IETF Logo Mail Archive

Re: [OAUTH-WG] Token Revocation error codes

Sergey Ponomarev <stokito@gmail.com> Fri, 28 January 2022 13:58 UTC

Return-Path: <stokito@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BCF33A1488 for <oauth@ietfa.amsl.com>; Fri, 28 Jan 2022 05:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zflphTb-I35E for <oauth@ietfa.amsl.com>; Fri, 28 Jan 2022 05:58:28 -0800 (PST)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E9973A1588 for <oauth@ietf.org>; Fri, 28 Jan 2022 05:58:12 -0800 (PST)
Received: by mail-yb1-xb34.google.com with SMTP id i62so18674272ybg.5 for <oauth@ietf.org>; Fri, 28 Jan 2022 05:58:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=unQ835c12vSNEwKhZ1+qkIlHhzCbOarRbN1Jmz3VFR8=; b=oNJuhtJURGiJ0P6pyrlMS+c5duBfzh6Jf+zyd5bsy7hWVhVa2eYZ71imqIwVhPJpCZ EWPsfr5vPIucFBg8v4YGfnd22R4YJhAYDede908qdzWwJoAQTmRzhP1R8OotcrH5oNj2 FRxWxFD326NYSaEY4KLcECjUCtgkppFkTWU1yTG0PYGjb+sBzcxWd/hmZx1OMXhjbGsn SVFyrWwlsJSiz6yr2qorNwAZQtMRE8fQgJDxy3DDsfFuVaJe4WZEfP1dkUaKmIVXuD8T BS2UuuPrA0cKxLeVZzJ1QyfFd9mtCv3eZDuEX8qdWbbc3usSutHxtsB4teH8goUkMmhU S76g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=unQ835c12vSNEwKhZ1+qkIlHhzCbOarRbN1Jmz3VFR8=; b=mCSBMXQwsYFCJ85eM6G/czbfzFSmKa3fbOEaKU1DRMlZjq+3qV0XD9biE8KMacAYsK R0PYAO8YDmq8+0SICf8PffqK+eOD+jV7TZzSezXFZSI1WWq3beHRfgJmGCE9zUQN8xZy bl6bhVkuCnyOLB4/Ta97Dl3ZFgmryE9UUG3QOeGmmPawPB9ZkQqY3tGE8o7Xfq0jPPSr Vof6i1iN/BXJPL3dFx/Hk51s4LvpbZxL4hsU06J5tXTraA6IjcDwCqLxfEYpACg8+3L5 C4MUMUTpfazf0YClLZXN/RLMe44oXZ3h4cgkOnsbxHENns0Fp7PCyQyQpsmEpIGIRTVw EbaA==
X-Gm-Message-State: AOAM530fT6PEZhV0nDEmOIsMFAXswGI+kqxVryonPAF0yAlToI6DKBOI 5tqapTSr4p3oMRWfCGM7z7HlOks5gZ0M3VN6iDc=
X-Google-Smtp-Source: ABdhPJyHpJklF9uGbgJ0lrxWJKYlHP3UpL4q8DjbncX5TEGZo/d+tgXmM9t6659PPUwHLDGoa3DZvtnOFILGJWNVmAg=
X-Received: by 2002:a25:600a:: with SMTP id u10mr12254617ybb.215.1643378290041; Fri, 28 Jan 2022 05:58:10 -0800 (PST)
MIME-Version: 1.0
References: <CADR0UcWmKLmy=NcvCAH+6C2c55vgux1=z+7xpMHMApYLV-VQrw@mail.gmail.com> <06748dd8-017d-81cc-1b2f-0aa9d61a4731@aol.com> <CD52F9C3-EAED-48A5-BA0D-90B1D3F70811@mit.edu> <A13CFBFA-A94B-4095-9260-DEE61B359C56@authlete.com> <1241C308-15BA-4235-85B8-5B12E1E4B248@mit.edu> <CAEayHENcjk8rnya2ahNcG8BaZhg9=44s78iKaYoUBOnStpu33w@mail.gmail.com> <CADR0UcWAs2F21N+wEvMT82v44ue0iM7uPxDgXZLEE_=0zER-Kg@mail.gmail.com> <CADR0UcXhE2Yx9X0M_kJ7+VW64OLopayODKKSUMgxSByFEjpajA@mail.gmail.com> <CADR0UcUjGnGQkHB+9f6oQ5fChgBdHoVb30Tiy0Q7MqNyktjQGg@mail.gmail.com> <CAJot-L33LRAd_1RWpq6PcSxd0G8F6=EwaswSJMCjTmR+H+OHVQ@mail.gmail.com> <CADR0UcV9GykCeCwnv9SA6c=Yv4o65q+sr-DohefzLWgTCTaZVQ@mail.gmail.com> <fd52875f-7c71-7853-368d-f909c79170c9@aol.com>
In-Reply-To: <fd52875f-7c71-7853-368d-f909c79170c9@aol.com>
From: Sergey Ponomarev <stokito@gmail.com>
Date: Fri, 28 Jan 2022 15:57:34 +0200
Message-ID: <CADR0UcWraiVZH0pdob+urOKT0VfnLnesYVyVQYYvcY3+rRyxSw@mail.gmail.com>
To: George Fletcher <gffletch@aol.com>
Cc: Warren Parad <wparad@rhosys.ch>, sdronia@gmx.de, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000035aa7705d6a4d306"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K2m-egZEOlI8x4Jlf0rOHdubRbo>
