Hi Mike,
thanks for the response. I am fine with your explanations.
Ciao
Hannes
On 09/03/2016 02:00 AM, Mike Jones wrote:
Thanks for your review, Hannes. Replies are inline...
-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesda
> "keep away from implicit grants and do not store bearer tokens in the
browser" - that would be practically impossible for the envs that I was
writing about and "best practices" that could not be enforced aren't
worth much. I can formulate it in stronger terms: if OAuth wouldn't
allow a JS client
"keep away from implicit grants and do not store bearer tokens in the browser"
- that would be practically impossible for the envs that I was writing about
and "best practices" that could not be enforced aren't worth much. I can
formulate it in stronger terms: if OAuth wouldn't allow a JS clien
Things have gotten so muddled not sure where to begin, the original goal of
this draft was to provide the function that we use in daily high volume
production of WS-Trust as we transition to Oauth. WS-Trust provided many
options, one was ActAs and the other was OnBehalfOf, these were 2 distinct
+1000 on a OAuth Security Best Practices document. I'd be happy to
review or help some.
I think right now the answer is: keep away from implicit grants and do
not store bearer tokens in the browser. Instead, use the authorization
code grant which only exposes bearer tokens intra-server.
For /*web
It is an interesting discussion, indicating that perhaps a best practices
document is in order.
I have had several people ask me about SPA using OAuth recently.
Until we get the W3C to finish fetch and extend it for token binding, we are
going to have ongoing issues with bearer tokens in the br
+1 I think that's a very fair perspective.
Putting sensitive data in LocalStorage is still a very bad idea. :) One
XSS and gone. Maybe XSS is not a big deal in a native app, but it's
death to Web apps.
Aloha, Jim
On 9/8/16 10:20 AM, Oleg Gryb wrote:
> In SPA/REST env session ID is not very usef
In SPA/REST env session ID is not very useful, so it's *an* auth token or
tokens (not necessary OAuth one) that are stored in a cookie. It's used to get
REST calls authenticated and yes, it usually runs in a multi-domain envs (think
about micro services architecture). It makes me think that the
> Since SPA is a new normal now, it becomes extremely difficult to
enforce HTTPOnly flag, because JS needs access to secrets including
those stored in cookies.
In a browser environment, this is only true when you need to make cross
domain requests or are using cookie data for something other than
Jim,
It's outdated a bit. Since SPA is a new normal now, it becomes extremely
difficult to enforce HTTPOnly flag, because JS needs access to secrets
including those stored in cookies. 5-10 years ago I would always enforce
HTTPOnly and now - I can't.
Thanks,Oleg.
From: Jim Manico
To: Ada
In the web world, cookies for session identifiers are much safer - since we can
use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is
not possible for localStorage. Overall, security folk say •keep sensitive data
out of localStorage• since one XSS and it's stolen. There
The initial working group draft of the OAuth Token Binding specification has
been published. It has the same content as draft-jones-oauth-token-binding-00,
but with updated references. This specification defines how to perform token
binding for OAuth access tokens and refresh tokens. Note tha
Hi,
The WG is currently putting together best practices for native apps. I
would like to better understand the best practices around ua-based-apps,
especially as it relates to token storage. I've read various blog posts
about the preference between storing tokens in cookies vs. Web Storage
(loc
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Token Binding
Authors : Michael B. Jones
John Bradley
Thanks Mike, "hwk" and "swk" would do. The actual auth method is indeed
proving key possession, whereas x.509 is mostly about formatting.
Vladimir
On 03/09/16 01:20, Mike Jones wrote:
> Thanks for your question, Vladimir. No, there is not currently an
> X.509-specific value defined. However,
15 matches
Mail list logo
