Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

John Bradley <> Thu, 21 January 2016 19:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 764701A8AF1 for <>; Thu, 21 Jan 2016 11:15:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zyob84GVlnzX for <>; Thu, 21 Jan 2016 11:15:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4468E1A8AD2 for <>; Thu, 21 Jan 2016 11:15:41 -0800 (PST)
Received: by with SMTP id e32so40128825qgf.3 for <>; Thu, 21 Jan 2016 11:15:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=uoH2HTZVwXa3LuhSY1hPm7SLdyb5cTLDezBfTGjq0Ac=; b=no6XcxUMuw0r3IhJm5KMt8DKHdj34nP/DKCIfD8K2GzS9oNlhs1/WDnBRC6x1fIGfF UpPcfb59OMR5xQPO5d1fPrGyqSuW77TQAaINH3qZ8kzPcpWnNwqDVCVomv17RGCb/cFY BNzyehOU903TG6Mpux23qV605t8/xoKyvjsOFBx92duNFncGrxd41zDf1wFQ6o55StQ3 dovbkQtYzWWURBJVf5/J+ZwwOPTNCA4N+ekzhUcjCOTpenED6pNF8dxFGqFNNBpunqaa 86bu5yGgoO8rChof3YTaQSajpiPNM58YVlry3SljMlTkkoaejJpEQuZqLguso8EuinHf ep9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=uoH2HTZVwXa3LuhSY1hPm7SLdyb5cTLDezBfTGjq0Ac=; b=C5l23RpjJ6OATDp2Bfo6u9ckpaNupiEOSE0kdKArdJrnYYSCUGtu7/sFwdTZWEuarl VehG2dzcdkwJ4aeH43JP7BUXjOAUzlXRa+LOq1RQHy7E7UDPDXX3dxn+35B3BIKSjIRB 5uIMIk2rTtMRdzpGO7VXSA8Jt1Q/zhXUFeWyHd/K6Xo8ZLjBFlTVKb4rvIdDrtDgerla Ql8MurE5Ve1G7E/rUtUXYtxqcguoOT+VSwsRVDvSvL3WqoAcC6P4rXOvF/x5jCqkgjWH WkZnPz9SFoao2i5uRTAHZrPLuJ7K9eW/DBKJyX5YOfaQKQzt7Lp2i4cbT9cS14awFRzy lVMw==
X-Gm-Message-State: ALoCoQkAe9/mavADnjOaZadeN/HiFw2Q83lY0+n3YKAAaZ0a9psc8nG9O48fjbGoprPciHA03L/Ks6LrQNPtpQqA8BpZyIUH6Q==
X-Received: by with SMTP id f20mr53724134qge.95.1453403740307; Thu, 21 Jan 2016 11:15:40 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id a69sm1153818qgf.21.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 21 Jan 2016 11:15:38 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_19A4E949-1FC6-4605-A4BE-6A4E7A745150"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Thu, 21 Jan 2016 16:15:34 -0300
Message-Id: <>
References: <> <> <>
To: Justin Richer <jricher@MIT.EDU>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 19:15:44 -0000

The server could hash the state using the same algorithm the client uses if the client passed that as well.

I see lots of things being fragile about that.

The draft allows the server to use whatever hash it wants to internally to compare them.  Given that we are detecting tamping and don’t need to worry about collisions as the state should have it’s own integrity protection you could probably get away with MD5 on the server.  Though I don’t think saying that in a spec would be a good idea:)

I am being sensitive, because I am changing a decision that was agreed to by the group in Germany.   I want people to know it was changed, so they can provide feedback if they feel strongly.

John B.

> On Jan 21, 2016, at 3:58 PM, Justin Richer <jricher@MIT.EDU> wrote:
> Thank you for removing state hashing and please don’t add it back. It’s security theater, and that’s giving it the benefit of the doubt. Remember, this is being sent in a  request where other parameters (code, client_id, client_secret, redirect_uri) are all sent plain over TLS as well. Either come up with a general mechanism to hash everything or don’t hash anything. The latter is more likely to win, and it’s the only thing that makes sense currently. 
> Also, keep in mind that if the client hashes the state on the second request, then the server can’t store the state parameter using its own hash methods (for data-at-rest protection) and still be able to do the comparison. Having the client send it over plain is really better all around in terms of simplicity and adoptability.
> Now if we really wanted to have message-level protection of HTTP requests, I can think of a good way to do that…
>  — Justin
>> On Jan 21, 2016, at 9:41 AM, John Bradley < <>> wrote:
>> We merged the state verification in with this rather than forcing people to also look at the JWT encoded State draft. <>.  
>> While JWT encoded state is how I would do state in a client and at-least one client I know of uses it, it is not the only way to manage state, and I am hesitant that developers might be scared away by thinking they need to encode state as a JWT.
>> I decided that cross referencing them is better.   This made sending much simpler to describe.   
>> I also removed the hashing from state.   That cut the text by about 2/3 by not having to describe character set normalization so that both the client and the AS could calculate the same hash.
>> That also achieved the goal of not requiring a simple OAuth client doing the code flow to add a crypto library to support SHA256.
>> Once we make a algorithm mandatory, we need to defend why we don’t have crypto agility eg support for SHA3 etc.  We would be forced by the IESG to add another parameter to the request to specify the hash alg if we went that direction.
>> Given that we assume state to be public info in the request that an attacker can see, hashing state provides not much value for a lot of complexity that people may get wrong or not implement.
>> I appreciate why from a theory point of view hashing it would have been better.
>> If people really want it I can add it back.
>> John B.
>>> On Jan 21, 2016, at 3:28 AM, Mike Jones < <>> wrote:
>>> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up Mitigation draft.  Changes were:
>>> ·       Simplified by no longer specifying the signed JWT method for returning the mitigation information.
>>> ·       Simplified by no longer depending upon publication of a discovery metadata document.
>>> ·       Added the “state” token request parameter.
>>> ·       Added examples.
>>> ·       Added John Bradley as an editor.
>>> The specification is available at:
>>> · <>
>>> An HTML-formatted version is also available at:
>>> · <>
>>>                                                           -- Mike
>>> P.S.  This note was also posted at <> and as @selfissued <>.
>>> _______________________________________________
>>> OAuth mailing list
>>> <>
>>> <>
>> _______________________________________________
>> OAuth mailing list
>> <>