Subject: Re: [OAUTH-WG] Token Revocation error codes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2022 13:58:34 -0000

As I see from a security perspective it should be fine if the API may say
that the token was already revoked. The token is by itself a secret which
should be hard to guess. Otherwise an attacker may just call userinfo
endpoint.
So leaking information if the token was used or existing is not so
dangerous as not letting a client know that it may have an error.

If anybody can add a few sentences into the Security Considerations that
may help to implementors at least to think about this scenario and make
their own decision. They may chose to follow the spec and always return 200
code but they may instruct their sysadmin to check client integrations to
ensure that they always sending a correct token.

Thank you

On Thu, 27 Jan 2022 at 00:52, George Fletcher <gffletch@aol.com> wrote:

> As Justin pointed out earlier in the thread, if the value `token` is
> clearly not a valid token, then returning an invalid_request response is
> fine. The key is if the value provided for the token parameter is a token,
> then the API MUST NOT leak whether the token was valid or not.
>
> Is this not sufficient?
>
> On 1/26/22 3:01 PM, Sergey Ponomarev wrote:
>
> Thank you, Waren,
>
> Sorry that was misleading, I meant literally the 'null'  as a string which
> may be because of a bug in the client.
> That was an example taken from Thomas Broyer letter:
> > For months, my AS received requests with token=Array, and now receives
> requests with token=null. Those are clearly bugs in the client code, and
> because I return a 200 OK, the developers aren't aware of it.
>
> If you are interested here is the entire thread:
> https://mailarchive.ietf.org/arch/msg/oauth/w68pbTcp2jjk4tzldnS0gOS127Q/
>
> In an ideal world the AS may store even revoked tokens (or JWT kid) and
> clearly return some error in case of unknown token. At least for a day, for
> example. But at least it on a spec level there must be few words added into
> "Security Considerations" section
>
>
>
> On Wed, 26 Jan 2022 at 20:13, Warren Parad <wparad@rhosys.ch> wrote:
>
>> According to RFC7009, I don't see anywhere which says you have to return
>> a 200 for token=null. I interpret it as you return a 200, if the token
>> passed would never have been accepted as a valid token. *Null* isn't an
>> invalid token, it is an invalid value for the *token* parameter which is
>> required.
>>
>>    token   REQUIRED.  The token that the client wants to get revoked.
>>
>>
>> So the correct response is either an error immediately (returning a 4XX),
>> or feel free to return the 200 and then the AS should redirect the user to
>> a verified location with the *error *and *error_description* query
>> parameters.
>>
>> I do see some gray area for what to do with real invalid tokens, i.e. the
>> token signature is invalid. So some clarity on the definition of *invalid.
