IETF Logo Mail Archive

Re: [OAUTH-WG] "shared symmetric secret"

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 13 July 2010 21:33 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 037053A69F0 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 14:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.463
X-Spam-Level:
X-Spam-Status: No, score=-2.463 tagged_above=-999 required=5 tests=[AWL=0.135, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id otlHa5p6DygN for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 14:33:32 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id BE01A3A6405 for <oauth@ietf.org>; Tue, 13 Jul 2010 14:33:32 -0700 (PDT)
Received: (qmail 28812 invoked from network); 13 Jul 2010 21:33:42 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 13 Jul 2010 21:33:42 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 13 Jul 2010 14:33:37 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Tue, 13 Jul 2010 14:33:35 -0700
Thread-Topic: [OAUTH-WG] "shared symmetric secret"
Thread-Index: AcsizyIgPZ5pukpWRt6lfGldShDB+wAA+os5
Message-ID: <C86229BF.37200%eran@hueniverse.com>
In-Reply-To: <B45651EC-FEA2-4117-80F2-A35F99E432A1@jkemp.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C86229BF37200eranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] "shared symmetric secret"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 21:33:38 -0000

This is how OAuth works: The client wants to access a protected resource. The resource requires authentication (that's the definition of protected). The client presents the access token to authenticate (using an HTTP authentication header). The access token has all the security characteristics of a password:

- Opaque to the client - just a string
- Client must store it in a way that provides access to the clear-text token
- Anyone holding the token can access - the bearer of the token is considered its rightful owner
- The token can be leaked or phished - which is sufficient for full access

I don't care much about the philosophical debate (authentication vs authorization) as I don't think it adds much value here. When it comes to using an access token, the client uses it just like a password, it serves as the authentication construct, and it has all the same problems passwords have.

I do recognize that unlike users' passwords, the tokens are not bound to a person's memory and therefore can be longer, short-lived, and client-specific which is an improvement over users' passwords. But that's just an implementation detail. There is little in the protocol today that enforces this.

My assumption is that for the most part, OAuth 2.0 will be used without any additional authentication. For example, my employer (whom I do not represents here in any way) intends to use access tokens over plain HTTP without SSL/TLS (current BBAuth deployment).

As soon as we add discovery, bearer token phishing will become an issue - mark my words. This is why I find bearer tokens so offensive (I consider discovery a required feature) - but I have lost that battle. All I can do now is use my editorial capacity to warn readers of what they are dealing with *in practice*, and in practice, bearer tokens are used just like passwords.

--

Either way, this is the new text:

        Clients access protected resources by presenting an access token to the resource server.
        Access tokens are bearer authentication tokens, such as passwords or capabilities (as
        defined by RFC2828). This requires treating the access token with the
        same care as other passwords. Access tokens SHOULD NOT be sent in the clear over an
        insecure channel.


EHL

v2.40.3 | Report a Bug | By Email | System Status