Re: [OAUTH-WG] What's the use case for signing OAuth 2.0 requests?

Yaron Goland <> Fri, 01 October 2010 22:47 UTC


In the core OAuth spec the scenario is a tightly related token and application endpoint. It presumes that they will take the appropriate security mechanisms between them such as signed tokens but doesn't require any particular solution for how to implement such a mechanism.

When the issue was extended to address discovery-based scenarios (a scenario not currently supported by the core spec), this brought up the problem that a standard mechanism to provide audience protection is needed. So my article suggests that when discovery is in scope then we will introduce a standard mechanism (in my article I suggest a standardized signed token format including an audience value) to address the issue.

In other words, the current spec leaves the issue unaddressed because it isn't in scope, but when the scope extends to discovery we'll have to provide an explicit mechanism.


Sent: Friday, September 24, 2010 3:19 PM
To: Yaron Goland
Subject: Re: [OAUTH-WG] What's the use case for signing OAuth 2.0 requests?


You have referenced the SAML browser SSO protocol (POST profile) in your blog posting, and correctly observed that the same problem would manifest itself there as well.

As a counter-measure, the SAML POST profile explicitly requires that the target (destination) URL or similar identifier be carried as part of the SAML payload, and further that the SAML payload is signed. This allows for the recipient to determine whether it was the intended target and to ignore payloads directed at other targets.

I don't believe that similar constraints have been placed on the OAuth access token - it is essentially undefined? - but maybe I missed that in my reading of the specification draft.

- prateek

My understanding of Eran's article ( is that Eran believes that bearer tokens are not good enough as a security mechanism because they allow for replay attacks in discovery style scenarios. He then, if I understood the article correctly, argues that the solution to the replay attack is to sign OAuth 2.0 requests.
In I tried to demonstrate that in fact one can easily prevent replay attacks in discovery scenarios using OAuth 2.0 and bearer tokens. If the article is correct then it is not a requirement to introduce message signing into OAuth 2.0 in order to prevent the attacks that Eran identified.

So this leaves me wondering, what's the critical scenario that can't be met unless we sign OAuth 2.0 requests?
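
The audience check discussed in this thread (a signed token carrying an audience value, which the recipient compares with its own identifier before honoring the token), as an added example that is not part of the original messages. The token layout, key and URLs are constructed for illustration, and an HMAC key shared by the token endpoint and the resource server is assumed here in place of whatever signature scheme a standardized token format would define.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only.
ISSUER_KEY = b"constructed-demo-key"
CALENDAR_API = "https://calendar.example.com/"
PHOTOS_API = "https://photos.example.net/"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(subject: str, audience: str, key: bytes = ISSUER_KEY) -> str:
    """Token endpoint: bind the token to one audience and sign the claims."""
    claims = json.dumps({"sub": subject, "aud": audience}, sort_keys=True).encode()
    sig = hmac.new(key, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(sig)


def accept_token(token: str, my_audience: str, key: bytes = ISSUER_KEY) -> dict:
    """Resource server: verify the signature first, then the audience."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError as exc:  # wrong part count or undecodable base64
        raise PermissionError("malformed token") from exc
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    parsed = json.loads(claims)
    # A bearer token presented to a server it was not issued for is ignored,
    # the same rule the SAML POST profile applies to its destination value.
    if parsed.get("aud") != my_audience:
        raise PermissionError("token issued for a different audience")
    return parsed
```

Because the audience sits inside the signed claims, a recipient of the token cannot rewrite it to match another server without invalidating the signature.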
