IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

Daniel Fett <fett@danielfett.de> Mon, 18 October 2021 06:49 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C3F43A12AF for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbkfYeMIYVXj for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:49:29 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 618833A1217 for <oauth@ietf.org>; Sun, 17 Oct 2021 23:49:28 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id B9F1017F00 for <oauth@ietf.org>; Mon, 18 Oct 2021 06:49:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=41za1qfrawr9bHz6uhVB174ys9ZD/SFDN1IUUkQX9Ow=; b=WelcylZ401t6LM5GLIhcvcz/R/SUcbJUPlblYxEkKMPZmQ2OZUQqAbcdAm7jioEBRlWOkw /Rm7SDHgOTBZ+5y9Wt4IsjaaaKOqrCMtseA+I5NMH8tU18kgSjTgDEyCTLFUzJwO3i9iWB NOXMOywKo3nZK8x9GqrllOsPyphSoeU=
To: oauth@ietf.org
References: <SJ0PR00MB1005DDD53BB9E1CB098632B1F5B99@SJ0PR00MB1005.namprd00.prod.outlook.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <6d73b543-eedf-0c87-8523-ff843355649f@danielfett.de>
Date: Mon, 18 Oct 2021 08:49:18 +0200
MIME-Version: 1.0
In-Reply-To: <SJ0PR00MB1005DDD53BB9E1CB098632B1F5B99@SJ0PR00MB1005.namprd00.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------B41ECAABFB153BAE75D2F7CC"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=41za1qfrawr9bHz6uhVB174ys9ZD/SFDN1IUUkQX9Ow=; b=MIbEFls/JuK77388Hklz1Ja3kK45lvrf+gmS9Hdb5Mhm+jolmDtghd7eOiYs+F2CuOGjlz ApfNy6lMzk6shzT/iZNUMCkEmBHL0sIx/xxmTqd5qTKzuuYNgab0W/+cZ1+wcxr9tBKmbd 0nSHSPTHO/jYYRbSyl9jQAmwIWOBglY=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1634539758; a=rsa-sha256; cv=none; b=I2k6nFg/b8zowRykeQLcvMv/EYwhG54GK6bvhXlgW9+mvPAmTU4TJVlVSVbNu6RBHDesPr B22W3oC7pDPb8kCVNSHaBPvszrWOO0j6k6AeVq5ChTn2kVNeEvjOELdGLL1PDAp9W+E24R hMt8clJGNjIpbwDc7yXX4c2+l0llqMc=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/75mTOuNy_chAoK3LdOfLQQIP-xE>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 06:49:43 -0000

Am 16.10.21 um 01:41 schrieb Mike Jones:
>
> As I see it, the retry in case of network failures should happen by
> performing a new authorization request – not by trying to reuse an
> authorization code – which is indistinguishable from an attack.
>
It only looks like an attack when the code has actually arrived at the
token endpoint on the first try (which the client cannot know, of course).

I think Annabelle's proposal of allowing reuse-on-error has its merits.
The AS can still reject the code when it has seen the same code already,
and the client can then fall back to starting a new authorization request.

-Daniel


>  
>
> Let’s not use OAuth 2.1 as an opportunity to sanction behaviors that
> we can’t distinguish from attacks.
>
>  
>
> The prohibition on clients reusing an authorization code needs to remain.
>
>  
>
>                                                           -- Mike
>
>  
>
> *From:* Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
> *Sent:* Friday, October 15, 2021 4:19 PM
> *To:* Richard Backman, Annabelle <richanna@amazon.com>
> *Cc:* Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and
> OAuth 2.1
>
>  
>
> I am a fan of this approach. It feels pretty empty to cast people out
> of compliance just because they are handling a realistic circumstance,
> such as network failures, that we know about beforehand. 
>
> In addition, this gives us a chance to provide guidance on how to
> handle the situation, instead of leaving AS implementers to their own
> device.
>
>  
>
> On Fri, Oct 15, 2021 at 11:32 AM Richard Backman, Annabelle
> <richanna=40amazon.com@dmarc.ietf.org
> <mailto:40amazon.com@dmarc.ietf.org>> wrote:
>
>             The client MUST NOT use the authorization code more than once.
>
>      
>
>     This language makes it impossible to build a fault tolerant, spec
>     compliant client, as it prohibits retries. We could discuss
>     whether a retry really constitutes a separate "use", but
>     ultimately it doesn't matter; multiple presentations of the same
>     code look the same to the AS, whether they are the result of
>     retries, the client attempting to get multiple sets of tokens, or
>     an unauthorized party trying to replay the code.
>
>      
>
>     I think we can have a fault tolerant, replay-proof implementation,
>     but it takes some effort:
>
>      
>
>      1. The AS can prevent the authorized client from using one code
>         to get a bunch of independent refresh and access token pairs
>         by either re-issuing the same token (effectively making the
>         token request idempotent) or invalidating previously issued
>         tokens for that code. (Almost but not quite
>         idempotent…idempotent-adjacent?)
>      2. The AS can prevent unauthorized parties from replaying snooped
>         codes+PKCE by requiring stronger client authentication:
>         implement dynamic client registration and require a
>         replay-resistant client authentication method like
>         `jwt-bearer`. The AS can enforce one-time use of the client
>         credential token without breaking fault tolerance, as the
>         client can easily mint a new one for each retry to the token
>         endpoint.
>
>      
>
>     Yes, I know, this is way more complex than just a credential-less
>     public client doing PKCE. Perhaps we can have our cake and eat it
>     too with language like:
>
>      
>
>         The client MUST NOT use the authorization code more than once,
>         unless retrying a token request that failed for reasons beyond
>         the scope of this protocol. (e.g., network interruption,
>         server outage) Refer to [Fault Tolerant Replay Prevention] for
>         guidance.
>
>      
>
>     …where Fault Tolerant Replay Prevention is a subsection under
>     Security Considerations. I don't think this wording is quite
>     right, as the guidance is really going to be for the AS, not the
>     client, but hopefully it's enough to get the idea across.
>
>      
>
>     —
>
>     Annabelle Backman (she/her)
>
>     richanna@amazon.com <mailto:richanna@amazon.com>
>
>      
>
>      
>

-- 
https://danielfett.de

v2.23.0 | Report a Bug | By Email