OAuth 2.0 for Native Apps
draft-ietf-oauth-native-apps-12

[Ballot comment]
A couple of nits:

8.2.  OAuth Implicit Grant Authorization Flow

  The OAuth 2.0 implicit grant authorization flow as defined in
  Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice
  of performing the authorization request in the browser, and receiving
  the authorization response via URI-based inter-app communication.
  However, as the Implicit Flow cannot be protected by PKCE (which is a
  required in Section 8.1), the use of the Implicit Flow with native
  apps is NOT RECOMMENDED.

NOT RECOMMENDED is not actually a construct allowed by RFC 2119, I think you should reword it using "SHOULD NOT".

It would be good to add RFC reference for HTTPS URIs.

[Ballot comment]
Document: draft-ietf-oauth-native-apps-11.txt

S 7.
  To fully support this best practice, authorization servers MUST
  support the following three redirect URI options.  Native apps MAY
  use whichever redirect option suits their needs best, taking into
  account platform specific implementation details.

It's not entirely clear from this text what "support" means. Would
just echoing whatever redirect URI the client provided count as
support?


S 7.2.

  App-claimed HTTPS redirect URIs have some advantages in that the
  identity of the destination app is guaranteed by the operating
  system.  For this reason, they SHOULD be used in preference to the
  other redirect options for native apps where possible.

You should probably be clearer on who this guarantee is provided to.
And I assume this SHOULD is directed to app authors?

  Claimed HTTPS redirect URIs function as normal HTTPS redirects from
  the perspective of the authorization server, though as stated in
  Section 8.4, it is REQUIRED that the authorization server is able to
  distinguish between public native app clients that use app-claimed
  HTTPS redirect URIs and confidential web clients.

S 8.4 doesn't seem clear on how one makes this distinction. Is
it just a matter of remembering what the app author told you?


S 8.1.
  As most forms of inter-app URI-based communication send data over
  insecure local channels, eavesdropping and interception of the
  authorization response is a risk for native apps.  App-claimed HTTPS
  redirects are hardened against this type of attack due to the
  presence of the URI authority, but they are still public clients and
  the URI is still transmitted over local channels with unknown
  security properties.

I'm probably missing something, but I'm not sure what this last
sentence means. Is the channel here the one that kicks off the
native app with the HTTPS URI as the target?

[Ballot comment]
I agree with Adam's general sentiment about detection of bad behavior vs asking people not to be bad.

-8 and it's children: There seems to be a lot of duplication (including duplication of normative language) between the security considerations and the rest of the document.

- 8.7: This section seems to argue against using in-app browser tabs in the first place. If there is no good way for the user to tell the difference between that and an imbedded UA, then maybe we should train users to be suspicious of any in-app presentation of the authorization request? The last paragraph seems to be founded on a mismatch between user needs and typical user sophistication.

[Ballot comment]
General
=======
The thesis of this document seems to be that bad actors can access authentication information that gives them broader or more durable authorization than is intended; and appears to want to mitigate this predominantly with a single normative statement in a BCP telling potential bad actors to stop doing the one thing that enables their shenanigans.  For those familiar with the animated series "The Tick," it recalls the titular character yelling "Hey! You in the pumps! I say to you: stop being bad!" -- which, of course, is insufficient to achieve the desired effect.

I see that there is nevertheless "strong consensus" to publish the document; in which case, I would encourage somewhat more detail around what the rest of the ecosystem -- and the authentication server in particular -- can do to mitigate the ability of such bad actors. Specifically, section 8.1 has a rather hand-wavy suggestion that authorization endpoints "MAY take steps to detect and block authorization requests in embedded user agents," without offering up how this might be done. The problem is that that the naïve ways of doing this (UA strings?) are going to be easy to circumvent, and the more advanced ones (say, instructing users to log in using a non-OAuth flow if the auth endpoint detects absolutely no cookies associated with its origin) will have interactions that probably warrant discussion in this document. (For example, such an approach -- while potentially effective -- would interact very poorly with the "SSO mode" described in section B.3; although I think that recommending the use of "SSO mode" should be removed for other reasons, described below).

________

Specific comments follow

The terminology section makes distinctions about cookie handling and content access in generic definitions (embedded versus external UAs, for example) but doesn't do the same for specific technologies. It is probably worthwhile noting that the "in-app browser tab" prevents apps from accessing cookies and content, while the "web-view" does not (I had to infer these facts from statements much later in the document).

Section 7.3 gives examples of IPv4 and IPv6 addresses for loopback. While I'm sympathetic to the deployment challenges inherent in getting entire network paths to upgrade to IPv6, this text discusses loopback exclusively, which means that only the local operating system needs to support IPv6. Since all modern operating systems have supported IPv6 for well over a decade, I suggest that the use of IPv4 addresses for this purpose should be explicitly deprecated, so as to avoid unnecessary transition pain in the future. Minimally, the example needs to be replaced or supplemented with an IPv6 example, as per : "We recommend that existing standards be reviewed to ensure they... use IPv6 examples."

Section 8.1 makes the statement that "Loopback IP based redirect URIs may be susceptible to interception by other apps listening on the same loopback interface." That's not how TCP listener sockets work: for any given IP address, they guarantee single-process access to a port at any one time. (Exceptions would include processes with root access, but an attacking process with that level of access is going to be impossible to defend against). While mostly harmless, the statement appears to be false on its face, and should be removed or clarified.

