The Implicit Flow: Part 1

[hhorikawa]

The Implicit Flow: Part 1.

It's quite a big deal, so I split it into several patches.
I have checked that I don't break the Code Flow.

AS-IS:
The Implicit Flow is used in a situation when the client_secret cannot be kept safe.
So, the client must validate the token returned by the IdP with the IdP's public key.
However, neither the strategy code nor the test cases have been validated and tested. It is vulnerable.

In this Part 1, I prepare the flow to incorporate verification.

options:

• response_type: ['id_token','token']

You must use always the IdP's RSA public key.

• new methods to parse IdP's public keys for discovery:false.
• public_key() is restricted to only public keys.
• call public_key() from key_or_secret() at necessary
• flexibility of configured_response_type()

others:

• coveralls dependency removed due to version conflict.

[stanhu]

Why is this commented out?

[hhorikawa]

Because omniauth/strategies/openid_connect is not a subdirectory. This is required from lib/omniauth_openid_connect.

[stanhu]

response_type can also be:

1. token
2. token id_token token

[hhorikawa]

No. token (raw OAuth 2.0) MUST NOT be used for the authentication purpose. There are many explanations, for example, see: http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

Acceptable:

• code - Authorization Code Flow
• id_token token - Implicit Flow
• code id_token - Hybrid Flow -- Financial-grade API Security Profile 1.0 - Part 2: Advanced

However, I think i will implement the Implicit Flow first. After finishing, I will consider whether to implement the Hybrid Flow.

[stanhu]

This method name setup_phase is confusing; maybe validate_response_type! is better. My point is there are many types of response_type values, and it's not clear to me that this is checking specific types for different flows.

We may want to link: https://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

[hhorikawa]

setup_phase is a override method. It's OK.
As you say, there are various combinations of response_type. However, they cannot be implemented without checking the use cases and risks one by one.
If you want to implement the Hybrid Flow, I won't stop it and welcome you to do it.

[stanhu]

I see your security note about id_token, but this gem supported that configuration in the past (e.g. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request). I'm a bit hesitant to break existing configurations.

[hhorikawa]

There are too many things to point out and I am at a loss.

• The Implicit Flow of this branch does not force the public key verification required by the specification and does not secure. So I'm trying to make it.
• The compatibility with what does not work. What does that mean?
• As stated in the link you shared, Azure AD disables the Implicit Flow by default.
• I'm using Azure AD, so I checked. You can enable the implicit permissions on the Azure AD console. However, in the description there, id_token token is specified. In the case of the Hybrid Flow, enabling only id_token is instructed.
• The Hybrid Flow is not the scope of this patch sequence.

Furthermore, if you still want to get id_token only, OK, I consider implementing it. Let me do to accept only id_token in the next patch part 2 and implement the public key validation in patch part 3.

[hhorikawa]

@stanhu
Are there any additions? For reference, I would link to the implementation guide.
https://openid.net/specs/openid-connect-implicit-1_0.html

[stanhu]

I think there should be some method for implicit_flow?, client_credentials_flow?, etc. There are many possibilities for configured_response_type.

[hhorikawa]

Ah, I see.
I want to organize it with the patch part 2 to push next.

[formigarafa]

Some people (me) may get a bit confused with the use-case you are trying to cover.
If you don't mind I would appreciate if you could give a better explanation on this use.
Some people won't expect to see an implicit flow using a server, understand?
I am not saying you can't have such use-case. I had to deal with some very odd ones myself.
I am just trying to follow what you are trying to achieve.

BTW, my expectation is that I may be just about to learn something.

[hhorikawa]

@formigarafa
Thanks for your comment.

1. The current implementation is not perfect, so I would like to brush up and fix it. It's a purely technical interest.
2. The use case is free from client_secret in the server app. By using this secure library, you don't have to store the client_secret in your application. There are no trade-offs. It's simply good to make one less secret to keep safe
3. Desktop or front-end application. However, I don't have knowledge about this point. Ruby Hyperloop (now called HYPERSTACK)?

Do you know what a use case was expected when the first Implicit Flow was introduced?

[hhorikawa]

The review takes a lot of time.
Guess the patch is too big.
OK. I'll drop this PR and reconstruct it into a bunch of smaller patches.

[formigarafa]

My concern is just if it would become possible to create an implicit flow on server-side with your changes which I believe is supposed to be avoided.
Running the tool in the client will not complete any of the server flows.

I have been reading and it seem there are other less conventional flows using the name implicit. I wonder if what you are implementing would be one of those. It would be nice to have a link or description to give an overview of what the code is supposed to do. It will ease reviews by knowing what is new and if something is breaking in the process.