Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

Mon, 15 Feb 2021 03:09:59 -0800 

> 
> On 15 Feb 2021, at 11:50, Neil Madden <neil.mad...@forgerock.com> wrote:
> 
>> On 15 Feb 2021, at 10:26, Philippe De Ryck 
>> <phili...@pragmaticwebsecurity.com> wrote:
>> 
>>> On 15 Feb 2021, at 11:14, Neil Madden <neil.mad...@forgerock.com 
>>> <mailto:neil.mad...@forgerock.com>> wrote:
>>> 
>>>> On 15 Feb 2021, at 08:32, Philippe De Ryck 
>>>> <phili...@pragmaticwebsecurity.com 
>>>> <mailto:phili...@pragmaticwebsecurity.com>> wrote:
>>>> 
>>>> [...]
>>>> 
>>>> Compared to using a worker for handling RTs, I believe the TMI-BFF only 
>>>> adds a single security benefit: an attacker is no longer able to run a 
>>>> silent flow to obtain a fresh set of tokens (since the client is now a 
>>>> confidential client). 
>>> 
>>> But they can just call the bff-token endpoint to do the same. If there is a 
>>> security advantage, IMO it is as a defence in depth against open redirects, 
>>> unicode normalisation attacks (ie not validating the redirect_uri correctly 
>>> at the AS), etc. 
>> 
>> A Web Worker and the TMI-BFF both encapsulate the RT and only expose the 
>> (short-lived) AT.
> 
> I don’t think this distinction matters at all from a security point of view. 
> It’s the AT that attackers are after - why bother with a RT if I can just 
> call the bff-token endpoint to get a new AT every time?

Getting an AT from the BFF (or a worker) is an “online” attack, which only 
works as long as the application/malicious code is loaded in the browser of the 
user. 

Stealing a working refresh token (e.g., with a silent flow) is an “offline” 
attack, which gives long-term access (lifetime of the RT), independent of the 
state of the application in the user’s browser.

There is a clear distinction, but whether that matters is a different 
discussion. It depends on how the application used, and how token lifetimes are 
configured. FWIW, the DPoP threat model makes the same distinction ("Stolen 
token (XSS)” vs “XSS (Victim is online)”) here: 
https://danielfett.de/2020/05/04/dpop-attacker-model/ 
<https://danielfett.de/2020/05/04/dpop-attacker-model/>

Philippe
 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to