| Internet-Draft | oauth-web-message-response-mode | November 2023 |
| Meyer zu Selhausen, et al. | Expires 26 May 2024 | [Page] |
This specification defines the web message response mode that authorization servers use for transmitting authorization response parameters via the user-agent's postMessage API to the client. This mode is intended for authorization flows that use secondary windows, which are well-suited for browser-based applications.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 May 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
OAuth [RFC6749] uses HTTP redirects
to transfer authorization response parameters
from the authorization server via the user-agent to the client's redirection endpoint.
In this case, the authorization response parameters
are encoded in the query string (response_mode=query)
or in the fragment (response_mode=fragment) of the redirect_uri [oauth.encoding] (Section 2.1).
[RFC6749] (Section 1.7) allows other mechanisms available via the user-agent
to accomplish this redirection, such as response_mode=form_post [oauth.post].¶
The standardized query, fragment, and form post response modes are designed for single-window authorization but not for multi-window authorization flows. A common example is a popup-based authorization flow, where the client's primary window opens the authorization server in a secondary window. The secondary window cannot use HTTP redirects to transfer response parameters back to the client in the primary window.¶
This specification defines the web message response mode
that uses the user-agent's postMessage API [whatwg.postmessage]
to exchange messages between two different browser windows.
Clients inform the authorization server to use this response mode
for returning the authorization response
by setting the response_mode parameter in the authorization request to web_message.
This response mode facilitates popup-based and iframe-based authorization flows,
in which the authorization server is called in a secondary window or embedded in a frame on the client.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification uses the terms "client", "user-agent", "authorization server", "authorization endpoint", "redirection endpoint", "redirection URI", "authorization request", and "authorization response" defined by the OAuth 2.0 Authorization Framework [RFC6749]. It further uses the term "response mode" defined by the OAuth 2.0 Multiple Response Type Encoding Practices [oauth.encoding].¶
This specification defines the following additional terminology.¶
This specification defines the web message response mode,
which is described with the following response_mode parameter value in the authorization request [oauth.encoding].¶
web_messageIf the authorization request includes the value web_message for the response_mode parameter, the authorization server:¶
The client's redirection URI MUST serve as the postMessage's receiver origin to protect the authorization response from being leaked to malicious origins.¶
This example illustrates how an authorization server (identified by the issuer https://as.example) in a secondary window returns the authorization response to the client (whose registered redirection URI is https://client.example/cb) in the primary window using the postMessage API:¶
========== NOTE: '\' line wrapping per RFC 8792 ===========
const primaryWindowRef = window.opener // popup-based auth. flow
const primaryWindowRef = window.parent // iframe-based auth. flow
primaryWindowRef.postMessage({"code": "XXXXXXXX","state":"XXXXXXXX",\
"iss": "https://as.example"},"https://client.example/cb")
¶
An authorization endpoint and consent-page embedded in an iframe MUST be protected against Clickjacking attacks [I-D.ietf-oauth-security-topics] (Section 4.16).¶
If the user's browser supports the Observer v2 API [w3c.observerv2], the authorization server MAY use it to allow the client to embed the authorization endpoint and consent-page. Otherwise, the authorization server MUST implement Clickjacking countermeasures according to [I-D.ietf-oauth-security-topics] (Section 4.16). The authorization server MUST prevent framing the authorization endpoint and consent-page except from origins deemed trustworthy.¶
Modern browsers have started to disable the support for third-party cookies. Thereby, iframes do not send authentication cookies along with requests in sub resource requests, such as iframes. Using iframes as secondary windows therefore requires special exceptions to bypass this restriction, such as the Storage Access API [mozilla.storageaccessapi].¶
Authorization servers MUST follow Section 2 and the security best practices [I-D.ietf-oauth-security-topics] (Section 4.18.2) when validating the postMessage receiver origin. Otherwise, the authorization response may leak to an attacker, as described in [I-D.ietf-oauth-security-topics] (Section 4.18.1.1) and [I-D.ietf-oauth-security-topics] (Section 4.18.1.2).¶
In redirect-based authorization flows, there is no inherent mechanism available
that enables a client to verify that the trusted authorization server initiates a redirection.
Instead, [RFC6749] introduces the state parameter to counter so-called Cross-Site Request Forgery (CSRF) attacks [I-D.ietf-oauth-security-topics] (Section 4.7) against the client's redirection endpoint by maintaining a state between the authorization request and response.¶
The postMessage API provides an inherent mechanism to verify the initiator of a postMessage. The client MUST use this mechanism as described in Section 2 and the security best practices [I-D.ietf-oauth-security-topics] (Section 4.18.2) to verify that the trusted authorization server is the initiator of the postMessage. Otherwise, an attacker can inject a maliciously crafted authorization response to the client [I-D.ietf-oauth-security-topics] (Section 4.18.1.3). This verification prevents some variants of CSRF attacks, where the attacker wants to log in a victim to the attacker account.¶
However, attackers can also use CSRF attacks to log in a victim to the victim's own account. This attack variant cannot be mitigated with the checks mentioned above. Instead, a proper CSRF countermeasure, as described in [I-D.ietf-oauth-security-topics] (Section 4.7.1) MUST be used.¶
Even after the initiator origin of the postMessage is validated, the client
MUST check that the postMessage has the expected format [whatwg.postmessage] (Section 9.3.2.1).
In specific, the postMessage
MUST NOT be processed in
unsafe JavaScript sinks like eval or innerHTML
to prevent cross-site scripting (XSS) flaws and other potentially malicious injections.
Otherwise, if the authorization server has been attacked using an XSS flaw,
further unchecked processing of the postMessage could result in the attack being propagated into the client.¶
In redirect-based authorization flows, the confidentiality of the authorization response is scoped to the redirection URI that contains a path. The path separates the authorization response from other, potentially vulnerable paths within the same web application. In flows using the web message response mode, the confidentiality of the authorization response is scoped to the postMessage's receiver origin that does not contain a path. Thus, cross-site scripting (XSS) vulnerabilities on any path within the web application's origin will leak the authorization response to the attacker.¶
This draft makes no requests to IANA.¶
We would like to acknowledge the prior work of Toru Yamaguchi, Nat Sakimura, and Nov Matake in [I-D.sakimura-oauth-wmrm] which tried to define a response mode with similarities to this specification. In contrast, this specification is not focused on iframes and does not include the use of the OAuth Implicit Grant.¶
We would like to thank Vladislav Mladenov, ...¶
for their valuable feedback on this document.¶
[[ To be removed from the final specification ]]¶
-00 * initial draft¶