Re: [OAUTH-WG] WRAP session fixation?
Michael Malone <mjmalone@gmail.com> Wed, 25 November 2009 01:45 UTC
Return-Path: <mjmalone@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A578A28C159 for <oauth@core3.amsl.com>; Tue, 24 Nov 2009 17:45:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kRBBtdKdrh4X for <oauth@core3.amsl.com>; Tue, 24 Nov 2009 17:45:27 -0800 (PST)
Received: from mail-pz0-f174.google.com (mail-pz0-f174.google.com [209.85.222.174]) by core3.amsl.com (Postfix) with ESMTP id DD73128C158 for <oauth@ietf.org>; Tue, 24 Nov 2009 17:45:27 -0800 (PST)
Received: by pzk4 with SMTP id 4so4872807pzk.32 for <oauth@ietf.org>; Tue, 24 Nov 2009 17:45:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:x-mailer :mime-version:subject:date:cc; bh=NHMaCTy+/AxEqMWLX2ylGLFYlMIsEwI+OrJ8M6XcKxM=; b=ZpOm4PNhc8s09JE2NZEGEyIh0d11HcawfN/BQDGYKYV5JSX7KTnIlG7nCJc65KZEa9 1E8zJcT5VibY0L/nCXDStTYTI9ZK2QLI/epQ2Wtf5fSnJcs9Q6706dYUotQT1C2khler ylsSmBJ/YTWHTlYwZyUI5iXQTtMdoGg19/J9Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:x-mailer:mime-version:subject:date:cc; b=BQMJD7o519ZAR//ItRKNXPaDn+a99y0LH49KM5yStoAQQkJa2U5nnjCUlYUmX8sWc5 jmtpAcM9wWxr3/ImoTT6Ons3/b8bb1V1JXsT4SaO6tLhXNSMkZc7IFY/FtPyHcW4bHU+ 5zwfU4Yfd4x4w2iscALw62NsuyXDHaoOb+zEw=
Received: by 10.115.135.6 with SMTP id m6mr14102393wan.22.1259113517633; Tue, 24 Nov 2009 17:45:17 -0800 (PST)
Received: from ?10.97.158.79? ([166.205.136.41]) by mx.google.com with ESMTPS id 23sm1547412pzk.8.2009.11.24.17.45.13 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 24 Nov 2009 17:45:16 -0800 (PST)
References: <daf5b9570911241728h7bfc36e2w517cf85448ae492a@mail.gmail.com>
Message-Id: <059DCB41-BC68-43B9-8E50-B774AD71FB24@gmail.com>
From: Michael Malone <mjmalone@gmail.com>
To: Brian Eaton <beaton@google.com>
In-Reply-To: <daf5b9570911241728h7bfc36e2w517cf85448ae492a@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
X-Mailer: iPhone Mail (7C144)
Mime-Version: 1.0 (iPhone Mail 7C144)
Date: Tue, 24 Nov 2009 17:45:01 -0800
Cc: Naitik Shah <naitik@facebook.com>, Luke Shepard <lshepard@facebook.com>, Brent Goldman <brent@facebook.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WRAP session fixation?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 01:45:28 -0000
On Nov 24, 2009, at 5:28 PM, Brian Eaton <beaton@google.com> wrote: > On Tue, Nov 24, 2009 at 4:35 PM, Mike Malone <mjmalone@gmail.com> > wrote: >> One final note - unless I'm missing something WRAP is vulnerable to >> the same session fixation attack that OAuth 1.0 had... unless it's >> requiring callback registration, which is a really lame solution to >> that problem. > > Callback registration is not required to prevent session fixation. > Check out the requirements in section 5.4.6 "Successful Access Token > Response From Authorization Server." They are (supposed to) be > sufficient to prevent the attack. Ah interesting, so you pass the callback URL to the authorization server again to get an access token? How does that work if you _do_ have a registered callback URL? I'll have to take another look at the spec. Thanks, Mike
- [OAUTH-WG] WRAP session fixation? Brian Eaton
- Re: [OAUTH-WG] WRAP session fixation? Michael Malone
- Re: [OAUTH-WG] WRAP session fixation? Brian Eaton
- Re: [OAUTH-WG] WRAP session fixation? Brian Eaton
- Re: [OAUTH-WG] WRAP session fixation? Luke Shepard
- Re: [OAUTH-WG] WRAP session fixation? Brent Goldman
- Re: [OAUTH-WG] WRAP session fixation? Mike Malone