[OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?
Josh Mandel <jmandel@gmail.com> Tue, 03 March 2015 17:27 UTC
To: "oauth@ietf.org WG" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/EfhxR09tOVQe8pHGD2GXSTaAclU>
Cc: Matt Randall <matthew.a.randall@gmail.com>, Dixie Baker <Dixie.Baker@martin-blanck.com>
Hi All,

In section 4.6.4 ("Threat: Access Token Phishing by Counterfeit Resource Server"), RFC6819 describes a threat where a counterfeit resource server tricks a client into obtaining and sharing an access token from a legitimate authorization server. One of the proposed mitigations involves: "telling the authorization server about the resource server endpoint URL in the authorization process."

In other words, this mitigation would ask the client to pass an additional parameter when redirecting to the Authorization server's "authorize" URL, effectively something like:

    https://auth-server/authorize?
      response_type=code&
      client_id=123&
      state=456&
      scope=read-all&
      redirect_uri=https://app-server/after-auth&
      resource_server_that_told_me_to_authorize_here=https://attacker.com

(And if the authorization server saw a value it didn't like in the final parameter, it would reject the request.)

This is obviously not appropriate in every authorization scenario, but it is useful anytime there's a discovery process by which apps learn about authorization servers from resource servers. Since it's something of a common need, I wanted to see if there was any common practice in how to name this parameter, or whether it's worth registering a standard extension at http://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml . (I don't see one there now -- possibly I'm just missing it.)

If so, what should it be called? The name I used in the example above is a bit verbose :-)

Best,
Josh
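The check the mail describes, written out as an added example that is not part of the post: the client names the resource server that sent it to the authorization server, and the authorization server refuses the request unless that value is one of the resource servers it actually protects for that client. The parameter name `resource_server`, the `REGISTERED_RESOURCE_SERVERS` registry and all client ids and hosts are constructed for illustration, not taken from any specification.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse, urlencode, parse_qs

# Hypothetical parameter name; the post leaves the naming open.
RS_PARAM = "resource_server"

# Constructed registry: for each client_id, the origins of the resource servers
# this authorization server issues tokens for. Comparison is on exact origin.
REGISTERED_RESOURCE_SERVERS = {
    "123": {"https://api.example.com", "https://fhir.example.com:8443"},
}


def normalize_origin(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; reject non-https, userinfo, or no host."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        return None
    host = p.hostname.lower()
    if p.port is None or p.port == 443:
        return f"https://{host}"
    return f"https://{host}:{p.port}"


def build_authorize_url(auth_server: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, resource_server: str) -> str:
    """Client side: the usual code-flow redirect plus the resource-server indicator."""
    params = {
        "response_type": "code", "client_id": client_id, "state": state,
        "scope": scope, "redirect_uri": redirect_uri, RS_PARAM: resource_server,
    }
    return f"{auth_server}/authorize?{urlencode(params)}"


def validate_authorize_request(url: str) -> Tuple[bool, str]:
    """Authorization-server side: accept only a known resource server for this client."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)
    client_id = q.get("client_id", [""])[0]
    rs_values = q.get(RS_PARAM, [])
    if len(rs_values) != 1:  # missing or repeated parameter is an error, not a pass
        return False, "invalid_request: resource server parameter missing or repeated"
    origin = normalize_origin(rs_values[0])
    if origin is None:
        return False, "invalid_request: resource server must be an https URL"
    if origin not in REGISTERED_RESOURCE_SERVERS.get(client_id, set()):
        return False, f"rejected: {origin} is not a resource server known for client {client_id}"
    return True, origin
```

A counterfeit resource server that points the client at the real authorization server fails the lookup, so the token is never minted; the client still has to send the value it was actually given rather than one it guesses.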