Yes, I’ve argued against this distinction for DPoP too. Since the first days of 
HttpOnly, attackers have learnt to proxy requests through the browser (as you know of 
course). This is not only to bypass the restrictions but it’s also just much 
better for the attacker because it hides their traffic and origin. People are 
online all the time now, so this is at best a mild inconvenience. 

— Neil

> On 15 Feb 2021, at 11:09, Philippe De Ryck 
> <phili...@pragmaticwebsecurity.com> wrote:
> 
> 
>> 
>>> On 15 Feb 2021, at 11:50, Neil Madden <neil.mad...@forgerock.com> wrote:
>>> 
>>>> On 15 Feb 2021, at 10:26, Philippe De Ryck 
>>>> <phili...@pragmaticwebsecurity.com> wrote:
>>> 
>>>>> On 15 Feb 2021, at 11:14, Neil Madden <neil.mad...@forgerock.com> wrote:
>>>>> 
>>>>>> On 15 Feb 2021, at 08:32, Philippe De Ryck 
>>>>>> <phili...@pragmaticwebsecurity.com> wrote:
>>>>>> 
>>>>> [...]
>>>>> 
>>>>> Compared to using a worker for handling RTs, I believe the TMI-BFF only 
>>>>> adds a single security benefit: an attacker is no longer able to run a 
>>>>> silent flow to obtain a fresh set of tokens (since the client is now a 
>>>>> confidential client). 
>>>> 
>>>> But they can just call the bff-token endpoint to do the same. If there is 
>>>> a security advantage, IMO it is as a defence in depth against open 
>>>> redirects, unicode normalisation attacks (i.e. not validating the 
>>>> redirect_uri correctly at the AS), etc. 
>>> 
>>> A Web Worker and the TMI-BFF both encapsulate the RT and only expose the 
>>> (short-lived) AT.
>> 
>> I don’t think this distinction matters at all from a security point of view. 
>> It’s the AT that attackers are after - why bother with an RT if I can just 
>> call the bff-token endpoint to get a new AT every time?
> 
> Getting an AT from the BFF (or a worker) is an “online” attack, which only 
> works as long as the application/malicious code is loaded in the browser of 
> the user. 
> 
> Stealing a working refresh token (e.g., with a silent flow) is an “offline” 
> attack, which gives long-term access (lifetime of the RT), independent of the 
> state of the application in the user’s browser.
> 
> There is a clear distinction, but whether that matters is a different 
> discussion. It depends on how the application is used, and how token lifetimes 
> are configured. FWIW, the DPoP threat model makes the same distinction 
> (“Stolen token (XSS)” vs “XSS (Victim is online)”) here: 
> https://danielfett.de/2020/05/04/dpop-attacker-model/
> 
> Philippe
>  
> 

-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
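As an added illustration of the pattern being debated above (constructed for this thread, not code from either author or from the TMI-BFF draft), the following Python model keeps the refresh token on the confidential backend and exposes only the short-lived AT through a session-bound bff-token endpoint. Class names, token lifetimes and the refresh-rotation behaviour of the stand-in AS are assumptions; the point it shows is that the response never carries the RT, and that the endpoint stops answering once the browser session ends.

```python
import secrets

AT_LIFETIME = 300              # short-lived access token, seconds (assumed)
RT_LIFETIME = 30 * 24 * 3600   # long-lived refresh token, seconds (assumed)


class AuthServer:
    """Constructed stand-in for the AS: issues and rotates refresh tokens."""

    def __init__(self):
        self.refresh_tokens = {}  # rt -> (subject, expires_at)

    def issue(self, subject, now):
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = (subject, now + RT_LIFETIME)
        return rt

    def refresh(self, rt, now):
        subject, exp = self.refresh_tokens.pop(rt, (None, 0))  # rotation: old RT dies
        if subject is None or now > exp:
            raise PermissionError("invalid or expired refresh token")
        new_rt = secrets.token_urlsafe(16)
        self.refresh_tokens[new_rt] = (subject, exp)  # rotation does not extend RT life
        return {"access_token": f"at-{subject}-{secrets.token_hex(4)}",
                "expires_at": now + AT_LIFETIME, "refresh_token": new_rt}


class TokenMediatingBFF:
    """Confidential client: the RT stays server-side, keyed by the session cookie."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.sessions = {}  # session cookie -> {"rt", "at", "at_exp"}

    def login(self, subject, now):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"rt": self.auth_server.issue(subject, now), "at": None, "at_exp": 0}
        return cookie

    def bff_token(self, cookie, now):
        """The bff-token endpoint: returns only the (short-lived) AT, never the RT."""
        s = self.sessions.get(cookie)
        if s is None:
            raise PermissionError("no active session")
        if s["at"] is None or now >= s["at_exp"]:
            t = self.auth_server.refresh(s["rt"], now)
            s.update(rt=t["refresh_token"], at=t["access_token"], at_exp=t["expires_at"])
        return {"access_token": s["at"], "expires_at": s["at_exp"]}

    def logout(self, cookie):
        self.sessions.pop(cookie, None)  # ends the "online" window for injected script as well
```

Script running in the page (legitimate or injected) can only ever obtain what `bff_token` returns, so its access is bounded by the session and the AT lifetime, whereas the long-lived RT is only ever held by the AS and the BFF.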
