Re: [OAUTH-WG] OAuth2 security considerations for client_id
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 06 January 2012 13:22 UTC
References: <CACHRFsBNqUgXPxgFth-zHL=tvkVHy=OCXK2tcQ6hC273eoJ9EQ@mail.gmail.com>
User-Agent: K-9 Mail for Android
In-Reply-To: <CACHRFsBNqUgXPxgFth-zHL=tvkVHy=OCXK2tcQ6hC273eoJ9EQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----5WNUD2RWEZCFB1KRA5LQWRQFTTCXFV"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Fri, 06 Jan 2012 14:21:45 +0100
To: Karim <medkarim.esskalli@gmail.com>, oauth@ietf.org
Message-ID: <0f4aff4b-9fcc-4077-9fca-a068ebf97dd4@email.android.com>
Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id
Hi,

your observation is correct. OAuth security considerations recommend not to rely on secrets for authenticating mobile apps (aka native apps) but to manage them as so-called public clients. Please take a look at section 10 of the core spec for further details.

regards,
Torsten.

Karim <medkarim.esskalli@gmail.com> wrote:

> Hello,
>
> When using the User-agent flow with OAuth2 for a mobile platform, there is no way for the Authorization server to authenticate the client_id of the application. So, anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this is applicable to Facebook, Foursquare, ...
>
> Isn't this managed by OAuth2? Or did I miss something?
>
> For Web applications (Web server flow), the access token is stored on the server side, and the client is authenticated using a secret key.
>
> --
> Karim
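The section 10 guidance Torsten points to (RFC 6749, Client Impersonation) says that when an authorization server cannot authenticate a client, it must require registration of the client's redirection URIs and validate them, so that a copied client_id alone does not let a third party receive tokens. The following is an added illustration of that check, not code from this thread or from any OAuth implementation; the client registry, client names, secret and URIs are constructed for the example.

```python
"""Added example: authorization-server checks for public vs. confidential
clients, following the redirect-URI and client-authentication guidance of
RFC 6749 section 10. All names and sample values here are assumptions
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hmac


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str                 # "public" (native/mobile) or "confidential"
    redirect_uris: frozenset         # exact, pre-registered redirection URIs
    secret: Optional[str] = None     # only confidential clients hold a secret


# Constructed stand-in for the authorization server's client database.
REGISTRY = {
    "mobile-app": Client("mobile-app", "public",
                         frozenset({"com.example.app://oauth/callback"})),
    "web-app": Client("web-app", "confidential",
                      frozenset({"https://web.example/cb"}), secret="s3cret"),
}


def authorize_check(client_id: str, redirect_uri: str) -> Tuple[bool, str]:
    """Authorization endpoint: the redirect_uri in the request must exactly
    equal one registered for this client_id. This is the control that
    matters for public clients, because the user-agent (implicit) flow
    delivers the access token to that URI and there is no secret to check."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "unknown_client"
    # Exact string comparison: no prefix, wildcard or host-only matching,
    # otherwise a copied client_id plus a crafted URI would pass.
    if redirect_uri not in client.redirect_uris:
        return False, "invalid_redirect_uri"
    return True, "ok"


def token_check(client_id: str, client_secret: Optional[str]) -> Tuple[bool, str]:
    """Token endpoint: confidential clients are authenticated by secret;
    public clients are not authenticated at all, and the server must not
    treat a presented secret from a public client as proof of identity."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "unknown_client"
    if client.client_type == "confidential":
        if client_secret is None or not hmac.compare_digest(
                client.secret.encode(), client_secret.encode()):
            return False, "invalid_client"
        return True, "ok"
    # Public client: identity is unverified by design (section 10 of the
    # core spec); downstream policy should not grant it confidential-only
    # privileges such as long-lived refresh tokens without further measures.
    return True, "public_client_unauthenticated"


if __name__ == "__main__":
    print(authorize_check("mobile-app", "com.example.app://oauth/callback"))
    print(authorize_check("mobile-app", "https://elsewhere.example/cb"))
    print(token_check("web-app", "s3cret"))
    print(token_check("mobile-app", None))
```

The redirect-URI check closes the case where someone copies the client_id and asks the server to send tokens somewhere else; it does not, on its own, close the case Karim describes where another app on the same device can claim the same custom-scheme URI, which is why the spec treats native apps as unauthenticated public clients rather than as authenticated ones.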