IETF Logo Mail Archive

Re: [OAUTH-WG] validate authorization code in draft 12

Eric <pflam@cs.stanford.edu> Fri, 21 January 2011 08:27 UTC

Return-Path: <pflam@cs.stanford.edu>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 91FBA3A68F0 for <oauth@core3.amsl.com>; Fri, 21 Jan 2011 00:27:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.867
X-Spam-Level:
X-Spam-Status: No, score=-5.867 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4dv9ouzwWoEb for <oauth@core3.amsl.com>; Fri, 21 Jan 2011 00:27:51 -0800 (PST)
Received: from cs-smtp-2.Stanford.EDU (cs-smtp-2.Stanford.EDU [171.64.64.26]) by core3.amsl.com (Postfix) with ESMTP id B298A3A68E4 for <oauth@ietf.org>; Fri, 21 Jan 2011 00:27:51 -0800 (PST)
Received: from secllab.stanford.edu ([171.64.65.88] helo=css-macbook-pro-9.local) by cs-smtp-2.Stanford.EDU with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.60) (envelope-from <pflam@cs.stanford.edu>) id 1PgCOB-00073u-Re; Fri, 21 Jan 2011 00:30:36 -0800
Message-ID: <4D39442B.2090408@cs.stanford.edu>
Date: Fri, 21 Jan 2011 00:30:35 -0800
From: Eric <pflam@cs.stanford.edu>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="------------070800090208060203040002"
X-Scan-Signature: fa98ac227168b5e907bebab69d011ac6
Subject: Re: [OAUTH-WG] validate authorization code in draft 12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2011 08:27:53 -0000

Eran, and others,

A few of us had some discussions on the authorization code flow, as 
depicted in Fig. 3 of the current (12th) draft. We think that it is 
probably worthwhile to suggest in the specification that an OAuth 
implementation SHOULD provide a way for the client to validate the 
authorization code before sending it to the  Authorization Server (AS). 
 From what we have heard, this has been done in some of the current 
OAuth deployments. There are other people who do not think this is such 
a big security risk, although so far no one has objected that there is 
some risk here.

The issue is that according to the current draft, someone who owns a 
botnet can locate the redirect URIs of clients that listen on HTTP, and 
access them with random authorization codes, and cause HTTPS connections 
to be made on the Authorization Server (AS). There are a few things that 
the attacker can achieve with this OAuth flow that he cannot easily 
achieve otherwise :

1. Cost magnification: the attacker incurs the cost of an HTTP 
connection and causes an HTTPS connection to be made on the AS; and he 
can co-ordinate the timing of such HTTPS connections across multiple 
clients relatively easily, if these clients blindly connect to the AS 
without first validating the authorization codes received.

Although the attacker could achieve something similar, say by including 
an iframe pointing to the HTTPS URL of the AS in an HTTP web page and 
lure web  users to visit that page, timing attacks using such a scheme 
is (say for the purpose of DDoS) more difficult .

2. Connection laundering: if the AS realizes it is flooded by HTTPS 
connections with illegitimate codes, it collects no useful information 
about the attacker, since the clients act as relays.

3. CSRF defense/the 'state' parameter don't completely address this 
problem. With such a defense, the attacker might need to incur an 
additional HTTP request to obtain a valid CSRF code/ state parameter. 
This does cut down the effectiveness of the attack by a factor of 2, 
which is good. However, if the HTTPS/HTTP cost ratio is higher than 2 
(the cost factor is estimated to be around 3.5x at 
http://www.semicomplete.com/blog/geekery/ssl-latency.html), the attacker 
still achieves a cost magnification.

Our proposal is that the OAuth specification suggests that an OAuth 
implementation SHOULD provide a way for the client to validate the 
authorization code before sending it to the  Authorization Server (AS). 
The specifics of how to validate the authorization code may not need to 
be part of the core specification. We sketch a design below for 
consideration for future implementation. It might be reasonable to 
assume that OAuth implementations provide some API for the client to 
call to validate and send the authorization code to the AS. There are 
two possible schemes for implementation: a) if the client and the AS 
already share a symmetric secret, an HMAC key can be created from the 
shared secret, and the authorization code will be HMAC'ed and standard 
techniques can be employed in the client-side API implementation to 
detect replay and forgery attempts on the code; b) an alternative is for 
the AS to sign the code using the private key from its SSL certificate, 
and for the client API to validate the signature using the public key.



On Thu, Jan 20, 2011 at 4:56 PM, Eran 
Hammer-Lahav<eran@hueniverse.com>wrote:

    Draft -12 is finally out.

    This is almost a complete rewrite of the entire document, with the
    primary goal of moving it back to a similar structure used in -05. I
    have been thinking about this for a few months and finally came up
    with a structure that combines the two approaches.

    The draft includes some major cleanups, significantly simpler
    language, reduces repeated prose, and tried to keep prose to the
    introduction and normative language in the rest of the
    specification. I took out sections that broke the flow, and did my
    best to give this a linear narrative that is easy to follow.

    The draft includes the following normative changes:

       o  Clarified 'token_type' as case insensitive.
       o  Authorization endpoint requires TLS when an access token is
    issued.
       o  Removed client assertion credentials, mandatory HTTP Basic
    authentication support for client credentials, WWW-Authenticate
    header, and the OAuth2 authentication scheme.
       o  Changed implicit grant (aka user-agent flow) error response
    from query to fragment.
       o  Removed the 'redirect_uri_mismatch' error code since in such a
    case, the authorization server must not send the error back to the
    client.
       o  Defined access token type registry.

    I would like to spend the coming week receiving and applying
    feedback before requesting a WGLC for everything but the security
    considerations section (missing) 2/1.

    EHL



    >  -----Original Message-----
    >  From:oauth-bounces@ietf.org
    <mailto:oauth-bounces@ietf.org>[mailto:oauth-bounces@ietf.org
    <mailto:oauth-bounces@ietf.org>] On Behalf
    >  OfInternet-Drafts@ietf.org <mailto:Internet-Drafts@ietf.org>
    >  Sent: Thursday, January 20, 2011 4:45 PM
    >  To:i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>
    >  Cc:oauth@ietf.org <mailto:oauth@ietf.org>
    >  Subject: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
    >
    >  A New Internet-Draft is available from the on-line Internet-Drafts
    directories.
    >  This draft is a work item of the Open Authentication Protocol
    Working Group
    >  of the IETF.
    >
    >
    >        Title           : The OAuth 2.0 Authorization Protocol
    >        Author(s)       : E. Hammer-Lahav, et al.
    >        Filename        : draft-ietf-oauth-v2-12.txt
    >        Pages           : 46
    >        Date            : 2011-01-20
    >
    >  This specification describes the OAuth 2.0 authorization protocol.
    >
    >  A URL for this Internet-Draft is:
    >http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-12.txt
    <http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-12.txt>
    >
    >  Internet-Drafts are also available by anonymous FTP at:
    >ftp://ftp.ietf.org/internet-drafts/
    <ftp://ftp.ietf.org/internet-drafts/>
    >
    >  Below is the data which will enable a MIME compliant mail reader
    >  implementation to automatically retrieve the ASCII version of the
    Internet-
    >  Draft.
    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org <mailto:OAuth@ietf.org>
    https://www.ietf.org/mailman/listinfo/oauth
    <https://www.ietf.org/mailman/listinfo/oauth>

v2.23.0 | Report a Bug | By Email