>> *Since the spec talks about invalidation lots of times we should
>> interpret it to mean *a token that has already been invalidated.* And I
>> would interpret all other tokens as justifications for returning a 4XX
>> status code.
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data with IAM authorization as a service. Implement
>> Authress <https://authress.io/>.
>>
>>
>> On Wed, Jan 26, 2022 at 6:44 PM Sergey Ponomarev <stokito@gmail.com>
>> wrote:
>>
>>> Hi and sorry for raising the four years old topic.
>>>
>>> As a recup I reported a SECURITY VULNERABILITY on OAuth 2
>>> specification level. It's minor (I hope) but still seen in the real
>>> world AS implementation.
>>> In short, to logout a user the revocation endpoint is called with the
>>> user's token. And by a the RFC7009 the AS must always return 200 Ok
>>> status code even if the token is invalid:
>>>
>>> > The authorization server responds with HTTP status code 200 if the
>>> token has been revoked successfully or if the client submitted an invalid
>>> token.
>>> > Note: invalid tokens do not cause an error response since the client
>>> cannot handle such an error in a reasonable way.  Moreover, the purpose of
>>> the revocation request, invalidating the particular token, is already
>>> achieved.
>>>
>>> So if a client just made an incorrect call e.g. token=null then it
>>> will anyway receive a 200 OK and the user will think that logout was
>>> successful and a session closed. But internally the token may be
>>> stored in many places and even shared  between microservices/UI and
>>> other parties and it will remain still working.
>>>
>>> Can anybody take some actions and at least make some errata to the spec?
>>>
>>> P.S. adding to CC authors of the spec
>>>
>>> On Tue, 22 May 2018 at 20:29, Sergey Ponomarev <stokito@gmail.com>
>>> wrote:
>>> >
>>> > What is also should be discussed and specified is revoking of expired
>>> token. For example in Keycloak you can invalidate a session by expired
>>> token:
>>> >>
>>> >> It should be possible to logout a session with a token that is
>>> expired. This is to make sure that a user can invalidate a session if
>>> there's a suspicion that the refresh/offline token has been leaked. In such
>>> a case it could be that the real user has an expired refresh token while an
>>> attacker has been able to refresh the token and obtain a new not expired
>>> refresh token.
>>> >
>>> >
>>> > KEYCLOAK-3302
>>> >
>>> > Think this is doubtful but makes sense.
>>> >
>>> > To summarize: we have to create some threat model with description of
>>> possible use cases.
>>> >
>>> >
>>> > On Tue, 22 May 2018 at 18:18, Sergey Ponomarev <stokito@gmail.com>
>>> wrote:
>>> >>
>>> >> From OAuth perspective we can't say that the token should have some
>>> structure: they can be any random value in case of reference (opaque)
>>> tokens. But the Google's OAuth Server responds in this case with 400 error
>>> "invalid_token".
>>> >> The same can be used for JWTs with invalid sign or issuer.
>>> >> So it would be better if specification allow OAuth servers to respond
>>> with this error code if it clearly know that token was invalid by format.
>>> >>
>>> >> On Tue, 22 May 2018 at 17:51, Thomas Broyer <t.broyer@gmail.com>
>>> wrote:
>>> >>>
>>> >>> IFF the server processes it!
>>> >>> RFC 7009 says “An authorization server MAY ignore this parameter,
>>> particularly if it is able to detect the token type automatically.” which
>>> BTW is exactly my case.
>>> >>>
>>> >>> For months, my AS received requests with token=Array, and now
>>> receives requests with token=null. Those are clearly bugs in the client
>>> code, and because I return a 200 OK, the developers aren't aware of it.
>>> >>>
>>> >>> If tokens have an expected "structure", I think AS should probably
>>> return an error when the token value clearly is not a token (at one point I
>>> may change my implementation to do just that). As soon as it looks like a
>>> potential token though, then 200 OK sounds good to me.
