Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

John Bradley <> Thu, 21 January 2016 21:50 UTC

From: John Bradley <>
Date: Thu, 21 Jan 2016 18:50:27 -0300
To: David Waite <>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

Yes, if the AS is encoding state + redirect_uri and grants in the code, then it could get big.
In that case you probably would put a hash of the state in the code to manage size.  The alg would be up to the AS; as long as it used the same hash in both places it would work.

Sending the state to the token endpoint is like having nonce and c_hash in the id_token, it binds the issued code to the browser instance.

This protects against codes that leak via redirect URI pattern-matching failures, etc.  It prevents an attacker from being able to replay a code from a different browser.

If the client implements the other mitigations on the authorization endpoint, then it wouldn't be leaking the code via the token endpoint. 

The two mitigations are for different attacks, however some of the attacks combined both vulnerabilities.

Sending the iss and client_id is enough to stop the confused client attacks, but sending state on its own would not have stopped all of them.

We discussed having them in separate drafts, and may still do that.  However, for discussion, having them in one document is, I think, better in the short run.

John B.
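One way to implement the two mitigations described above (a hash of the client's state carried in a self-contained code and checked at the token endpoint, plus the client's iss/client_id check on the authorization response), as an added example that is not code from the draft or from anyone in this thread. The self-contained code format, the HMAC key and the field names are this example's own assumptions; only the hash-of-state binding and the iss/client_id check come from the discussion.

```python
import base64, hashlib, hmac, json, secrets

# Constructed AS signing key for this example only (not a real key).
AS_KEY = b"example-as-key-not-for-production"

def state_hash(state: str) -> str:
    """Hash of the client's state; the AS stores only this in the code
    to keep the code small (the hash alg is the AS's own choice)."""
    return hashlib.sha256(state.encode()).hexdigest()

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_code(client_id, redirect_uri, scope, state) -> str:
    """AS: self-contained code = base64url(grant) + '.' + HMAC tag (assumed format)."""
    grant = {"client_id": client_id, "redirect_uri": redirect_uri,
             "scope": scope, "state_hash": state_hash(state),
             "rand": secrets.token_hex(8)}
    body = _b64(json.dumps(grant, sort_keys=True).encode())
    tag = _b64(hmac.new(AS_KEY, body.encode(), "sha256").digest())
    return f"{body}.{tag}"

def token_endpoint(code, client_id, redirect_uri, state):
    """AS token endpoint: accepts a code only if its tag verifies and the
    grant matches the client_id, redirect_uri and state the caller presents."""
    try:
        body, tag = code.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(AS_KEY, body.encode(), "sha256").digest())
    if not hmac.compare_digest(tag, expected):
        return None
    grant = json.loads(_unb64(body))
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return None
    # State binding: a code replayed from another browser instance does not
    # come with the state value this code was issued against.
    if not hmac.compare_digest(grant["state_hash"], state_hash(state)):
        return None
    return {"access_token": secrets.token_urlsafe(16), "scope": grant["scope"]}

def client_accepts_authz_response(params, expected_iss, expected_client_id):
    """Client: the iss/client_id check against confused-client (mix-up) attacks."""
    return (params.get("iss") == expected_iss
            and params.get("client_id") == expected_client_id)
```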

> On Jan 21, 2016, at 4:48 PM, David Waite <> wrote:
> Question: 
> I understand how "iss" helps mitigate this attack (client knows response was from the appropriate issuer and not an attack where the request was answered by another issuer).
> However, how does passing "state" on the authorization_code grant token request help once you have the above in place? Is this against some alternate flow of this attack I don't see, or is it meant to mitigate some entirely separate attack?
> If one is attempting to work statelessly (e.g. your "state" parameter is actual state and not just a randomly generated value), a client would have always needed some way to differentiate which issuer the authorization_code grant token request would be sent to.
> However, if an AS was treating "code" as a token (for instance, encoding: client, user, consent time and approved scopes), the AS now has to include the client's state as well. This would effectively double (likely more with encoding) the state sent in the authorization response back to the client redirect URL, adding more pressure against maximum URL sizes.
> -DW
>> On Jan 20, 2016, at 11:28 PM, Mike Jones < <>> wrote:
>> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up Mitigation draft.  Changes were:
>> - Simplified by no longer specifying the signed JWT method for returning the mitigation information.
>> - Simplified by no longer depending upon publication of a discovery metadata document.
>> - Added the "state" token request parameter.
>> - Added examples.
>> - Added John Bradley as an editor.
>> The specification is available at:
>> - <>
>> An HTML-formatted version is also available at:
>> - <>
>> -- Mike
>> P.S.  This note was also posted at <> and as @selfissued <>.
>> _______________________________________________
>> OAuth mailing list