-
-
Notifications
You must be signed in to change notification settings - Fork 657
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V51 OAuth: Add OAuth verifications for token management #2038
Comments
Is there any reason to open a separate issue or we can keep this discussion in #1963? |
We can keep it in #1963, should I add this issue text as a comment there? And then close this one? |
If here is no new perspective or reasoning, it's better to continue the discussion where it is already happening. |
Closing this thread as there is already a discussion in another issue mentioned above. |
I leave to @TobiasAhnoff to close to be sure all points and contents are transferred to another issue. |
"managed" is somewhat vague? What about something like: "Verify that tokens are not sent to components which do not strictly need them. For avoid having tokens accessible for the frontend when they are only needed by the backend. (L1, L2, L3)"
|
@randomstuff I like replacing the word "managed" and yes, this applies to refresh tokens as well (especially long lived tokens should be avoided in the frontend). How about this?
|
Based on the discussion in #2044 a suggestion is to modify/split
to also make it clear that client-authentication (for all confidential clients, including code and clients-credentials) must be sufficient for the level of security. Perhaps have two verifications like this (where the first one for all levels and the second only for L3):
I think this works, but then we have native mobile apps where it is common to have public clients (where all OAuth is done in the app). Some might use OIDC CIBA or integrate authorization for the app with other authentication protocols (in the Nordic countries this is often called BankID) which might not use OAuth at all, but sometimes this is also integrated with OAuth/OIDC. I think it is hard to capture this in verifications because it depends on context and threat models etc... I like having the L3 verification to say just:
And then (for L3 applications and maybe also L2?) you have to do your own risk assessment and mitigations (e g PKCE, Reference-tokens, DPoP) if you don´t follow this and introduce public client solutions or use other (weaker) client authentication methods. Or should we try and add something about native mobile apps to capture this? |
Instead of technical checklist I prefer to go with something abstract. For the context, we talk about machine-to-machine communication and mTLS authentication between services. It is away from the first level defense. We talk here about the likelihood component - what is the difference to reach to client credentials vs mTLS certificates. We also have requirement (the category is wrong for this, but this is a separate problem):
We also have requirements:
So do we have it already covered, just in in the OAuth context? |
@elarlang, I agree we have those mTLS and TLS matters covering the points raised by @TobiasAhnoff even if they are OAuth context. I think the requirement we have here is for: Right? Or am I missing something else? |
9.3.3 covers the mTLS parts of
but 9.3.3 does not address OAuth sender-constrained tokens and strong client authentication (without mTLS). A suggestion is to try and rewrite this (perhaps merge as one) in a more general way as @elarlang suggested, and also check for overlap with other suggested OAuth verifications like in #2040 |
I try to get the general "token scope" requirement in. We should have "positive" requirement to say, what must be achieved (instead of saying, what must not be done). So my proposal for this is:
Section: "Generic OAuth2 and OIDC security" |
@elarlang, Looks good to me. |
One requirement is now in the document as:
If there is need to have changes into this requirement, I prefer we open a separate issue for that. This issue stays open as here is another one or two requirements (#2038 (comment)) to discuss. |
With those I'm not technically that familiar (yet), but some feedback/questions. The "Note" part we can skip The point for the first one is to ask confidential OAuth client and strong authentication and the second, to use sender-constrained access tokens? If so, it seems that there can be some deduplication done from authentication part for the second requirement. I really don't like the idea to allow using public OAuth clients for web applications, the same idea was risen also by @TobiasAhnoff here #2038 (comment)
|
Yes, the authentication part can be removed from the second verification, since the original OAuth RFC states that "If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server" (see https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.3).
But note that sender-constrained does not require client authentication (and that is why the authentication part was present in the second verification to begin with). For L3 I think the two verification are clear, but it is not uncommon to allow native mobile apps (not web or hybrid apps) to be public clients, even for L3 applications, so maybe it is too strict and ASVS should address the native mobile apps exception?
|
I'm not so convinced that "native mobile" is such an exception compared to native apps in general. Moreover, if you allow web mobile apps to be public client, why couldn't you allow some web applications to do so (such as a local JupyterLab instance). Moreover, native apps could use dynamic client registration in order to be confidential. |
To address BCPs from https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-application-architecture-pa a suggestion is to add the following verifications. Note that this address (closes) #1963.
V51.1 Generic OAuth2 security
Verify that tokens are only managed by nodes where it's strictly needed, in example avoid having tokens accessible for JavaScript frontends. (L1, L2, L3)
V51.2 Authorization Server
Verify that all clients are confidential and configured to use strong client authentication methods, i. e. 'mTLS' or 'private-key-jwt'. Note that L1-L2 applications could also use client-secret authentication and allow public clients. (L3)
Verify that all token requests requires client authentication and that only sender-constrained (Proof-of-Posession) access-tokens are issued, either using 'mTLS certifcate binding' or 'DPoP'. (L3)
The text was updated successfully, but these errors were encountered: