Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Daniel Roesler <> Sat, 09 November 2019 17:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EDB7A12001E for <>; Sat, 9 Nov 2019 09:44:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a140u8coiyPt for <>; Sat, 9 Nov 2019 09:44:12 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF0C21200DF for <>; Sat, 9 Nov 2019 09:44:11 -0800 (PST)
Received: by with SMTP id e187so7892462qkf.4 for <>; Sat, 09 Nov 2019 09:44:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=e6TJWKAYP/dHJPibCnJcVVI2vWj7gj/g1nseScT22HE=; b=VK+rOWWzzV4y+BzqCuIj0Zpsch67LRD4QETxeuHbU2n+3cW9iiOZFkfWBEgrVff9pv YYAiUyCU92hwDlSlufLQcvrIN/uvE4mrsMbKwjadD3KPmgQ69pTVCCPrTbYWgXmHbZa2 8ubK5XDP/B7KDNctYaTXSXXRbonuGAeKpBbiY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=e6TJWKAYP/dHJPibCnJcVVI2vWj7gj/g1nseScT22HE=; b=EQzI8ChtAjZoYUHHSXEIQOs33PMUHdmiVvUzYNYBVt986fUmoo9xb8JSHVOHg+B4E+ KEjiY2vdBRzFnsY2W5G7SD1fRzAKlO7AR1k2eWrC8+cWkL3cdyrg4xBQrz4jM62PkbkD OQDAo1tbM0+McAXAp05Nb96hozv9DRL+eENNZq2y3VJgjtfj9+/99KU2y+Lna9qZ/pq9 p1Fnw9aocMV/bLtsSPX8QGxTGU+6N2NBFaEV5KX/GnnPAOF01g0JMAgEFuCTrkN7a4ys and3CqZ8kvS/ydShTipQdAxe0v4PDeaQYWFi7O4qPUqyclYAi1tb8qytSkvkHkSObDdi jQJw==
X-Gm-Message-State: APjAAAXCnqu60su999xu6BF+X0ywefMeIj53ObNeDJK3kAyM81wRVClY SlAUxKUzIEM/hdCwOPBY9D3jjTzmasgEUUHQ3trUAGK6
X-Google-Smtp-Source: APXvYqzrKKljhWpCuzDLwn17cVOpAwmhhngqWONgp+uV/onB//0g4OZk1AUzuTnI99qzFA5hazBPN9aTPKib/5/faEM=
X-Received: by 2002:a37:424a:: with SMTP id p71mr2931321qka.194.1573321450570; Sat, 09 Nov 2019 09:44:10 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Daniel Roesler <>
Date: Sat, 9 Nov 2019 11:43:34 -0600
Message-ID: <>
To: David Waite <>
Cc: Daniel Roesler <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 09 Nov 2019 17:44:17 -0000

Howdy DW,

Thanks very much for your response! It's totally understandable that
the authorization server should ask for re-confirm if the
refresh_token is no longer valid, and it's also understandable that if
you're using implicit flow with only an access_token that you don't
need to ask for re-confirm every time.

However, I'm specifically interested in authorization code flow
situations where an authorization request is made despite the client
already having a valid grant. It's an atypical request for the client
to make, since they theoretically should already have valid
access/refresh_tokens, but when it does happen, what is the
authorization server supposed to do? Is it bad for them to
auto-redirect back with another authorization code without asking the
user to confirm again? Shouldn't they treat the authorization request
the same way they treat all other authorization requests (by asking
for user confirmation)?

It seems there are situations where this transparent redirect behavior
can be dangerous[1][2] or misleading[3].

[1]: Issuing a new authorization code without requiring confirmation
from the user is what allowed Github's HEAD exploit to be practical
because it allowed the client to exfiltrate the authorization code
without user interaction. Had Github always requested user to click
Allow, even though the user would have already granted access through
the HEAD exploit, the client wouldn't be able to obtain the
authorization code without user interaction. I understand that fixing
the HEAD exploit in the first place is the first and best solution,
but the lack of user interaction is what elevated this exploit from
high to critical.

[2]: For users that have multiple accounts with a client (e.g.
personal, anonymous, work, etc.), if an authorization server
auto-redirects for repeated authorization requests, once that user
connects one account via OAuth to the client, the client can then
attempt authorization requests for other accounts and see which ones
get auto-redirect back. This can, without user interaction,
potentially de-anonymize or map different accounts on the client to
the same user that the user didn't necessarily want to be mapped.

[3]: Privacy regulations are adding more and more for users to
"opt-in" to various types of data access or data sharing, and
sometimes consent requirements for the client don't line up with the
expiration/revocation timelines of the authorization server (e.g.
clients may be required to get an opt-in annually, even if the
authorization server grant never expires). Clients are assuming that
using the redirect back with an authorization code is proof of consent
for their privacy compliance records (it is called Open Authorization,
after all). However, with transparent redirects in the authorization
code flow, this isn't necessarily true and you can no longer rely on
OAuth as a valid mechanism for proving user consent.

I realize that it's open to the authorization server to issue
authorization codes how they see fit. It just strikes me as odd that
there's not a lot of guidance around when transparent redirects are
safe, when user interaction should occur, and the risks and
implications of both behaviors.

Daniel Roesler
Co-founder & CTO, UtilityAPI
On Fri, Nov 8, 2019 at 2:02 PM David Waite <> wrote:
> Hello Daniel!
> > 1. The client makes an ajax HEAD request to the OAuth authorization
> > endpoint, which will silently create the authorization grant (this was
> > the security exploit that was patched).
> > Anyway, I'm trying to find guidance on transparent redirects for
> > authorization code grants. There's a whole host of both security and
> > application logic issues that could come up from such behavior, so I'd
> > like to ask for clarification in best practices.
> OAuth does not provide a way to recover from an expired access token barring a refresh token, which also can be invalidated. In particular, the only front channel ‘continuation’ parameter I know of is ‘id_token_hint’ in OIDC.
> There are deployments today (admittedly mostly using implicit flow) which do not have refresh tokens. A mandate that you SHOULD ask for re-consent would be a recommendation that they have to interrupt the user periodically to continue access - which would just create another security vs usability decision.
> Per your point above, the actual security issue was that GitHub 1) had the authorization endpoint serve double-duty and 2) treated HEAD requests as a quasi GET/POST to create a grant in their database to the client without user confirmation. The solution for this is not to ask the user to re-confirm on every request..
> That said, it does make sense for some deployments to periodically invalidate a refresh token, even for the purpose of bringing the user back to re-consent permissions (aka self-audit). An application could theoretically distinguish from tokens granted by the protected user needing to be invalidated to drive the user to re-consent, and operationally granted tokens which are assumed to be actively managed and not tied to any user account.
> -DW
> > On Nov 8, 2019, at 5:49 AM, Daniel Roesler <> wrote:
> >
> > Howdy,
> >
> > In the "3.1 Protecting Redirect-Based Flows" > "3.1.1. Authorization
> > Code Grant" section, is there guidance on when it is appropriate (if
> > ever) to automatically generate a new authorization code and redirect
> > back to the client?
> >
> > A recent exploit[1] on Github's OAuth implementation was practical
> > because if you make an authorization request and the resource owner is
> > already authenticated and the scope is already authorized, Github will
> > silently generate a new authorization code and redirect the user back
> > to the redirect_uri without asking them to click "Authorize" again.
> >
> > How the exploit worked:
> >
> >
> > 2. However, since the ajax response was blocked via CORS, the client
> > couldn't receive the authorization code in the response parameters.
> >
> > 3. So, the client then redirected the user to Github's authorization
> > endpoint with the same authorization code request (only this time as a
> > real GET redirect).
> >
> > 4. Github instantly redirected the user back to the client's
> > redirect_uri with a new authorization code and without asking for any
> > user interaction.
> >
> > It seems strange to me that OAuth should allow for transparent
> > authorization code redirects without resource owner confirmation. This
> > situation only comes up when something weird is happening, such as
> > when a client loses their valid access|refresh_token, but isn't that
> > all the more reason to clarify that you should always ask for resource
> > owner confirmation of the scope, even in scenarios where you are just
> > re-authorizing the same scope as before?
> >
> > Had Github asked for confirmation on step 4 above, the practicality of
> > the HEAD exploit would have been reduced because the user would have
> > been presented with an unexpected Allow/Deny Github OAuth dialogue,
> > possibly alerting them to the fact that something strange was going
> > on.
> >
> >
> > [1]:
> >
> > Daniel Roesler
> > Co-founder & CTO, UtilityAPI
> >
> >
> >
> >
> > On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig
> > <> wrote:
> >>
> >> Hi all,
> >>
> >> this is a working group last call for "OAuth 2.0 Security Best Current Practice".
> >>
> >> Here is the document:
> >>
> >>
> >> Please send you comments to the OAuth mailing list by Nov. 27, 2019.
> >> (We use a three week WGLC because of the IETF meeting.)
> >>
> >> Ciao
> >> Hannes & Rifaat
> >>
> >> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >>
> >>
> >
> > _______________________________________________
> > OAuth mailing list
> >
> >
> _______________________________________________
> OAuth mailing list