Re: [OAUTH-WG] OAuth 2.0: client_secret, state
Richard Barnes <rbarnes@bbn.com> Tue, 23 March 2010 20:28 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A4063A68EA for <oauth@core3.amsl.com>; Tue, 23 Mar 2010 13:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.332
X-Spam-Level: *
X-Spam-Status: No, score=1.332 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzj1t8GMpAMf for <oauth@core3.amsl.com>; Tue, 23 Mar 2010 13:28:38 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 894EA3A690F for <oauth@ietf.org>; Tue, 23 Mar 2010 13:28:37 -0700 (PDT)
Received: from [128.89.254.16] (helo=dhcp-wireless-open-abg-24-118.meeting.ietf.org) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1NuAie-000Cjv-5o; Tue, 23 Mar 2010 16:28:56 -0400
Message-Id: <6F32A1A5-4DBE-4384-B754-B903FB722C2A@bbn.com>
From: Richard Barnes <rbarnes@bbn.com>
To: Allen Tom <atom@yahoo-inc.com>
In-Reply-To: <C7CE5991.280AA%atom@yahoo-inc.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 23 Mar 2010 13:28:53 -0700
References: <C7CE5991.280AA%atom@yahoo-inc.com>
X-Mailer: Apple Mail (2.936)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0: client_secret, state
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 20:28:39 -0000
Allen, Right, the PR needs to have the client's access token so that it knows which access tokens to accept. The AS issues the access token, so in order for the PR to know the access token, the AS need to send a secure message to the PR saying that "this access token is OK". This communication can happen either directly or indirectly: -- Direct: AS tells PR which access tokens are valid -- Indirect: AS signs access token Either way, the PR has to be able to authenticate messages from the AS, so it has to have a public key or shared key for the AS. That same key could be used to communicate keys to validate signatures from clients (access token secrets). So disallowing signatures actually doesn't save you anything in terms of the crypto that the PR and AS need. --Richard On Mar 23, 2010, at 11:42 AM, Allen Tom wrote: > Hi Richard, > > From a security perspective, it might be undesirable to distribute the > client secret to all potential protected resources that a client > might want > to access. > > In many ways, distributing the client secret to all PRs is > undesirable in > the same way that it's undesirable to distribute the user's password > to all > PRs. Even if the client secret is encrypted into the Access Token, > it has to > be extracted by the PR to verify the signature (at least using the > current > version of the Oauth 2.0 spec). > > If the client secret is distributed to the PR, the PR would be able to > impersonate the client. (Unlike Oauth 1.0, the PR and the AuthZ > server are > separate entities) > > Admittedly, with Oauth-WRAP, the PR would still have a client's access > token, however, the access token could be scoped to be only valid > for the > PR, so a PR might not be able to impersonate the client by replaying > the > access token, and also the Access Token has a limited lifetime. > > Hope that helps to clarify things, > Allen > > > On 3/22/10 10:19 PM, "Richard Barnes" <rbarnes@bbn.com> wrote: > > >> >> If you make the same two assumptions -- shared keys and structured >> tokens -- then the signing cases can also work via the token: You can >> just encrypt the validation key (MAC key or public key) with the >> shared key and put it in the token. >> >> So from the perspective of the need for a relationship between AS and >> PR, there is absolutely no difference between the "bearer token" and >> "signing" use cases. >> >> --Richard >> >
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] First draft of OAuth 2.0 Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Luke Shepard
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Mark Mcgloin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Paul Madsen
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Brian Eaton
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Hans Granqvist
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Marius Scurtescu