Re: [OAUTH-WG] specification of authorization code properties
Brian Campbell <bcampbell@pingidentity.com> Fri, 01 October 2010 18:22 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DC5A3A6DDE for <oauth@core3.amsl.com>; Fri, 1 Oct 2010 11:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.874
X-Spam-Level:
X-Spam-Status: No, score=-5.874 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bk+Q0BlKbn68 for <oauth@core3.amsl.com>; Fri, 1 Oct 2010 11:22:19 -0700 (PDT)
Received: from na3sys009aog111.obsmtp.com (na3sys009aog111.obsmtp.com [74.125.149.205]) by core3.amsl.com (Postfix) with SMTP id 158063A6C80 for <oauth@ietf.org>; Fri, 1 Oct 2010 11:22:18 -0700 (PDT)
Received: from source ([209.85.161.54]) by na3sys009aob111.postini.com ([74.125.148.12]) with SMTP ID DSNKTKYnC1ljTKR740yAGHwYbl1od4guPAI8@postini.com; Fri, 01 Oct 2010 11:23:08 PDT
Received: by fxm9 with SMTP id 9so3658974fxm.27 for <oauth@ietf.org>; Fri, 01 Oct 2010 11:23:06 -0700 (PDT)
Received: by 10.223.114.69 with SMTP id d5mr4044328faq.58.1285957386267; Fri, 01 Oct 2010 11:23:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.113.3 with HTTP; Fri, 1 Oct 2010 11:22:35 -0700 (PDT)
In-Reply-To: <4CA61276.3080608@lodderstedt.net>
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB9A2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4CA3CCBE.80107@oracle.com> <709E7810-2F66-4E4B-85B2-B18BB8751EA5@lodderstedt.net> <4CA60E13.3060005@oracle.com> <4CA61276.3080608@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 01 Oct 2010 12:22:35 -0600
Message-ID: <AANLkTi==R1S55i-Mc7ScJP4sxMc7tLWOiJc0zCqUJ-c6@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>, PRATEEK MISHRA <prateek.mishra@oracle.com>
Subject: Re: [OAUTH-WG] specification of authorization code properties
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 18:22:21 -0000
Yes Torsten, I believe the consensus we ended up out of that last discussion was that the spec and associated security considerations should be written in such a way as to allow for either approach. On Fri, Oct 1, 2010 at 10:55 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Prateek, > > as I remember previous discussions, both design options (self-contained > short-living/one-time use tokens as well as random strings) shall be > feasible. So your contribution would helpful anyway. > > regards, > Torsten. > > Am 01.10.2010 18:36, schrieb PRATEEK MISHRA: > > Torsten, > > Brain Campbell points out that previous discussions suggest that the > authorization code is meant to be a cryptographically protected one-use > token (vs. a random string) but that these > key (essential!) details are not available draft 10. > > http://www.ietf.org/mail-archive/web/oauth/current/msg03885.html > > I would say then that the analogy with the SAML Web SSO browser profile > isn't exact but nevertheless some threats are common to both scenarios. I > will try to summarize > these once a concrete proposal for authorization code is made available by > the authors. > > - prateek > > Thank you for your advice. The Oauth security considerations are not > finished yet. They will handle the issues you raised, too. > > Regards, > Torsten. > > > Am 30.09.2010 um 01:33 schrieb PRATEEK MISHRA <prateek.mishra@oracle.com>: > > > > I read through v10 from the perspective of an implementor, and it seemed to > me that properties of generated authorization code and its treatment by > various entities need to be called out explicitly as a counter-measure > against various simple attacks. > > I would also comment that the exchanges between the end-user, client and > authorization endpoints, beginning with the issuance of an authorization > code (in SAML 2.0 called a browser artifact) and terminating with the client > obtaining an access token (in SAML 2.0 the RP obtaining a SAML assertion) > essentially follow the SAML web browser artifact profile and are therefore > open to all of the attacks that the SSTC considered for this protocol. > > 1) For example, given the current description it seems that perfectly > reasonable for an end-user authorization endpoint to generate a sequence of > increasing integers as an authorization code or always return a constant > value for a request with a given (client_id, redirection_uri) pair of > inputs. So this leads to the possibility of an adversary using some simple > techniques to guess valid authorization codes and obtain an access token. > > 2) There is a need to articulate some of the minimum properties that an > authorization code should possess. I understand that there is an attempt > here to give maximum choice to implementors. > > For example, the SAML 2.0 artifact format description includes the following > language - > > [quote] > The MessageHandle value is constructed from a cryptographically strong > random or > pseudorandom number sequence [RFC1750] generated by the issuer. The sequence > consists of > values of at least 16 bytes in size. > [\quote] > > > 3) I am also puzzled by the discrepancy between the language used to > describe the generation and use of an authorization code - > > [quote - generation - p.18] > The authorization code > SHOULD expire shortly after it is issued. The authorization > server MUST invalidate the authorization code after a single > usage. The authorization code is bound to the client > identifier and redirection URI. > [\quote] > > VS > > > [quote - use - p.23] > The authorization server MUST: > o Validate the client credentials (if present) and ensure they match > the authorization code. > o Verify that the authorization code and redirection URI are all > valid and match its stored association. > [\quote] > > > I dont understand how the authorization code is related to the client > credentials, or what is meant by "valid" or the reference > to "stored association". Is there an assumption that authorization server > has a stateful table of (authorization code, client id, redirection uri) > values? > Shouldnt this test be limited to checking whether the authorization code is > being used with the correct client identifier and redirection URI? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Next steps (draft timeline) Eran Hammer-Lahav
- [OAUTH-WG] specification of authorization code pr… PRATEEK MISHRA
- Re: [OAUTH-WG] specification of authorization cod… Torsten Lodderstedt
- Re: [OAUTH-WG] Next steps (draft timeline) Torsten Lodderstedt
- Re: [OAUTH-WG] Next steps (draft timeline) Eran Hammer-Lahav
- Re: [OAUTH-WG] specification of authorization cod… PRATEEK MISHRA
- Re: [OAUTH-WG] specification of authorization cod… Torsten Lodderstedt
- Re: [OAUTH-WG] specification of authorization cod… Brian Campbell