[OAUTH-WG] OAuth Security BCP -15

Aaron Parecki <aaron@parecki.com> Sun, 05 April 2020 18:43 UTC


Section 2.1.1 says:

>    Clients MUST prevent injection (replay) of authorization codes into
>    the authorization response by attackers.  The use of PKCE [RFC7636]
>    is RECOMMENDED to this end.  The OpenID Connect "nonce" parameter and
>    ID Token Claim [OpenID] MAY be used as well.

Minor nit: this should be "ID Token claim" with a lowercase "c". I spent a
while trying to figure out what an "ID Token Claim" is before realizing
this sentence was referring to the "nonce" claim in an ID Token.

Aside from that, I'm struggling to understand what this section is actually
saying to do. Since this is in the "Authorization Code Grant" section, is
this saying that using response_type=code is fine as long as the client
checks the "nonce" in the ID Token obtained after it uses the authorization
code? It seems like that would still allow an authorization code to be
injected. I don't see how the "nonce" parameter solves anything to do with
the authorization code; it seems like it only solves ID token injections
via response_type=id_token.

In any case, this section could benefit from some more explicit
instructions on how exactly to prevent authorization code injection attacks.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>
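As an added illustration of the PKCE binding the quoted BCP text recommends (not part of the original post or of the BCP): a constructed toy authorization server stores the S256 code_challenge with each issued code and, at the token endpoint, checks the presented code_verifier against it, so a code obtained in one session cannot be redeemed by a client session holding a different verifier. Names such as `AuthorizationServer`, `client-app` and the helper functions are hypothetical.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: fresh high-entropy code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Constructed toy AS: each code is bound to the challenge from its authorization request."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # single use: a replayed code is already gone
        if entry is None or entry[0] != client_id:
            return None
        bound_client, expected_challenge = entry
        actual_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(actual_challenge, expected_challenge):
            return None  # verifier does not match the challenge the code was issued for
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def redeem_honest_flow(authz: AuthorizationServer) -> bool:
    """Same client session creates the challenge and later presents its verifier."""
    verifier, challenge = make_pkce_pair()
    code = authz.authorize("client-app", challenge)
    return authz.token("client-app", code, verifier) is not None


def redeem_foreign_code(authz: AuthorizationServer) -> bool:
    """A code issued against session A's challenge lands in session B, which holds its own verifier."""
    _, challenge_a = make_pkce_pair()
    foreign_code = authz.authorize("client-app", challenge_a)
    verifier_b, _ = make_pkce_pair()
    return authz.token("client-app", foreign_code, verifier_b) is not None
```

The second scenario is the code-injection case the BCP section is about: without the stored challenge the token endpoint has nothing to tie the code to the session that redeems it.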