>>> >>>
>>> >>> On Tue, May 22, 2018 at 4:34 PM Justin Richer <jricher@mit.edu>
>>> wrote:
>>> >>>>
>>> >>>> In that specific case, the token_type_hint value is invalid and can
>>> be rejected as an invalid_request.
>>> >>>>
>>> >>>>  — Justin
>>> >>>>
>>> >>>>
>>> >>>> On May 22, 2018, at 5:27 AM, Joseph Heenan <joseph@authlete.com>
>>> wrote:
>>> >>>>
>>> >>>>
>>> >>>> I think one important point Sergey raised was that the response to
>>> the client from submitting the wrong token is the same 200 response as
>>> submitting a valid token, and that hugely increases the chance that the
>>> developer of the client app might submit the wrong token and never realise.
>>> Making it easier for the developer of the client app to see that they've
>>> done something wrong and need to fix their implementation seems like a
>>> worthwhile goal to me, and that would appear to explain what google are
>>> thinking with their responses.
>>> >>>>
>>> >>>> An example of an easy to make error that would get a 200 response
>>> is getting the values the wrong way around, i.e. a body of:
>>> >>>>
>>> >>>>      token=refresh_token&token_type_hint=45ghiukldjahdnhzdauz
>>> >>>>
>>> >>>> (as token_type_hint may be ignored by the server.)
>>> >>>>
>>> >>>> The example Sergey gave of the developer accidentally sending the
>>> id token instead of the intended token seems quite likely to happen in the
>>> real world too, and a 200 response in that case does seem wrong to me.
>>> >>>>
>>> >>>>
>>> >>>> Joseph
>>> >>>>
>>> >>>>
>>> >>>> On 21 May 2018, at 22:29, Justin Richer <jricher@mit.edu> wrote:
>>> >>>>
>>> >>>> I’m with George here: revocation is almost a best-effort request
>>> from the client’s perspective. It sends a message to the server saying “hey
>>> I’m done with this token, you can throw it out too”. If the server does
>>> revoke the token, the client throws it out. If the server doesn’t revoke
>>> the token? Then the client still throws it out. Either way the results from
>>> the client’s perspective are the same: it’s already decided that it’s done
>>> with the token before it talks to the server. It’s an optional cleanup step
>>> in most  OAuth systems.
>>> >>>>
>>> >>>>  — Justin
>>> >>>>
>>> >>>> On May 21, 2018, at 5:08 PM, George Fletcher <gffletch=
>>> 40aol.com@dmarc.ietf.org> wrote:
>>> >>>>
>>> >>>> I'm not understanding how these different cases matter to the
>>> client? I doubt that the running code will be able to dynamically handle
>>> the error. So it seems this information is only relevant to the developers
>>> and not relevant from an end user and the client perspective.
>>> >>>>
>>> >>>> Also, for the 5 states you define, the effect of calling revocation
>>> is still that the token is "revoked" because the token is already not valid.
>>> >>>>
>>> >>>> So from an implementation perspective, where is the concern that
>>> developer will do the "wrong thing" without these more detailed error
>>> responses?
>>> >>>>
>>> >>>> Thanks,
>>> >>>> George
>>> >>>>
>>> >>>> On 5/19/18 5:41 PM, Sergey Ponomarev wrote:
>>> >>>>
>>> >>>> Hi,
>>> >>>>
>>> >>>> I developing an implementation of back channel token revocation
>>> endpoint. And I think we should reconsider and probably change the
>>> specification to improve error handling.
>>> >>>>
>>> >>>> Here we see several situations of error state:
>>> >>>> 1. token wasn't sent in request.
>>> >>>> 2. token is invalid by format i.e. not JWT or JWT with invalid
>>> signature
>>> >>>> 3. token is expired or token is even unknown
>>> >>>> 4. token was already revoked
>>> >>>> 5. token type is unsupported
>>> >>>>
>>> >>>> According to  RFC7009 OAuth 2.0 Token Revocation  section 2.2
>>> Revocation Response:
>>> >>>>
>>> >>>>> The authorization server responds with HTTP status code 200 if the
>>> token has been revoked successfully or if the client submitted an invalid
>>> token.
