Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
John Bradley <ve7jtb@ve7jtb.com> Tue, 21 February 2012 23:02 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296D611E8116 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 15:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.506
X-Spam-Level:
X-Spam-Status: No, score=-3.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eAXlQtVqEgjt for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 15:02:04 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5148921F86A6 for <oauth@ietf.org>; Tue, 21 Feb 2012 15:02:04 -0800 (PST)
Received: by yhkk25 with SMTP id k25so3646570yhk.31 for <oauth@ietf.org>; Tue, 21 Feb 2012 15:02:03 -0800 (PST)
Received-SPF: pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.236.92.201 as permitted sender) client-ip=10.236.92.201;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.236.92.201 as permitted sender) smtp.mail=ve7jtb@ve7jtb.com
Received: from mr.google.com ([10.236.92.201]) by 10.236.92.201 with SMTP id j49mr39307912yhf.60.1329865323971 (num_hops = 1); Tue, 21 Feb 2012 15:02:03 -0800 (PST)
Received: by 10.236.92.201 with SMTP id j49mr30565578yhf.60.1329865323811; Tue, 21 Feb 2012 15:02:03 -0800 (PST)
Received: from [192.168.1.213] ([190.22.73.49]) by mx.google.com with ESMTPS id y12sm34085123ang.21.2012.02.21.15.02.01 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 15:02:03 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_7185D2B1-09AE-435E-9442-F7F0E94AF6E4"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <2BFDC979-1767-4CD7-9D22-B7657EB15121@gmail.com>
Date: Tue, 21 Feb 2012 20:01:42 -0300
Message-Id: <6F478836-0DB8-4D7F-8954-5D127C0DA6AE@ve7jtb.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com> <1329626093.59538.YahooMailNeo@web31804.mail.mud.yahoo.com> <CAGmQQ9egR9DGg6LTQVzVxiq1of=WT2Ysv9EEzoK+5b7evwfiOg@mail.gmail.com> <1329860601.42679.YahooMailNeo@web31806.mail.mud.yahoo.com> <5F0D5C92-1228-4A3E-8CFF-05DC309B4084@ve7jtb.com> <2BFDC979-1767-4CD7-9D22-B7657EB15121@gmail.com>
To: Nicholas Devenish <misnomer@gmail.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkVvvQYMBsDAQshmdNLqAXEI/TtjJlRgDMUthGr4DVy98gDKGLA/IsgdgxhsXwI5unT2w4u
Cc: "Lee, David" <david.lee10@hp.com>, Wenjie Lin <lin.820@osu.edu>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 23:02:05 -0000
On 2012-02-21, at 7:32 PM, Nicholas Devenish wrote: > > On 21 Feb 2012, at 21:59, John Bradley wrote: >> This 'attack' is one that only works with badly designed clients that are making unwarranted assumptions about the behaviour of the Authorization server. > > Unwarranted assumptions? The spec in 3.3 says: > > "If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted." > > - It says MUST; therefore any server that doesn't do this is non-compliant? > - It says scope different from the one requested by the *client*. The possibility that the resource owner intercepts this request and changes it doesn't seem to be considered here (it is not strictly the clients request if that happens) > - The purpose seems to be that the client should be told if the scope changes; this would be important if the client requires a certain scope level to work (though this could be solved more generally in many other ways that wouldn't be in the scope of the oauth spec) > > Thus, assuming that the server is stating compliance, isn't the assumption completely warranted? No the authorization server may at any time for any reason remove a scope from a granted access_token or refresh_token. Reporting back changes in scopes granted along with the access_token is a convenience not a security feature. Assuming it is a security feature and those scopes will continue to be valid for the token after granting is a bad design given the OAuth 2 spec. > >> The only way for a client to know if a token has a scope it to try it, or use a introspection endpoint. End of story. > > An introspection endpoint obviously isn't part of the specification, so isn't relevant to the discussion (though it solves the discussed facebook issue). > > You are right though, that the only way for a client to know for sure is to try to use it; Even if the spec mandated always returning the scope to the client, the user could always intercept the return redirection (assuming a non-confidential client) and change the scope there. > > Perhaps MUST should change to SHOULD, given that this essentially seems unenforceable? A SHOULD may lead people to the conclusion that it is secure. I am happy with saying it is not secure the only want to know is to have the client be prepared to deal with tokens that do not contain the desired scope when used. That is the only 100% solution. John B.
- [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Shane B Weeden
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Phil Hunt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Kristoph
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dan Taflin