Re: [OAUTH-WG] What's the use case for signing OAuth 2.0 requests?

Eran Hammer-Lahav <> Sat, 25 September 2010 02:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5A0463A6B50 for <>; Fri, 24 Sep 2010 19:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nj+WImYH-L-P for <>; Fri, 24 Sep 2010 19:43:52 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 5F8AA3A6B31 for <>; Fri, 24 Sep 2010 19:43:52 -0700 (PDT)
Received: (qmail 10926 invoked from network); 25 Sep 2010 02:44:25 -0000
Received: from unknown (HELO ( by with SMTP; 25 Sep 2010 02:44:24 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([]) with mapi; Fri, 24 Sep 2010 19:44:23 -0700
From: Eran Hammer-Lahav <>
To: Yaron Goland <>, OAuth WG <>
Date: Fri, 24 Sep 2010 19:44:21 -0700
Thread-Topic: [OAUTH-WG] What's the use case for signing OAuth 2.0 requests?
Thread-Index: ActcLVkcw12z9VXcRZaPemtNsnYbYQALjU6x
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C8C2B0153AD3Feranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] What's the use case for signing OAuth 2.0 requests?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 25 Sep 2010 02:44:00 -0000

These are my two:

1. Remove the need to rely solely on HTTPS

There are plenty of cases where people can't or don't want to use HTTPS. Clearly, the web is not all HTTPS and OAuth should be useful on the entire web. We are not going to settle the long debate over the cost or speed of using HTTPS. It doesn't matter. There are enough people who are set in their mind about it and we need to offer an alternative.

>From an implementation perspective, HTTP client implementations are notoriously broken. Not the library code, but the way developers use it. For example, most developer ignore exceptions about invalid or expired certificates. This is why the major browsers had to change their UI to make it really hard for users to accept bad certificated (which people still do). We keep forgetting that while HTTPS is properly executed in most browsers, it is not the case in most client applications.

I would like to see a detailed section in the specification detailing everything a developer has to check to actually ensure their HTTPS connection is secure and to the right destination. It is nice to put the burden on HTTPS and point people there, but if we know they are going to do stupid things (like they have done before), we have the responsibility to write a defensive protocol that prevents exploits when developers make predictable mistakes.

Another aspect of HTTPS is that in most cases, it terminates at the entry point to the server deployment which exposes the tokens internally to anyone with access, beyond the final applications.

*** If HTTPS is to remain optional for protected resource requests, a signature-based alternative is required.

2. Ensure that tokens are not open to phishing attacks

Discovery as well as future use cases for OAuth will create the need for clients to authenticate using tokens against servers that are not hard-coded into the application. When this happens, bearer tokens are simply too dangerous. Any solution that is based on sending secrets in the clear (that is, whoever receives them on the other side can use them, legally or not) is going to cause secrets to leak.

I don't need to lay out the exact exploit, only to point to the past 20 years and show that every single password-based solution has been proven broken, even when used over secure channels. It is sad that some of the people who criticized WRAP for this exact reason are not taking part of this discussion and gave up (some due to lack of time or interest, others due to being told to STFU by their employer).

It is true that there are methods for using bearer tokens with discovery, but those I have seen all require the client to basically ask the server after each new resource they encounter if it is ok to send the token there. This is very inefficient, when a signature solves that (as offered successfully by OpenID). The other solution is to tell the client using some form of policy where it is ok to send tokens (as is done with cookies), and that's clearly an approach guaranteed to fail.


On 9/24/10 2:18 PM, "Yaron Goland" <> wrote:

My understanding of Eran's article ( is that Eran believes that bearer tokens are not good enough as a security mechanism because they allow for replay attacks in discovery style scenarios. He then, if I understood the article correctly, argues that the solution to the replay attack is to sign OAuth 2.0 requests.
In I tried to demonstrate that in fact one can easily prevent replay attacks in discovery scenarios using OAuth 2.0 and bearer tokens. If the article is correct then it is not a requirement to introduce message signing into OAuth 2.0 in order to prevent the attacks that Eran identified.

So this leaves me wondering, what's the critical scenario that can't be met unless we use sign OAuth 2.0 requests?