[OAUTH-WG] Fwd: Several typos in -20 and a possible security consideration
Niv Steingarten <nivstein@gmail.com> Mon, 25 July 2011 22:28 UTC
Forwarded as per Eran's request. A couple of corrections to my original email:

1. By AJAX, I mean AJAX-like techniques (if the user agent does not enforce the same-origin policy).
2. When saying POST to '/authorize_callback' -- it may well be GET, if the authorization server mishandles the request.

Thank you,
Niv

---------- Forwarded message ----------
From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Tue, Jul 26, 2011 at 01:21
Subject: RE: Several typos in -20 and a possible security consideration
To: Niv Steingarten <nivstein@gmail.com>

Please forward this message to the oauth list at oauth@ieft.org.

Thanks,

EHL

From: Niv Steingarten [mailto:nivstein@gmail.com]
Sent: Monday, July 25, 2011 2:52 PM
To: draft-ietf-oauth-v2@tools.ietf.org
Subject: Several typos in -20 and a possible security consideration

Hello,

I've noticed a couple of typos in -20:

Section 6 (page 41): Under 'The authorization server MUST', the second bullet should end with the word "and", and the third bullet should end with a full stop.
Section 10.2 (first paragraph): "...keep is client credentials confidential" should be "...keep *its* client credentials confidential".

Regarding the security consideration --

I might be missing something, but I saw there are references to clickjacking and to client impersonation, but I haven't seen any reference to possible resource owner impersonation.

For example, in the implicit grant flow, a malicious client could send a request to the authorization endpoint via, say, AJAX, and receive the markup of the page asking the resource owner to authorize the client (assuming the resource owner is signed in and no resource owner authentication is required). Then, in a poorly designed authorization endpoint, the 'Allow' button might be the submission button of a form whose target is '/authorize_callback' on the authz server. Then, it may be possible for the malicious client to simply POST to '/authorize_callback' and authorize itself without any resource owner intervention or knowledge that the process has even taken place. This, of course, can be mitigated in most modern browsers if the authorization server verifies the source of the request using the HTTP referrer header.

Thanks for your time and for the fantastic work on OAuth,

--
Niv Steingarten
T:
E: nivstein@gmail.com
W: http://nivstein.com
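The consent-form weakness described in the thread, as an added defender-side example that is not part of the mail or of any OAuth implementation: an authorization server's `/authorize` and `/authorize_callback` handlers in Python, where the consent page carries a single-use token bound to the signed-in session and the callback refuses a POST that lacks that token or arrives with a foreign Referer/Origin. The endpoint paths are the ones named in the mail; `ConsentSession`, the `consent_token` form field, the `decision` field and `AUTHZ_ORIGIN` are assumptions. It goes beyond the Referer check Niv proposes by adding the per-request token, since browsers may omit or strip the Referer header.

```python
import secrets
from dataclasses import dataclass, field

# Assumed origin of the authorization server; the malicious client lives elsewhere.
AUTHZ_ORIGIN = "https://authz.example"


@dataclass
class ConsentSession:
    """Server-side state for one signed-in resource owner (constructed for this example)."""
    user_id: str
    # single-use consent token -> (client_id, redirect_uri) for each consent page rendered
    pending: dict = field(default_factory=dict)


def render_consent_page(session, client_id, redirect_uri):
    """GET /authorize: remember a single-use token bound to this client and return the
    values the consent page embeds (the token goes into a hidden form field)."""
    token = secrets.token_urlsafe(32)
    session.pending[token] = (client_id, redirect_uri)
    return {"form_action": "/authorize_callback", "client_id": client_id,
            "consent_token": token}


def same_origin(headers):
    """The Referer check from the mail; Origin (sent by modern browsers on POST) is preferred."""
    src = headers.get("Origin") or headers.get("Referer", "")
    return src == AUTHZ_ORIGIN or src.startswith(AUTHZ_ORIGIN + "/")


def handle_authorize_callback(session, form, headers):
    """POST /authorize_callback: grant only when the submission comes from our own consent page."""
    if not same_origin(headers):
        return {"error": "access_denied", "reason": "cross-origin submission"}
    # pop() makes the token single-use, so a captured form cannot be replayed
    pending = session.pending.pop(form.get("consent_token", ""), None)
    if pending is None:
        return {"error": "access_denied", "reason": "missing, unknown or reused consent token"}
    client_id, redirect_uri = pending
    if form.get("client_id") != client_id or form.get("decision") != "allow":
        return {"error": "access_denied", "reason": "client or decision mismatch"}
    # Placeholder value for the implicit-grant access token; not a real token format.
    return {"access_token": "tok-" + secrets.token_hex(8),
            "client_id": client_id, "redirect_uri": redirect_uri}
```

A direct POST from the client without the token is refused even when it forges a same-origin Referer, and the legitimate submission works exactly once.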