Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)
Prateek Mishra <prateek.mishra@oracle.com> Tue, 04 February 2014 18:51 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EAD21A0169 for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 10:51:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.735
X-Spam-Level:
X-Spam-Status: No, score=-4.735 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5zarNk2k6xY for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 10:51:03 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id BF3B01A0125 for <oauth@ietf.org>; Tue, 4 Feb 2014 10:51:03 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s14IowbZ017436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Feb 2014 18:50:59 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s14IouWD008100 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Feb 2014 18:50:56 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s14Iot3N008076; Tue, 4 Feb 2014 18:50:55 GMT
Received: from [130.35.50.173] (/130.35.50.173) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 04 Feb 2014 10:50:55 -0800
Message-ID: <52F1368D.9040106@oracle.com>
Date: Tue, 04 Feb 2014 10:50:53 -0800
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20140204161338.9A4007FC168@rfc-editor.org> <9B180E22-D31A-48A7-A233-8F3DA05ABF71@ve7jtb.com>
In-Reply-To: <9B180E22-D31A-48A7-A233-8F3DA05ABF71@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------090306020203040307090309"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: eriksencosta@gmail.com, Derek Atkins <derek@ihtfp.com>, Sean Turner <turners@ieca.com>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 18:51:06 -0000
Well, the proposed correction does point to a genuine security hazard Specifically, when client instances share the same re-direct URI, typically mobile clients this is independent of whether implicit or code flows are used It is only injective clients - each of whose instances bind to unique redirect URLs - that can support discriminative Az servers So I would re-phrase the proposed text as: [quote] For public, non-injective clients, this specification does not provide any method for the authorization server to determine what client an access token was issued to. [\quote] - prateek > The text in 10.16 is correct. > > This is a security consideration that has caused serious problems for Facebook and other implementers. > > In the Implicit flow there is no way for a client to know if a access token was issued to it or another client. > > The UA presenting the access token in an implicit flow may be the resource owner but may also be any other client that has ever received an access token for the resource. > > In the implicit flow the Authorization server knows what client it has issued a access token to via the registered redirect URI. > > The change doesn't reflect the intent of the security consideration. > > John B. > > > On Feb 4, 2014, at 1:13 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > >> The following errata report has been submitted for RFC6749, >> "The OAuth 2.0 Authorization Framework". >> >> -------------------------------------- >> You may review the report below and at: >> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3880 >> >> -------------------------------------- >> Type: Technical >> Reported by: Eriksen Costa <eriksencosta@gmail.com> >> >> Section: 10.16 >> >> Original Text >> ------------- >> For public clients using implicit flows, this specification does not >> provide any method for the client to determine what client an access >> token was issued to. >> >> Corrected Text >> -------------- >> For public clients using implicit flows, this specification does not >> provide any method for the authorization server to determine what >> client an access token was issued to. >> >> Notes >> ----- >> A client can only know about tokens issued to it and not for other clients. >> >> Instructions: >> ------------- >> This errata is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party (IESG) >> can log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC6749 (draft-ietf-oauth-v2-31) >> -------------------------------------- >> Title : The OAuth 2.0 Authorization Framework >> Publication Date : October 2012 >> Author(s) : D. Hardt, Ed. >> Category : PROPOSED STANDARD >> Source : Web Authorization Protocol >> Area : Security >> Stream : IETF >> Verifying Party : IESG >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] [Technical Errata Reported] RFC6749 (3… RFC Errata System
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Dick Hardt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… John Bradley
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Phil Hunt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Dick Hardt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Prateek Mishra
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Bill Mills
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… John Bradley
- [OAUTH-WG] Suitable grant type for a Javascript u… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Manfred Steyer
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Prateek Mishra
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Justin Richer
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Prateek Mishra
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Eriksen Costa
- [OAUTH-WG] [Errata Rejected] RFC6749 (3880) RFC Errata System