IETF Logo Mail Archive

Re: [OAUTH-WG] state parameter and XSRF detection

Eran Hammer-Lahav <eran@hueniverse.com> Sun, 10 July 2011 17:45 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CED5221F8781 for <oauth@ietfa.amsl.com>; Sun, 10 Jul 2011 10:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[AWL=-0.033, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oTKfKqkQ8Ixj for <oauth@ietfa.amsl.com>; Sun, 10 Jul 2011 10:45:38 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 456B921F877A for <oauth@ietf.org>; Sun, 10 Jul 2011 10:45:38 -0700 (PDT)
Received: (qmail 9331 invoked from network); 10 Jul 2011 17:45:37 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Jul 2011 17:45:37 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Sun, 10 Jul 2011 10:45:37 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, OAuth WG <oauth@ietf.org>
Date: Sun, 10 Jul 2011 10:45:29 -0700
Thread-Topic: [OAUTH-WG] state parameter and XSRF detection
Thread-Index: Acw+4ovf8LX6RmLrRUSLefmnYL9iBAARX93Q
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234501D4A0187@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E08F494.2010807@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234501D49FDD3@P3PW5EX1MB01.EX1.SECURESERVER.NET> <9d7933e1-6845-4d58-9835-387b0753aab9@email.android.com> <90C41DD21FB7C64BB94121FBBC2E7234501D4A0032@P3PW5EX1MB01.EX1.SECURESERVER.NET> <aacd0390-c617-43ef-9693-20fe62c9516d@email.android.com>
In-Reply-To: <aacd0390-c617-43ef-9693-20fe62c9516d@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] state parameter and XSRF detection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 17:45:38 -0000

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> Sent: Sunday, July 10, 2011 2:17 AM

> Eran Hammer-Lahav <eran@hueniverse.com> schrieb:
> 
> >The security of the protocol relies fully (implicit grant) or partially
> >(authorization code) on the validation of the redirection URI. This was
> >well understood by many experts but until -17, we largely ignored by
> >the specification.
> 
> what does "security of the protocol" mean? Wrt what threats?

s/security of the protocol/client identification

> I personally think there are various features of the protocol contributing to
> the overall security level of the protocol protocol (for different threats). For
> example: user engagement and control plays an important role. We
> documented those relations in the security document.

User engagement is nice in theory. In practice, it is more likely to enable attacks than prevent them (e.g. phishing).
 
> Redirect uri validation is, in my opinion, not effective for native apps and
> useless if the attacker uses a native app (no matter whether the legitimate
> client is a web, user agent based or native app). Thus I consider relying on
> this mean exclusively is dangerous.

There are no other practical means. Also, can you describe an attack involving a native application that is more problematic than the actual installation of a malicious native application?

> >Using dynamic values are still fully supported:
> >
> >   3.1.2.2.  Registration Requirements
> >
> >   The authorization server MUST require public clients to register
> >   their redirection URI, MUST require all clients to register their
> >   redirection URI prior to utilizing the implicit grant type, and
> > SHOULD require all clients to register their redirection URI prior to
> >   utilizing the authorization code grant type.
> >
> >   The authorization server SHOULD require the client to provide the
> >   complete redirection URI (the client MAY use the "state" request
> >   parameter to achieve per-request customization).  The authorization
> >   server MAY allow the client to register multiple redirection URIs.
> >   If requiring the registration of the complete redirection URI is not
> > possible, the authorization server SHOULD require the registration of
> >   the URI scheme, authority, and path.
> >
> 
> So what this text basically says is: You should enforce full uri registration &
> validation but you don't have to. Which also means my use case for XSRF
> prevention using other parameters is still supported. Am I wrong?

Full registration is recommended. Allowing changes should be limited to the query, and doing that comes with its own can of worms to look for. But yes, your use case is still supported. Personally, I will never deploy anything but full registration of redirection URI.

EHL

v2.37.1 | Report a Bug | By Email | System Status