Deprecate OAuth implicit grant in 14.0 for new applications
Proposal
The implicit grant has known security flaws that are known since the inception of OAuth and are mentioned in the 2012 OAuth RFC. Back then it was the only solution for pure client-side apps (SPA, mobile, etc) that rely only on 3rd party servers for authentication, but nowadays we have the PKCE grant which is the modern and safer alternative.
The latest OAuth security recommendations from IETF is also clear on the subject (emphasis mine)
The implicit grant (response type "token") and other response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage and access token replay as described in Section 4.1, Section 4.2, Section 4.3, and Section 4.6.
Moreover, no viable mechanism exists to cryptographically bind access tokens issued in the authorization response to a certain client as it is recommended in Section 2.2. This makes replay detection for such access tokens at resource servers impossible.
In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.
The implicit
grant is removed from OAuth in OAuth 2.1 (still in draft).
I propose that we deprecate the implicit grant in GitLab 14.0.
Additionally, and perhaps this should be another issue, a given OAuth application should be able to disable the flows it doesn't want to use. At the moment anyone can modify URLs and use the grant they want regardless of the application's author's intent.
Updated timeline
Suggestion deprecation timeline following chat with @mushakov https://gitlab.slack.com/archives/CLM1D8QR0/p1611089224089100 (internal)
-
%14.0
- Block the implicit grant for new applications only
- Communicate widely that a deprecation for existing applications in coming
-
%14.4 (tentative)
- Block the implicit grant for everyone in %15.0
Usage stats
As of 2021-01-20 for GitLab.com
In the last 24 hours there were roughly:
- 1300 requests for access tokens with the implicit flow (source)
- 300,000 requests for the other OAuth flows (source)
- 40,000 requests if we exclude the private GitLab Pages requests (auth to those is done using OAuth code flow) (source)
So that's about 0.4% of overall OAuth access token requests that would be affected, 3.25% excluding GitLab pages requests
Note that the source
links will show "last 24 hours" for whatever time it is when you click on it so the numbers might fluctuate.
The top 3 clients generate 60% of requests