that info securely in a browser? One XSS and it's http://m.youtube.com/watch?v=dsx2vdn7

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Phil Hunt (IDM)
Except a refresh token is not purely bearer. The client is required to authenticate to use it. Phil > On Sep 19, 2017, at 2:33 PM, Bill Burke wrote: > > I'd be curious to the response to this too. > > Seems to me that refresh token has the same possible security risks in > an Angular app as

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Bill Burke
I'd be curious to the response to this too. Seems to me that refresh token has the same possible security risks in an Angular app as an access token, except the refresh token is valid longer. Still, if you did the implicit flow, you'd have to have longer access token timeouts as it would be real

[OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Stefan Büringer
Hi, there were some discussions in January regarding recommendations for browser-based apps ( https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html). I'd just like to ask if the Authorization Code Flow with PKCE is a valid option for Single-Page-Applications (in our case Angular), bec

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-01-25 Thread Aaron Parecki
the PKCE appAuth type flow in a SPA app if you have the > correct CORS setup. > > I however cant at this point say that you are getting improved security > for the extra work in that environment. > > > > John B. > > Sent from Mail <https://go.microsoft.com/fwlink/?Link

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-01-25 Thread ve7jtb
: January 25, 2017 3:12 PM To: OAuth WG Subject: [OAUTH-WG] Recommendations for browser-based apps Thanks to the new "OAuth 2.0 for Native Apps" and PKCE documents, we have a solid recommendation for how to do OAuth 2.0 for native apps.  Given that PKCE is intended for "public c

[OAUTH-WG] Recommendations for browser-based apps

2017-01-25 Thread Aaron Parecki
Thanks to the new "OAuth 2.0 for Native Apps" and PKCE documents, we have a solid recommendation for how to do OAuth 2.0 for native apps. Given that PKCE is intended for "public clients" and not specifically native apps, I'm wondering where that leaves browser-based apps. The core spec still says