Aaron Parecki

  • Adam Lewis https://twitter.com/lewiada   •   Apr 24
    We do implement native apps per RFC8252 including code flow, custom tabs and PKCE, and we use OIDC for authentication to web apps. But doing ua-based-apps / SPAs right is ambiguous at best and I keep hoping for the @oauth_2 WG to begin work on an ua-based client BCP.
    Aaron Parecki
    BCP for public UA clients:

    • use the authorization code flow
    • omit client secret
    • strict redirect URI validation

    Some citations and more info: https://aaronparecki.com/oauth-2-simplified/#single-page-apps
    Portland, Oregon • 71°F
    Tue, Apr 24, 2018 10:57am -07:00 #oauth2
    3 likes 1 repost 6 replies
    • Jim Manico manicode.com
      And even if you use HttpOnly, Secure, SameSite cookies, XSS can force a forged request of any nature: XSS is game over. Nothing today solves that issue. In the future maybe token binding will stop attackers from using stolen tokens... but not replaying them from the victim's browser.
      Tue, Apr 24, 2018 7:21pm +00:00 (via brid-gy.appspot.com)
    • Jim Manico manicode.com
      tools.ietf.org/html/draft-iet…
      tools.ietf.org/html/draft-iet…
      tools.ietf.org/html/draft-iet…
      tools.ietf.org/html/draft-iet…
      openid.net/specs/openid-c…
      tools.ietf.org/html/draft-iet…
      Tue, Apr 24, 2018 7:18pm +00:00 (via brid-gy.appspot.com)
    • Jim Manico manicode.com
      I agree. All browser storage methods can be abused by XSS. XSS is game over. You can try various techniques to verify different browser characteristics after theft but meh. Real answer is token binding standards of the future...
      Tue, Apr 24, 2018 7:18pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      Sadly there isn't a satisfying answer to that. Anything that your JS can use to store any token is vulnerable to XSS. The only secure option is cookies, but that won't work with OAuth. stormpath.com/blog/where-to-…
      Tue, Apr 24, 2018 7:07pm +00:00 (via brid-gy.appspot.com)
    • Jim Manico manicode.com
      Aaron this is very well written. Thanks for passing this along!
      Tue, Apr 24, 2018 6:23pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      I agree it would be nice to see this written up properly though. In the meantime, I'm adding a section to my book about this.
      Tue, Apr 24, 2018 11:05am -07:00
Posted in /replies using quill.p3k.io

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.