>>> >>>>> Note: invalid tokens do not cause an error response since the
>>> client cannot handle such an error in a reasonable way.  Moreover, the
>>> purpose of the revocation request, invalidating the particular token, is
>>> already achieved..
>>> >>>>
>>> >>>>
>>> >>>> As you may see this section covers only case 3 and case 4 but it's
>>> very unclear: calling token as "invalid" is very broad definition.
>>> >>>> I think we should take a look on each case separately:
>>> >>>>
>>> >>>> 1. token wasn't sent in request.
>>> >>>> Most implementations returns 400 status code, error:
>>> "invalid_request", error_description": "Missing required parameter: token".
>>> >>>> Note that returned error is not "invalid_token" but
>>> "invalid_request" and I think this should be correct behavior and should be
>>> clearly specified.
>>> >>>>
>>> >>>> 2. token is invalid by format i.e. not JWT or JWT with invalid
>>> signature
>>> >>>> This error is mostly related to JWT but for reference (opaque)
>>> tokens can be also applied (e.g. token is too long).
>>> >>>> Goolge OAuth returns 400 code with  "error": "invalid_token" and I
>>> think this is correct behavior.
>>> >>>> The client can have a bug and sends invalid tokens so we should
>>> return an error response instead of 200 status.
>>> >>>>
>>> >>>> 3. token is expired or even unknown
>>> >>>> Spec says that IdP should return 200 in this case but in case of
>>> unknown token this may be a symptom of a bug on client side. Even if IdP
>>> can clearly determine that token is expired (in case of JWT) this is hard
>>> to determine in case of reference token that was removed from DB.
>>> >>>> So personally I think that from security perspective it's better to
>>> response with 400 status because client can have a bug when it's sends some
>>> unknown token and think that it was revoked while it wasn't.
>>> >>>>
>>> >>>> For example Google OAuth revocation endpoint implementation do not
>>> follow the spec and returns 400 Bad Request with error message "Token is
>>> revoked or expired".
>>> >>>>
>>> >>>> 4. token was already revoked
>>> >>>> The same as above: this can be a bug in a client and we should
>>> return 400 status. In case of reference token which was removed from DB we
>>> can't distinguish that the token was revoked or even existed so this
>>> situation is the same as unknown token.
>>> >>>>
>>> >>>> 5. token type is unsupported
>>> >>>> For this case specification introduces a new error code for case 5
>>> in section 2.2.1. Error Response :
>>> >>>>>
>>> >>>>> unsupported_token_type:  The authorization server does not support
>>> the revocation of the presented token type.  That is, the client tried to
>>> revoke an access token on a server not   supporting this feature.
>>> >>>>
>>> >>>> But it would be better to mention that revocation of ID token
>>> (which can be is considered as "public" and not used to auth) definitely
>>> should cause this error.
>>> >>>>
>>> >>>> It would be great if we discuss this cases and improve
>>> specification.
>>> >>>>
>>> >>>> P.S. Also it may be worse to mention that specification says that
>>> content of successful response is empty but status code is 200 instead of
>>> 201 "No Content".
>>> >>>>
>>> >>>> Regards,
>>> >>>> Sergey Ponomarev
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> OAuth mailing list
>>> >>>> OAuth@ietf.org
>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> OAuth mailing list
>>> >>>> OAuth@ietf.org
>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> OAuth mailing list
>>> >>>> OAuth@ietf.org
>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> OAuth mailing list
>>> >>>> OAuth@ietf.org
>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> OAuth mailing list
>>> >>>> OAuth@ietf.org
>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>>
>>> >>> _______________________________________________
>>> >>> OAuth mailing list
>>> >>> OAuth@ietf.org
>>> >>> https://www.ietf.org/mailman/listinfo/oauth
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Sergey Ponomarev, skype:stokito
>>> >
>>> >
>>> >
>>> > --
>>> > Sergey Ponomarev, skype:stokito
>>>
>>>
>>>
>>> --
>>> Sergey Ponomarev,
>>> stokito.com
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
> _______________________________________________
>
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email