IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

John Bradley <ve7jtb@ve7jtb.com> Fri, 18 March 2016 23:43 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED4C12D5C7 for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:43:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_ByxbZmcMMk for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:43:50 -0700 (PDT)
Received: from mail-qg0-x22a.google.com (mail-qg0-x22a.google.com [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B452512D50B for <oauth@ietf.org>; Fri, 18 Mar 2016 16:43:49 -0700 (PDT)
Received: by mail-qg0-x22a.google.com with SMTP id w104so113572288qge.1 for <oauth@ietf.org>; Fri, 18 Mar 2016 16:43:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=XrvSzStg3U5VS9ZHC0znjPCWjWDBBFaPkZQ2eChY9nI=; b=VjoM6jLQ5LtmT3z4wV4duA3lYqYUN3SjQ6ttuH2e7nCkbFCfPkzPwRsFefMgJ1R1gi u6cNfTlxooAspTDyT8DZLPG9PwpQZOpNfH67j8JV8sR64Gs1FEO6p5wft1NpdYIYct6I HDv7/o770D/7e+RAR9iiMEikOq6AXMYmdBWlahzrGc4l0Ri+TN+xrqT6gfF/69XhxRNW 4l0B9fhxhJ31m0ojoJAymLtgaWdseac77YYSjceMOi9lqTB/L3nZhLbYTcXV+prrUyJB 3HX03f8z3iXW4dbip61qhLqAV3a4/XQZrpZb8NpAaMzPDNFqFh/JKEI44XTPGXqyKxxB i/lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=XrvSzStg3U5VS9ZHC0znjPCWjWDBBFaPkZQ2eChY9nI=; b=clR9IH27/8uJ2pnO5W0FDSD1oiCcWzXt7W3Hy11QEiA1hqBS7CWPwhSEyzVJxFW293 YzUAEgQj3kemK1ll4uLfK0V5cAMR/05gykuxRm8GRQWas6xJl9kQ2xYd2zXsyXNN8sTQ a5cGT3g26kE/xo+uRPKmaToD0I6e/FI7aD1nqxAbrgwsKM+JDP1cJj7IRl11XCSZOE2m Ikunw78SpFO4wvYU4hs+o8ERpjQgPhKiT2h4dxT/2ixG/B+cvgAiN/WmrrMaFwv7oBu7 jTQ1CRCZWyQRq4hP6JYWdcy8u9zqe/3ok8hB5CEKc0bgK/YLbck1tuYbInZNP6cyCs5N JcbA==
X-Gm-Message-State: AD7BkJLOOW0Y+eQ+j5Q+t8PAqg7GPv4WlWHs013YCH7XXzSmJLrul9EfaxxAEbA9hko9OQ==
X-Received: by 10.140.177.17 with SMTP id x17mr27552898qhx.39.1458344628768; Fri, 18 Mar 2016 16:43:48 -0700 (PDT)
Received: from [192.168.8.101] ([181.202.83.141]) by smtp.gmail.com with ESMTPSA id s8sm7016271qhb.20.2016.03.18.16.43.46 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 18 Mar 2016 16:43:48 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_A2E39F3B-D032-44D5-AC1A-BF49719D0A2A"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BBC1AC42-E6B7-4250-9443-4FD07CBC136B@oracle.com>
Date: Fri, 18 Mar 2016 20:43:44 -0300
Message-Id: <EA94878D-83B2-41D0-A57B-2C5A390E4CB0@ve7jtb.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com> <EBC38367-126E-497C-9878-0F5E7DC4D7C6@ve7jtb.com> <BBC1AC42-E6B7-4250-9443-4FD07CBC136B@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Jtrsue0OwOQeKY45A1t-8R2UQ7Y>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 23:43:53 -0000

Phil someone is giving the client the bad endpoints.  From the perspective of the client that is an AS.

I count that as two entities one good and one bad.

We agreed not to force clients to do discovery.  

How is the client being given this bad set of endpoints?

If it is being given them by dereferencing a issuer to get the .well-known then the mitigation will stop the attack because the two issuers can’t be the same unless the attacker has compromised the good AS’s .well-known, and that I would argue is a different problem.

John B.



> On Mar 18, 2016, at 8:28 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> John
> 
> You are trying to solve a completely different problem.
> 
> In the bad discovery scenario there is no good AS and bad AS.
> 
> 1.  There is only one AS and one RS infrastrucutre
> 
> 2.  The client is mis-configured because it has been given a bad endpoint for one of dyn-reg, token, or resource
> 
> The client has no way to know what constitutes a valid set of endpoints.
> 
> The AS is acting in good faith in all respects.  It become promiscuous because it is turning over grants and/or tokens over to clients that are sending them to a bad endpoint.
> 
> Phil
> 
> @independentid
> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
> 
> 
> 
> 
>> On Mar 18, 2016, at 4:16 PM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>> 
>> You still have a good AS and a bad AS it is just that the bad AS is using the good AS’s authorization endpoint.
>> 
>> I guess it comes down to how you define what a AS is if it is malicious.
>> 
>> Remember all of the attacks postulated in the papers require a xsrf attack or man in the network to cause a client to start a authorization with the bad AS triggering bad discovery and registration.
>> 
>> If the bad AS is publishing a malicious RS and the “good” registration, authorization, and token endpoints.   It will have a different issuer from the 
>> good AS authorization endpoint.   When the client performs authorization thinking it is going to bad AS and gets back the issuer for good AS that will trigger an error in the client and it will never present the AT to the bad RS’s resource endpoint.
>> 
>> If the developer hard codes some bad RS endpoint in the client then, I admit returning the iss and client_id from the authorization endpoint won’t help.
>> 
>> John B.
>> 
>> 
>>> On Mar 18, 2016, at 7:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>> There are two variations. 
>>> 
>>> Mitm the token endpoint is different then working one legit token endpoint against another thru redirect and state misdirection. 
>>> 
>>> In the mitm version you don't need multiple AS's.
>>> 
>>> Phil
>>> 
>>> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>> 
>>>> The "a. wrong AS /token endpoint" is the mix-up issue, which can be mitigated by returning an identifier for the AS in the authorization response. It is something that needs to be addressed but "discovery" or metadata aren't needed and audience restricted access tokens tokens don't help.
>>>> 
>>>> Maybe that's obvious but there seems to be a lot of confusion on all this so I wanted to reiterate it.
>>>> 
>>>> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>>>> Goals:
>>>> 
>>>> 1. Help the client not send a token to the "wrong" endpoint
>>>>    a. wrong AS /token endpoint
>>>>    b. evil RS endpoint(s)
>>>> 2. Allow good RS to determine if the token being validated was intended for that RS
>>>> 
>>>> Other high-level goals?
>>>> 
>>>> Use cases:
>>>> 
>>>> 1. RS that supports multiple AS (we've had this in production since 2011)
>>>> 2. RS rejects token not issued for use at the RS
>>>> 3. Client that dynamically supports new RS (say any client that supports the jabber API)
>>>> 4. Client that dynamically supports new AS
>>>> 
>>>> Feel free to add to the list :)
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>

v2.23.0 | Report a Bug | By Email