Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Jim Manico
> +1000 on an OAuth Security Best Practices document. I'd be happy to

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Oleg Gryb
+1000 on an OAuth Security Best Practices document. I'd be happy to review or help some. I think right now the answer is: keep awa

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Jim Manico
>>> vailable to confirm that.

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread John Bradley

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Jim Manico

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Oleg Gryb
> Since SPA is a new normal now, it becomes extremely difficult to enforce HTTPOnly flag, because JS needs access to secrets including those stored in

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Jim Manico
s enforce HTTPOnly and now - I can't. > > Thanks, > Oleg.

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Oleg Gryb
In the web world, cookies for session identifiers are much safer - since we can use HTTPOnly cookies to protect them from theft via XSS

Re: [OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Jim Manico
In the web world, cookies for session identifiers are much safer - since we can use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say "keep sensitive data out of localStorage" since one XSS and it's stolen. There

[OAUTH-WG] best practices for implicit grant / token storage

2016-09-08 Thread Adam Lewis
Hi, The WG is currently putting together best practices for native apps. I would like to better understand the best practices around ua-based-apps, especially as it relates to token storage. I've read various blog posts about the preference between storing tokens in cookies vs. Web Storage (loc