IETF Logo Mail Archive

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

Nicholas Devenish <misnomer@gmail.com> Tue, 21 February 2012 22:32 UTC

Return-Path: <misnomer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522D511E80AA for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 14:32:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VH2wx38rrdF2 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 14:32:07 -0800 (PST)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0584411E807F for <oauth@ietf.org>; Tue, 21 Feb 2012 14:32:06 -0800 (PST)
Received: by werg1 with SMTP id g1so4243070wer.31 for <oauth@ietf.org>; Tue, 21 Feb 2012 14:32:06 -0800 (PST)
Received-SPF: pass (google.com: domain of misnomer@gmail.com designates 10.180.24.202 as permitted sender) client-ip=10.180.24.202;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of misnomer@gmail.com designates 10.180.24.202 as permitted sender) smtp.mail=misnomer@gmail.com; dkim=pass header.i=misnomer@gmail.com
Received: from mr.google.com ([10.180.24.202]) by 10.180.24.202 with SMTP id w10mr29490469wif.9.1329863526320 (num_hops = 1); Tue, 21 Feb 2012 14:32:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=xoqf0NLZB+MUYb1EfTwWjuG3f97Y1Otq0Jc+ZYL2yH0=; b=w8CNazldXCry+X1jOkuRNE6xWHA0VdJZha1V3xomYeoKAjgHB504GmHXG32ocxAFq3 sqs7GooKK3esUmxAVD3KVqfwwGAm74m92R+hkcLSJ87qIxH/Jf24ty7QwXPfYcG9TK7e hdydl177WEMigiJ8hcZiUrTuljWNNAxxK6oKc=
Received: by 10.180.24.202 with SMTP id w10mr24551770wif.9.1329863526208; Tue, 21 Feb 2012 14:32:06 -0800 (PST)
Received: from [192.168.0.2] (94-193-236-71.zone7.bethere.co.uk. [94.193.236.71]) by mx.google.com with ESMTPS id p10sm25917502wic.0.2012.02.21.14.32.04 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 14:32:05 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_3927AAEB-3EA0-4F81-8722-383A14BB9A45"; protocol="application/pgp-signature"; micalg="pgp-sha1"
From: Nicholas Devenish <misnomer@gmail.com>
In-Reply-To: <5F0D5C92-1228-4A3E-8CFF-05DC309B4084@ve7jtb.com>
Date: Tue, 21 Feb 2012 22:32:00 +0000
Message-Id: <2BFDC979-1767-4CD7-9D22-B7657EB15121@gmail.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com> <1329626093.59538.YahooMailNeo@web31804.mail.mud.yahoo.com> <CAGmQQ9egR9DGg6LTQVzVxiq1of=WT2Ysv9EEzoK+5b7evwfiOg@mail.gmail.com> <1329860601.42679.YahooMailNeo@web31806.mail.mud.yahoo.com> <5F0D5C92-1228-4A3E-8CFF-05DC309B4084@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1257)
Cc: "Lee, David" <david.lee10@hp.com>, Wenjie Lin <lin.820@osu.edu>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 22:32:08 -0000

On 21 Feb 2012, at 21:59, John Bradley wrote:
> This 'attack'  is one that only works with badly designed clients that are making unwarranted assumptions about the behaviour of the Authorization server.  

Unwarranted assumptions? The spec in 3.3 says:

"If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted."

- It says MUST; therefore any server that doesn't do this is non-compliant?
- It says scope different from the one requested by the *client*. The possibility that the resource owner intercepts this request and changes it doesn't seem to be considered here (it is not strictly the clients request if that happens)
- The purpose seems to be that the client should be told if the scope changes; this would be important if the client requires a certain scope level to work (though this could be solved more generally in many other ways that wouldn't be in the scope of the oauth spec)

Thus, assuming that the server is stating compliance, isn't the assumption completely warranted?

> The only way for a client to know if a token has a scope it to try it, or use a introspection endpoint.  End of story.

An introspection endpoint obviously isn't part of the specification, so isn't relevant to the discussion (though it solves the discussed facebook issue).

You are right though, that the only way for a client to know for sure is to try to use it; Even if the spec mandated always returning the scope to the client, the user could always intercept the return redirection (assuming a non-confidential client) and change the scope there.

Perhaps MUST should change to SHOULD, given that this essentially seems unenforceable?

v2.23.0 | Report a Bug | By Email