Address gaps in BPoP protocol and feedback #667

Open
wants to merge 9 commits into
base: main
67 changes: 43 additions & 24 deletions BindingContext/BPoP.md
Expand Up @@ -5,40 +5,45 @@
- [Will Bartlett](mailto:wibartle@microsoft.com)
- [Sameera Gajjarapu](mailto:sameera.gajjarapu@microsoft.com)

## Participate
## Participate (Coming soon)
- [Issue tracker]
- [Discussion forum]

## Table of Contents [if the explainer is longer than one printed page]

[You can generate a Table of Contents for markdown documents using a tool like [doctoc](https://github.com/thlorenz/doctoc).]
[You can generate a Table of Contents for markdown documents using a tool like [doctoc](https://github.com`/thlorenz/doctoc).]

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
<!-- END doctoc generated TOC please keep comment here to allow auto update -->

- [Introduction](#introduction)
- [Goals [or Motivating Use Cases, or Scenarios]](#goals-or-motivating-use-cases-or-scenarios)
- [Non-goals](#non-goals)
- [BPoP functionality](#bpop-functionality)
- [Usecases](#usecases)
- [CNAMEs](#cnames)
- [Server activation](#server-activation)
- [Header based model:](#header-based-model)
- [JS API based model:](#js-api-based-model)
- [Browser BPoP proofs](#browser-bpop-proofs)
- [Detailed design](#detailed-design)
- [Storage model](#storage-model)
- [Retrieval model](#retrieval-model)
- [Application model](#application-model)
- [BPoP key verification](#bpop-key-verification)
- [BPoP background refresh](#bpop-background-refresh)
- [Server challenge](#server-challenge)
- [Server update](#server-update)
- [Considered alternatives](#considered-alternatives)
- [TLS Token Binding](#tls-token-binding)
- [Stakeholder Feedback / Opposition](#stakeholder-feedback--opposition)
- [References & acknowledgements](#references--acknowledgements)
- [Demonstrating Proof-of-Possession in the Browser Application (for authentication cookies) (BPoP)](#demonstrating-proof-of-possession-in-the-browser-application-for-authentication-cookies-bpop)
- [Authors:](#authors)
- [Participate (Coming soon)](#participate-coming-soon)
- [Table of Contents \[if the explainer is longer than one printed page\]](#table-of-contents-if-the-explainer-is-longer-than-one-printed-page)
- [Introduction](#introduction)
- [Goals \[or Motivating Use Cases, or Scenarios\]](#goals-or-motivating-use-cases-or-scenarios)
- [Non-goals](#non-goals)
- [BPoP functionality](#bpop-functionality)
- [Usecases](#usecases)
- [CNAMEs](#cnames)
- [Design proposal](#design-proposal)
- [Server activation](#server-activation)
- [Header based model:](#header-based-model)
- [JS API based model:](#js-api-based-model)
- [Browser BPoP proofs](#browser-bpop-proofs)
- [Detailed design](#detailed-design)
- [Storage model](#storage-model)
- [Retrieval model](#retrieval-model)
- [Application model](#application-model)
- [BPoP key verification](#bpop-key-verification)
- [BPoP background refresh](#bpop-background-refresh)
- [Server challenge](#server-challenge)
- [Server update](#server-update)
- [Considered alternatives](#considered-alternatives)
- [TLS Token Binding](#tls-token-binding)
- [Stakeholder Feedback / Opposition](#stakeholder-feedback--opposition)
- [References \& acknowledgements](#references--acknowledgements)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

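Review bot: the regenerated doctoc instruction line introduces a stray backtick inside the URL (`https://github.com`/thlorenz/doctoc`), which breaks the link; restore `https://github.com/thlorenz/doctoc`. The regenerated TOC also now lists the document's own title, the "Authors:" and "Participate (Coming soon)" headings, and the "Table of Contents" heading itself, and it carries the template placeholder "[if the explainer is longer than one printed page]" into an anchor; drop the bracketed template text from that heading and limit the TOC depth (e.g. with doctoc's `--maxlevel` option) so the list only covers sections a reader navigates to. The "Participate (Coming soon)" section still has bare "[Issue tracker]" and "[Discussion forum]" references with no link targets.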
Expand Down Expand Up @@ -66,8 +71,11 @@ This document makes direct analogs to DPoP, e.g. defining a "BPoP Proof" to matc

A website that is its own standalone identity provider (i.e. a website that accepts a username and password) could activate BPoP as part of rending the login form. Then, on the subsequent request, when the website verifies the username and password and issues an authentication cookie, the website could also verify the BPoP proof and record the public key associated with the BPoP proof in the authentication cookie. If this website had user submitted content and such content was subsequently used as part of a stored cross site scripting (XSS) attack, this attack would be unable to steal the BPoP private key and thus the attacker would be unable to use any stolen cookies.

BPoP also helps in mitigating the man-in-the-middle attacks where an attacker incercepting the traffic and stealing any artifacts will not be able to apply them without the extra proof we require with this protocol. Same with the on-device attacks which can result in the cookie-jar being stolen, will not be able to use those cookies for acquiring access to other resources.

A website that uses a federated identity provider could activate BPoP as part of redirecting to the federated identity provider. Then, on the response back from the federated identity provider, when the website verifies the federation response and issues an authentication cookie, the website could also verify the BPoP proof and record the public key associated with the BPoP proof in the authentication cookie. If this website were vulnerable to a reflected XSS which stole the authentication cookie, the attacker would be unable to use that stolen cookie, as the attacker would be unable to produce a BPoP proof.


BPoP is also not strictly limited to cookies - it can be used to bind any artifact which is issued and accepted by the same web server (e.g. an ASP.NET ViewState).

### CNAMEs
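Review bot: the new man-in-the-middle paragraph claims more than this hunk establishes. An attacker who intercepts a request captures the cookie together with the BPoP proof attached to it, so what prevents reuse is not the binding alone but the freshness and request-specific claims the proof carries (the "Server challenge" and "BPoP key verification" sections in the TOC are where those are defined); either state those conditions here or scope the claim to replay outside the proof's validity instead of saying intercepted artifacts "will not be able to apply them". The paragraph should also say which attacker model it assumes, since interception of TLS traffic presupposes a compromised connection. Wording: "incercepting" should be "intercepting", and the second sentence is ungrammatical; suggested rewrite: "Likewise, on-device attacks that steal the cookie jar yield cookies that cannot be used to access other resources without the corresponding private key."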
Expand All @@ -76,6 +84,15 @@ One prominent place where authentication cookies may be shared with multiple par

While it is possible for `example.com` to properly audience constrain cookies today (e.g. by issuing one cookie for each subdomain, rather than one cookie in the top-level domain), doing so in practice has proven to be prohibitively cumbersome for many deployments.

### Design proposal

Here is how BPoP is expected to work end-to-end:

1. Webpage user goes to `example.com`, and initiates login. `example.com` redirects to `login.microsoftonline.com`, using javascript or http headers to active binding for `example.com` cookies.
2. `login.microsoftonline.com`, shows password prompt, javascript or http header activates binding for eSTS cookie
3. enter password, ESTS SHR in http request, response contains bound eSTS cookie, redirect to example.com with auth code

@oldalton oldalton Sep 27, 2023


A bit confused, who generates SHR in this step? Is it JS running in STS context when it is submitting a request to validate password and issue auth code?

ESTS SHR in http request

Consider expanding/improving wording a bit for clarity.

Contributor Author


Yes, agreed. Sorry, I planned to check in after expanding this :). Will get it in the next draft.

4. `example.com` SHR in http request, response from `example.com` contains bound `example.com` cookie


@peterzenz peterzenz Oct 3, 2023


Sequence diagram here might be useful? Should we generalize the domain names here so it's less Microsoft specific? example.com & loginservice.com

### Server activation

BPoP is designed to be linked to a classic OAuth session (can be any other authentication mechanism), and when a user makes a request to authenticate, the server also returns a response header `BPoP` to active binding. `BPoP` is a [structured header](https://www.rfc-editor.org/rfc/rfc8941.html) whose value is a dictionary. The following keys are recognized:
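Review bot: step 3 does not say which party generates the SHR or with which key (the review thread already asks this). Since step 1 activates binding for `example.com` cookies and step 2 for the eSTS cookie, the steps should state that each origin has its own key pair and proof, and name the request in step 3 that carries the eSTS proof. Step 3 also hands an auth code to `example.com` in a redirect while only the cookies are described as bound; say explicitly whether the auth code and the redirect are in scope of the binding, because an unbound artifact at that point in the flow undermines the guarantee the rest of the steps build. Wording: "to active binding" should be "to activate binding" both in step 1 and in the Server activation paragraph, and steps 2 and 3 are sentence fragments; a sequence diagram with neutral domain names, as suggested in the thread, would make the flow easier to follow.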
Expand Down Expand Up @@ -210,6 +227,8 @@ BPoP: enabled, SameSite=None

The latest configuration replaces the previous configuration. Replacement occurs for the entire config, not just for configuration elements who appear in the `BPoP` header.


Should this BPoP per-origin data also be covered by Clear-Site-Data? It's not clear to which of the individual site data types it belongs. BPoP may be used to bind other data from both storage and cookies, so it doesn't seem to fit neatly in either of them alone.


Please note that this behavior applies only when there is no enterprise policy override. In case if enterprise policy enabled by the browser config, the BPoP behaves as configured by the policy. More details on key management and storage for enterprise use cases are covered later in this document.


For my learning, do you know what specific enterprise policy mechanism we'd want to use? Whatever is built into the browser? I was reading about Chrome's policies here, and didn't see a reference to mobile, I think mobile isn't supported: https://support.google.com/chrome/a/answer/9037717?hl=en

Contributor Author


I can find out, I am not very familiar with it either. Will check with the google engineer and get back.

Contributor Author


https://chromeenterprise.google/policies/#PasswordManagerEnabled - This has an example for mobile. A policy set should reflect at chrome://policy/ as per google. Hope this helps.


### Retrieval model

The browser only attaches BPoP proofs to "secure" protocols (as defined by the user agent).
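Review bot: the new enterprise-policy paragraph does not say how the policy interacts with the replacement rule in the sentence just above it. It should state which of the `BPoP` header's dictionary keys a policy can override, and whether a policy replaces the whole configuration the way a newer header does or only the keys it sets; as written a reader cannot tell what a site's `BPoP` header means once a policy is present. The grammar also needs fixing: "In case if enterprise policy enabled by the browser config, the BPoP behaves as configured by the policy" should read "When an enterprise policy is set in the browser configuration, BPoP behaves as configured by that policy", and "later in this document" should name the section. Minor: "configuration elements who appear" should be "configuration elements that appear".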