Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk isn't the section you linked to just as much of a concern under the authorization code flow as the implicit flow? since javascript clients are public clients no matter what?

Nope because PKCE solves the problem of the thing being stolen during the redirect.

San Jose, California • 49°F

1 reply

Thu, May 2, 2019 3:39pm -07:00
Nico Kaiser https://twitter.com/nicokaiser • May 2
What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...

Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

If you are going to issue refresh tokens to JS, definitely rotate them after every use.

Sunnyvale, California • 49°F

1 like

Thu, May 2, 2019 3:32pm -07:00
Sebastian Lasse https://mastodon.social/@sl007 • May 2
@aaronpk This could save you 4 characters ;))
return btoa(encodeURIComponent(str)
.replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));

hah clever!

Sunnyvale, California • 49°F

Thu, May 2, 2019 3:31pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk sure, but a malicious browser could also save the entire js state to disk in exactly the same way (and some do a limited version of this for caching purposes). so it's hard for me to think of that as a security benefit? this is only more secure if everyone along the line behaves exactly in the way you expect it to

Security is never about stopping 100% of attacks, since that's impossible. It's about mitigating risk, and reducing the attack surface.

It's worth reading this whole document even if it is a bit terse. Here's a good example of an unexpected attack on the Implicit flow: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-4.1

Sunnyvale, California • 49°F

2 replies

Thu, May 2, 2019 3:30pm -07:00
Eve Maler https://twitter.com/xmlgrrl

#IIW today is obv going to start with a bang. @justin__richer

Mountain View, California • 49°F

Thu, May 2, 2019 4:06pm +00:00 (liked on Thu, May 2, 2019 10:14am -07:00) #IIW
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is.

Mountain View, California • 49°F

Thu, May 2, 2019 10:13am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Here's one: The access token is sent in the address bar, so it becomes part of the browser history. This will be written to disk, and possibly even synced to the browser's "cloud" and then even synced down to other devices.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 10:07am -07:00
Taxi

3.70mi
Distance

102:40
Duration

7:40am
Start

9:22am
End

Mountain View, California • 49°F

Thu, May 2, 2019 9:22am -07:00
Chris https://twitter.com/gonji96

PKCE is on my list to implement when no one is watching

Mountain View, California • 49°F

Thu, May 2, 2019 3:54pm +00:00 (liked on Thu, May 2, 2019 9:04am -07:00)
alianora https://cybre.space/@nightpool • May 2
@aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?

Nope because the browser is still an unknown there, at least from the point of view of the sender of the sensitive data.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 9:03am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 8:40am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer.

Mountain View, California • 49°F

Thu, May 2, 2019 8:33am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied.

Mountain View, California • 49°F

Thu, May 2, 2019 8:31am -07:00
Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:

✅ good random number generators
✅ secure hashing functions

Just missing a good base64 encoding function. (Check out the ugly hack in the post.)

https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request

Mountain View, California, USA • 49°F

5 likes 1 repost 5 replies

Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce
at Computer History Museum

Mountain View, California • Thu, May 2, 2019 7:54am

37.414456 -122.0775

Mountain View, CA, United States

1 Coin

Thu, May 2, 2019 7:54am -07:00
Contributions from: Germany, India, Switzerland, United States

Thu, May 2, 2019 7:40am -07:00
at Hotel Vue

Mountain View, California • Thu, May 2, 2019 7:29am

37.381403 -122.074277

Mountain View, CA, United States • 49°F

10 Coins

Thu, May 2, 2019 7:29am -07:00
Contributions from: Germany, India, United Kingdom, United States

Thu, May 2, 2019 7:26am -07:00
Contributions from: Germany, India, United States

Thu, May 2, 2019 7:09am -07:00
10:25pm
Asleep

6:28am
Awake

8h 03m
Slept

23m
Awake for

Mountain View, California, USA

Thu, May 2, 2019 6:28am -07:00

older