Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
John Bradley <ve7jtb@ve7jtb.com> Fri, 24 February 2012 01:33 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6CD521E8026 for <oauth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:33:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOf74fVebiNH for <oauth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:33:29 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3F95A21F85FB for <oauth@ietf.org>; Thu, 23 Feb 2012 17:33:28 -0800 (PST)
Received: by ggnq2 with SMTP id q2so1058115ggn.31 for <oauth@ietf.org>; Thu, 23 Feb 2012 17:33:27 -0800 (PST)
Received-SPF: pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.101.10.39 as permitted sender) client-ip=10.101.10.39;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.101.10.39 as permitted sender) smtp.mail=ve7jtb@ve7jtb.com
Received: from mr.google.com ([10.101.10.39]) by 10.101.10.39 with SMTP id n39mr122415ani.3.1330047207802 (num_hops = 1); Thu, 23 Feb 2012 17:33:27 -0800 (PST)
Received: by 10.101.10.39 with SMTP id n39mr94107ani.3.1330047207569; Thu, 23 Feb 2012 17:33:27 -0800 (PST)
Received: from 201-188-70-237.bam.movistar.cl ([201.188.70.237]) by mx.google.com with ESMTPS id g49sm8129206yhk.20.2012.02.23.17.33.24 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 23 Feb 2012 17:33:26 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_C11BD91A-475E-4150-B30C-13B395326051"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <1CA65248-D1AE-415D-85CD-E0E116D84A4B@gmail.com>
Date: Thu, 23 Feb 2012 22:33:22 -0300
Message-Id: <2078F36D-6F53-4750-8136-144936C1A2FD@ve7jtb.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com> <1329626093.59538.YahooMailNeo@web31804.mail.mud.yahoo.com> <CAGmQQ9egR9DGg6LTQVzVxiq1of=WT2Ysv9EEzoK+5b7evwfiOg@mail.gmail.com> <1329860601.42679.YahooMailNeo@web31806.mail.mud.yahoo.com> <5F0D5C92-1228-4A3E-8CFF-05DC309B4084@ve7jtb.com> <2BFDC979-1767-4CD7-9D22-B7657EB15121@gmail.com> <6F478836-0DB8-4D7F-8954-5D127C0DA6AE@ve7jtb.com> <CAEwGkqBZfE_n7wRWN33_jT2C8Yh0LfSy5Ex2pt+34KquiCw80A@mail.gmail.com> <C9A3D0A2-C845-4C71-90EC-1B3D01F48627@ve7jtb.com> <CAGmQQ9egdL-TtHtYpRUtL+6CNK=BfRWTM1J4gDZ2akivBokqMQ@mail.gmail.com> <34134676-9D51-4975-AD77-8AD34C3342B7@gmail.com> <CAGmQQ9exFKLCC3nbabgcoDhhfQxfDUcwydORbTtqh7v=tzwW5g@mail.gmail.com> <1CA65248-D1AE-415D-85CD-E0E116D84A4B@gmail.com>
To: Nicholas Devenish <misnomer@gmail.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkWUiQ9zNFzi6oTVKbdWgSoc+4XPBziQTVgIUt+bysRdAIcUVQpL8w0fpbwdU3TXECQCjYQ
Cc: "Lee, David" <david.lee10@hp.com>, Wenjie Lin <lin.820@osu.edu>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 01:33:29 -0000
In that case the game is the client as it is using the access token to get to the protected resource (FB graph API in this case). The resource owner can revoke a granted scope at the authorization server after the fact. That is how Facebook works now, as near as I can tell. Not that Facebook is a good example of how OAuth should work, They issue long lived access tokens and not refresh tokens. A well behaved Authorization server would grant a refresh tokens with all of the granted scopes, once the short lived access token expires it would get a new one and see that it had been downs coped from the original grant scope set. The correct design is using a refresh token. that way if the user has edited the scopes on the way to the Authorization server the client just needs to use the refresh token with the scopes it believes were granted. If it gets back a downs coped response it knows something has changed. I have a hard time being sympathetic, because OAuth was not intended to enforce service agreements on behalf of the Client, it is acting on behalf of the resource owner. Enforcing multiparty service agreements should be a OAuth extension for those that want it. John B. On 2012-02-23, at 10:12 PM, Nicholas Devenish wrote: > > On 24 Feb 2012, at 01:02, Wenjie Lin wrote: > >> As we have shown in our Feb 17th email, the negative consequence is a violation by the user of the service agreement, that is, the user is able to play the game but the client cannot post messages on behalf of the user. > > That's not a negative within the context of the OAuth protocol, which protects the users interests, not the clients. It looks as though with the current wording, it's basically not possible to be compliant (very mildly) in this scenario. > > But as John Bradley pointed out, it's completely legitimate for a client to give the "game" full permissions, and then edit the scope afterwards (though I can't find an explicit reference in the draft, I expect it to be covered by one of the "This is out of scope" or revocation clauses). > > Implementations that want to allow clients to enforce the scope contract with the user could always just implement a method to get the actual scope back (like facebook), but it's not an attack against the protocol or user.. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Shane B Weeden
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Phil Hunt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Kristoph
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dan Taflin