AxaFrance / oidc-client

Light, Secure, Pure JavaScript OIDC (OpenID Connect) Client. We also provide a React wrapper (compatible with NextJS, etc.).
MIT License

Validation of service worker approach against new draft from ietf.org #1307

Closed pgangwani closed 4 months ago

pgangwani commented 4 months ago

Issue and Steps to Reproduce

I got an update from my security team that ietf.org is drafting some observations on the service worker pattern, calling it "may be" secure, which they previously claimed to be the most secure method. Now, if you read 7.4.1.1. Attacking the Service Worker, specifically point number 2: Prevent an attacker from acquiring a new set of tokens

To meet the second security requirement, the Service Worker must be able to guarantee that an attacker controlling the legitimate application cannot execute a new Authorization Code flow, an attack discussed in Section 5.1.3. Due to the nature of Service Workers, the registered Service Worker will be able to block all outgoing requests that initialize such a new flow, even when they occur in a frame or a new window.

[Image: payload-new-flow; two screenshots dated 2024-02-23]

The steps I got are:

  1. Pretend a hacker is injecting code to intercept the authorization value and token payload.
  2. If unsuccessful, the code tries to turn off the service worker for the site.
  3. It then refreshes; with the same code as above, the new token details fetched are somehow intercepted by the code.
  4. The tokens are then used forever.

This issue is just to validate and prove that we are good and safe with the service worker approach.

Versions

any version

Screenshots

Expected

There is no way any code in the main page or in an iframe is able to access any tokens with the service worker approach.

Actual

Need to test whether the expected behaviour holds.

Additional Details
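The four steps above, modelled as an added, Node-runnable example that is not code from the issue author or from oidc-client. It models (a) a service worker fetch handler that keeps the real tokens in worker memory, hands the page only a placeholder, swaps the placeholder back on outgoing API calls, and, per the draft's requirement 2, refuses to start another authorization code flow from any document it controls, and (b) the browser's registration state, modelled after the Service Worker spec's unregister algorithm: `unregister()` removes the registration from the scope map so later navigations are not controlled, while a document that is already controlled keeps its controller until it goes away. Endpoint URLs, the placeholder string, the token values and the fake authorization server are all constructed for the example.

```javascript
// Added illustration, not oidc-client's code: a model of the service worker
// token-hiding pattern and of the four steps in the issue. Endpoints, the
// placeholder string and the token values are constructed for this example.
const TOKEN_ENDPOINT = "https://as.example/token";
const AUTHZ_ENDPOINT = "https://as.example/authorize";
const API_ORIGIN = "https://api.example";
const PLACEHOLDER = "ACCESS_TOKEN_SECURED_BY_SERVICE_WORKER"; // hypothetical placeholder

// Stand-in authorization server + resource server: one token pair per code exchange.
function createAuthorizationServer() {
  let issued = 0;
  return (url, init = {}) => {
    if (url.startsWith(AUTHZ_ENDPOINT)) return { status: 302, json: { code: `code-${issued + 1}` } };
    if (url === TOKEN_ENDPOINT) {
      issued += 1;
      return { status: 200, json: { token_type: "Bearer", access_token: `real-access-${issued}`, refresh_token: `real-refresh-${issued}` } };
    }
    if (url.startsWith(API_ORIGIN)) {
      const auth = (init.headers || {}).Authorization || "";
      return { status: auth.startsWith("Bearer real-access-") ? 200 : 401, json: {} };
    }
    return { status: 404, json: {} };
  };
}

// Model of the service worker's fetch handler. Real tokens live only in `vault`,
// which page JavaScript cannot read.
function createServiceWorker(upstream) {
  const vault = { access: null, refresh: null };
  return {
    onFetch(url, init = {}) {
      // Draft 7.4.1.1 requirement 2: while a session is held, refuse to start
      // another authorization code flow, whichever controlled document asks.
      if (url.startsWith(AUTHZ_ENDPOINT) && vault.access) {
        return { status: 403, json: { error: "blocked_by_service_worker" } };
      }
      if (url === TOKEN_ENDPOINT) {
        const res = upstream(url, init);
        vault.access = res.json.access_token;
        vault.refresh = res.json.refresh_token;
        return { status: 200, json: { ...res.json, access_token: PLACEHOLDER, refresh_token: PLACEHOLDER } };
      }
      if (url.startsWith(API_ORIGIN)) {
        const headers = { ...(init.headers || {}) };
        if (headers.Authorization === `Bearer ${PLACEHOLDER}` && vault.access) {
          headers.Authorization = `Bearer ${vault.access}`; // swap placeholder on the way out
        }
        return upstream(url, { ...init, headers });
      }
      return upstream(url, init);
    },
  };
}

// Model of the browser's registration state: a document is controlled only if a
// registration matches its scope at navigation time; unregister() drops the
// registration from that map, but a worker keeps the documents it already controls.
function createBrowser() {
  const upstream = createAuthorizationServer();
  const scopeMap = new Map();
  return {
    register(scope) { scopeMap.set(scope, createServiceWorker(upstream)); },
    unregister(scope) { return scopeMap.delete(scope); },
    navigate(scope) {
      const controller = scopeMap.get(scope) || null;
      return {
        controlled: controller !== null,
        fetch: (url, init = {}) => (controller ? controller.onFetch(url, init) : upstream(url, init)),
      };
    },
  };
}

// Page-side code, legitimate or injected: hit /authorize, then exchange the code.
function runAuthorizationCodeFlow(page) {
  const authz = page.fetch(`${AUTHZ_ENDPOINT}?response_type=code&client_id=spa`);
  if (authz.status !== 302) return { blocked: true, tokens: null };
  const tok = page.fetch(TOKEN_ENDPOINT, { method: "POST", body: `grant_type=authorization_code&code=${authz.json.code}` });
  return { blocked: false, tokens: tok.json };
}

function callApi(page, token) {
  return page.fetch(`${API_ORIGIN}/me`, { headers: { Authorization: `Bearer ${token}` } }).status;
}

// The issue's four steps, in order.
function runIssueScenario() {
  const browser = createBrowser();
  browser.register("/");
  const page = browser.navigate("/");
  const login = runAuthorizationCodeFlow(page);                 // legitimate login
  const frame = browser.navigate("/");                           // frame opened by injected code
  const result = {
    step1_tokenVisibleToPage: login.tokens.access_token,         // only the placeholder
    step1_placeholderStillWorksForApp: callApi(page, PLACEHOLDER),
    step1_newFlowFromFrameBlocked: runAuthorizationCodeFlow(frame).blocked,
  };
  browser.unregister("/");                                       // step 2
  result.step2_existingPageStillControlled = page.controlled && callApi(page, PLACEHOLDER) === 200;
  const reloaded = browser.navigate("/");                        // step 3: reload after unregister
  const fresh = runAuthorizationCodeFlow(reloaded);
  result.step3_reloadedPageControlled = reloaded.controlled;
  result.step3_tokenVisibleToPage = fresh.blocked ? null : fresh.tokens.access_token;
  result.step4_leakedTokenAccepted = callApi(reloaded, result.step3_tokenVisibleToPage); // step 4
  return result;
}
```

In this model the worker does exactly what the quoted draft text asks of it: the original tokens never reach page JavaScript, the placeholder still works for the legitimate app, and a second flow started from a frame is blocked while the worker is registered. What the model also makes visible is the gap behind the issue's step 2 and 3: after `unregister()` the running document stays controlled, but a reloaded document is not, so a flow started there returns raw tokens to whatever script runs in it. Whether that flow completes without user interaction in a real deployment depends on the authorization server's session and prompt behaviour and on the library's own countermeasures (the FAQ entry the maintainer links in the next comment addresses that), neither of which this model covers.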

guillaume-chervet commented 4 months ago

Good issue @pgangwani, I will detail a response + code + video very soon :)

The hidden FAQ gives an answer: https://github.com/AxaFrance/oidc-client/blob/main/FAQ.md#good-security-practices--does-a-hacker-can-unregister-the-service-worker-and-retrieve-tokens-via-an-iframe-

pgangwani commented 4 months ago

> Good issue @pgangwani, I will detail a response + code + video very soon :)
>
> The hidden FAQ gives an answer: https://github.com/AxaFrance/oidc-client/blob/main/FAQ.md#good-security-practices--does-a-hacker-can-unregister-the-service-worker-and-retrieve-tokens-via-an-iframe-

Nice information in a hidden gem, and an apt reply for my security team. I understood. Thanks for the next detailed steps.