Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should this approach extend to native applications? #38

Open
NickBorgersOnLowSecurityNode opened this issue Apr 8, 2024 · 2 comments
Open

Should this approach extend to native applications? #38

NickBorgersOnLowSecurityNode opened this issue Apr 8, 2024 · 2 comments

Comments

@NickBorgersOnLowSecurityNode
Copy link

This isn't necessarily the scope of the proposal and I don't know if it should be co-mingled, but I wonder what native apps will do. It's perhaps a different failure mode for native client tokens to be stolen because something like a malicious browser extension probably wouldn't be able to accomplish, but is another situation where session token theft can be a problem and device binding would help mitigate.

If considering attacks beyond a browser it really indicates the OS needing to provide an API for creating keys which userspace software can request operations with (sign/encrypt) but not directly access without elevated OS privileges. I'm not well-versed in the nuances of how this has been implemented.

I'm coming at this from the perspective of a Corpsec Engineer who struggles with consistent revocation of long-lived session tokens in SSO-integrated apps. This proposal doesn't address that problem, but I'm acutely aware of just how many forms sessions tokens take. On a mobile OS (iOS/Android) stealing the session tokens from another application likely implies a level of host compromise that only a TPM/Secure Enclave would mitigate, but on a desktop/laptop OS my impression is that userspace privileges could likely be used to harvest session tokens so device-binding would provide some value.

These thoughts came to reading responses to #13
@arnar
Copy link
Collaborator

arnar commented Apr 8, 2024

If your native apps use OAuth, it's well worth considering DPoP at least on the refresh token -> access token exchanges. In fact doing something similar* to that is what led us to DBSC.

(* Similar because it pre-dates DPoP, but in the end it's a simple JWT in the client_assertion on the /token endpoint.)

@NickBorgersOnLowSecurityNode
Copy link
Author

An RFC to read (on DPoP), thank you.

I will subsequently :cry-in-corpsec: because I don't get to write/modify the code of any products I'm responsible for the security of.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arnar @NickBorgersOnLowSecurityNode