Re: [OAUTH-WG] Report an authentication issue

John Bradley <ve7jtb@ve7jtb.com> Fri, 29 June 2012 18:31 UTC

To: Phil Hunt <phil.hunt@oracle.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

I think they only exploited the implicit flow.

My point was that there is a way you could do the same thing with code if it is a public client that is not authenticating to the token endpoint.

In general making identity assumptions in the client based on a code or access_token has risks that are out of scope for OAuth.

We do however want to provide good advice about specific things that can leave systems insecure when using OAuth.

John B.

On 2012-06-29, at 2:22 PM, Phil Hunt wrote:

> I'm not clear whether the MS Security Researcher hack was with the authorization code or the access token. If the latter, the client_id is out of the picture, isn't it?
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> On 2012-06-29, at 11:14 AM, Dick Hardt wrote:
> 
>> 
>> On Jun 29, 2012, at 11:06 AM, John Bradley wrote:
>> 
>>> It is nice to know that I may occasionally be correct :)
>> 
>> You must be delighted when it happens! ;)
>> 
>>> While you may assume that it is reasonable for a client with a code to make a request to the token endpoint including its client_id, and for the server to only give out the access token if the client_id in the token request matches the one in the original authorization request, the spec specifically doesn't require that.
>> 
>> I think that is an error in the spec and should be changed, or text added saying that the client_id SHOULD be checked.
>> 
>> -- Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
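The client_id check Dick Hardt asks for, as an added example that is not code from this list or from any OAuth implementation: a constructed in-memory authorization server whose token endpoint binds each authorization code to the client_id of the original authorization request and refuses to exchange it for any other client. The function names, the `bind_to_client` flag and all sample values are assumptions made for the example.

```python
import secrets
import time

# Constructed in-memory authorization server (added example, not any project's code).
# Codes are minted at the authorization endpoint and redeemed at the token endpoint
# by a public client, i.e. one that does not authenticate to the token endpoint.

CODE_TTL_SECONDS = 600
_codes = {}  # code -> {"client_id", "redirect_uri", "user", "expires", "used"}


def issue_code(client_id, redirect_uri, user):
    """Authorization endpoint: mint a single-use code bound to the requesting client."""
    code = secrets.token_urlsafe(32)
    _codes[code] = {
        "client_id": client_id,       # remembered so the token endpoint can compare
        "redirect_uri": redirect_uri,
        "user": user,
        "expires": time.time() + CODE_TTL_SECONDS,
        "used": False,
    }
    return code


def redeem_code(code, client_id, redirect_uri, bind_to_client=True):
    """Token endpoint for a public client (no client authentication).

    Returns an access-token dict or an OAuth error dict. bind_to_client=False
    reproduces the behaviour the thread worries about: the code is not tied to
    the client_id it was issued to, so any client holding the code can redeem it.
    """
    entry = _codes.get(code)
    if entry is None or entry["used"] or entry["expires"] < time.time():
        return {"error": "invalid_grant"}  # unknown, replayed or expired code
    if entry["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}  # redirect_uri must match the auth request
    if bind_to_client and entry["client_id"] != client_id:
        # The code was issued to a different client; do not mint a token for
        # the user under this client's identity.
        return {"error": "invalid_grant"}
    entry["used"] = True  # single use
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "sub": entry["user"],
        "issued_to": client_id,
    }
```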