Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

Justin Richer <jricher@mit.edu> Thu, 22 March 2018 14:36 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <EA634456-5214-4198-AAF3-56E25BC48075@mit.edu>
Date: Thu, 22 Mar 2018 14:36:23 +0000
In-Reply-To: <CA+k3eCTp5Y6yNPjMitku8pLxdxoqY9s4hQUF_S8CwgOPDkw-Cg@mail.gmail.com>
Cc: Torsten Lodderstadt <torsten@lodderstedt.net>, "<oauth@ietf.org>" <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6JAiLirReJVMDwY_uD7rLq7G34k>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

I like the new text; it frames the error better and puts it in the context where it’s likely to be exploited. I.e., newly dynamically registered clients shouldn’t be trusted as much as others.

 — Justin

> On Mar 22, 2018, at 8:16 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> That works for me
> 
> On Wed, Mar 21, 2018 at 7:34 PM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
> Hi all,
> 
> thanks for your feedback. Here is my text proposal for section 3.8.1.
> 
> ——
> 
> Attackers could try to utilize a user's trust in the authorization
> server (and its URL in particular) for performing phishing attacks.
> 
> RFC 6749 already prevents open redirects by stating the AS
> MUST NOT automatically redirect the user agent in case
> of an invalid combination of client_id and redirect_uri.
> 
> However, as described in [I-D.ietf-oauth-closing-redirectors], an
> attacker could also utilize a correctly registered redirect URI to
> perform phishing attacks. It could for example register a client
> via dynamic client registration and intentionally send an
> erroneous authorization request, e.g. by using an invalid
> scope value, to cause the AS to automatically redirect the user
> agent to its phishing site.
> 
> The AS MUST take precautions to prevent this threat.
> Based on its risk assessment the AS needs to decide whether
> it can trust the redirect URI or not and should only automatically
> redirect the user agent if it trusts the redirect URI. If not, it could
> inform the user that it is about to redirect her to another site
> and rely on the user to decide, or just inform the user about the
> error.
> 
> ——
> 
> kind regards,
> Torsten.
> 
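One way an authorization server could implement the decision described in the proposed section 3.8.1 text, as an added example that is not part of the thread or the draft. The client registry, the `dynamically_registered` trust signal, the `is_trusted` risk rule and all request values are constructed here for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlencode

class Disposition(Enum):
    PROCEED = "proceed"            # request is valid, continue to user authentication
    REDIRECT = "redirect"          # deliver the error to redirect_uri via the user agent
    INTERSTITIAL = "interstitial"  # tell the user they are about to leave the AS first
    SHOW_ERROR = "show_error"      # render the error at the AS, never redirect

@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uris: tuple
    dynamically_registered: bool   # hypothetical trust signal kept by the registry
    scopes: tuple

# Constructed registry: one pre-registered client, one dynamically registered one.
REGISTRY = {
    "static-app": Client("static-app", ("https://app.example/cb",), False, ("openid", "profile")),
    "dyn-0001": Client("dyn-0001", ("https://attacker.example/cb",), True, ("openid",)),
}

def is_trusted(client: Client) -> bool:
    # Placeholder risk assessment: only pre-registered clients earn an automatic
    # redirect on error; dynamically registered ones get the interstitial instead.
    return not client.dynamically_registered

def handle_authorization_request(params: dict) -> tuple:
    """Return (Disposition, location) for an authorization request."""
    client = REGISTRY.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # RFC 6749 section 3.1.2.4: invalid client_id/redirect_uri -> MUST NOT redirect.
    if client is None or redirect_uri not in client.redirect_uris:
        return Disposition.SHOW_ERROR, None
    error = None
    if params.get("response_type") != "code":
        error = "unsupported_response_type"
    elif any(s not in client.scopes for s in params.get("scope", "").split()):
        error = "invalid_scope"
    if error is None:
        return Disposition.PROCEED, None
    # Registered redirect_uri but erroneous request: the 3.8.1 case.
    if not is_trusted(client):
        return Disposition.INTERSTITIAL, redirect_uri
    query = {"error": error}
    if "state" in params:
        query["state"] = params["state"]   # echo state so the client can correlate
    sep = "&" if "?" in redirect_uri else "?"
    return Disposition.REDIRECT, redirect_uri + sep + urlencode(query)
```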