IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code use in draft-ietf-oauth-v2-21

André DeMarre <andredemarre@gmail.com> Mon, 12 September 2011 19:02 UTC

Return-Path: <andredemarre@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 091D321F8CA8 for <oauth@ietfa.amsl.com>; Mon, 12 Sep 2011 12:02:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPgknuuHbuVG for <oauth@ietfa.amsl.com>; Mon, 12 Sep 2011 12:02:44 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 54D0121F8BFE for <oauth@ietf.org>; Mon, 12 Sep 2011 12:02:44 -0700 (PDT)
Received: by ywa6 with SMTP id 6so2215199ywa.31 for <oauth@ietf.org>; Mon, 12 Sep 2011 12:04:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=wCOzrN0fqQ84jcgAicB4E1acTRoCrN/SBg7WAPNtRX8=; b=CIQ7B5v1L4o3C82m6pCAF7ak+aJ2Nko6LDybP9Ow0sJxchjPm+oZ+2xReQ1+ZyIxtV 4cwyh1bN1w505Fkp7Ot9wJW9BJ6+QIA9sYGqSXnQnTutQ6503B4yV6IcODUfVHD52BUA gYdr0PQM/3t/GqnYbMBDZeuP425nzFqDRk9o8=
MIME-Version: 1.0
Received: by 10.42.96.65 with SMTP id i1mr875036icn.275.1315854288110; Mon, 12 Sep 2011 12:04:48 -0700 (PDT)
Received: by 10.42.18.129 with HTTP; Mon, 12 Sep 2011 12:04:48 -0700 (PDT)
In-Reply-To: <8A78E766-3A1D-4534-B336-3084A182EFD0@hueniverse.com>
References: <CAEwGkqCcvBS+HvoQQGj+R0eXYUnPS8W0SqeSxTtt03rnUsywZQ@mail.gmail.com> <8A78E766-3A1D-4534-B336-3084A182EFD0@hueniverse.com>
Date: Mon, 12 Sep 2011 12:04:48 -0700
Message-ID: <CAEwGkqB5XS4wMbQxF-=gsxCcfzvvCVR46bD3eeHfKHzLayJj2w@mail.gmail.com>
From: André DeMarre <andredemarre@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Mon, 12 Sep 2011 13:27:38 -0700
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authorization code use in draft-ietf-oauth-v2-21
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 19:07:58 -0000

I overlooked section 10.5 paragraph 3, which addresses my first point
below, but I think enforcing single use authentication codes should
also be included at the bottom of section 4.1.3 in the "authorization
server MUST" list. Proposed text for item 3: "verify that the
authorization code is valid and has not yet been used to acquire an
access token, and".

It is stated in 10.5 that authorization codes must be short lived, but
it might be good to state that the lifetime of authorization codes
should be included in the authorization server documentation.

Andre DeMarre

On Fri, Sep 9, 2011 at 4:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Sending to the right address.
>
> EHL
>
> On Sep 9, 2011, at 15:31, "André DeMarre" <andredemarre@gmail.com> wrote:
>
>> Greetings Everyone,
>>
>> I hope the draft isn't too far along for these comments.
>> (draft-ietf-oauth-v2-21)
>>
>> 1. AUTHORIZATION CODE RESTRICTIONS
>>
>> The specification (particularly Section 4.1) does not say if the
>> authorization server may or may not allow an authorization code to be
>> used more than once in exchange for an access token. (Section 4.1.3)
>>
>> With this ambiguity, some authorization server implementations might
>> allow authorization codes to be reused by the client (whether
>> intentionally or not). I don't see any benefit in allowing this and
>> think it should be forbidden for several reasons.
>>
>> Allowing this enables a scenario where an authorization code may be
>> reused when the client should use the refresh token instead. The
>> refresh token has more desirable security properties.
>>
>> The usefulness of authorization codes should be restricted wherever
>> possible because they are revealed to resource owners and can be sent
>> over unsecure connections when the client does not require TLS on its
>> redirection URI. These properties combined with the possibility that
>> the authorization code flow may be used by public clients might open
>> more severe attack vectors.
>>
>> I think it should be clearly stated that the authorization server MUST
>> NOT issue more than one access token per authorization code grant. An
>> authorization code should be discarded after its first use and new
>> access tokens should only be issued when exchanged for refresh tokens.
>>
>>
>> 2. AUTHORIZATION CODE VS. TOKEN?
>>
>> Much less important, and please forgive me if this has already been
>> discussed, but why isn't the authorization code called an
>> authorization token? It is similar to the refresh token in that it can
>> be presented in exchange for an access token at the token endpoint. I
>> see it as another type of token and wonder if the language used should
>> perhaps reflect that as well.
>>
>>
>> 3. GRAMMAR CORRECTION IN SECTION 10.12
>>
>> In Section 10.12 paragraph three it says "(e.g. a hash of the session
>> cookie used to authentication the user-agent)." This should say
>> "authenticate" instead of "authentication".
>>
>> Regards,
>> Andre DeMarre
>
>

v2.23.0 | Report a Bug | By Email