IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

John Bradley <ve7jtb@ve7jtb.com> Fri, 18 March 2016 23:17 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C39A12D8EB for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:17:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kcCYnQCHq3xG for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:17:05 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6BC12D874 for <oauth@ietf.org>; Fri, 18 Mar 2016 16:17:04 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id s68so55696093qkh.3 for <oauth@ietf.org>; Fri, 18 Mar 2016 16:17:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=6B91TXRGjGiIZU67BrlxuMEfXIfEfy70WhLB7eM7hu8=; b=2NNWpzwX6SumYhhnrXNoGg/jr0rUwvXMTLUhmJ7NhEcZO4VN3LH8mfQ5EK3+cHNkYE PI80qlsezRA6vUvaN7cwAncc4aCjY9mv8++Oa/kg9Ez58eSvyVbxfMv8MlasOil9FagI a3v30O3vM2pjERcvErqFF39sMZvi0cZeod7eC40Nr+B1imiwdrHELZa9OI2ej+YRRx9A EDEls9CBLDASq4mZ1t5wZgki7e0oXmTpMmjVWoof7RPe5JBxG3y7XmIB4/+LuAH5FBpH RXE9nsvEBteE3YZTXazYc5Kx21t+wRT4StiujtS/3tl6DcTcr4Jqntq3i/9hXXDgSIjR VYZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=6B91TXRGjGiIZU67BrlxuMEfXIfEfy70WhLB7eM7hu8=; b=X9nrjOF4znywCJHAFSYE2Uz/b7jaHAzrYIJldG0cUVjBd3WIeqzRiofwEU2l08Ym3i J16scO2NHQW5t5poqyRWQFd6z+QCpUizk/jc3mh74C8uYDGZvGmkCRt/xgtmlK/O/tUI uzb8S3iNXjNcK3bxoiAdMmQ3B+7J58hk7yRz9+u2ZrAQjIDXCpHYi9u4P/I5N4Jx+Kor dh6LuGqk+eHKfNVb3yncoZaVY4UzTnWiF1WII0s/MhNJjUm7xyKbYfeQSaxIGudClXiu B1vLt+mahakQPxkvWm3L3nVmbe5ixspuk0Eg0CjHPMbvDh9+5XAeJwNhM3NzGIjD1mTO iA6g==
X-Gm-Message-State: AD7BkJK0k5Tbw+8rdMx1rtTQFfQ1W1W1CCVnWCEaOrJQm0lAvr31KYx0Oa3aMuY4joggoQ==
X-Received: by 10.55.75.144 with SMTP id y138mr25861633qka.96.1458343023854; Fri, 18 Mar 2016 16:17:03 -0700 (PDT)
Received: from [192.168.8.101] ([181.202.83.141]) by smtp.gmail.com with ESMTPSA id e11sm7022931qkb.39.2016.03.18.16.17.02 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 18 Mar 2016 16:17:03 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_522B7762-96B1-4D8E-8EAF-2F4AC5A91ED9"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com>
Date: Fri, 18 Mar 2016 20:16:59 -0300
Message-Id: <EBC38367-126E-497C-9878-0F5E7DC4D7C6@ve7jtb.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/H9J3kEnVQjrG070PuMTEDqJb33U>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 23:17:10 -0000

You still have a good AS and a bad AS it is just that the bad AS is using the good AS’s authorization endpoint.

I guess it comes down to how you define what a AS is if it is malicious.

Remember all of the attacks postulated in the papers require a xsrf attack or man in the network to cause a client to start a authorization with the bad AS triggering bad discovery and registration.

If the bad AS is publishing a malicious RS and the “good” registration, authorization, and token endpoints.   It will have a different issuer from the 
good AS authorization endpoint.   When the client performs authorization thinking it is going to bad AS and gets back the issuer for good AS that will trigger an error in the client and it will never present the AT to the bad RS’s resource endpoint.

If the developer hard codes some bad RS endpoint in the client then, I admit returning the iss and client_id from the authorization endpoint won’t help.

John B.


> On Mar 18, 2016, at 7:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
> 
> There are two variations. 
> 
> Mitm the token endpoint is different then working one legit token endpoint against another thru redirect and state misdirection. 
> 
> In the mitm version you don't need multiple AS's.
> 
> Phil
> 
> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
> 
>> The "a. wrong AS /token endpoint" is the mix-up issue, which can be mitigated by returning an identifier for the AS in the authorization response. It is something that needs to be addressed but "discovery" or metadata aren't needed and audience restricted access tokens tokens don't help.
>> 
>> Maybe that's obvious but there seems to be a lot of confusion on all this so I wanted to reiterate it.
>> 
>> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>> Goals:
>> 
>> 1. Help the client not send a token to the "wrong" endpoint
>>    a. wrong AS /token endpoint
>>    b. evil RS endpoint(s)
>> 2. Allow good RS to determine if the token being validated was intended for that RS
>> 
>> Other high-level goals?
>> 
>> Use cases:
>> 
>> 1. RS that supports multiple AS (we've had this in production since 2011)
>> 2. RS rejects token not issued for use at the RS
>> 3. Client that dynamically supports new RS (say any client that supports the jabber API)
>> 4. Client that dynamically supports new AS
>> 
>> Feel free to add to the list :)
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email