Re: [OAUTH-WG] client authentication for implicit grant type
Marius Scurtescu <mscurtescu@google.com> Fri, 29 April 2011 22:03 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF07E072D for <oauth@ietfa.amsl.com>; Fri, 29 Apr 2011 15:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NIZJ76T0+SCp for <oauth@ietfa.amsl.com>; Fri, 29 Apr 2011 15:03:24 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id AED1CE0670 for <oauth@ietf.org>; Fri, 29 Apr 2011 15:03:23 -0700 (PDT)
Received: from kpbe19.cbf.corp.google.com (kpbe19.cbf.corp.google.com [172.25.105.83]) by smtp-out.google.com with ESMTP id p3TM3MXs031614 for <oauth@ietf.org>; Fri, 29 Apr 2011 15:03:22 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1304114602; bh=EjRedDhKds/H1ZHNoucScJf37zU=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=ZGeHnTs5nHoyIgxyHTgFarfi8ndQKDiJRsnQTz6cRhGIVM43dSKdF3JGUlnsN2Hn/ kNJ+/9NBH9zyXXrW7U5Uw==
Received: from yib2 (yib2.prod.google.com [10.243.65.66]) by kpbe19.cbf.corp.google.com with ESMTP id p3TM3KNq003245 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <oauth@ietf.org>; Fri, 29 Apr 2011 15:03:20 -0700
Received: by yib2 with SMTP id 2so1458527yib.10 for <oauth@ietf.org>; Fri, 29 Apr 2011 15:03:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=3bH/68paGepJZAw6yHs2vyR23oQZ1OJpvEPB0vnsMCI=; b=yhC0TX6BimEy5fT6l5i/Tzg/65Sgi9YagGRisMVFVKPbsO2oSVZI/Nq0eO31COIQEs 4NBPXQG4E0Qc1NBTTz7Q==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=mXydOyb23YpHjg0JWxtjETAs6DbJ942tIkyuX2je0kdjq+/bvXwp6FQAlidX7Rcod/ EuFschgGDBdfClrMj2nw==
Received: by 10.91.199.3 with SMTP id b3mr4629714agq.168.1304114600290; Fri, 29 Apr 2011 15:03:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.93.9 with HTTP; Fri, 29 Apr 2011 15:03:00 -0700 (PDT)
In-Reply-To: <BANLkTincm9KCMGrXzp1UU6n-coUn_D4VCQ@mail.gmail.com>
References: <BANLkTincm9KCMGrXzp1UU6n-coUn_D4VCQ@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Fri, 29 Apr 2011 15:03:00 -0700
Message-ID: <BANLkTik2+gCWBT3V+0mmWcUFBxm+dYRUig@mail.gmail.com>
To: Andrew Arnott <andrewarnott@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] client authentication for implicit grant type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2011 22:03:25 -0000
On Tue, Apr 12, 2011 at 7:27 AM, Andrew Arnott <andrewarnott@gmail.com> wrote: > I brought this concern up about a year ago. Now reviewing the latest > drafts, I still have a concern with it. It is regarding the use of > client_id without a password. I agree with section 3, as included below: > Section 3. Client Authentication > >> The client identifier is not a secret, it is exposed to the resource >> owner, and MUST NOT be used alone for client authentication. Client >> authentication is accomplished via additional means such as a >> matching client password. > > The above tells me (rightly so IMO) that considering the client_id alone > (without real authentication) is dangerous. Yet the Implicit Grant type > accepts a client_id, but no authentication: > Section 4.2 Implicit Grant >> >> client_id >> >> REQUIRED. The client identifier as described in Section 3. > > Now here me: I am not advocating for a client_secret in this case. I fully > understand that some clients, particularly javascript widget clients that > are embedded in others' web pages, can't keep secrets. What I am advocating > is that clients that can't keep secrets shouldn't have IDs either. This is > a wide-open door for clients to obtain access to protected user data by > lying about their identity to authorization servers. They can achieve this > in either of two ways, given some popular client_id we'll arbitrarily call > 'facebook' that users are accustomed to authorizing access to: > > 1. An evil client can redirect the user to the authorization endpoint, > requesting an implicit grant, and including client_id=facebook in the URL. > The authorization server may ask the user "Do you want to give Facebook > access?" along with (perhaps) a warning that most users won't know what to > do about (honestly, most technical users wouldn't know how to verify either. > The user, who trusts Facebook, will click Accept, and offer whatever rogue > client was running on the page they were visiting the access that they > requested. > 2. In scenario 2, which is far worse, an evil client can redirect the user to > the authorization endpoint, requesting an implicit grant, and including > client_id=facebook in the URL. Same so far, but in this case, the > authorization server sees that access has already been authorized by the > resource owner to this client in the past and immediately redirects back > with the requested access token, no user involvement whatsoever. Again, the > client obtains access. Maybe this is obvious, but none of these scenarios are that easy to exploit in practice. If evil client presents "facebook" as a client ID then it can only use a redirect URI that matches the one registered by the real Facebook. Unless an open redirector on Facebook can be exploited (if matching rules are too lax), evil client cannot grab the response. Marius
- [OAUTH-WG] client authentication for implicit gra… Andrew Arnott
- Re: [OAUTH-WG] client authentication for implicit… Eran Hammer-Lahav
- Re: [OAUTH-WG] client authentication for implicit… Andrew Arnott
- Re: [OAUTH-WG] client authentication for implicit… Eran Hammer-Lahav
- Re: [OAUTH-WG] client authentication for implicit… Torsten Lodderstedt
- Re: [OAUTH-WG] client authentication for implicit… Eran Hammer-Lahav
- Re: [OAUTH-WG] client authentication for implicit… Skylar Woodward
- Re: [OAUTH-WG] client authentication for implicit… Andrew Arnott
- Re: [OAUTH-WG] client authentication for implicit… Marius Scurtescu