Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)

John Bradley <ve7jtb@ve7jtb.com> Tue, 04 February 2014 16:33 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <20140204161338.9A4007FC168@rfc-editor.org>
Date: Tue, 04 Feb 2014 13:33:26 -0300
Message-Id: <9B180E22-D31A-48A7-A233-8F3DA05ABF71@ve7jtb.com>
References: <20140204161338.9A4007FC168@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: eriksencosta@gmail.com, Sean Turner <turners@ieca.com>, Derek Atkins <derek@ihtfp.com>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)

The text in 10.16 is correct.

This is a security consideration that has caused serious problems for Facebook and other implementers.

In the Implicit flow there is no way for a client to know if an access token was issued to it or another client.

The UA presenting the access token in an implicit flow may be the resource owner but may also be any other client that has ever received an access token for the resource.

In the implicit flow the Authorization server knows what client it has issued an access token to via the registered redirect URI.

The change doesn't reflect the intent of the security consideration.

John B.


On Feb 4, 2014, at 1:13 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3880
> 
> --------------------------------------
> Type: Technical
> Reported by: Eriksen Costa <eriksencosta@gmail.com>
> 
> Section: 10.16
> 
> Original Text
> -------------
> For public clients using implicit flows, this specification does not
> provide any method for the client to determine what client an access
> token was issued to.
> 
> Corrected Text
> --------------
> For public clients using implicit flows, this specification does not
> provide any method for the authorization server to determine what
> client an access token was issued to.
> 
> Notes
> -----
> A client can only know about tokens issued to it and not for other clients.
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
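The following is an added illustration of the 10.16 consideration discussed above; it is not code from the thread, from RFC 6749, or from any real authorization server. It models a toy authorization server that records which client each access token was issued to (the knowledge the reply says only the authorization server has), and contrasts a client that accepts any valid token as a login with one that first asks the server which client the token belongs to. The class, function and endpoint names (`ToyAuthorizationServer`, `token_info`, `userinfo`), the client identifiers and the user name are all constructed for the example; a real deployment would use its authorization server's own token-information endpoint or an audience claim in the token rather than this in-memory stand-in.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenRecord:
    client_id: str  # client the token was issued to (AS knows this via the registered redirect URI)
    subject: str    # resource owner the token was issued for


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server issuing opaque bearer tokens.

    It keeps, per token, the client it was issued to. Only the server has this
    mapping; a client receiving a token in a URI fragment cannot infer it.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}

    def issue_token(self, client_id: str, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(client_id, subject)
        return token

    def userinfo(self, token: str) -> Optional[str]:
        """Resource-style endpoint: returns the subject for any valid token.

        This answers "who is the user?" but says nothing about which client
        the token was issued to, which is the gap 10.16 describes.
        """
        record = self._tokens.get(token)
        return record.subject if record else None

    def token_info(self, token: str) -> Optional[TokenRecord]:
        """Constructed token-information endpoint: reveals the issuing client."""
        return self._tokens.get(token)


def login_without_audience_check(server: ToyAuthorizationServer, token: str) -> Optional[str]:
    """Weak pattern: treat any token that resolves to a user as proof of login.

    A token issued to a different client is accepted just the same, because the
    client has no way to tell the difference from the token alone.
    """
    return server.userinfo(token)


def login_with_audience_check(server: ToyAuthorizationServer, token: str,
                              my_client_id: str) -> Optional[str]:
    """Mitigated pattern: accept the token only if the AS says it was issued to us."""
    info = server.token_info(token)
    if info is None:
        return None
    # Constant-time comparison of the client identifiers (both are ASCII here).
    if not hmac.compare_digest(info.client_id, my_client_id):
        return None
    return info.subject


def demo() -> tuple[Optional[str], Optional[str], Optional[str]]:
    """Issue one token to "client-a" and present it at both clients (constructed ids)."""
    server = ToyAuthorizationServer()
    token_for_a = server.issue_token("client-a", "alice")

    # Presented at client-b: accepted without the check, refused with it.
    naive_at_b = login_without_audience_check(server, token_for_a)
    checked_at_b = login_with_audience_check(server, token_for_a, "client-b")

    # Presented at the client it was issued to: accepted either way.
    checked_at_a = login_with_audience_check(server, token_for_a, "client-a")
    return naive_at_b, checked_at_b, checked_at_a


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the reply: `userinfo` tells the client who the user is, not which client the token was minted for, so a client that logs users in on that basis alone cannot distinguish its own tokens from anyone else's. Consulting the authorization server, which does hold that mapping, is what closes the gap.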