IETF Logo Mail Archive

Re: [OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 15 March 2015 17:18 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086D81A1B51 for <oauth@ietfa.amsl.com>; Sun, 15 Mar 2015 10:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.151
X-Spam-Level:
X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XI3Jx0n0Qgav for <oauth@ietfa.amsl.com>; Sun, 15 Mar 2015 10:18:19 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.18.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D23E01A0358 for <oauth@ietf.org>; Sun, 15 Mar 2015 10:18:18 -0700 (PDT)
Received: from [79.253.34.96] (helo=[192.168.71.100]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1YXCB6-0003kk-3T; Sun, 15 Mar 2015 18:18:16 +0100
Message-ID: <5505BED5.50307@lodderstedt.net>
Date: Sun, 15 Mar 2015 18:18:13 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Josh Mandel <jmandel@gmail.com>, "oauth@ietf.org WG" <oauth@ietf.org>
References: <CANSMLKH0s==3bGt6DgFF8XycvFWcxnK6XeYo3tHb1scecZDnKw@mail.gmail.com>
In-Reply-To: <CANSMLKH0s==3bGt6DgFF8XycvFWcxnK6XeYo3tHb1scecZDnKw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000404010203040306060103"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HcrpxAS0NSjpkLNamUM6wShOkho>
Cc: Matt Randall <matthew.a.randall@gmail.com>, Dixie Baker <Dixie.Baker@martin-blanck.com>
Subject: Re: [OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Mar 2015 17:18:22 -0000

Hi Josh,

I'm not aware of a common practice to use such a parameter. The WG is 
instead heading towards authenticated requests to the resource server 
(see https://tools.ietf.org/html/rfc6819#section-5.4.2).

Please take a look onto 
http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture and further 
drafts on this topic.

kind regards,
Torsten.

Am 03.03.2015 um 18:27 schrieb Josh Mandel:
> Hi All,
>
> In section 4.6.4 ("Threat: Access Token Phishing by Counterfeit 
> Resource Server"), RFC6819 describes a threat where a counterfeit 
> resource server tricks a client into obtaining and sharing an access 
> token from a legitimate authorization server. One of the proposed 
> mitigations involves: "telling the authorization server about the 
> resource server endpoint URL in the authorization process."
>
> In other words, this mitigation would ask the client to pass an 
> additional parameter when redirecting to the Authorization server's 
> "authorize" URL, effectively something like:
>
> https://auth-server/authorize?
> response_type=code&
> client_id=123&
> state=456&
> scope=read-all&
> redirect_uri=https://app-server/after-auth&
> *resource_server_that_told_me_to_authorize_here=https://attacker.com*
> *
> *
> (And if the authorization server saw a value it didn't like in the 
> final parameter, it would reject the request.)
>
> This is obviously not appropriate in every authorization scenario, but 
> it is useful anytime there's a discovery process by which apps learn 
> about authorization servers from resource servers. Since it's 
> something of a common need, I wanted to see if there was any common 
> practice in how to name this parameter, or whether it's worth 
> registering a standard extension at 
> http://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml . 
> (I don't see one there now -- possibly I'm just missing it.)
>
> If so, what should it be called? The name I used in the example above 
> is a bit verbose :-)
>
> Best,
>
>   Josh
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email