Re: [OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 15 March 2015 17:18 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086D81A1B51 for <oauth@ietfa.amsl.com>; Sun, 15 Mar 2015 10:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.151
X-Spam-Level:
X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XI3Jx0n0Qgav for <oauth@ietfa.amsl.com>; Sun, 15 Mar 2015 10:18:19 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.18.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D23E01A0358 for <oauth@ietf.org>; Sun, 15 Mar 2015 10:18:18 -0700 (PDT)
Received: from [79.253.34.96] (helo=[192.168.71.100]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1YXCB6-0003kk-3T; Sun, 15 Mar 2015 18:18:16 +0100
Message-ID: <5505BED5.50307@lodderstedt.net>
Date: Sun, 15 Mar 2015 18:18:13 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Josh Mandel <jmandel@gmail.com>, "oauth@ietf.org WG" <oauth@ietf.org>
References: <CANSMLKH0s==3bGt6DgFF8XycvFWcxnK6XeYo3tHb1scecZDnKw@mail.gmail.com>
In-Reply-To: <CANSMLKH0s==3bGt6DgFF8XycvFWcxnK6XeYo3tHb1scecZDnKw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000404010203040306060103"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HcrpxAS0NSjpkLNamUM6wShOkho>
Cc: Matt Randall <matthew.a.randall@gmail.com>, Dixie Baker <Dixie.Baker@martin-blanck.com>
Subject: Re: [OAUTH-WG] Standard URL parameter for mitigating RFC6819's threat 4.6.4?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Mar 2015 17:18:22 -0000
Hi Josh, I'm not aware of a common practice to use such a parameter. The WG is instead heading towards authenticated requests to the resource server (see https://tools.ietf.org/html/rfc6819#section-5.4.2). Please take a look onto http://tools.ietf.org/html/draft-ietf-oauth-pop-architecture and further drafts on this topic. kind regards, Torsten. Am 03.03.2015 um 18:27 schrieb Josh Mandel: > Hi All, > > In section 4.6.4 ("Threat: Access Token Phishing by Counterfeit > Resource Server"), RFC6819 describes a threat where a counterfeit > resource server tricks a client into obtaining and sharing an access > token from a legitimate authorization server. One of the proposed > mitigations involves: "telling the authorization server about the > resource server endpoint URL in the authorization process." > > In other words, this mitigation would ask the client to pass an > additional parameter when redirecting to the Authorization server's > "authorize" URL, effectively something like: > > https://auth-server/authorize? > response_type=code& > client_id=123& > state=456& > scope=read-all& > redirect_uri=https://app-server/after-auth& > *resource_server_that_told_me_to_authorize_here=https://attacker.com* > * > * > (And if the authorization server saw a value it didn't like in the > final parameter, it would reject the request.) > > This is obviously not appropriate in every authorization scenario, but > it is useful anytime there's a discovery process by which apps learn > about authorization servers from resource servers. Since it's > something of a common need, I wanted to see if there was any common > practice in how to name this parameter, or whether it's worth > registering a standard extension at > http://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml . > (I don't see one there now -- possibly I'm just missing it.) > > If so, what should it be called? The name I used in the example above > is a bit verbose :-) > > Best, > > Josh > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Torsten Lodderstedt
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Brian Campbell
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Torsten Lodderstedt
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Josh Mandel
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Phil Hunt
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Josh Mandel
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Phil Hunt
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Josh Mandel
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Dixie Baker
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Phil Hunt
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Justin Richer
- Re: [OAUTH-WG] Standard URL parameter for mitigat… John Bradley
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Bill Mills
- Re: [OAUTH-WG] Standard URL parameter for mitigat… Nat Sakimura
- [OAUTH-WG] Standard URL parameter for mitigating … Josh Mandel