Section 8.4 indicates that loopback redirect URIs are allowed to vary from their registered value in port number only. If you decide not to deprecate the use of IPv4 loopback, I imagine that servers should also treat [::1] identical to 127.0.01 for this purpose as well.

Section 8.7 claims that users are likely to be suspicious of a sign-in request when they should have already been signed in, and goes on to claim that they will distinguish between completely-logged-out states and logged-in-but-needing-reauth states, and may even take evasive action based on associated suspicion. Based on what I know of user research for security indicators, the chances of these statements being true for any non-trivial portion of any user population is basically zero. I propose that this section simply highlight that this is effectively an intractable problem from the client end, without any illusions that users have the ability to distinguish between the two circumstances, and that authentication servers must be extra vigilant in detecting and avoiding these kinds of attacks.

Section 8.11, third paragraph talks about keystroke logging; in practice, the attack here is far easier than that, as I believe that applications that embed a web view can simply extract authentication-related material directly from the DOM.

Section B.2 uses the phrase "Android Implicit Intends" where I believe it means "Android Implicit Intents."

Section B.3 describes the use of a "Web Authentication Broker" in SSO mode, which provides an isolated authentication context. If the section 8.7 text regarding user detection of nefarious application behavior in the form of web-view embedding is not removed, this needs a very clear treatment of how users might be expected to distinguish between that behavior and the SSO mode behavior. On casual examination, it seems that there would be no way to do so. I'll note that this BCP also promotes the "already logged in" behavior as being a key benefit to OAuth (cf. the third paragraph of Section 4), which the described behavior seems to mostly defeat. I would strongly suggest either removing discussion of using this mode, or deprecating it in favor of the user's preferred web browser, so as to obtain the advantages described in section 4.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has reviewed draft-ietf-oauth-native-apps-10.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: draft-ietf-oauth-native-apps@ietf.org, oauth-chairs@ietf.org, Kathleen.Moriarty.ietf@gmail.com, Hannes Tschofenig , Hannes.Tschofenig@gmx.net, oauth@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (OAuth 2.0 for Native Apps) to Best Current Practice


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'OAuth 2.0 for Native Apps'
  as Best Current Practice

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-05-16. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  OAuth 2.0 authorization requests from native apps should only be made
  through external user-agents, primarily the user's browser.  This
  specification details the security and usability reasons why this is
  the case, and how native apps and authorization servers can implement
  this best practice.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc6749: The OAuth 2.0 Authorization Framework (Proposed Standard - IETF stream)

Shepherd Write-Up for "OAuth 2.0 for Native Apps"


(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This specification is proposed as a 'Best Current Practice' document. The
type of RFC is indicated. The document summarizes the experience from
industry on how to use OAuth for native applications securely.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  OAuth 2.0 authorization requests from native apps should only be made
  through external user-agents, primarily the user's browser.  This
  specification details the security and usability reasons why this is
  the case, and how native apps and authorization servers can implement
  this best practice.

Working Group Summary

  The OAuth 2.0 authorization framework, documents two approaches for
  native apps to interact with the authorization endpoint: via an
  embedded user-agent, or an external user-agent.

  This document recommends external user-agents like in-app browser
  tabs as the only secure and usable choice for OAuth.

Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

There are high-quality libraries available following the
recommendations in this document:
- Android: http://openid.github.io/AppAuth-Android 
- iOS: http://openid.github.io/AppAuth-iOS 
- Windows: https://github.com/googlesamples/oauth-apps-for-windows

Google has deprecated support for WebView-based OAuth and
now requires the use of the practices defined in the BCP.
The pattern is documented at
https://developers.google.com/identity/protocols/OAuth2InstalledApp
for the Google OAuth server, and is also recommended by Android
for Work, see https://developer.android.com/work/guide.html#sso.

Ping Identity describes the pattern and has OAuth for Native Apps
compliant samples, see
https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html
https://github.com/pingidentity/ios-appauth-sample-application
https://github.com/pingidentity/android-appauth-sample-application

Okta has published OAuth for Native Apps compliant samples:
https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android
https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-swift

The AppAuth library implements the BCP 100%, including honoring the
"NOT RECOMMENDED" advice.

In terms of review the document has received feedback from major OS
providers and the available code demonstrates the practical nature of
the recommended approach.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

Hannes Tschofenig is the document shepherd and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The document shepherd was involved in the working group review process
and verified the document for correctness.

The shepherd has not contributed or worked with the above-mentioned
libraries. Hence, he has not verified the text in Appendix B "Operating
System Specific Implementation Details".

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

There are no concerns regarding the document reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

It would be great if reviewers with experience in native application
development (particularly on mobile OSs) could take a look at this document.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The document shepherd has no concerns with the document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors have confirmed full conformance with the provisions of BCP 78
and BCP 79:

William: https://www.ietf.org/mail-archive/web/oauth/current/msg16709.html
John: https://www.ietf.org/mail-archive/web/oauth/current/msg16677.html

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed for this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is solid consensus in the working group for publishing this
document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

Nobody threatened an appeal or expressed extreme discontent.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd checked the document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

No formal review is needed.

(13) Have all references within this document been identified as
either normative or informative?

Yes. The references are split into normative and informative references.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

All normative references are published RFCs.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

There are no downward normative references.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document does not change the status of an existing RFC.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

This document does not request any actions by IANA.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There is no text in formal languages in the document.